ecan007
Level 9

correlation rules based on s-flows


I have a data source, which only shows flows of network traffic.

When I try to create a correlation rule based on flows, I don't see any correlation or even alarms (I created an alarm based on the use case signature).

With events I never had any issues, but I have the feeling that with flows it works differently.

[screenshot: siem2.png]

How do you create correlation rules based on flows?

(Events are events logged on a system; flows are just network traffic passing by.)

When I create a correlation rule and select flows, I don't get any results, but flows do come in.

The data source is sFlow.

1 Solution

Accepted Solutions
ecan007
Level 9

Re: correlation rules based on s-flows


This is a bug, as you would have guessed.

There was a filter to get events from certain receivers.

Once the filter was removed, it worked.

Now that the SIEM has been upgraded to a higher version, the issue is completely gone and the filter was also turned back on.

Hope this helps someone with the same issue.

23 Replies
abanaru
Level 11

Re: correlation rules based on s-flows


Flow correlation is only available on the ACE.

ecan007
Level 9

Re: correlation rules based on s-flows


We have an ACE running, so I am not sure what you mean.

We have an sFlow data source and this source can see the flows, and the correlation rule is based on flows (instead of events),

but the ACE is not showing any flows.

abanaru
Level 11

Re: correlation rules based on s-flows


I was assuming you didn't have an ACE. Did you enable correlation of flows on the ACE?

You can do that in ACE Properties | ACE Configuration | Data.

[screenshot: ace_props.PNG]

ecan007
Level 9

Re: correlation rules based on s-flows


I had another good look into the SIEM and it seems the receiver does get the flow data, but not the ACE.

I tried to get the events and flows manually, but the flow option is greyed out.

Seems the ACE is not configured for flows?

[screenshot: ace.png]

ecan007
Level 9

Re: correlation rules based on s-flows


I think I have found the option to allow flow data, but when selecting flows, it doesn't save the option.

How can I enable the ACE to also collect flows? Or would I need a storage pool?

[screenshot: ace option.png]

abanaru
Level 11

Re: correlation rules based on s-flows


Enable flow pass like in Post No. 3.

Enable flow correlation in the correlation manager.

ecan007
Level 9

Re: correlation rules based on s-flows


Thanks for your reply.

I did all the steps you mentioned, but still the flow option is greyed out.

Do I need to wait? And why can't I still manually get the flows? I can manually get the events in.

The flows are coming in on the data source and also on the event receiver.

I have verified that, but on the ACE I can't see the flows at all.

It seems the flows are not coming in on the ACE and thus I can't use correlation rules.

The point is to create correlation rules based on the flows; if the ACE doesn't get the flows, it can't correlate.

kmc
Level 12

Re: correlation rules based on s-flows


First confirm whether your ACE is configured to process the flows as well.

You can check this in ACE Properties -> ACE Configuration -> Data; check whether the flow checkbox is enabled.

Whatever you are viewing in the ACE section is not events or flows; they are all correlated events, generally considered as events, so when you select Get Events and Flows it only shows events and flows are grayed out.

ecan007
Level 9

Re: correlation rules based on s-flows


Yes, I have checked ACE Properties -> ACE Configuration -> Data.

Flow data wasn't checked before, but I have checked it now.

In the meantime I still have correlation rules based on flows and none of them are triggered.

So what you are saying is that the flow data will come in, even though the option is grayed out when you try to manually get the data?

Anyway, the rules are not triggered and also I can't see the flows on the ACE dashboard; I do see them on the ESM and receiver.

Shouldn't the flow dashboard for the ESM also show the flows? It would make sense to see it on the dashboard also, but I have the feeling that the flows are not coming in.

Here are some screenshots:

[screenshot: siem1.png]

[screenshot: siem2.png]
