1 Reply Latest reply on Apr 3, 2014 2:03 AM by vinayakumara

    Correlation Rule Exceptions

    gene33

      I would like to create exceptions to filter out false positives that fire for McAfee correlation rules. I see that I could edit the specific rule, but if I make changes to it I would need to save a new copy of that, then probably disable the McAfee version. That doesn't seem right to me - is there another way to add exceptions to correlation rules?

       

      Example: Windows Firewall allows itself to access objects (127.0.0.1). This can create a ton of "Excessive Firewall/ACL Connections Accepted From Single Host" correlations. The solution would be to filter out 127.0.0.1. How can I do this without needing to create a new copy of the correlation and disabling the McAfee version?

       

      Any help would be appreciated!

       

      Thanks!

       

      Gene
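The rule Gene describes is a threshold correlation: count firewall "connection accepted" events per source host inside a time window and fire when the count reaches a limit; the loopback noise is then suppressed by an exception list evaluated before the counter. The block below is an added example written for this page to show that logic over constructed log lines; it is not McAfee ESM rule syntax or configuration, and the event format, field names, threshold, window and sample lines are all assumptions made for the example.

```python
"""Threshold correlation with a source-host exception list.

Added example (not McAfee ESM code): a generic model of an
"excessive connections accepted from a single host" rule, with an
allowlist of source networks that are skipped before counting.
The log format below is constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (syslog-like, not real Windows Firewall output).
# 127.0.0.1 and 10.0.0.5 each produce five ALLOWs within a few seconds;
# 192.168.1.20 produces one BLOCK and one ALLOW.
SAMPLE_EVENTS = """\
2014-04-02T10:00:00 host=WS01 action=ALLOW src=127.0.0.1 dst=127.0.0.1 dport=49152
2014-04-02T10:00:01 host=WS01 action=ALLOW src=127.0.0.1 dst=127.0.0.1 dport=49153
2014-04-02T10:00:02 host=WS01 action=ALLOW src=10.0.0.5 dst=10.0.0.20 dport=445
2014-04-02T10:00:02 host=WS01 action=ALLOW src=127.0.0.1 dst=127.0.0.1 dport=49154
2014-04-02T10:00:03 host=WS01 action=ALLOW src=10.0.0.5 dst=10.0.0.21 dport=445
2014-04-02T10:00:03 host=WS01 action=ALLOW src=127.0.0.1 dst=127.0.0.1 dport=49155
2014-04-02T10:00:04 host=WS01 action=ALLOW src=10.0.0.5 dst=10.0.0.22 dport=445
2014-04-02T10:00:04 host=WS01 action=ALLOW src=127.0.0.1 dst=127.0.0.1 dport=49156
2014-04-02T10:00:05 host=WS01 action=ALLOW src=10.0.0.5 dst=10.0.0.23 dport=445
2014-04-02T10:00:06 host=WS01 action=ALLOW src=10.0.0.5 dst=10.0.0.24 dport=445
2014-04-02T10:00:07 host=WS01 action=BLOCK src=192.168.1.20 dst=10.0.0.20 dport=3389
2014-04-02T10:00:08 host=WS01 action=ALLOW src=192.168.1.20 dst=10.0.0.20 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Parse the constructed format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


class ExcessiveAcceptsRule:
    """Fire once per source when ALLOW events reach `threshold` within `window`.

    `exceptions` is a list of CIDR strings; a source inside any of them is
    never counted, which is how the loopback false positive is suppressed.
    """

    def __init__(self, threshold, window, exceptions=()):
        self.threshold = threshold
        self.window = window
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]
        self._seen = defaultdict(deque)  # src -> timestamps inside the window
        self._fired = set()

    def is_excepted(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # hostnames and garbage are not excepted
        return any(addr in net for net in self.exceptions)

    def feed(self, ev):
        """Return True if this event makes the rule fire for its source."""
        if ev["action"] != "ALLOW" or self.is_excepted(ev["src"]):
            return False
        q = self._seen[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold and ev["src"] not in self._fired:
            self._fired.add(ev["src"])
            return True
        return False


def run_rule(text, threshold=5, window_seconds=60, exceptions=()):
    """Replay events through the rule and return the sources that fired, in order."""
    rule = ExcessiveAcceptsRule(threshold, timedelta(seconds=window_seconds), exceptions)
    return [ev["src"] for ev in parse_events(text) if rule.feed(ev)]


if __name__ == "__main__":
    print("no exceptions:", run_rule(SAMPLE_EVENTS))
    print("loopback excepted:", run_rule(SAMPLE_EVENTS, exceptions=["127.0.0.0/8", "::1/128"]))
```

Run without exceptions, both 127.0.0.1 and 10.0.0.5 fire; with the loopback networks on the exception list only 10.0.0.5 does, which is the effect Gene wants without touching the rule's threshold. The exception is a network match rather than a string compare so a single entry covers the whole 127.0.0.0/8 range and IPv6 loopback can be listed alongside it; in a real SIEM this filter step belongs in front of the counter, and its contents should be reviewed, since anything on the list is invisible to the rule.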