4 Replies Latest reply on Sep 23, 2013 10:03 AM by Scott Taschler

    Correlation rule does not fire even though the components fire

    tddhuy

      Hi Guys,

      I am trying to create a correlation rule to combine 2 separate correlation rules by Source IP. The two components are firing just fine, but my correlation rule does not fire.

      I also confirmed that there are events in both components that have the same source IP, so my correlation rule should fire just fine.

      Even though the rules happen in sequence, I tried taking out the sequence, but it still did not help.

      I would be glad to try any suggestions. I've been stuck on this for the whole week.

      Thank you in advance.

      Note that I have already enabled the correlation rule at all levels (Default Policy and Correlation Engine).

      This is the set up of my correlation rule to combine the other 2 correlation rules:

      Untitledg.png

      This is the set up of the "Wireless User Authenticated" rule

      Untitledj.png

      This is the set up of the "Damballa Indicated Compromised System" rule

      Untitledh.png

        • 1. Re: Correlation rule does not fire even though the components fire
          jacobsd

          Hey tddhuy,

          I may be off base here, but try this >>

          keep > "Group By" = Source IP

          replace both > "Rules/Components" parameters

          with a single > "Match Component" = Signature ID or Normalization ID (or the desired rule(s)' triggering component field)

          I hope that works, but either way I'm sure some thread contains your answer.

           

          Similar --

          https://community.mcafee.com/message/278939#278939

           

          Message was edited by: jacobsd on 9/19/13 7:57:53 PM CDT
          • 2. Re: Correlation rule does not fire even though the components fire
            tddhuy

            Thank you, jacobsd, for your reply.

            I tried your suggestion once before. However, the correlation engine would not let me do that. If you try to filter by Signature ID of the 2 correlation rules I listed, you will receive an error.

             

            Untitledgg.png

            • 3. Re: Correlation rule does not fire even though the components fire
              jacobsd

              tddhuy,

              What are the triggering "component fields" for both of your initial rules? As I stated in my post, it may be good to attempt by them; it seems your error is giving the same suggestion. Also, I'm in the office now, so I can take a look into things with a bit more reference than my last post.

              Please do let me know if you come to a resolution, btw.

              /Jacob

              • 4. Re: Correlation rule does not fire even though the components fire
                Scott Taschler

                A few other thoughts:

                • You may not be aware that the “parent” rule pushes its grouping field down to its child components. This is because without this grouping on the child, your correlation of “Source IP” in this case breaks down for those events. What this means is that the referenced component "Wireless User Authenticated" effectively groups on Source MAC + Source IP. This should work fine, assuming the events that trigger that component have a Source IP that matches the rest of the events in this rule. Take a hard look at the events that trigger "Wireless User Authenticated", and ensure that they have the Source IP information needed for proper triggering of your rule.

                • Is it possible you have a timing issue? Obviously the referenced components have to trigger in time order since it’s a sequence, and of course it would have to happen for a single Source IP in your example. Take a close look at the timestamps on all your source events, as well as examples of your "child" correlated events, and ensure they are reliably coming into ESM in the order you think they are.

                Other than these caveats, this rule looks fine. If these suggestions don't help, I wouldn't mind seeing screenshots of the raw triggering events ("Details" and "Custom Types" tabs), as well as the same info for the individual child rules. Your best bet at this stage, however, is likely to call into McAfee support for some expert troubleshooting.

                 

                Scott
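The two pitfalls Scott describes (the parent's "Group By" field being pushed into the child components, and a sequence rule needing its components in time order for one Source IP) can be modelled with a small toy correlation engine. The following Python is an added illustration written for this thread, not McAfee ESM code or any poster's configuration; the event field names (`src_ip`, `src_mac`), timestamps and sample events are constructed, and only the two component rule names are taken from the thread. It shows why a parent rule stays silent while both children fire: a child event that carries a MAC but no Source IP never joins any group, and a group whose compromise event precedes the authentication event never completes the sequence.

```python
"""
Toy sequence-correlation engine modelling the two pitfalls raised in the
thread: a parent rule grouped by Source IP pushes that grouping into its
child components (children without a Source IP never join a group), and
a sequence rule only fires when its components trigger in order for the
same group key. Added illustration, not McAfee ESM code; event fields,
rule names and timestamps are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # constructed timestamp, seconds
    rule: str      # name of the child component that produced the event
    fields: dict   # normalised fields, e.g. {"src_ip": "10.0.0.5"}


@dataclass
class SequenceRule:
    name: str
    group_by: str        # field the parent groups on, pushed to children
    components: list     # child component names, in required order


def correlate(rule, events):
    """Return (fired, dropped, incomplete).

    fired:      list of (group_key, [events]) for every completed sequence
    dropped:    events lacking the group_by field (cannot join any group)
    incomplete: {group_key: next component still awaited} for groups that
                never completed, which is the usual reason a parent rule
                stays silent while its children fire
    """
    buckets, dropped = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.fields.get(rule.group_by)
        if key is None:
            dropped.append(ev)          # pitfall 1: no Source IP on the child
            continue
        buckets.setdefault(key, []).append(ev)

    fired, incomplete = [], {}
    for key, evs in buckets.items():
        idx, chain, completed = 0, [], False
        for ev in evs:                  # pitfall 2: order matters
            if ev.rule == rule.components[idx]:
                chain.append(ev)
                idx += 1
                if idx == len(rule.components):
                    fired.append((key, chain))
                    idx, chain, completed = 0, [], True
        if not completed:
            incomplete[key] = rule.components[idx]
    return fired, dropped, incomplete


RULE = SequenceRule(
    name="Wireless user compromised",   # hypothetical parent rule name
    group_by="src_ip",
    components=["Wireless User Authenticated",
                "Damballa Indicated Compromised System"],
)

# Constructed sample events covering the happy path and both pitfalls.
SAMPLE_EVENTS = [
    Event(100, "Wireless User Authenticated",
          {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.5"}),
    Event(160, "Damballa Indicated Compromised System", {"src_ip": "10.0.0.5"}),
    # child event carries only a MAC: it can never group on src_ip
    Event(200, "Wireless User Authenticated", {"src_mac": "aa:bb:cc:00:00:02"}),
    Event(260, "Damballa Indicated Compromised System", {"src_ip": "10.0.0.6"}),
    # compromise seen before the authentication: sequence never completes
    Event(300, "Damballa Indicated Compromised System", {"src_ip": "10.0.0.7"}),
    Event(360, "Wireless User Authenticated",
          {"src_mac": "aa:bb:cc:00:00:03", "src_ip": "10.0.0.7"}),
]


def run_demo():
    """Correlate the sample events and summarise the outcome."""
    fired, dropped, incomplete = correlate(RULE, SAMPLE_EVENTS)
    return {
        "fired_keys": [key for key, _ in fired],
        "dropped_rules": [ev.rule for ev in dropped],
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running it fires only for 10.0.0.5; the 10.0.0.6 group is reported as still waiting for the authentication component (because that event was dropped for lacking a Source IP), and the 10.0.0.7 group is still waiting for the compromise component because it arrived before the authentication. Those two "incomplete" reasons are exactly what to check in the child events' "Details" and "Custom Types" tabs.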