4 Replies Latest reply on Jan 27, 2014 3:42 PM by Scott Taschler

    Create Alarm/Report Based off of Signature ID and Watchlist

      All -

       

      I am attempting to make an alarm and subsequently a report in the SIEM to report every time a specific signature ID hits, but only if the source IP is present on one of the GTI watchlists.

       

      McAfee HIPS is utilized in my environment, and the signature ID I am looking for is "363-18001" which corresponds to a "Network intrusion detected and handled" . I want an alarm created every time that signature ID matches a source IP on the GTI Suspicious or GTI Malicious watchlists, but I am not sure I have the logic correct on how to make a report happen out of this.

       

      I can set an alarm based off of the signature ID, but I have not determined a way to make both the signature ID and the watchlist Source IPs pop at the same time. I think I may have the logic wrong on how to make this work. Perhaps a correlation would be better suited for this?

       

      Any insight would be greatly appreciated!

        • 1. Re: Create Alarm/Report Based off of Signature ID and Watchlist
          kcole

You need to start by creating a correlation rule that will look for the signature ID and the source IP (and/or dest IP) in a GTI watchlist match.  Then create the alarm against the correlation rule triggering.  Here is a screenshot: community.png

           

          Please let me know if you have any other questions.

           

          Kara

          • 2. Re: Create Alarm/Report Based off of Signature ID and Watchlist

            Thanks, Kara!

             

This makes a lot more sense now that you have shown it to me like that. Now the correlation rule gets assigned a Normalized ID and then I can create an alarm or a report using that!

            • 3. Re: Create Alarm/Report Based off of Signature ID and Watchlist
              cllapole

It's early on Monday, so forgive me if this is a dumb question.  I have just started creating my own correlation rules, so I am fairly new at this.  But why would you split the filters out in this example versus just having all three events in a single Parameter set?  Obviously if the rule gets more complicated and one of the filters is part of an Or set along with other Ands or something.  But for this example, is there a reason for it being split into two?

              • 4. Re: Create Alarm/Report Based off of Signature ID and Watchlist
                Scott Taschler

                As written, the rule above is probably not what was intended.  The rule, as shown, requires 2 events to trigger the rule:

                 

                - One event that has a Source IP on one of the GTI watchlists.

                - A 2nd event that has a Sig ID of 363-18001

                 

                We don't see the rest of the rule, so we don't know the time frame that must encapsulate these events (within 5 minutes?  1 hour?)  We also don't see the "Group By" field, so we don't know what must be common between the events. 

                 

                However, I think the intention of the rule was to fire when all these conditions apply to a single event.  To accomplish that, you are correct Chris...you'd put all the conditions in a single filter block.

                 

                Scott
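To make the distinction in Scott's reply concrete, here is an added Python example (not McAfee ESM code and not from anyone in this thread) that evaluates the same conditions two ways over a few constructed HIPS events: once as a single filter block that one event must satisfy on its own, and once as two separate filter blocks joined by a time window and a group-by field, which is what the screenshot's layout amounts to. The watchlist IPs, timestamps and helper names are all constructed for the example; only the signature ID 363-18001 comes from the thread.

```python
"""Single-event filter vs. two-event correlation (added example, not ESM code)."""
from datetime import datetime, timedelta

# Constructed watchlists: documentation-range IPs standing in for GTI data.
GTI_WATCHLISTS = {
    "GTI Suspicious": {"198.51.100.7"},
    "GTI Malicious": {"203.0.113.9"},
}
SIG_ID = "363-18001"  # HIPS "Network intrusion detected and handled" (from the thread)

# Constructed sample events: ts, HIPS signature ID, source IP.
SAMPLE_EVENTS = [
    {"ts": datetime(2014, 1, 27, 10, 0), "sig_id": "363-18001", "src_ip": "198.51.100.7"},
    {"ts": datetime(2014, 1, 27, 10, 1), "sig_id": "363-18001", "src_ip": "192.0.2.5"},
    {"ts": datetime(2014, 1, 27, 10, 2), "sig_id": "363-19999", "src_ip": "203.0.113.9"},
    {"ts": datetime(2014, 1, 27, 10, 3), "sig_id": "363-18001", "src_ip": "203.0.113.9"},
]


def on_gti_watchlist(ip):
    """True if the source IP appears on any of the GTI watchlists."""
    return any(ip in ips for ips in GTI_WATCHLISTS.values())


def single_event_rule(events):
    """All conditions in one filter block: a single event must match both
    the signature ID and the watchlist.  This is what the original poster wants."""
    return [e for e in events
            if e["sig_id"] == SIG_ID and on_gti_watchlist(e["src_ip"])]


def two_event_rule(events, window=timedelta(minutes=5), group_by="src_ip"):
    """Two separate filter blocks: one event must match the watchlist, a second,
    distinct event must match the signature ID, both within `window` and sharing
    the group-by value.  Returns the set of group keys that fired."""
    groups = {}
    for e in events:
        key = e[group_by] if group_by else "*"   # no group-by: everything correlates
        groups.setdefault(key, []).append(e)

    fired = set()
    for key, evs in groups.items():
        watchlist_hits = [e for e in evs if on_gti_watchlist(e["src_ip"])]
        sig_hits = [e for e in evs if e["sig_id"] == SIG_ID]
        for a in watchlist_hits:
            for b in sig_hits:
                if a is not b and abs(a["ts"] - b["ts"]) <= window:
                    fired.add(key)
    return fired


if __name__ == "__main__":
    # The single-block rule fires on the two events that carry both conditions.
    for e in single_event_rule(SAMPLE_EVENTS):
        print("single-block hit:", e["src_ip"], e["sig_id"])
    # The two-block rule needs a *pair* of events per group, so it misses the
    # lone 198.51.100.7 event and fires only where a second event exists.
    print("two-block groups fired:", two_event_rule(SAMPLE_EVENTS))
    # Without a group-by, unrelated events satisfy the pair and the rule fires anyway.
    print("two-block, no group-by:", two_event_rule(SAMPLE_EVENTS, group_by=None))
```

Running it shows the practical consequence of Scott's point: the single-block rule fires exactly on the events the original poster described, while the two-block rule both misses a genuine hit that has no companion event and, with no group-by, fires on a watchlist event and an unrelated signature event that merely happen to be close in time.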