cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

multiple rule correlation

Hi friends,

can anyone help me with below scenario.

i have a use case in which we need to correlate  multiple failed login attempts (10 in 10)   with IPS event    grouped by destination IP     ( both events should have same destination IP). may be we can put them in sequence ...   but not sure how i can acheive this .

regards

raghu

2 Replies
jp87
Level 9
Report Inappropriate Content
Message 2 of 3

Re: multiple rule correlation

Hi,

have you been able to resolve this yet?

/JP

Re: multiple rule correlation

Group By: Destination IP

Correlation Logic:

  • AND (Threshold 10, Time Window 10 minutes)
    • Match Component Filter #1: Signature ID (In) <list of failed login Signatures> (or Normalized ID (in) Authentication > Login + Event Subtype (in) Failure)
    • Match Component Filter #2: Device ID (In) <select your IPS Data Source/Sensor> (and/or use Signature ID / Normalized ID for specific IPS events)

The above should only trigger if there are 10 Failed Login Events with IPS Events within a 10 Minute window, and the Group By setting will make sure those events only meet the criteria if the Failed Login and IPS events share the same Destination IP. Hopefully this works as desired and helps.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community