Former Member
Message 1 of 3

ESM - Creating an alarm based on multiple events using two fields

Hi.

I'm currently receiving 'virus detected' information from an endpoint protection server. I am trying to create an alarm that triggers when a virus has been detected on the same IP address 3 times in 10 minutes.

Basically I need to match on the same Source_IP as well as signature_ID, across 3 events in the space of 10 minutes.

I currently have an alarm in place that triggers when the same signature_ID shows 3 times in the space of 10 minutes, but this doesn't meet the criteria of same IP.

I am trying to get my head around the logic.

Is there a way, possibly using watchlists, to use the Source_IP as a variable to match against in separate events, and create an alarm based on signature_ID and the results of the watchlist?

Thanks,
Andrew.

2 Replies
Former Member
Message 2 of 3

Re: ESM - Creating an alarm based on multiple events using two fields

So I may have a solution for you, even if it isn't the most elegant solution. I have the following setup for a "3 viruses within 2 weeks" alert:

2 watchlists - both purge accounts after 14 days.

3 alarms total.

First virus alert hits, inserts into first watchlist. Then a second alarm checks to see if a user is in the first watchlist and, if it is, adds the computer name (or IP in your case) to the second watchlist. A third alarm checks the second watchlist and first watchlist. If a user is in both watchlists and triggered a virus, this alerts, creating a 3-in-2-weeks alert.

Former Member
Message 3 of 3

Re: ESM - Creating an alarm based on multiple events using two fields

Why don't you use a Correlation Rule?

> I'm currently receiving 'virus detected' information from an endpoint protection server. I am trying to create an alarm that triggers when a virus has been detected on the same IP address 3 times in 10 minutes.

You can define this with a Correlation Rule.

Then, you should define a "Field Match" alarm referring to the Signature ID of this Correlation Rule.
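The correlation logic the reply describes, as an added example that is not ESM configuration or code from the thread: events are grouped on the pair Source_IP and Signature_ID and a trigger fires when a group reaches 3 events inside a sliding 10-minute window. The log line format, the timestamps and the "clear the group after it fires" behaviour are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed of 'virus detected' events (timestamps and
# pipe-delimited layout are assumptions; the field names follow the post).
SAMPLE_EVENTS = [
    "2024-05-01 10:00:10|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:03:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:04:30|Source_IP=10.0.0.9|Signature_ID=4000|Virus detected",
    "2024-05-01 10:08:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:15:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:20:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:27:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
    "2024-05-01 10:29:00|Source_IP=10.0.0.5|Signature_ID=4000|Virus detected",
]


def parse_event(line):
    """Split one feed line into (timestamp, Source_IP, Signature_ID)."""
    ts, *fields, _msg = line.split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kv["Source_IP"], kv["Signature_ID"]


def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Return one (time, Source_IP, Signature_ID) tuple per trigger.

    The group key is the (Source_IP, Signature_ID) pair, so the same
    signature on a different host is counted separately. Events older
    than `window` relative to the newest event are discarded before the
    count is checked; on a trigger the group is cleared (assumption) so
    the same three events cannot fire twice.
    """
    history = defaultdict(deque)
    triggers = []
    for line in lines:
        ts, ip, sig = parse_event(line)
        q = history[(ip, sig)]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events outside the window
            q.popleft()
        if len(q) >= threshold:
            triggers.append((ts.strftime("%H:%M:%S"), ip, sig))
            q.clear()
    return triggers


if __name__ == "__main__":
    for t in correlate(SAMPLE_EVENTS):
        print("ALARM", *t)
```

On the sample feed the 10:04:30 event from 10.0.0.9 does not count towards 10.0.0.5, and the 10:15 event has already expired when the 10:27 event arrives, so the second trigger waits for the 10:29 event.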
