I need to save in a watchlist, several 'signature id' of correlation rules, to monitor those correlation rules. Thus, in the event that one of this list is triggered, the correlation rule that is monitoring it will be generated.
So we're doing this, to generate a cross-correlation.
Probably an easy solution to your problem, would be to create another correlation engine, filtering for ONLY other correlated events.
Device Type ID -> (Correlation Engine)
Then any rules you enable on that engine, can only correlate other correlated events. Be aware, by doing this you are basically creating "Component/Composite" rules.
What I need is: in a watchlist to save the signature id of a set of correlation rules (A ".) This watchlist, will be monitored by another correlation rule (B"), so when any rules of the contained are triggered in the watchlist, another correlation window is opened to validate if the data generated by the rule is repeated with events from another watchlist.
As I understand you are trying to create a hierarchy of correlation rules. This is not advisable and not "technically" possible (however there are ways to achieve this). This can easily create loops of rules that would fire forever, especially if you have watch lists involved that are updated automatically.
For the most part the correlation engines automatically filter any events that come from correlation engines, unless they are part of a composite rule.
You can probably achieve this effect another way. Do you have an example use case?
For example, I have several rules assigned to some phases that we have been using. (WEB EXPLOIT: PHASE01, MALWARE: PHASE02) what I want is the following, when a correlation rule of phase 01 is triggered, I want to activate another correlation rule (for a time x), which takes the basic data of the event triggered and compare them with the events that are unchaining. My purpose is that it can be spun between two or more events, which explode in different phases.
So I take it you are trying to implement some kind of kill-chain style detection?
So what was the reason for watchlists, do you need this for a large list of dynamically updated rules in each phase?
If your answers are yes, and no respectively, you can achieve this with components. To do this break the rules down into components, then create a correlation rule (including all previous components) for each phase you would like to explode on.
Exactly, what I'm looking for is to implement a model of the kill-chain type. My idea was to use watchlist, because with them I can update them automatically (DYNAMIC: ESM RULES NAME), in case any rule becomes part of a phase and does not have to be modifying the rules by components, each time it passes to production of this.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center