The correlation rule "Multiple events for Peer-to-Peer on a host" is designed to detect multiple peer-to-peer events involving the same IP. The rule triggers when we see 20 events in a 10-minute window that all meet the following criteria.
1. The event Normalization ID is "P2P Policy". (Any device type can send us events that fall into this Normalization ID, for example IPS, firewall, router, switches, etc. Our Rules team determines which Normalization ID each rule falls into as they write the parsing rules.)
2. The event is going from one of your internal network IPs to an IP outside your internal network, or from an external IP to one of your internal IPs. (We determine whether an IP address is internal or external based on the Network Discovery Homenet variable value. This is located in Asset Manager > Network Discovery > Homenet button.)
3. The internal IP is not 0.0.0.0 (this prevents false positives when an event does not have an internal IP).
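To make the three criteria and the 20-events-in-10-minutes threshold concrete, here is an added example (not McAfee ESM code) that applies the same logic to constructed sample events; the Homenet ranges, event field names and timestamps are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed Homenet ranges; in ESM they come from Asset Manager > Network Discovery > Homenet
HOMENET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOMENET)

def internal_endpoint(event):
    """Return the internal IP of an event that matches all three criteria, else None."""
    if event["norm_id"] != "P2P Policy":            # criterion 1
        return None
    src_in, dst_in = is_internal(event["src"]), is_internal(event["dst"])
    if src_in == dst_in:                            # criterion 2: must cross the Homenet boundary
        return None
    internal = event["src"] if src_in else event["dst"]
    return None if internal == "0.0.0.0" else internal   # criterion 3

def correlate_p2p(events, threshold=20, window=600):
    """Return the internal IPs with >= threshold matching events inside a sliding window (seconds)."""
    per_host, triggered = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = internal_endpoint(ev)
        if host is None:
            continue
        q = per_host[host]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:             # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            triggered.add(host)
    return triggered

def sample_events():
    """Constructed sample events (assumed field names, not real log data)."""
    p2p = "P2P Policy"
    evs = [{"ts": 1000 + i * 27, "src": "10.0.0.5", "dst": "203.0.113.9", "norm_id": p2p} for i in range(20)]
    # 20 events for 10.0.0.6, but the last one falls outside the 10-minute window: no trigger
    evs += [{"ts": 2000 + i * 30, "src": "198.51.100.7", "dst": "10.0.0.6", "norm_id": p2p} for i in range(19)]
    evs.append({"ts": 2700, "src": "198.51.100.7", "dst": "10.0.0.6", "norm_id": p2p})
    # Filtered out: internal-to-internal, no internal IP (0.0.0.0), other Normalization ID
    evs += [{"ts": 1000 + i, "src": "10.0.0.7", "dst": "10.0.0.8", "norm_id": p2p} for i in range(25)]
    evs += [{"ts": 1000 + i, "src": "0.0.0.0", "dst": "203.0.113.9", "norm_id": p2p} for i in range(25)]
    evs += [{"ts": 1000 + i, "src": "10.0.0.9", "dst": "203.0.113.9", "norm_id": "Malware"} for i in range(25)]
    return evs

if __name__ == "__main__":
    print(correlate_p2p(sample_events()))   # only 10.0.0.5 crosses the threshold
```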
If you have a scenario that you think meets these requirements and the correlation rule is not triggering, please submit a Service Request and we will be happy to help you look into the issue.
McAfee Corporate Online Support (Service Portal): https://mysupport.mcafee.com