Does it make sense to apply a field match alarm to a correlation engine (i.e., include the correlation engine on the Devices tab?)
We have a field match alarm which matches on a normalization in "malware." Today, we had a series of events which matched a "Conficker" correlation rule. The correlation engine created an event, and the field match alarm sent an email. All fine.
However, there is another correlation rule, "worm activity on an internal host." This rule saw the event created by the first rule and *also* created an event. And the field match alarm sent another email.
Then, for reasons that are still unclear, the field match alarm kept firing, citing the same correlation rule events. It eventually looped itself out.
Is this the way things should be set up? Or should field match alarms only apply to "direct" data sources (i.e., the servers, etc.) and should Internal Event alarms be used for correlation rules?
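The following is an added toy model of the situation described in the question; it is not code from the thread or from McAfee ESM. It assumes constructed device names (`fw1`, `ids1`), a correlation engine represented as a pseudo-device named `correlation`, and, as one hypothetical mechanism for the loop (the thread does not say why it happened), a second correlation rule whose predicate also matches its own output. The `internal_event_alarm` helper is a simplified stand-in that deduplicates by rule name, not a description of how ESM's Internal Event alarms actually work.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    source: str          # producing device: a direct data source or the correlation engine
    normalization: str   # normalized category, e.g. "malware"
    signature: str       # sensor signature, or the correlation rule name for engine output


DIRECT_SOURCES = {"fw1", "ids1"}   # constructed device names (assumption)
CORRELATION = "correlation"        # the correlation engine modelled as a pseudo-device


@dataclass(frozen=True)
class CorrelationRule:
    name: str
    matches: Callable[[Event], bool]


# Rule 1: a Conficker signature reported by a direct data source.
CONFICKER_RULE = CorrelationRule(
    "Conficker",
    lambda e: e.source in DIRECT_SOURCES and "conficker" in e.signature.lower(),
)
# Rule 2: any malware-normalized event produced by the correlation engine.
# Its own output satisfies this predicate, so it re-triggers on itself. This
# self-match is an assumed mechanism for the loop, not something the thread states.
WORM_RULE = CorrelationRule(
    "worm activity on an internal host",
    lambda e: e.source == CORRELATION and e.normalization == "malware",
)
RULES = (CONFICKER_RULE, WORM_RULE)


def run_correlation(raw: Iterable[Event], max_passes: int = 10) -> list[Event]:
    """Run the rules, re-injecting engine output as input so rules can chain.
    max_passes caps the feedback the way the real engine eventually 'looped itself out'."""
    events = list(raw)
    pending = list(events)
    for _ in range(max_passes):
        new = [Event(CORRELATION, "malware", rule.name)
               for e in pending for rule in RULES if rule.matches(e)]
        if not new:
            break
        events.extend(new)
        pending = new
    return events


def field_match_alarm(events: Iterable[Event], scope: set[str],
                      normalization: str = "malware") -> list[Event]:
    """One email per event whose source is in the alarm's device scope and
    whose normalization matches."""
    return [e for e in events if e.source in scope and e.normalization == normalization]


def internal_event_alarm(events: Iterable[Event], rule_names: set[str]) -> list[str]:
    """Simplified stand-in for an alarm keyed on correlation rule names: one
    notification per rule that fired. Deduplicating by rule name is this
    example's simplification, not a claim about ESM behaviour."""
    fired: list[str] = []
    for e in events:
        if e.source == CORRELATION and e.signature in rule_names and e.signature not in fired:
            fired.append(e.signature)
    return fired


RAW_EVENTS = [Event("ids1", "malware", "Conficker worm detected")]  # constructed sample


def compare_configurations() -> dict[str, int]:
    """Count notifications under each alarm setup for the same raw event."""
    events = run_correlation(RAW_EVENTS)
    return {
        "events_total": len(events),
        "field_match_with_engine": len(field_match_alarm(events, DIRECT_SOURCES | {CORRELATION})),
        "field_match_direct_only": len(field_match_alarm(events, DIRECT_SOURCES)),
        "internal_event_per_rule": len(internal_event_alarm(events, {r.name for r in RULES})),
    }


if __name__ == "__main__":
    for name, count in compare_configurations().items():
        print(f"{name}: {count}")
```

With the correlation engine included in the field match alarm's device scope, every engine-generated event that carries the "malware" normalization re-matches the alarm, so one raw event yields an email for each pass of the loop. Scoping the same alarm to the direct data sources only gives one email for the raw detection, and a rule-keyed alarm gives one notification per correlation rule that fired, which is the split the question proposes.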
Thank you. That is helpful and confirms my suspicions about this configuration.
For another example, we have firewalls that send threat information directly to the ESM. I assume that I still want to have a field match alarm on those particular data sources. That way, I can be alerted immediately to these threat events.