3 Replies Latest reply on Dec 21, 2012 12:46 PM by dcobes

    Custom Correlation Rule not triggering properly

      Dear All,

       

      We want to create a rule for our critical servers to identify if some port scanning or malicious activity is performed. I have run Nmap on one of our servers, which triggered the default rules in SIEM. Using those rule signatures, I created a custom correlation rule that checks if the same attacks are on our critical servers. The rule is triggering, but with other rule signatures that I did not mention. Please see the screenshots attached.

      1.png

      As shown above, the rules are in the green, but when I try to see the triggered events, I can see other rules that have been triggered rather than the ones mentioned above. Please see the screenshots below.

      rule 2.png

      rule 3.png

      rule1.png

      Can anyone explain why other rules are triggered rather than the ones mentioned in the rule?

      Thanks
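The matching logic a rule like this has to express, written out as an added illustration (my own Python model, not McAfee ESM's rule syntax and not code from anyone in this thread): a correlation rule that is meant to fire only on a named set of signatures against a named set of critical servers must AND both conditions. The field names, the signature IDs (SIG-1001 and so on), the addresses, and the sample events are all constructed placeholders. The audit function at the end reproduces the check the poster is doing by hand, listing any signature that fired but was not in the rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Event:
    # Minimal normalized event; field names are assumptions, not a SIEM schema.
    sig_id: str
    src_ip: str
    dst_ip: str
    msg: str


@dataclass(frozen=True)
class CorrelationRule:
    name: str
    critical_servers: Tuple[str, ...]          # CIDR strings (constructed)
    signature_ids: FrozenSet[str] = frozenset()  # empty set = any signature

    def matches(self, ev: Event) -> bool:
        # Condition 1: destination is one of the critical servers.
        on_critical = any(
            ip_address(ev.dst_ip) in ip_network(net) for net in self.critical_servers
        )
        # Condition 2: signature is one of the ones named in the rule.
        # If the rule names no signatures, every signature passes, which is
        # exactly the situation where "other rules" show up in the trigger list.
        sig_ok = not self.signature_ids or ev.sig_id in self.signature_ids
        return on_critical and sig_ok


def correlate(rule: CorrelationRule, events: List[Event]) -> List[Event]:
    """Return the events that would trigger the rule."""
    return [ev for ev in events if rule.matches(ev)]


def triggering_signatures(rule: CorrelationRule, events: List[Event]) -> List[str]:
    """Distinct signature IDs among the triggering events, sorted."""
    return sorted({ev.sig_id for ev in correlate(rule, events)})


def audit(rule: CorrelationRule, events: List[Event]) -> List[str]:
    """Signatures that fired but were not listed in the rule (should be empty)."""
    fired = set(triggering_signatures(rule, events))
    return sorted(fired - set(rule.signature_ids))


# Constructed sample events: two scan-type signatures against a critical
# server, one unrelated signature against the same server, and one scan
# signature against a non-critical host.
SAMPLE_EVENTS = [
    Event("SIG-1001", "198.51.100.7", "10.0.0.10", "port sweep (constructed)"),
    Event("SIG-1002", "198.51.100.7", "10.0.0.10", "SYN scan (constructed)"),
    Event("SIG-2001", "198.51.100.9", "10.0.0.10", "unrelated policy event"),
    Event("SIG-1001", "198.51.100.7", "10.0.5.50", "port sweep, non-critical"),
]

CRITICAL = ("10.0.0.0/24",)

# Rule as intended: critical servers AND the named signatures.
STRICT_RULE = CorrelationRule(
    name="scan-vs-critical",
    critical_servers=CRITICAL,
    signature_ids=frozenset({"SIG-1001", "SIG-1002"}),
)

# Rule with the signature list omitted: critical servers only.
LOOSE_RULE = CorrelationRule(name="anything-vs-critical", critical_servers=CRITICAL)


if __name__ == "__main__":
    for rule in (STRICT_RULE, LOOSE_RULE):
        print(rule.name, "fires on", triggering_signatures(rule, SAMPLE_EVENTS))
        print("  not in rule:", audit(rule, SAMPLE_EVENTS))
```

Running it shows the strict rule firing on SIG-1001 and SIG-1002 only, while the loose rule also fires on SIG-2001; the audit list is the same comparison the poster made between the rule definition and the triggered-events view, and is a cheap check to run before trusting a new rule.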