1 Reply Latest reply on Apr 3, 2014 2:03 AM by vinayakumara

    Correlation Rule Exceptions


      I would like to create exceptions to filter out false positives that fire for McAfee correlation rules. I see that I could edit the specific rule, but if I make changes to it I would need to save a new copy of that, then probably disable the McAfee version. That doesn't seem right to me - is there another way to add exceptions to correlation rules?


      Example:  Windows firewall allows itself to access objects (  This can create a ton of "Excessive Firewall/ACL Connections Accepted From Single Host" correlations.  The solution would be to filter out  How can I do this without needing to create a new copy of the correlation and disabling the McAfee version?


      Any help would be appreciated!