
Looping correlation rules

Hi all,

We have an ESM/ERC combo box, and no ACE.  Our correlation engine is another data source on our receiver. 

Some out-of-the-box correlation rules have Normalization IDs which are the same as a match component.  For instance, the rule matches on events with a Normalization ID of "malware."  However, the rule itself creates an event with the Normalization ID of "malware." 

Under the right circumstances, this can lead to rules triggering off their own events, leading to infinite loops and multitudes of events being created. 

Has anyone else dealt with this problem, and how have you resolved it?  My usual method is to change the Normalization ID of the correlation rule; for instance I might change "malware" to "suspicious activity." 

Another technique that seems like it would be effective would be to include the match component "Device ID Not In Correlation Engine."

I'm interested to hear people's thoughts.

Thank you!

- Steve


Accepted Solution

brenta (Reliable Contributor)

Re: Looping correlation rules

"Device ID Not In Correlation Engine" does seem like your best answer.

One of the disadvantages of not having a dedicated ACE is the lack of "Filters", which are basically rule sets you can place on individual correlation engines as to what events they will evaluate. They basically have all of the capacity of a filter component in a correlation rule. On receiver-based correlation, the only option you have when it comes to filtering is local events.


Brent
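As an added illustration (not code from this thread or from McAfee), here is a small Python model of the feedback loop Steve describes and of the two mitigations discussed: renaming the rule's output Normalization ID, and excluding events whose Device ID is the correlation engine. The device IDs, field names and the "events fed back as a new data source" behaviour are assumptions of the model, not ESM internals.

```python
# Constructed model of a receiver-hosted correlation engine; all names are assumed.
from dataclasses import dataclass

# Assumed Device ID that the engine stamps on the correlated events it creates.
CORR_ENGINE_DEVICE_ID = "correlation-engine"


@dataclass(frozen=True)
class Event:
    device_id: str
    norm_id: str  # Normalization ID, e.g. "malware"


@dataclass
class Rule:
    match_norm_id: str            # match component: Normalization ID == this
    output_norm_id: str           # Normalization ID of the event the rule creates
    exclude_engine_events: bool = False  # models "Device ID Not In Correlation Engine"

    def matches(self, ev: Event) -> bool:
        if self.exclude_engine_events and ev.device_id == CORR_ENGINE_DEVICE_ID:
            return False
        return ev.norm_id == self.match_norm_id

    def fire(self) -> Event:
        return Event(CORR_ENGINE_DEVICE_ID, self.output_norm_id)


def run_engine(rule: Rule, seed_events, max_rounds: int = 10):
    """Evaluate the rule over the seed events; every correlated event is fed back
    in as a new event (the engine is itself a data source on the receiver).
    Returns (correlated events produced, True if still producing after max_rounds)."""
    queue = list(seed_events)
    produced = 0
    rounds = 0
    while queue and rounds < max_rounds:
        rounds += 1
        queue = [rule.fire() for ev in queue if rule.matches(ev)]
        produced += len(queue)
    looped = bool(queue)  # output still feeding the input after the round cap
    return produced, looped


if __name__ == "__main__":
    seed = [Event("endpoint-01", "malware")]  # constructed sample event
    print(run_engine(Rule("malware", "malware"), seed))                        # (10, True)
    print(run_engine(Rule("malware", "suspicious activity"), seed))            # (1, False)
    print(run_engine(Rule("malware", "malware", exclude_engine_events=True), seed))  # (1, False)
```

The first run is the self-triggering rule, cut off only by the round cap; the other two stop after the one legitimate correlated event.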

Re: Looping correlation rules

Thanks very much, Brent!

Best regards,

- Steve
