SIEM Correlation Rule: Increasing Number of Malware Events Occurring on Internal Hosts

Hello,

May I ask if it's okay to just disable this rule? Based on my observation, there is no useful info that can be seen in the packet: no malware name, no malware type. Or can someone recommend the right tuning for this rule? Please see the attached screenshot:

[Attachment: correlation rule.PNG]


Re: SIEM Correlation Rule: Increasing Number of Malware Events Occurring on Internal Hosts

Hi.

It's a Generic Rule...

And right, most of the Generic Rules don't trigger at all, or trigger multiple times as "false".

In order to set up a good customized Correlation Rule you will need to go through all of your logs that represent "Malware" and double-check that they are assigned to the right Normalized category

(in our case "Malware").


Best Regards 👍👍👍

David.


Re: SIEM Correlation Rule: Increasing Number of Malware Events Occurring on Internal Hosts

Oh what a horrible rule. I assume it came from a content pack?

As David said, a lot of the pre-canned rules from content packs, etc. all heavily rely on normalization. If you are not normalizing all of your data sources' event types, these kinds of rules are mostly useless; they will either never trigger or fire at times you are not expecting.

When it comes to correlation rules you really have 2 main approaches.

  1. Normalize all incoming data into the McAfee classifications. Tons of work, as updated devices can start sending new kinds of events.
  2. Don't attempt to use normalization and instead base things on devices.

I'll give an example here.

Let's say we want to define a correlation rule that triggers on 5 failed login attempts within a minute to a firewall. Using the first technique, we could make a rule like the one you have posted.

Group by: Device ID
AND GROUP
Threshold: 5
Time Window 1 minute
[FILTER: Device Type IN (Firewall), Normalization Rule: IN (Authentication), Event Subtype IN (failure, ...)]

This would require you to make sure packets/events are correctly marked as Authentication packets. Removing that filter component would trigger on all kinds of other events, such as: a failure to forward packets, a failure to add a rule, a failure to save configuration, etc.

However, if you know some things about your firewalls, let's say they are "dumb" firewalls just doing Layer 3/4 stuff:

Group by: Device ID
AND GROUP
Threshold: 5
Time Window 1 minute
[FILTER: Signature ID IN (VAR:Firewall Login Sigs), Event Subtype IN (failure, ...)]

This way you can just keep a list of signature IDs you want to evaluate against this rule; looking at the firewall's events would be the first step in normalizing the rules anyway. It's a lot faster: one of the fastest-performing indexes in the Nitro database is the composite key on device ID and signature ID.

If your firewalls are "dumb" and don't know about users, then you can probably just say something like "does not contain source user '{}'" and skip the whole signature ID process. It really depends on the devices and data you are getting; any SIEM is not a one-size-fits-all solution.

Brent
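The two rule shapes Brent lays out (a normalization-based filter versus a maintained signature-ID list), and David's point that a normalization-based rule is only as good as the category assignment of the underlying logs, can be tried out with a small sliding-window correlator. This is an added example in Python, not McAfee ESM code or anything from the thread: the event fields, device names (fw-01 etc.) and signature IDs such as fw_login_fail are constructed for illustration, and the fact that half of fw-01's login failures arrive with an Unknown category stands in for a data source whose events were never normalized.

```python
"""Sliding-window threshold correlation over constructed SIEM events.

Added example, not McAfee ESM code. Models the rule from the thread
(Group by Device ID, Threshold 5, Time Window 1 minute) with three filters:
the normalization-based one, the same rule with the normalization component
removed, and the signature-ID-list variant.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 12, 0, 0)


def ev(device_id, device_type, sig_id, category, subtype, offset_s):
    """Build one constructed event; field names are hypothetical, not real ESM fields."""
    return {"device_id": device_id, "device_type": device_type, "sig_id": sig_id,
            "category": category, "subtype": subtype, "ts": T0 + timedelta(seconds=offset_s)}


SAMPLE_EVENTS = (
    # fw-01: six login failures in 50 s, but only the first three were normalized
    # into the Authentication category; the rest came through as Unknown.
    [ev("fw-01", "Firewall", "fw_login_fail", "Authentication", "failure", s) for s in (0, 10, 20)]
    + [ev("fw-01", "Firewall", "fw_login_fail", "Unknown", "failure", s) for s in (30, 40, 50)]
    # fw-01 also failed to save its configuration twice; subtype is still "failure".
    + [ev("fw-01", "Firewall", "fw_cfg_save_fail", "Configuration", "failure", s) for s in (5, 15)]
    # fw-02: five login failures, but spread over 160 s, so never five inside one minute.
    + [ev("fw-02", "Firewall", "fw_login_fail", "Authentication", "failure", s) for s in (0, 40, 80, 120, 160)]
    # fw-03: five configuration-save failures in 40 s and no login activity at all.
    + [ev("fw-03", "Firewall", "fw_cfg_save_fail", "Configuration", "failure", s) for s in (0, 10, 20, 30, 40)]
)


# Approach 1: rely on normalization (Device Type, Normalization Rule, Event Subtype).
def normalized_filter(e):
    return e["device_type"] == "Firewall" and e["category"] == "Authentication" and e["subtype"] == "failure"


# Approach 1 with the Normalization Rule component removed, which Brent warns against.
def naive_filter(e):
    return e["device_type"] == "Firewall" and e["subtype"] == "failure"


# Approach 2: a maintained list of signature IDs (the thread's VAR:Firewall Login Sigs).
FIREWALL_LOGIN_SIGS = {"fw_login_fail"}  # hypothetical signature IDs


def signature_filter(e):
    return e["sig_id"] in FIREWALL_LOGIN_SIGS and e["subtype"] == "failure"


def correlate(events, match, threshold=5, window=timedelta(minutes=1), group_by="device_id"):
    """Group matching events by `group_by` and alert when `threshold` of them fall
    inside a sliding `window`. The group's buffer is cleared after an alert so one
    burst yields one alert rather than one per additional event."""
    buffers = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not match(e):
            continue
        key = e[group_by]
        buf = buffers[key]
        buf.append(e["ts"])
        while buf and buf[0] < e["ts"] - window:   # drop events that fell out of the window
            buf.popleft()
        if len(buf) >= threshold:
            alerts.append((key, e["ts"]))
            buf.clear()
    return alerts


def demo():
    """Run all three rule variants over the constructed events; returns name -> alerts."""
    return {
        "normalized": correlate(SAMPLE_EVENTS, normalized_filter),
        "naive": correlate(SAMPLE_EVENTS, naive_filter),
        "signature": correlate(SAMPLE_EVENTS, signature_filter),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:>10}: {[(d, int((t - T0).total_seconds())) for d, t in alerts]}")
```

Running it shows the three outcomes the thread describes: the normalization-based rule never fires, because only three of fw-01's login failures carry the Authentication category; dropping the category filter makes it fire on fw-01 early (login and configuration failures mixed together) and, falsely, on fw-03, which never saw a login; the signature-ID list fires exactly once, on fw-01 at the fifth login failure, regardless of how the events were categorized.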