I need to create a correlation rule which reacts when a user logs on from a new IP address (new for that user). Number of users: 700+. Each of them has 1-2 source logon IPs.
For example I have whitelisted pairs like:
and want to get a correlation event when User2 logs on from 10.1.1.3 or 10.1.5.1, for example. The number of users is 700+.
Can you please advise me how to realize this using McAfee ESM 11.2 (or 11.4) without creating a very long correlation rule with hundreds of AND+OR elements?
Could you implement a custom parser rule and parse a new field which is a combined string "username-ipaddress", then compare that with a combined-string watchlist?
> custom parser rule
Yes, I thought about this. But there was the question (I am new to ESM): if I create an additional parsing rule, will the original parsing rule still be processed (for example for Windows logon event 4624)? Or does the parsing engine try to apply all rules to all events of this device type, not only the first matching one? Or must I rewrite the original parsing rule to add the field "user+ip"?
All enabled parsing rules are processed, so you would need to disable the existing parser rule to use your new rule.
You had not stated before that this was for Windows events; this adds an additional challenge. To use custom parsing rules for Windows events you need to send them via syslog - see https://community.mcafee.com/t5/Security-Information-and-Event/Parsing-WMI-Events/m-p/458052#M3586 for an implementation another customer used.
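To make the "combined string watchlist" approach from the replies concrete, here is an added Python example (not from the thread or from McAfee ESM) that does offline what the suggested parser rule plus watchlist would do inside ESM: build "username-ipaddress" keys from the per-user whitelist, extract the user and source IP from each successful logon (event ID 4624), and flag any pair that is not on the list. The whitelist, the log lines and their layout are constructed for this example; the field names TargetUserName and IpAddress follow the Windows 4624 event schema, but the one-line syslog format is an assumption. Local logons, where 4624 reports IpAddress as "-", are skipped rather than flagged.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed whitelist (not the poster's data): each user has 1-2 known source IPs.
ALLOWED_PAIRS: Dict[str, Set[str]] = {
    "User1": {"10.1.1.1", "10.1.1.2"},
    "User2": {"10.1.2.1"},
    "User3": {"10.1.3.1", "10.1.3.2"},
}

# Constructed syslog-style lines standing in for forwarded 4624/4625 events.
# The line layout is an assumption for this example, not the ESM syslog format.
SAMPLE_LOGS: List[str] = [
    "EventID=4624 TargetUserName=User1 IpAddress=10.1.1.1",   # known pair
    "EventID=4624 TargetUserName=User2 IpAddress=10.1.2.1",   # known pair
    "EventID=4624 TargetUserName=User2 IpAddress=10.1.1.3",   # new IP for User2
    "EventID=4624 TargetUserName=User3 IpAddress=10.1.5.1",   # new IP for User3
    "EventID=4624 TargetUserName=User1 IpAddress=-",          # local logon, no source IP
    "EventID=4625 TargetUserName=User1 IpAddress=10.9.9.9",   # failed logon, not a 4624
    "EventID=4624 TargetUserName=User4 IpAddress=10.1.4.1",   # user not on the whitelist
]

LINE_RE = re.compile(r"EventID=(\d+)\s+TargetUserName=(\S+)\s+IpAddress=(\S+)")


def build_watchlist(allowed: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the per-user whitelist into the combined 'username-ipaddress' strings
    that a watchlist compare would use (one entry per allowed pair)."""
    return {f"{user}-{ip}" for user, ips in allowed.items() for ip in ips}


def parse_logon(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, ip) for a successful network logon line, else None.
    Non-4624 events and local logons (IpAddress '-') are ignored."""
    m = LINE_RE.search(line)
    if not m or m.group(1) != "4624":
        return None
    user, ip = m.group(2), m.group(3)
    if ip == "-":
        return None
    return user, ip


def find_new_ip_logons(lines: List[str],
                       allowed: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, ip, reason) for every successful logon whose combined key
    is absent from the watchlist; reason distinguishes unknown users from
    known users on a new source IP."""
    watchlist = build_watchlist(allowed)
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_logon(line)
        if parsed is None:
            continue
        user, ip = parsed
        if f"{user}-{ip}" not in watchlist:
            reason = "unknown user" if user not in allowed else "new source IP"
            hits.append((user, ip, reason))
    return hits


if __name__ == "__main__":
    for user, ip, reason in find_new_ip_logons(SAMPLE_LOGS, ALLOWED_PAIRS):
        print(f"ALERT ({reason}): {user} logged on from {ip}")
```

The watchlist stays a flat set of strings, so 700 users with one or two IPs each is about a thousand entries and the compare is a single set lookup per event, which is the point of the reply's suggestion versus a correlation rule with hundreds of AND/OR branches. One caveat when building the combined key: if user names can themselves contain "-", pick a separator that cannot appear in either field so two different pairs cannot collide on the same string.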