artek

What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?


Hello,

Do you know what exactly is needed to hit the "Multiple events for Peer-to-Peer on a host" correlation rule? What device type can create events that will be processed to "Normalization rule IN [P2P Policy]"? What about the "Internal IP [Not In] [0.0.0.0]" parameter: is it ready to use, or should we change this address to something else?

Best Regards,

Artur

Accepted Solutions

Re: What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?


Artur,

The correlation rule "Multiple events for Peer-to-Peer on a host" is designed to detect multiple peer-to-peer events from the same IP. The rule will trigger if we see 20 events in a 10-minute window that all meet the following criteria.

1. The event Normalization ID is "P2P Policy". (All device types have the potential of sending us rules that could fall into this Normalization ID, for example IPS, firewall, router, switches, etc. Our Rules team determines what Normalization ID each rule falls into as they write the parsing rules.)

2. The event is going from one of your internal network IPs to an IP outside your internal network, or the event is going from an external IP to one of your internal IPs. (We determine your internal vs. external network IP address based on the network discovery Homenet variable value. This is located in Asset Manager > Network Discovery > Homenet button.)

3. The internal IP is not 0.0.0.0 (this prevents false positives when an event does not have an Internal IP).

If you have a scenario that you think should meet these requirements and the correlation rule is not triggering, please submit a Service request and we will be happy to help you look into the issue.

Thanks,

Steve

McAfee Corporate Online Support (Service Portal): https://mysupport.mcafee.com
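As an added illustration of the three criteria and the 20-events-in-10-minutes window Steve describes (example code, not McAfee ESM's own implementation): a small Python model of the rule. The Homenet value, the convention that Internal IP is 0.0.0.0 whenever an event does not cross the Homenet boundary, and the sample events are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed Homenet value (Asset Manager > Network Discovery > Homenet).
HOMENET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD = 20        # events needed to trigger
WINDOW_SECONDS = 600  # the 10-minute window from the answer

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOMENET)

def internal_ip(event):
    """Model the Internal IP field: the Homenet side of an event crossing the
    Homenet boundary, else 0.0.0.0 (assumed ESM behaviour for other events)."""
    src_in, dst_in = is_internal(event["src"]), is_internal(event["dst"])
    if src_in != dst_in:
        return event["src"] if src_in else event["dst"]
    return "0.0.0.0"

def qualifies(event):
    """Criteria 1 and 3: P2P Policy normalization and a non-zero internal IP."""
    return event["norm_id"] == "P2P Policy" and internal_ip(event) != "0.0.0.0"

def correlate(events):
    """Return (internal_ip, trigger_ts) alerts, one per burst of THRESHOLD
    qualifying events from the same host inside WINDOW_SECONDS."""
    windows, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not qualifies(ev):
            continue
        host = internal_ip(ev)
        q = windows[host]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW_SECONDS:  # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((host, ev["ts"]))
            q.clear()                            # one alert per burst
    return alerts

# Constructed sample events (ts in seconds): 10.1.2.3 sends 20 P2P events in
# 5 minutes (fires); 10.9.9.9 sends 20 over 30 minutes (never 20 in a window);
# the third set has no Homenet side, so its Internal IP is 0.0.0.0 (ignored).
SAMPLE = (
    [{"ts": t * 15, "src": "10.1.2.3", "dst": "203.0.113.5", "norm_id": "P2P Policy"} for t in range(20)]
    + [{"ts": t * 90, "src": "10.9.9.9", "dst": "203.0.113.5", "norm_id": "P2P Policy"} for t in range(20)]
    + [{"ts": t * 15, "src": "198.51.100.7", "dst": "0.0.0.0", "norm_id": "P2P Policy"} for t in range(20)]
)
```

Running `correlate(SAMPLE)` yields a single alert for 10.1.2.3 at the 20th event; the slow host and the events without an internal side never reach the threshold.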
