hanzch (Level 7)
Message 1 of 9

Watchlist Monitoring

Dear,

I need to save, in a watchlist, the 'signature ids' of several correlation rules, in order to monitor those correlation rules. Thus, when one of the rules in this list is triggered, the correlation rule that is monitoring the watchlist will be generated.

We're doing this to generate a cross-correlation.

8 Replies
brenta (Reliable Contributor)
Message 2 of 9

Re: Watchlist Monitoring

Probably an easy solution to your problem would be to create another correlation engine, filtering for ONLY other correlated events.

Device Type ID -> (Correlation Engine)

Then any rules you enable on that engine can only correlate other correlated events. Be aware that by doing this you are basically creating "Component/Composite" rules.

Brent
hanzch (Level 7)
Message 3 of 9

Re: Watchlist Monitoring

I did not want to use "Components" because I would have to choose each rule manually and the changes are not dynamic, whereas with the watchlist I have more actions available.

brenta (Reliable Contributor)
Message 4 of 9

Re: Watchlist Monitoring

Can you give an example of what you are trying to do?

Brent
hanzch (Level 7)
Message 5 of 9

Re: Watchlist Monitoring

What I need is to save, in a watchlist, the signature IDs of a set of correlation rules ("A"). This watchlist will be monitored by another correlation rule ("B"), so that when any of the rules contained in the watchlist is triggered, another correlation window is opened to validate whether the data generated by the rule is repeated in events from another watchlist.

brenta (Reliable Contributor)
Message 6 of 9

Re: Watchlist Monitoring

As I understand it, you are trying to create a hierarchy of correlation rules. This is not advisable and not "technically" possible (however, there are ways to achieve it). It can easily create loops of rules that would fire forever, especially if you have watchlists involved that are updated automatically.

For the most part the correlation engines automatically filter any events that come from correlation engines, unless they are part of a composite rule.

You can probably achieve this effect another way. Do you have an example use case?

Brent
hanzch (Level 7)
Message 7 of 9

Re: Watchlist Monitoring

For example, I have several rules assigned to some phases that we have been using (WEB EXPLOIT: PHASE01, MALWARE: PHASE02). What I want is the following: when a correlation rule of phase 01 is triggered, I want to activate another correlation rule (for a time X) which takes the basic data of the triggered event and compares it with the events that are unfolding. My purpose is to be able to chain two or more events that fire in different phases.

brenta (Reliable Contributor)
Message 8 of 9

Re: Watchlist Monitoring

So I take it you are trying to implement some kind of kill-chain style detection?

So what was the reason for watchlists? Do you need this for a large list of dynamically updated rules in each phase?

If your answers are yes and no respectively, you can achieve this with components. To do this, break the rules down into components, then create a correlation rule (including all previous components) for each phase you would like to fire on.

Brent
hanzch (Level 7)
Message 9 of 9

Re: Watchlist Monitoring

Exactly, what I'm looking for is to implement a kill-chain type model. My idea was to use watchlists, because I can update them automatically (DYNAMIC: ESM RULES NAME) whenever a rule becomes part of a phase, so I don't have to modify the component-based rules each time one of these goes into production.
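The design discussed in this thread (a per-phase watchlist of correlation-rule signature IDs, a time window opened when a phase-01 rule fires, and a guard against the self-feeding loop Brent warns about) as a small stand-alone simulation. This is an added example and is not ESM code or anything posted by the participants; the signature IDs, the `Event` fields, the `source` tag used to tell ordinary correlated events from this rule's own output, and the ten-minute window are all invented for illustration.

```python
from dataclasses import dataclass, field

# Ordered kill-chain phases. Each phase is a "watchlist" of correlation-rule
# signature IDs. The IDs are invented for this example, not real ESM IDs.
PHASES = ["PHASE01", "PHASE02"]
PHASE_WATCHLISTS = {
    "PHASE01": {47000001, 47000002},   # e.g. WEB EXPLOIT rules
    "PHASE02": {47000010, 47000011},   # e.g. MALWARE rules
}
CHAIN_SIG_ID = 47999999  # signature ID this cross-correlation rule emits (invented)


def add_rule_to_phase(phase: str, sig_id: int) -> None:
    """Dynamic watchlist update: a new rule joins a phase without the
    cross-correlation rule itself being edited (the poster's motivation)."""
    PHASE_WATCHLISTS[phase].add(sig_id)


@dataclass
class Event:
    ts: int          # epoch seconds
    sig_id: int      # signature ID of the rule that produced the event
    src_ip: str      # the "basic data" carried between phases
    source: str      # "correlation": output of an ordinary engine;
                     # "chain": output of this rule


@dataclass
class KillChainCorrelator:
    window_secs: int = 600
    # src_ip -> (index of last phase reached, ts when the window was opened)
    windows: dict = field(default_factory=dict)

    @staticmethod
    def _phase_index(sig_id: int):
        for i, phase in enumerate(PHASES):
            if sig_id in PHASE_WATCHLISTS[phase]:
                return i
        return None

    def feed(self, ev: Event):
        """Consume one event. Return a chain Event when a phase N+1 event
        follows an open phase N window for the same src_ip, else None."""
        # Loop guard: only consume events from ordinary correlation engines,
        # and never this rule's own output, even if someone adds CHAIN_SIG_ID
        # to a phase watchlist. Without this the rule could fire forever.
        if ev.source != "correlation" or ev.sig_id == CHAIN_SIG_ID:
            return None
        idx = self._phase_index(ev.sig_id)
        if idx is None:
            return None

        # Expire a stale window for this source before using it.
        state = self.windows.get(ev.src_ip)
        if state is not None and ev.ts - state[1] > self.window_secs:
            del self.windows[ev.src_ip]
            state = None

        if idx == 0:
            # First phase: open (or reopen) the window for this source.
            self.windows[ev.src_ip] = (0, ev.ts)
            return None
        if state is None or state[0] != idx - 1:
            # A later phase without the preceding phase inside the window.
            return None

        # Advance the window and emit the cross-correlation event.
        self.windows[ev.src_ip] = (idx, state[1])
        return Event(ev.ts, CHAIN_SIG_ID, ev.src_ip, "chain")


def demo():
    """Constructed sample: a web-exploit rule fires on 10.0.0.5, a malware
    rule fires on the same host five minutes later (chain), and a second
    host shows the malware rule alone (no chain)."""
    c = KillChainCorrelator(window_secs=600)
    events = [
        Event(1000, 47000001, "10.0.0.5", "correlation"),
        Event(1300, 47000010, "10.0.0.5", "correlation"),
        Event(1300, 47000010, "10.0.0.9", "correlation"),
    ]
    return [c.feed(e) for e in events]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The window key is the source IP here; in practice you would key on whatever fields the phase-01 event carries that the later phase must repeat. The `source` check is what an extra correlation engine filtered to "Device Type ID -> (Correlation Engine)" gives you in ESM terms: the rule only ever sees correlated events and never re-consumes its own output, which is the loop Brent describes when a watchlist that feeds a rule is also updated by it.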
