I would like to create exceptions to filter out false positives that fire for McAfee correlation rules. I see that I could edit the specific rule, but if I make changes to it I would need to save a new copy of that, then probably disable the McAfee version. That doesn't seem right to me - is there another way to add exceptions to correlation rules?
Example: Windows firewall allows itself to access objects (127.0.0.1). This can create a ton of "Excessive Firewall/ACL Connections Accepted From Single Host" correlations. The solution would be to filter out 127.0.0.1. How can I do this without needing to create a new copy of the correlation and disabling the McAfee version?
Any help would be appreciated!
By default you can only modify the parameters for a built-in correlation rule. If you want to fine-tune it, it's always recommended to copy the default rule and add your conditions whilst disabling the default rule.