How to use a recursive field (IP) on two events to trigger a Correlation Rule

Hello guys,

About this topic, I recently created a new correlation rule to evaluate this:

Event 01
Source IP 1.1.1.1 > destination IP 2.2.2.2 > port 3389 > event sub type: Start

Event 02
Source IP 2.2.2.2 > destination IP 3.3.3.3 > Normalization Rule: Login > event sub type: Success

(attachment: Policy.JPG) I have made a few tests, where Event 01 matches correctly but Event 02 does not, because it shows me a different source IP but with a successful authentication.

Event 02
Source IP 6.6.6.6 > destination IP 3.3.3.3 > Normalization Rule: Login > event sub type: Success

My questions here are:

How can I mix this flow to get the best result in a correlation rule?

Is there a method to export/extract the destination IP from Event 01 and evaluate it in Event 02 as the source IP recursively?

The best scenario is as follows:

Event 01
Source IP 1.1.1.1 > destination IP 2.2.2.2 > port 3389 > event sub type: Start

Event 02
Source IP 2.2.2.2 > destination IP 3.3.3.3 > Normalization Rule: Login > event sub type: Success

So clearly, in Event 01 the destination IP is 2.2.2.2, because the user is trying to connect to a remote desktop; that remote desktop then has to authenticate with Active Directory, and in that case the source IP is now 2.2.2.2 and the destination is 3.3.3.3 (AD).

Waiting for your kind comments.

Thanks.

DP.

5 Replies
lratcliffe
McAfee Employee

Re: How to use a recursive field (IP) on two events to trigger a Correlation Rule

This sounds like a use case for the "override group by" functionality.

As standard, Correlated Events are linked by the field chosen in "Group By" but you can override which field is used on specific filters.

So I would set the overall correlation rule to group by destination IP and, in the properties of your second filter rule, override the group by with source IP.

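A small simulation of the mechanism described in the reply above, added here as an example; it is not McAfee ESM code and not the reply author's own. It models a two-stage correlation rule whose default "Group By" field is the destination IP, with the second stage overriding the join field to source IP, and a time window between the stages. The event dictionaries, field names, the stage/predicate structure and the in-order chaining are all assumptions made for this example; ESM's real correlation engine is not modelled beyond that.

```python
"""Two-stage correlation with a per-stage "group by" override (added example, not ESM code)."""
from collections import defaultdict

# Constructed sample events (time = seconds since an arbitrary epoch).
# The thread's flow: RDP start 1.1.1.1 -> 2.2.2.2, then 2.2.2.2 logs in to AD at 3.3.3.3.
# The 6.6.6.6 login is the unrelated success the original poster saw matching.
SAMPLE_EVENTS = [
    {"time": 0,  "src": "1.1.1.1", "dst": "2.2.2.2", "dport": 3389, "rule": "RDP",   "subtype": "Start"},
    {"time": 30, "src": "6.6.6.6", "dst": "3.3.3.3", "dport": 88,   "rule": "Login", "subtype": "Success"},
    {"time": 40, "src": "2.2.2.2", "dst": "3.3.3.3", "dport": 88,   "rule": "Login", "subtype": "Success"},
]


def is_rdp_start(e):
    """Stage 1 filter: a session start to port 3389."""
    return e["dport"] == 3389 and e["subtype"] == "Start"


def is_login_success(e):
    """Stage 2 filter: a normalised Login event that succeeded."""
    return e["rule"] == "Login" and e["subtype"] == "Success"


# Each stage is (name, predicate, group-by override).  None means "use the rule's default".
STAGES_WITH_OVERRIDE = [
    ("rdp_start", is_rdp_start, None),     # joins on the rule default: destination IP
    ("ad_login", is_login_success, "src"),  # override: join this stage on source IP
]
STAGES_NO_OVERRIDE = [
    ("rdp_start", is_rdp_start, None),
    ("ad_login", is_login_success, None),   # both stages join on destination IP
]


def correlate(events, stages, default_group_by="dst", window=60):
    """Return the chains that completed every stage in order, as (join_key, [events]).

    A stage i > 0 only advances a chain whose last matched stage is i-1 and whose
    first event is still inside `window` seconds (the rule's time window, assumed)."""
    pending = defaultdict(list)   # join key -> [(stage_index, event), ...]
    fired = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        for i, (_, pred, override) in enumerate(stages):
            if not pred(e):
                continue
            key = e[override or default_group_by]   # the override is what links dst of stage 1 to src of stage 2
            chain = pending[key]
            if i == 0:
                pending[key] = [(0, e)]              # (re)start the chain for this key
            elif chain and chain[-1][0] == i - 1 and e["time"] - chain[0][1]["time"] <= window:
                chain.append((i, e))
                if i == len(stages) - 1:
                    fired.append((key, [ev for _, ev in chain]))
                    pending[key] = []
    return fired


def fired_keys(events, stages, **kw):
    """Convenience: just the join keys of the chains that fired."""
    return [key for key, _ in correlate(events, stages, **kw)]


if __name__ == "__main__":
    print("with override:", fired_keys(SAMPLE_EVENTS, STAGES_WITH_OVERRIDE))   # ['2.2.2.2']
    print("no override:  ", fired_keys(SAMPLE_EVENTS, STAGES_NO_OVERRIDE))     # []
```

Without the override the second stage joins on its own destination (the AD server, 3.3.3.3), which never equals the first stage's destination, so nothing fires; with it, only the login sourced from 2.2.2.2 completes the chain, and the 6.6.6.6 login is ignored. Shrinking `window` below the gap between the two events (for example `window=30`) also suppresses the match, which is the same effect the original poster describes with a one-minute window.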
David1111
Reliable Contributor

Re: How to use a recursive field (IP) on two events to trigger a Correlation Rule

Hi, I like to call it a Domino Flow,

where the Destination of 1 is the Source of 2.
In order to do that, there is not a good option in the McAfee ESM, but the next idea,

involving a lot of watchlists, but I don't see a different solution.

Share your thoughts or kudos.

It's a bit hard to explain with text, so I attached a nice topology for that.

If you need an explanation, don't be shy... (attachment: Domino Flow.png)

Best Regards👍👍👍

David

Re: How to use a recursive field (IP) on two events to trigger a Correlation Rule

Hello David,

Thank you so much. I'm trying to perform this, but my problem here is that I don't know how to create this dynamic watchlist, because it asks me for a source and different values that I don't know.

So, if you can share some documentation or a procedure to create a dynamic watchlist, that would be the best for me. (I have tried with the official documentation, but it was of no use.)

Thank you in advance.

 

Re: How to use a recursive field (IP) on two events to trigger a Correlation Rule

Hello David,

Recently, I configured an alarm to append to a static watchlist; it is updated with the destination IP, but my point here is: how much time does it take to update these values on the WL?

Correlation rules, at this moment, don't work, even if I put the watchlist as the source IP for the login to the AD server in the second event.

Maybe I have to increase the time window for the correlation rule. At this moment the value is one minute.

Let me know if you have another idea or recommendation about this.

Thank you so much.

DP

Re: How to use a recursive field (IP) on two events to trigger a Correlation Rule

Hello David-Pach,
The ESM gets logs from the RCVR every 10 minutes, as you know. When logs come to the ESM they are correlated with each other. So when the first section happens, I guess it will update the watchlist 10 minutes later. So you need to give a time to live of minimum 10 min for the WL.

Note: You can change the event log retrieval time. It causes performance problems.

Best Regards.
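A simulation of the watchlist ("domino") approach from David's reply under the batched ingestion described in the last reply, added here as an example; it is not McAfee ESM code and not any reply author's own. The timing model is an assumption, not documented ESM behaviour: the ESM pulls events from the receiver every PULL seconds, an alarm that appends to a watchlist runs when the batch carrying its trigger event is pulled, the entry's TTL counts from that insertion, and a later event is checked against the watchlist when its own batch is pulled. Event dictionaries and field names are constructed for the example.

```python
"""Watchlist-chained detection under batched ingestion (added example, not ESM code)."""

PULL = 600  # receiver pull interval in seconds: the "every 10 minutes" from the thread (assumed model)


def batch_arrival(event_time, pull=PULL):
    """Time at which an event generated at event_time is pulled into the ESM."""
    return (event_time // pull + 1) * pull


class Watchlist:
    """Static watchlist whose entries carry a time-to-live from insertion."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}   # value -> (inserted_at, expires_at)

    def append(self, value, inserted_at):
        self.entries[value] = (inserted_at, inserted_at + self.ttl)

    def contains(self, value, now):
        ins, exp = self.entries.get(value, (None, None))
        return ins is not None and ins <= now <= exp


def run_chain(rdp_start, ad_login, ttl):
    """True if the stage-2 login is matched against the watchlist entry written by the stage-1 RDP start."""
    wl = Watchlist(ttl)
    # Stage 1 alarm: append the RDP destination when the batch carrying that event is pulled.
    wl.append(rdp_start["dst"], batch_arrival(rdp_start["time"]))
    # Stage 2 rule: login success whose source IP is on the watchlist, evaluated when its batch is pulled.
    check_time = batch_arrival(ad_login["time"])
    return ad_login["subtype"] == "Success" and wl.contains(ad_login["src"], check_time)


def minimum_working_ttl(rdp_start, ad_login, candidates):
    """Smallest TTL (seconds) among candidates for which the chain fires, or None."""
    for ttl in sorted(candidates):
        if run_chain(rdp_start, ad_login, ttl):
            return ttl
    return None


# Constructed sample events (time = seconds since an arbitrary epoch).
RDP_START        = {"time": 0,   "src": "1.1.1.1", "dst": "2.2.2.2", "dport": 3389, "subtype": "Start"}
LOGIN_SAME_BATCH = {"time": 40,  "src": "2.2.2.2", "dst": "3.3.3.3", "subtype": "Success"}
LOGIN_NEXT_BATCH = {"time": 620, "src": "2.2.2.2", "dst": "3.3.3.3", "subtype": "Success"}
LOGIN_OTHER_HOST = {"time": 40,  "src": "6.6.6.6", "dst": "3.3.3.3", "subtype": "Success"}


if __name__ == "__main__":
    for ttl in (60, 600, 900):
        print(f"TTL {ttl:>3}s: same batch -> {run_chain(RDP_START, LOGIN_SAME_BATCH, ttl)}, "
              f"next batch -> {run_chain(RDP_START, LOGIN_NEXT_BATCH, ttl)}")
    print("smallest TTL that survives a batch boundary:",
          minimum_working_ttl(RDP_START, LOGIN_NEXT_BATCH, (60, 300, 600, 900)))   # 600
```

Under this model a one-minute TTL only works when both events land in the same ten-minute pull; once the login falls in the next pull, the entry has already expired, and the smallest TTL that still matches equals the pull interval, which is the "minimum 10 min" the last reply recommends. The unrelated 6.6.6.6 login never matches because it is not on the watchlist, regardless of TTL.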