Tuning question - Field Match Alarms

Hi all,

Does it make sense to apply a field match alarm to a correlation engine (i.e., include the correlation engine on the Devices tab?)

We have a field match alarm which matches on a normalization in "malware."  Today, we had a series of events which matched a "Conficker" correlation rule.  The correlation engine created an event, and the field match alarm sent an email.  All fine.

However, there is another correlation rule, "worm activity on an internal host."  This rule saw the event created by the first rule and *also* created an event.  And the field match alarm sent another email.

Then, for reasons that are still unclear, the field match alarm kept firing, citing the same correlation rule events.  It eventually looped itself out. 

Is this the way things should be set up?  Or should field match alarms only apply to "direct" data sources (i.e., the servers, etc.), and should Internal Event alarms be used for correlation rules?

Any help is appreciated.

Thanks,

- Steve

Accepted Solutions
David1111
Reliable Contributor
Message 2 of 3

Re: Tuning question - Field Match Alarms

Hi

try configuring the Alarm for "Internal Event Match"

set the "field" to "Signature ID"

and insert in the "Values" the correlation Signature ID.

there's no sense configuring a field match alarm when your correlation engine is working fine.

Best regards

David
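To make the duplicate-email behaviour concrete, here is an added Python model of the pipeline Steve describes (it is not code from the thread or from McAfee ESM): raw "malware" events feed a correlation engine, a "Conficker" rule emits an event, a "worm activity" rule chains off that event, and each alarm type is evaluated against everything that flows through. Device names, signature ids and the simplified rule logic are all constructed assumptions.

```python
# Added example, not part of the thread or of McAfee ESM: a toy model of the
# alarm behaviour Steve describes, to show why David's advice avoids duplicates.
# Assumptions: every event carries a source device, a normalization category and
# a signature id; correlation rules consume events and emit new events whose
# source device is the correlation engine itself.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    device: str   # data source that produced the event
    norm: str     # normalization category, e.g. "malware"
    sig_id: int   # signature / rule id


ENGINE = "correlation_engine"   # constructed device name
CONFICKER_RULE = 47_000_001     # constructed ids, not real ESM values
WORM_RULE = 47_000_002


def correlate(event):
    """Emit follow-on events for the two correlation rules named in the thread."""
    out = []
    if event.norm == "malware" and event.device != ENGINE:
        out.append(Event(ENGINE, "malware", CONFICKER_RULE))
    if event.sig_id == CONFICKER_RULE:   # second rule chains off the first
        out.append(Event(ENGINE, "malware", WORM_RULE))
    return out


def field_match_alarm(event, devices, norm="malware"):
    """Field match alarm: fires on any event from the listed devices with norm."""
    return event.device in devices and event.norm == norm


def internal_event_alarm(event, sig_ids):
    """Internal Event Match alarm keyed on Signature ID, as David recommends."""
    return event.sig_id in sig_ids


def run(raw_events, alarm, max_rounds=5):
    """Push raw events through correlation; return how many emails the alarm sends."""
    emails, queue = 0, list(raw_events)
    for _ in range(max_rounds):
        if not queue:
            break
        emails += sum(alarm(e) for e in queue)
        queue = [child for e in queue for child in correlate(e)]
    return emails
```

With one firewall event as input, a field match alarm that includes the correlation engine on its Devices tab sends three emails (raw event, Conficker event, worm event), while scoping it to the firewall alone or using an Internal Event Match on the Conficker signature id sends one.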


2 Replies
Re: Tuning question - Field Match Alarms

Hi David,

Thank you.  That is helpful and confirms my suspicions about this configuration.

For another example, we have firewalls that send threat information directly to the ESM.  I assume that I still want to have a field match alarm on those particular data sources.  That way, I can be alerted immediately to these threat events.

Is that correct?

Thanks,

- Steve
