Showing results for 
Search instead for 
Did you mean: 

multiple rule correlation

Hi friends,

can anyone help me with below scenario.

i have a use case in which we need to correlate  multiple failed login attempts (10 in 10)   with IPS event    grouped by destination IP     ( both events should have same destination IP). may be we can put them in sequence ...   but not sure how i can acheive this .



2 Replies
Level 9
Report Inappropriate Content
Message 2 of 3

Re: multiple rule correlation


have you been able to resolve this yet?


Re: multiple rule correlation

Group By: Destination IP

Correlation Logic:

  • AND (Threshold 10, Time Window 10 minutes)
    • Match Component Filter #1: Signature ID (In) <list of failed login Signatures> (or Normalized ID (in) Authentication > Login + Event Subtype (in) Failure)
    • Match Component Filter #2: Device ID (In) <select your IPS Data Source/Sensor> (and/or use Signature ID / Normalized ID for specific IPS events)

The above should only trigger if there are 10 Failed Login Events with IPS Events within a 10 Minute window, and the Group By setting will make sure those events only meet the criteria if the Failed Login and IPS events share the same Destination IP. Hopefully this works as desired and helps.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator