This makes a lot more sense when you show it to me like that. Now the correlation rule gets assigned a Normalized ID and then I can create an alarm or a report using that!
It's early on Monday, so forgive me if this is a dumb question. I have just started creating my own correlation rules, so I am fairly new at this. But why would you split the filters out in this example versus just having all three events in a single Parameter set? Obviously if the rule gets more complicated and one of the filters is part of an Or set along with other Ands or something. But for this example, is there a reason for it being split into two?
As written, the rule above is probably not what was intended. The rule, as shown, requires 2 events to trigger the rule:
- One event that has a Source IP on one of the GTI watchlists.
- A 2nd event that has a Sig ID of 363-18001.
We don't see the rest of the rule, so we don't know the time frame that must encapsulate these events (within 5 minutes? 1 hour?) We also don't see the "Group By" field, so we don't know what must be common between the events.
However, I think the intention of the rule was to fire when all these conditions apply to a single event. To accomplish that, you are correct Chris...you'd put all the conditions in a single filter block.
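To make the difference between the two rule layouts concrete, here is a small added simulation (my own illustration, not McAfee ESM code and not the rule from the original post). It models the two readings of the rule described above: a split layout that needs two distinct events, one per filter block, sharing a "Group By" field within a time window, versus a single filter block that fires on any one event satisfying every condition. The watchlist addresses, the Sig ID match, the window length and the choice of `dst_ip` as the group-by field are constructed assumptions for the demo; how ESM actually evaluates time windows and whether one event may satisfy both blocks is not something the thread states, so the split version here deliberately requires two different events.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data: watchlist entries and sample events are illustrative only.
GTI_WATCHLIST = {"203.0.113.5", "198.51.100.7"}   # assumed "GTI watchlist" contents
SIG_ID = "363-18001"                               # the Sig ID named in the thread


@dataclass(frozen=True)
class Event:
    ts: int          # event time, seconds since epoch (constructed)
    src_ip: str
    dst_ip: str
    sig_id: str


def on_watchlist(e: Event) -> bool:
    """Filter block 1: source IP appears on a watchlist."""
    return e.src_ip in GTI_WATCHLIST


def has_sig(e: Event) -> bool:
    """Filter block 2: event carries the expected signature ID."""
    return e.sig_id == SIG_ID


def single_filter_matches(events: List[Event]) -> List[Event]:
    """All conditions in ONE filter block: fires once per event that satisfies every condition."""
    return [e for e in events if on_watchlist(e) and has_sig(e)]


def split_filter_matches(events: List[Event], window_s: int,
                         group_by: str) -> List[Tuple[Event, Event]]:
    """Conditions in TWO filter blocks: needs one event per block, sharing the
    group-by field, within window_s seconds of each other (assumed semantics)."""
    block1 = [e for e in events if on_watchlist(e)]
    block2 = [e for e in events if has_sig(e)]
    hits = []
    for a in block1:
        for b in block2:
            if a is b:
                continue  # assumption: a single event cannot satisfy both blocks
            same_group = getattr(a, group_by) == getattr(b, group_by)
            if same_group and abs(a.ts - b.ts) <= window_s:
                hits.append((a, b))
    return hits


# Constructed events exercising the interesting cases.
SAMPLE_EVENTS = [
    Event(100,  "203.0.113.5",  "10.0.0.1", "999-1"),     # watchlist only
    Event(160,  "10.0.0.9",     "10.0.0.1", SIG_ID),      # sig only, same dst, 60 s later
    Event(2000, "198.51.100.7", "10.0.0.2", SIG_ID),      # both conditions on one event
    Event(5000, "10.0.0.3",     "10.0.0.1", SIG_ID),      # sig only, same dst, outside window
]


def demo() -> Tuple[int, int]:
    """Return (single-block hits, split-block pairs) for the sample set."""
    single = single_filter_matches(SAMPLE_EVENTS)
    split = split_filter_matches(SAMPLE_EVENTS, window_s=300, group_by="dst_ip")
    for e in single:
        print("single block fires on:", e)
    for a, b in split:
        print("split blocks fire on pair:", a, b)
    return len(single), len(split)


if __name__ == "__main__":
    demo()
```

Run as-is, the single-block rule fires only on the third event (the one that is both on the watchlist and carries the Sig ID), which is the behaviour the thread says was intended. The split-block rule instead fires on the first two events taken together, which individually satisfy only one condition each, and never fires on the third event at all. That is the practical cost of splitting conditions that belong to one event across filter blocks: the rule both alerts on event combinations you did not mean and misses the single event you did.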