3 Replies Latest reply on Jan 29, 2014 7:38 AM by kmallein

    Correlation Rule Help

    kmallein

      Hi all

      I created a correlation rule to monitor adding and deleting of admin groups from DCs. My steps are below and I cannot get this to trigger the alarm.

      1. I created a watchlist with the admin groups I want to monitor.

      2. I created a correlation rule with

           1. The two signature IDs first (in)
           2. Then the watchlist group (in)
           3. Then the event sub type of success (in)

      3. Roll out the rule to the Receiver that has all the DCs on it.

      4. Created an alarm triggering on the signature ID of the correlation rule.

      5. Deleted an admin from a group in the watchlist.

      Nothing happened...

      Does the severity have anything to do with it?

      Any help would be appreciated...

      Thanks
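      To make the three "in" conditions of the rule above concrete, here is an added plain-Python model of that correlation logic; it is not part of the original post or of the ESM product. The event field names, the two signature IDs and the sample events are constructed for illustration, and the helper `explain_miss` reports which condition a test event fails, which is the first thing to check when a deliberate group change does not alarm.

```python
from dataclasses import dataclass

# Constructed watchlist of admin groups to monitor (stands in for the ESM watchlist).
ADMIN_GROUP_WATCHLIST = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed placeholder IDs for the two "member added / member removed"
# signature IDs the rule matches; substitute the real ones from the ESM rule.
GROUP_CHANGE_SIGNATURE_IDS = {"43-PLACEHOLDER-ADDED", "43-PLACEHOLDER-REMOVED"}


@dataclass(frozen=True)
class Event:
    signature_id: str
    group: str            # the group object that was changed
    subtype: str          # event sub type, e.g. "success" or "failure"
    source_user: str      # account that made the change
    destination_user: str # member added to / removed from the group


def failed_conditions(e: Event) -> list[str]:
    """Return the names of the rule conditions this event does NOT satisfy."""
    misses = []
    if e.signature_id not in GROUP_CHANGE_SIGNATURE_IDS:
        misses.append("signature ID not in rule")
    if e.group not in ADMIN_GROUP_WATCHLIST:   # exact match, so case and spelling matter
        misses.append("group not in watchlist")
    if e.subtype.lower() != "success":
        misses.append("sub type not success")
    return misses


def rule_matches(e: Event) -> bool:
    """All three 'in' conditions are ANDed, exactly as the rule is built."""
    return not failed_conditions(e)


def correlate(events: list[Event]) -> list[Event]:
    """Events that would trigger the correlation rule (and therefore the alarm)."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events: one true hit and three near misses.
SAMPLE_EVENTS = [
    Event("43-PLACEHOLDER-REMOVED", "Domain Admins", "success", "admin1", "jdoe"),
    Event("43-PLACEHOLDER-REMOVED", "Sales", "success", "admin1", "jdoe"),
    Event("43-PLACEHOLDER-ADDED", "Domain Admins", "failure", "admin1", "jdoe"),
    Event("43-PLACEHOLDER-ADDED", "domain admins", "success", "admin1", "jdoe"),
]
```

Running `correlate(SAMPLE_EVENTS)` returns only the first event; `failed_conditions` on the last one shows that a watchlist entry whose case differs from the event's group name is enough to stop the rule firing in this model.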

        • 1. Re: Correlation Rule Help
          tlcrain

          I created an ALARM to monitor all Windows groups (Domain and Local).  This Alarm generates a Report.  There is no filtering on which groups have been changed.  What is odd about this is that it has two queries: one for Domain groups that were changed and the other for Local Groups that were changed.

          Alarm
               Field Match : Normalized ID 407912448

               [x] Log Event
               [x] Generate Report

          Report

          Query 1
            Comment : "Normalized ID : 407912448 A change was made to a Domain Group [Source User] made the change [Rule Message] added/deleted [Destination User] to/from [Domain]|[Host] / [Object]"

               Filters : Normalized ID [407912448], State [All]

          Query 2
            Comment : "Normalized ID : 407912448 A change was made to a Local Group [Source User] made the change [Rule Message] added/deleted to/from [Host] / [Object]"

               Filters : Normalized ID [407912448], NOT Signature ID [43-211006330,43-211006410,43-211006390,43-211006370,43-211006320,43-211006310], State [All]

          -----------------------

          Hope this helps.  I've never created a Correlation Rule.  I look forward to learning how to do this in a Correlation rule.

          • 2. Re: Correlation Rule Help
            cllapole

            I am not sure if you resolved this yet yourself.  The first time I tried creating a correlation rule I ran into the same problem, but I don't know if this is the same fix for you.  When going into Policy Editor, I choose Correlation on the left.  I created the rule, the alarm, enabled it, then did a rollout.  The part I missed was that I needed to actually go to the top left where it says Default Policy, click the little right-pointing triangle for the drop-down menu, and click on Correlation in there.  At that point I realized that while I enabled the rule under Default Policy, it wasn't enabled under Correlation.  Once I enabled it there, it started working for me.  I was told by McAfee support that I should also disable the rule at the Default Policy level and only have it enabled at the Correlation level; I'm not really sure what the reasoning is for that, but I followed their suggestion on that as well.

            • 3. Re: Correlation Rule Help
              kmallein

              I finally got it to work after engaging Support; there were a bunch of processes locked up. Once the tech stopped the services and killed all the processes it worked. Now I have to figure out how to get the information from the rule to show up right in the alarm email. There is a tab in the triggered rule that's called Source Events that I can't get to show up in the alarm email.