artek

What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?


Hello,

Do you know what exactly is needed to hit the "Multiple events for Peer-to-Peer on a host" correlation rule? What device type can create events that will be processed into "Normalization rule IN [P2P Policy]"? What about the "Internal IP [Not In] [0.0.0.0]" parameter: is it ready to use, or should we change this address to something else?

Best Regards,

Artur

Accepted Solution

Re: What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?


Artur,

The correlation rule "Multiple events for Peer-to-Peer on a host" is designed to detect multiple peer-to-peer events from the same IP. The rule will trigger if we see 20 events in a 10-minute window that all meet the following criteria.

1. The event Normalization ID is "P2P Policy". (All device types have the potential of sending us rules that could fall into this Normalization ID, for example IPS, Firewall, Router, Switches, etc. Our Rules team determines what Normalization ID each rule falls into as they write the parsing rules.)

2. The event is going from one of your internal network IPs to an IP outside your internal network, or the event is going from an external IP to one of your internal IPs. (We determine your internal vs. external network IP addresses based on the network discovery Homenet variable value. This is located in Asset Manager > Network Discovery > Homenet button.)

3. The internal IP is not 0.0.0.0 (this prevents false positives when an event does not have an Internal IP).

If you have a scenario that you think should meet these requirements and the correlation rule is not triggering, please submit a Service Request and we will be happy to help you look into the issue.

Thanks,

Steve

McAfee Corporate Online Support (Service Portal): https://mysupport.mcafee.com
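The following is an added illustration of the three criteria and the 20-events-in-10-minutes threshold described in the accepted solution; it is not McAfee ESM code. The event field names (`src_ip`, `dst_ip`, `normalization_id`, `time`), the homenet ranges, the per-host sliding-window bookkeeping and the sample events are all constructed here to show how such a rule behaves, including the cases it must ignore (internal-to-internal traffic, events with no internal IP, events with another normalization ID, and a host that stays below the threshold).

```python
"""Model of a "Multiple events for Peer-to-Peer on a host" style correlation rule.

Hypothetical re-implementation for illustration only: field names, homenet
ranges and sample events are constructed, not McAfee ESM's own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed homenet, standing in for Asset Manager > Network Discovery > Homenet.
HOMENET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD = 20                  # events needed to trigger
WINDOW = timedelta(minutes=10)  # sliding window per internal host


def is_internal(ip, homenet=HOMENET):
    """True if ip falls inside any homenet range (0.0.0.0 or a missing IP never does)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in homenet)


def internal_ip(event, homenet=HOMENET):
    """The side of the event inside the homenet, or 0.0.0.0 if neither side is.

    This models the derived 'Internal IP' field that the rule compares against 0.0.0.0.
    """
    for key in ("src_ip", "dst_ip"):
        if is_internal(event.get(key, "0.0.0.0"), homenet):
            return event[key]
    return "0.0.0.0"


def matches_rule(event, homenet=HOMENET):
    """Apply the three per-event criteria from the answer above."""
    # 1. The event was normalized into the "P2P Policy" normalization ID.
    if event.get("normalization_id") != "P2P Policy":
        return False
    # 2. Traffic crosses the homenet boundary in either direction.
    src_in = is_internal(event.get("src_ip", "0.0.0.0"), homenet)
    dst_in = is_internal(event.get("dst_ip", "0.0.0.0"), homenet)
    if src_in == dst_in:
        return False
    # 3. An internal IP is actually present (Internal IP NOT IN 0.0.0.0).
    return internal_ip(event, homenet) != "0.0.0.0"


def correlate(events, homenet=HOMENET, threshold=THRESHOLD, window=WINDOW):
    """Return (internal_ip, trigger_time) each time one internal host reaches
    `threshold` matching events inside `window`. Events must be in time order."""
    recent = defaultdict(deque)  # internal host -> timestamps of matching events
    alerts = []
    for ev in events:
        if not matches_rule(ev, homenet):
            continue
        host = internal_ip(ev, homenet)
        q = recent[host]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, ev["time"]))
            q.clear()                              # start a fresh window after triggering
    return alerts


def sample_events():
    """Constructed events: one noisy internal host plus assorted non-matching events."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)

    def ev(secs, src, dst, nid="P2P Policy"):
        return {"time": t0 + timedelta(seconds=secs), "src_ip": src,
                "dst_ip": dst, "normalization_id": nid}

    events = [ev(20 * i, "10.1.2.3", "203.0.113.%d" % (i + 1)) for i in range(25)]  # 25 hits in ~8 min
    events += [ev(30 * i, "10.5.5.5", "198.51.100.7") for i in range(5)]           # stays below threshold
    events += [ev(100, "10.1.2.3", "10.1.2.9"),                       # internal to internal: ignored
               ev(110, "0.0.0.0", "203.0.113.50"),                    # no internal IP: ignored
               ev(120, "10.1.2.3", "203.0.113.51", "Firewall Deny")]  # other normalization ID: ignored
    return sorted(events, key=lambda e: e["time"])


if __name__ == "__main__":
    for host, when in correlate(sample_events()):
        print("P2P threshold reached for %s at %s" % (host, when.isoformat()))
```

Run as-is, it reports a single trigger for 10.1.2.3 when its 20th qualifying event arrives; the second host never reaches 20 events, and the three deliberately non-matching events are filtered by criteria 2 and 1 before they are counted. Clearing the window after a trigger is a design choice to avoid re-alerting on every further event; a real SIEM may instead suppress for a fixed period.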

