Message 1 of 4

How to configure Beaconing Correlation Rule in SIEM?

I have a requirement to configure the beaconing correlation rule.

Here is an example: Connection attempt to external Botnet category site - 5 events for every 10 min over a period of 24 hours.

I can configure the rule to have 5 events in a 10 min interval. How do we configure it to run over a 24 hour period? Any help is really appreciated. Thanks

3 Replies
Message 2 of 4

Re: How to configure Beaconing Correlation Rule in SIEM?

Hi Avjana

You can try the following:

Add a Match component - define your criteria in here - Botnet Cat

Click on Parameters - set threshold to 5 events and TimeWindow to 10min

Then add an AND operator on the component and set the TimeWindow to 24H and tick the sequence box.

Regards,

Japie

Message 3 of 4

Re: How to configure Beaconing Correlation Rule in SIEM?

Thank you Japie

I did exactly what you mentioned, but I didn't check the Sequence box, which didn't allow me to set the time to more than the child. Now I clicked on the Sequence box, which allowed me to set the time to 24 hr. Thank you very much for your response.


Message 4 of 4

Re: How to configure Beaconing Correlation Rule in SIEM?

Hi Japie

It seems it didn't work for me. I am able to see the events trigger only for 5 events in 10 min, but not repetitively.

Here is what it looks like:

AND [ 1. AND [ Filter --> Object_type In Botnet Category

1st AND - I have 24 hr with Sequence

2nd AND - I have 5 events in a 10 min interval.

If I select only one AND operator, I can select only threshold and time window (5 events in 10 min interval) with sequence, but I am not sure where to mention the 24 hour time period. Can you tell me if something is not right here? Thanks.
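
The nested-window logic discussed in this thread (5 events in a 10-minute window, repeating within 24 hours), written out in Python as an added example; it is not part of the original posts or of the SIEM product. The event tuples, the IP addresses and `MIN_WINDOWS` (how many 10-minute matches must occur within 24 hours, which the thread does not specify) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INNER = timedelta(minutes=10)  # inner time window (from the thread)
OUTER = timedelta(hours=24)    # outer time window (from the thread)
THRESHOLD = 5                  # events per inner window (from the thread)
MIN_WINDOWS = 3                # assumption: inner matches required within OUTER

def inner_hits(times):
    """Start times of non-overlapping INNER windows holding >= THRESHOLD events."""
    times = sorted(times)
    hits, i = [], 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] < INNER:
            j += 1
        if j - i >= THRESHOLD:
            hits.append(times[i])
            i = j  # consume the burst so it is counted once
        else:
            i += 1
    return hits

def beaconing_sources(events):
    """events: (timestamp, source, category) tuples. Returns {source: [hit times]}."""
    by_src = defaultdict(list)
    for ts, src, category in events:
        if category == "Botnet":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        hits = inner_hits(times)
        for k, start in enumerate(hits):  # slide the outer window over inner matches
            in_outer = [h for h in hits[k:] if h - start < OUTER]
            if len(in_outer) >= MIN_WINDOWS:
                flagged[src] = in_outer
                break
    return flagged

def sample_events():  # constructed data: repeating source, single burst, slow source
    t0 = datetime(2024, 1, 1)
    ev = [(t0 + timedelta(hours=h, minutes=m), "10.0.0.5", "Botnet")
          for h in (0, 4, 8) for m in range(5)]
    ev += [(t0 + timedelta(minutes=m), "10.0.0.9", "Botnet") for m in range(5)]
    ev += [(t0 + timedelta(hours=h), "10.0.0.7", "Botnet") for h in range(20)]
    return ev

if __name__ == "__main__":
    print(beaconing_sources(sample_events()))
```

In the constructed data, the single burst from 10.0.0.9 meets the 5-in-10-minutes condition once but is not flagged, because it does not repeat within the 24-hour window.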
