awhitf
Level 7
Message 1 of 7

Filter & correlation

I am trying to create a correlation rule which is set up as follows:

Filters -> Sig ID(in) 43-263046630, Access_privileges(in) [1537], source user(in) [Admin groups]

This is to display, when the Windows event for a file being deleted by an admin occurs, where the file was and the machine ID.

However it displays different results to when I create a filter on the dashboard.

The filter gives me the host ID, source user, destination filename and that it has been deleted on Custom Types

The correlation rule only gives me the client ID and that the file has been removed.

But with both, the views on 'Details' and 'Custom Types' are giving me different info too, along with neither of them displaying the same IPs.
6 Replies
McAfee Employee TaskManager
Message 2 of 7

Re: Filter & correlation

Is it possible to get a screenshot? From the sounds of it, the correlation rule filters sound like they are on their own line, which would translate to two separate events matching two different filters, whereas the filter from the dashboard is two filters for each event.

As for the IP address not being the same, if you are searching for two separate events, there is a group by option at the top that lets you bind events based on the specific fields you need to match against.

Hope this helps.

awhitf
Level 7
Message 3 of 7

Re: Filter & correlation

Unfortunately no screenshots, as it's on a closed network.

The filter looks like:

Signature ID = 43-263046630
AND
Access_Privileges = 1537
AND
Source User = admin


The correlation reads:

Filters -> Signature ID (In) [43-263046630], Access_Privileges(In) [1537], Source User (In) [Various admin groups AND 'admin']


Are the filters and correlation rules not applied globally?

McAfee Employee TaskManager
Message 4 of 7

Re: Filter & correlation

If you have an AND gate encapsulating 3 different filters, then it is trying to match on any 1 of those.

It would need to end up being a filter with both fields in the filter.

awhitf
Level 7
Message 5 of 7

Re: Filter & correlation

Oh, I thought it was
this AND that AND that = result.
(As per the guide: 'NOTE: Select AND because there are two types of actions that need to occur (logon tries first, then a successful logon).')
Could you please advise on how to create the rule to display whenever an Admin account deletes a file, or if you know of any solid documentation that can help out. The guide (link below) doesn't offer much help for me.

https://docs.mcafee.com/bundle/enterprise-security-manager-10.2.0-product-guide-unmanaged/page/GUID-...

McAfee Employee TaskManager
Message 6 of 7

Re: Filter & correlation

Apologies for not responding sooner.

I do not know of any good documentation on my side for building correlations. There may be some here in the community; unfortunately I have not spent a terrible amount of time seeing what's out here.

You would drag a single filter component and specify your logic there. I don't have a file deleted event in front of me to give the exact details; however, the event subtype in the example below may be questionable.

[Image attachment: example-correlation.png]

What this says is: match a single event with the signature ID of 1 (replace this with the object deleted signature ID), and source user is in watchlist (create an LDAP-based dynamic watchlist and query your administrative accounts), and the event subtype field needs to be specific to the object deleted subtype (if it exists beyond informational, or specify the field found in custom subtypes that indicates it is deleted).

If you need to set up correlation for when multiple items are deleted by a single user before alerting, then you would add the group by logic and add an AND gate like such. The below example would trigger when the same Source User deleted 10 files in an hour.

[Image attachment: example2-correlation.png]

Hope this helps out.
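The two points in the reply above, as an added Python example that is neither ESM's own code nor the poster's: a single filter component whose three conditions must all hold on the same event, the mis-built variant where three separate components are each satisfied by some event, and the group-by "same Source User, 10 deletions in an hour" count. The Signature ID and Access_Privileges values are the ones quoted in the thread; the watchlist members, hosts, filenames and all events are constructed, and "43-000000001" is a placeholder for some other signature ID.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SIG_ID, ACCESS_PRIV = "43-263046630", "1537"   # values quoted in the thread
ADMIN_WATCHLIST = {"admin", "backup_admin"}    # stands in for the LDAP dynamic watchlist (constructed)
T0 = datetime(2024, 1, 1, 9, 0)
def make_event(minute, sig_id, user, host, filename, access_priv=ACCESS_PRIV):
    """One constructed event record, `minute` minutes after T0."""
    return {"time": T0 + timedelta(minutes=minute), "sig_id": sig_id, "access_privileges": access_priv,
            "source_user": user, "host": host, "filename": filename}
def single_event_match(ev):
    """One filter component: all three conditions must hold on the SAME event."""
    return (ev["sig_id"] == SIG_ID and ev["access_privileges"] == ACCESS_PRIV
            and ev["source_user"] in ADMIN_WATCHLIST)
def matching_events(events):
    """What the rule should report: host, source user and filename per matching event."""
    return [ev for ev in events if single_event_match(ev)]
def separate_filters_match(events):
    """Three components on their own lines under an AND gate: each is satisfied
    by SOME event in the set, not necessarily the same one (the mis-built rule)."""
    return (any(ev["sig_id"] == SIG_ID for ev in events)
            and any(ev["access_privileges"] == ACCESS_PRIV for ev in events)
            and any(ev["source_user"] in ADMIN_WATCHLIST for ev in events))
def threshold_by_user(events, count=10, window=timedelta(hours=1)):
    """Group-by Source User: users with `count` matching deletions in any sliding `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if single_event_match(ev):
            per_user[ev["source_user"]].append(ev["time"])
    fired = set()
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                     # slide the window forward
            if end - start + 1 >= count:
                fired.add(user)
                break
    return fired

# Constructed sample: admin deletes 10 files in 45 min, backup_admin only 3,
# jsmith has the right signature and privilege but is not in the watchlist.
SAMPLE_EVENTS = (
    [make_event(5 * i, SIG_ID, "admin", "HOST01", f"C:\\share\\doc{i}.txt") for i in range(10)]
    + [make_event(7, SIG_ID, "jsmith", "HOST02", "C:\\tmp\\x.log")]
    + [make_event(60 + 10 * i, SIG_ID, "backup_admin", "HOST03", f"D:\\old{i}.bak") for i in range(3)])
# No single event here matches, yet three separate filters are all satisfied (constructed placeholder sig ID).
TRAP_EVENTS = [make_event(1, SIG_ID, "jsmith", "HOST02", "C:\\tmp\\y.log"),
               make_event(2, "43-000000001", "admin", "HOST01", "")]
```

Run `matching_events(SAMPLE_EVENTS)` to see the per-event host, user and filename the dashboard filter shows, and compare `separate_filters_match(TRAP_EVENTS)` with `matching_events(TRAP_EVENTS)` to see why components on separate lines fire on unrelated events.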

awhitf
Level 7
Message 7 of 7

Re: Filter & correlation

That is very similar to what I have but unfortunately, not working as needed.

I'm on a course in a few weeks and looking at additional consulting for support. Thank you for trying to help though.
