Multi-Tenant Correlation Rules Triggering for Wrong Tenant

Hi All,

 

We have a problem with our multi-tenant SIEM setup. We've set up two customers, Tenant A and Tenant B, with their own receivers and their own correlation engine on the shared ACE. Tenant A has been fully on-boarded with data sources; Tenant B will soon be on-boarded. Zones were set up for both tenants, and Tenant A has subzones set up recently based on IP ranges. In the Zones setup, only the devices associated with each tenant are selected for their respective zone. Separate policies exist for each tenant, although some rules are unchanged copies of the default McAfee rules, and the correlation engine has the appropriate zone selected.

 

However, Tenant B correlation engine/rules keep correlating on events coming from Tenant A data sources (data sources under Tenant A receiver). For instance, if a user has logged in from multiple geolocations the correlation rule "User Logon from Multiple Geolocations" triggers from both the Tenant A and Tenant B correlation engines/policies, even though the source events have only come from Tenant A data sources to the Tenant A receiver.

 

Has anyone else had this issue and fixed it, or have any ideas on how to fix this?

Any help is greatly appreciated :)

Accepted Solution

akerr (Reliable Contributor), Message 3 of 5

Re: Multi-Tenant Correlation Rules Triggering for Wrong Tenant


Here's how we've done it.

 

First, created a dedicated correlation engine for each customer:

ACE Properties -> Correlation Management

Add a rule correlation for Customer A, name it, enable events, flows, logging, etc. as needed and assign the zone. Under Filters, select only that customer's receiver(s).

Repeat for Customer B.

 

Next, in the policy editor, you want to set your rules disabled at the default policy level. Then drill down to the policy for the customer-specific correlation engine. At this level, set the policy to "block inheritance", which will enable it, but only for that correlation engine.
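To make the two halves of this answer concrete, here is a small model of the scoping logic it describes, written as an added example for this thread rather than anything from McAfee ESM or the poster. It assumes a simplified behaviour (a correlation engine sees every event whose receiver passes its filter, an empty filter meaning "all receivers", and a rule is evaluated only if it resolves to enabled after walking the policy chain default -> engine, where the engine level's own setting counts only when it blocks inheritance); receiver ids such as `rcv-A` and the logon events are constructed. Running it shows the symptom from the question (both engines flag the same Tenant A user when no receiver filter is set) and the effect of the fix (only Tenant A's engine fires), plus the trap of enabling a rule at the engine level without blocking inheritance.

```python
"""Toy model of per-tenant correlation scoping (constructed example, not ESM code).

Assumptions (not taken from the product): an engine processes every event
whose receiver passes its receiver filter, an empty filter meaning "all
receivers"; a rule runs only if it resolves to enabled along the policy
chain default -> engine, where a child's own setting counts only when it
blocks inheritance for that rule.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Event:
    receiver: str   # receiver the event arrived on (hypothetical ids below)
    user: str
    geo: str        # geolocation of the logon


@dataclass(frozen=True)
class Engine:
    name: str
    receiver_filter: FrozenSet[str] = frozenset()  # empty = accept everything

    def accepts(self, ev: Event) -> bool:
        return not self.receiver_filter or ev.receiver in self.receiver_filter


@dataclass
class PolicyNode:
    enabled: Dict[str, bool]                          # explicit rule settings
    block_inheritance: FrozenSet[str] = frozenset()   # rules overriding parent


RULE = "User Logon from Multiple Geolocations"


def rule_enabled(rule: str, chain: List[PolicyNode]) -> bool:
    """Resolve a rule along default -> engine policy; unset means disabled."""
    state = chain[0].enabled.get(rule, False)
    for node in chain[1:]:
        if rule in node.block_inheritance:      # only then does the child's value win
            state = node.enabled.get(rule, state)
    return state


def multi_geo_logons(events: List[Event], threshold: int = 2) -> Set[str]:
    """Users seen logging on from at least `threshold` distinct geolocations."""
    geos: Dict[str, Set[str]] = {}
    for ev in events:
        geos.setdefault(ev.user, set()).add(ev.geo)
    return {user for user, seen in geos.items() if len(seen) >= threshold}


def run(engines: List[Engine], policies: Dict[str, PolicyNode],
        events: List[Event], rule: str = RULE) -> Dict[str, Set[str]]:
    """Per engine: which users the rule flags, honouring filter and policy."""
    alarms: Dict[str, Set[str]] = {}
    for eng in engines:
        if not rule_enabled(rule, [policies["default"], policies[eng.name]]):
            alarms[eng.name] = set()
            continue
        scoped = [ev for ev in events if eng.accepts(ev)]   # receiver filter
        alarms[eng.name] = multi_geo_logons(scoped)
    return alarms


# Constructed sample: every logon arrives on Tenant A's receiver only.
EVENTS = [
    Event("rcv-A", "alice", "DE"),
    Event("rcv-A", "alice", "US"),
    Event("rcv-A", "bob", "DE"),
]

# Rule disabled at default level, re-enabled per engine with inheritance blocked.
POLICIES = {
    "default": PolicyNode({RULE: False}),
    "Tenant A": PolicyNode({RULE: True}, frozenset({RULE})),
    "Tenant B": PolicyNode({RULE: True}, frozenset({RULE})),
}

# The situation from the question: zones assigned, but no receiver filter.
UNFILTERED = [Engine("Tenant A"), Engine("Tenant B")]
# The fix: each engine filtered to its own customer's receiver(s).
FILTERED = [Engine("Tenant A", frozenset({"rcv-A"})),
            Engine("Tenant B", frozenset({"rcv-B"}))]

if __name__ == "__main__":
    print("no filter:", run(UNFILTERED, POLICIES, EVENTS))
    print("filtered: ", run(FILTERED, POLICIES, EVENTS))
```

The second policy check in the test below is the point of the "block inheritance" step: an engine-level node that merely sets the rule to enabled still inherits the disabled default, so the rule silently never fires for that tenant.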

4 Replies

DavA (Level 9), Message 2 of 5

Re: Multi-Tenant Correlation Rules Triggering for Wrong Tenant

Hi, I know it's not recommended to add the correlation to the receiver itself, but if you do so, there's an option to check "Only correlate data that is generated for this receiver."

 

[Attached screenshot: COrrelatioN.PNG]

 


Re: Multi-Tenant Correlation Rules Triggering for Wrong Tenant

Thank you!

We hadn't added to the filter section as we thought it was only optional if the correct data sources were applied to each zone.

