awhitf
Level 7
Message 1 of 7

Filter & correlation

I am trying to create a correlation rule which is set up as follows;

Filters -> Sig ID(in) 43-263046630, Access_privileges(in) [1537], source user(in) [Admin groups]

 

This is to display when the Windows event for a file being deleted by an admin, where the file was and the machine ID.

However it displays different results to when I create a filter on the dashboard.

The filter gives me the host ID, source user, destination filename and that it has been deleted on Custom Types

The correlation rule only gives me the client ID and that the file has been removed.

But with both, the views on 'Details' and 'Custom types' are giving me different info too, along with neither of them displaying the same IPs.

6 Replies
McAfee Employee TaskManager
McAfee Employee
Message 2 of 7

Re: Filter & correlation

Is it possible to get a screenshot? From the sounds of it, the correlation rule filters sound like they are on their own line, which would translate to two separate events matching two different filters, whereas the filter from the dashboard is two filters for each event.

As for the IP address not being the same, if you are searching for two separate events, there is a group-by option at the top that lets you bind events based on the specific fields you need to match against.

Hope this helps.

awhitf
Level 7
Message 3 of 7

Re: Filter & correlation

Unfortunately no screenshots, as it's on a closed network.

The filter looks like:

Signature ID = 43-263046630
AND
Access_Privileges = 1537
AND
Source User = admin


The correlation reads:

Filters -> Signature ID (In) [43-263046630], Access_Privileges(In) [1537], Source User (In) [Various admin groups AND 'admin']


Are the filters and correlation rules not applied globally?

McAfee Employee TaskManager
McAfee Employee
Message 4 of 7

Re: Filter & correlation

If you have an AND gate encapsulating 3 different filters, then it is trying to match on any one of those.

It would need to end up being a filter with both fields in the filter.

awhitf
Level 7
Message 5 of 7

Re: Filter & correlation

Oh, I thought it was
this AND that AND that = result.
(As per the guide: 'NOTE: Select AND because there are two types of actions that need to occur (logon tries first, then a successful logon).')
Could you please advise on how to create the rule to display whenever an Admin account deletes a file, or if you know of any solid documentation that can help out. The guide (link below) doesn't offer much help for me.

https://docs.mcafee.com/bundle/enterprise-security-manager-10.2.0-product-guide-unmanaged/page/GUID-...

McAfee Employee TaskManager
McAfee Employee
Message 6 of 7

Re: Filter & correlation

Apologies for not responding sooner.

I do not know of any good documentation on my side for building correlations; there may be some here in the community, but unfortunately I have not spent a terrible amount of time seeing what's out here.

You would drag a single filter component, and specify your logic there. I don't have a file deleted event in front of me to give the exact details, however the event subtype in the example below may be questionable.

example-correlation.png

What this says is: match a single event with the signature ID of 1 (replace this with the object deleted signature ID), where the source user is in a watchlist (create an LDAP-based dynamic watchlist and query your administrative accounts), and the event subtype field needs to be specific to the object deleted subtype (if it exists beyond informational, or specify the field found in custom subtypes that indicates it is deleted).

If you need to set up correlation for when multiple items are deleted by a single user before alerting, then you would add the group-by logic and add an AND gate like so. The below example would trigger when the same Source User deleted 10 files in an hour.

example2-correlation.png

Hope this helps out
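To make the distinction in this thread concrete (one filter component carrying all fields versus several one-field components, and the group-by threshold from the second screenshot), here is an added Python illustration. It is not McAfee ESM code and does not reproduce how ESM evaluates rules internally; the event field names, the "OTHER-SIG" signature value and all sample events are constructed for the example. The signature ID 43-263046630 and the 1537 privilege value are the ones quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real ESM output). Field names are assumptions.
EVENTS = [
    {"ts": "2019-03-01T10:00:00", "sig_id": "43-263046630", "access_privileges": 1537,
     "source_user": "admin", "host": "host-a", "filename": "C:\\share\\q1.xlsx"},
    {"ts": "2019-03-01T10:10:00", "sig_id": "43-263046630", "access_privileges": 1537,
     "source_user": "admin", "host": "host-a", "filename": "C:\\share\\q2.xlsx"},
    {"ts": "2019-03-01T10:20:00", "sig_id": "43-263046630", "access_privileges": 1537,
     "source_user": "admin", "host": "host-b", "filename": "C:\\share\\q3.xlsx"},
    # Matches signature and privilege but not the admin user list.
    {"ts": "2019-03-01T10:05:00", "sig_id": "43-263046630", "access_privileges": 1537,
     "source_user": "jdoe", "host": "host-c", "filename": "C:\\users\\jdoe\\notes.txt"},
    # Matches user and privilege but a different (constructed) signature.
    {"ts": "2019-03-01T10:15:00", "sig_id": "OTHER-SIG", "access_privileges": 1537,
     "source_user": "admin", "host": "host-a", "filename": "C:\\share\\q4.xlsx"},
    # Admin deletion well outside the one-hour window of the first three.
    {"ts": "2019-03-01T12:30:00", "sig_id": "43-263046630", "access_privileges": 1537,
     "source_user": "admin", "host": "host-b", "filename": "C:\\share\\q5.xlsx"},
]

# One filter component with every field: an event must satisfy all three (In) lists.
SINGLE_FILTER = {
    "sig_id": ["43-263046630"],
    "access_privileges": [1537],
    "source_user": ["admin", "backup-admin"],
}

# The same three conditions split into three separate one-field components.
SEPARATE_COMPONENTS = [{k: v} for k, v in SINGLE_FILTER.items()]


def event_matches(event, filt):
    """True when each field's value is in that field's allowed (In) list."""
    return all(event.get(field) in allowed for field, allowed in filt.items())


def match_all_fields(events, filt):
    """Single component carrying all fields: every condition on the same event."""
    return [e for e in events if event_matches(e, filt)]


def match_separate_components(events, components):
    """Separate components each match on their own, so one condition is enough."""
    return [e for e in events if any(event_matches(e, c) for c in components)]


def group_by_threshold(events, key, threshold, window_seconds):
    """Sliding-window count per key value (e.g. source_user).

    Returns the set of key values that reach `threshold` matching events
    within any `window_seconds` span, the shape of the "same Source User
    deleted N files in an hour" rule.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[e[key]].append(datetime.fromisoformat(e["ts"]))
    triggered = set()
    for value, times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            # Drop events that fell out of the window ending at t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                triggered.add(value)
                break
    return triggered


if __name__ == "__main__":
    strict = match_all_fields(EVENTS, SINGLE_FILTER)
    loose = match_separate_components(EVENTS, SEPARATE_COMPONENTS)
    print(f"all fields on one component: {len(strict)} events")   # 4
    print(f"three separate components:   {len(loose)} events")    # 6 (jdoe and OTHER-SIG leak in)
    # Thread example uses 10 per hour; 3 per hour shows the trigger on this small sample.
    print("users hitting 3 deletions in 1h:",
          group_by_threshold(strict, "source_user", 3, 3600))     # {'admin'}
```

The strict match keeps only the four admin deletions carrying the expected signature; the split version also returns the non-admin deletion and the admin event with the other signature, which is the extra noise the original poster saw. The group-by pass then runs only over the strict matches, so the threshold counts genuine admin deletions per user.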

awhitf
Level 7
Message 7 of 7

Re: Filter & correlation

That is very similar to what I have but, unfortunately, not working as needed.

I'm on a course in a few weeks and looking at additional consulting for support. Thank you for trying to help, though.
