Interesting Correlation Rule to be created

Hello Experts,

We have fed McAfee ePO logs, AD logs and Check Point Firewall logs to McAfee ESM.

Now I would like to create a rule which will trigger when the points below are satisfied within a 15-minute time frame.

1) suspicious outbound/inbound connections happened ( Firewall Logs )

2) Virus got dropped to a machine ( ePO Logs )

3) Abnormal logs from AD ( If any )

Can anybody help me create a rule for the above? Let me know if any other details are required. Thanks in advance.

1 Reply
xded

Re: Interesting Correlation Rule to be created

hi,

1) You have something like this and you have a correlation with the watchlist and your logs from your firewall.

2) You need this list https://kc.mcafee.com/corporate/index?page=content&id=KB52417 of all Signature IDs from ePO in the SIEM. With this ID you can set up an alarm or a correlation rule and then an alarm.

3) Maybe AD Zone Transfer
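As an added illustration (not part of either post, and not ESM rule syntax), the logic the question asks for and the watchlist approach from the reply, written as a small Python correlation over constructed sample events: a firewall connection to a watchlisted address and an ePO detection on the same host within 15 minutes raise one alert, with any AD events in that window attached as context. Event layout, host names and addresses are all assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
# Constructed watchlist of addresses the firewall hits should match (TEST-NET range).
WATCHLIST = {"203.0.113.7"}
# Constructed sample events, not real logs: (timestamp, source, host, detail).
# For firewall rows the detail is the remote address; for ePO/AD it is a short description.
EVENTS = [
    ("2024-01-01 10:00:00", "firewall", "ws-01", "203.0.113.7"),
    ("2024-01-01 10:05:00", "epo", "ws-01", "malware detected"),
    ("2024-01-01 10:09:00", "ad", "ws-01", "4740 account lockout"),
    ("2024-01-01 10:02:00", "firewall", "ws-02", "198.51.100.9"),  # not on watchlist
    ("2024-01-01 10:04:00", "epo", "ws-02", "malware detected"),
    ("2024-01-01 11:00:00", "firewall", "ws-03", "203.0.113.7"),
    ("2024-01-01 11:30:00", "epo", "ws-03", "malware detected"),  # outside window
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, watchlist, window=WINDOW):
    """One alert per host where a watchlist firewall hit and an ePO detection
    fall within `window` of each other; AD events in that window are attached
    as optional context (the question's "if any")."""
    by_host = defaultdict(lambda: defaultdict(list))
    for ts, source, host, detail in events:
        if source == "firewall" and detail not in watchlist:
            continue  # only connections to watchlisted addresses count as suspicious
        by_host[host][source].append((parse(ts), detail))
    alerts = []
    for host, groups in by_host.items():
        for fw_time, dst in groups["firewall"]:
            near_epo = [d for t, d in groups["epo"] if abs(t - fw_time) <= window]
            if not near_epo:
                continue
            ad = [d for t, d in groups["ad"] if abs(t - fw_time) <= window]
            alerts.append({"host": host, "dst": dst, "epo": near_epo, "ad": ad})
            break  # first matching pair is enough for one alert per host
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, WATCHLIST):
        print(alert)
```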