leone
Level 7
Message 1 of 4

Siem Alarm


Hi,

I've made an alarm that triggers on events with severity greater than 80, and it all works fine!

Now I'd like to make an alarm that triggers on events with severity greater than 80 and with an Event Count greater than 30.

Among the event fields I didn't find the correct one; the field "count" doesn't work:

Has anyone a tip?

Thanks

Luca

1 Solution

Accepted Solutions
xded
Level 12
Message 2 of 4

Re: Siem Alarm


Go to your Correlation --> new Correlation rule --> set a new AND operator --> add a filter rule with Severity > 80 --> open the configuration of your AND operator and add your threshold of 30.

Add a correlation rule name and change the default Normalization. Save the rule, copy its Signature ID and paste it in your new Alarm with the condition Internal Event match.
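The flow xded describes (filters joined by an AND operator, a threshold on the AND operator, a correlation rule that emits an internal event with its own Signature ID, and an Alarm matching that ID with the Internal Event condition) modelled as an added Python example; this is not code from the thread or from McAfee ESM. The 600-second window, the Event shape and all signature IDs are assumptions or placeholders, and the second rule covers the signature-ID-plus-count variant asked in the follow-up post.

```python
from collections import deque, namedtuple

# Constructed event shape (not ESM's real schema): epoch seconds, severity, source signature ID.
Event = namedtuple("Event", "time severity signature_id")

class ThresholdRule:
    """Correlation rule: an AND operator over filters plus a threshold. Emits one internal
    event carrying the rule's own Signature ID once `threshold` matching events arrive
    within `window` seconds (the time window is an assumption; the thread only gives the count)."""
    def __init__(self, name, signature_id, filters, threshold, window):
        self.name, self.signature_id = name, signature_id
        self.filters, self.threshold, self.window = filters, threshold, window
        self._hits = deque()  # timestamps of events that matched every filter

    def feed(self, ev):
        """Return an internal correlation event (dict) when the threshold trips, else None."""
        if not all(f(ev) for f in self.filters):      # the AND operator
            return None
        self._hits.append(ev.time)
        while ev.time - self._hits[0] > self.window:  # drop hits that fell out of the window
            self._hits.popleft()
        if len(self._hits) < self.threshold:
            return None
        self._hits.clear()  # one burst -> one correlation event
        return {"signature_id": self.signature_id, "rule": self.name,
                "count": self.threshold, "time": ev.time}

def build_rules():
    """Fresh rule objects (they keep state between events). Signature IDs are placeholders."""
    return [
        # Accepted answer: Severity > 80, threshold 30.
        ThresholdRule("High severity burst", "CORR-SIG-PLACEHOLDER-1",
                      [lambda e: e.severity > 80], threshold=30, window=600),
        # Follow-up question: one source signature ID AND a severity filter, threshold 20.
        ThresholdRule("Kerberos pre-auth failures", "CORR-SIG-PLACEHOLDER-2",
                      [lambda e: e.signature_id == "SRC-SIG-KRB-PREAUTH-FAIL",
                       lambda e: e.severity > 50], threshold=20, window=600),
    ]

def alarm_hits(events, rules, alarm_signature_id):
    """Alarm side: condition 'Internal Event match' on one correlation rule's Signature ID."""
    fired = []
    for ev in events:
        for rule in rules:
            internal = rule.feed(ev)
            if internal and internal["signature_id"] == alarm_signature_id:
                fired.append(internal)
    return fired

# Constructed sample: one event per second for a minute; every third one is low-severity noise.
SAMPLE = [Event(t, 90 if t % 3 else 10, "SRC-SIG-KRB-PREAUTH-FAIL") for t in range(60)]
```

Running `alarm_hits(SAMPLE, build_rules(), "CORR-SIG-PLACEHOLDER-1")` raises the severity alarm once (at the 30th high-severity event), while the same sample trips the 20-count Kerberos rule twice.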

3 Replies

leone
Level 7
Message 3 of 4

Re: Siem Alarm


Works! Many thanks

Re: Siem Alarm


Hi xded,

Thanks for your help. Just to be sure:

if you want to group 1 signature ID (for example Kerberos pre-authentication failed) and 1 criterion on event count (more than 20),

you have to:

1) in the Correlation rule, add an AND operator; then add the signature ID filter of our rule and a Severity filter > x?

2) Click on edit on the AND operator and select the threshold we want?

3) Name our correlation rule and ..choose which normalization? (undefined could be ok?)

4) Then save and copy the Signature ID xxx of the correlation that we've created

5) create an alarm on the signature ID xxx with the Internal Event condition?

Thank you in advance,
