Looping correlation rules

Hi all,

We have an ESM/ERC combo box, and no ACE.  Our correlation engine is another data source on our receiver. 

Some out-of-the-box correlation rules have Normalization IDs which are the same as a match component.  For instance, the rule matches on events with a Normalization ID of "malware."  However, the rule itself creates an event with the Normalization ID of "malware." 

Under the right circumstances, this can lead to rules triggering off their own events, leading to infinite loops and multitudes of events being created. 

Has anyone else dealt with this problem, and how have you resolved it?  My usual method is to change the Normalization ID of the correlation rule; for instance I might change "malware" to "suspicious activity." 

Another technique that seems like it would be effective would be to include the match component "Device ID Not In Correlation Engine."

I'm interested to hear people's thoughts.

Thank you!

- Steve

Accepted Solution

brenta (Reliable Contributor), Message 2 of 3

Re: Looping correlation rules

"Device ID Not In Correlation Engine" does seem like your best answer.

One of the disadvantages of not having a dedicated ACE is the lack of "Filters", which are basically rule sets you can place on individual correlation engines as to what events they will evaluate. They basically have all of the capacity of a filter component in a correlation rule. On the receiver-based correlation, the only option you have when it comes to filtering is local events.

Brent
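As an added illustration (not from the thread or from McAfee), here is a small Python model of the feedback loop Steve describes and of the two mitigations discussed above: renaming the rule's output Normalization ID, and the "Device ID Not In Correlation Engine" match component Brent endorses. The device ids, rule fields and sample events are constructed stand-ins, not ESM data.

```python
"""Toy correlation engine: a rule whose output Normalization ID equals its
match component re-triggers on its own events; each mitigation from the
thread breaks the loop. Constructed example with simplified field names."""
from dataclasses import dataclass
ENGINE_DEVICE_ID = "corr-engine-01"  # constructed id of the correlation engine data source

@dataclass(frozen=True)
class Event:
    norm_id: str    # Normalization ID, e.g. "malware"
    device_id: str  # device that produced the event

@dataclass(frozen=True)
class Rule:
    match_norm_id: str                   # match component: Normalization ID == ...
    output_norm_id: str                  # Normalization ID given to the correlated event
    exclude_engine_events: bool = False  # "Device ID Not In Correlation Engine"

    def matches(self, ev: Event) -> bool:
        if self.exclude_engine_events and ev.device_id == ENGINE_DEVICE_ID:
            return False
        return ev.norm_id == self.match_norm_id

def run_engine(rule: Rule, incoming: list, max_rounds: int = 25) -> tuple:
    """Evaluate the rule; correlated events are fed back in, as they are when
    the engine is a data source on the receiver. Returns (events produced,
    runaway) where runaway means the feedback had not died out after max_rounds."""
    queue, produced, rounds = list(incoming), 0, 0
    while queue and rounds < max_rounds:
        rounds += 1
        queue = [Event(rule.output_norm_id, ENGINE_DEVICE_ID)
                 for ev in queue if rule.matches(ev)]
        produced += len(queue)
    return produced, bool(queue)

# Constructed sample batch: one AV detection and one unrelated logon.
SAMPLE = [Event("malware", "endpoint-av-01"), Event("logon", "dc-01")]

def self_triggering() -> tuple:           # output == match: loops until cut off
    return run_engine(Rule("malware", "malware"), SAMPLE)  # (25, True)

def renamed_output() -> tuple:            # Steve's fix: rename the rule's output ID
    return run_engine(Rule("malware", "suspicious activity"), SAMPLE)  # (1, False)

def device_filtered() -> tuple:           # "Device ID Not In Correlation Engine"
    return run_engine(Rule("malware", "malware", exclude_engine_events=True), SAMPLE)  # (1, False)

if __name__ == "__main__":
    for fn in (self_triggering, renamed_output, device_filtered):
        produced, runaway = fn()
        print(f"{fn.__name__:16s} produced={produced:3d} runaway={runaway}")
```

The runaway flag is the thing to watch for in a real deployment: a correlated-event count that keeps climbing with no new source events is the symptom of a rule consuming its own output.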

Re: Looping correlation rules

Thanks very much, Brent!

Best regards,

- Steve
