1 Reply Latest reply on Sep 15, 2014 9:46 AM by alexander_h

    Correlation magic (aka - streamline operations via traffic pattern matches)

    rhinomike

      Hi there,

      I have a scenario that I frequently face and that I am trying to automate using correlation rules:

      The scenario is more or less like this:

      1. A system accesses a malicious URL, and the third-party IPS vendor product issues an alarm saying "this is really bad".

      2. I click on "look around 5 minutes, match via destination IP".

      3. I find a third-party proxy log showing whether the access was successful or not.

      Please note that I have no way of guaranteeing the IPS alert will reach the McAfee SIEM platforms before the events generated by the logs from the proxy; therefore I am looking to do a match around the time event 1 took place.

      Has anyone had success automating this type of correlation? How?

      Cheers

        • 1. Re: Correlation magic (aka - streamline operations via traffic pattern matches)
          alexander_h

          This is a great use case.

          Let me know what you have tried.

          Anyway, it should be something as simple as:

          1. Create the rule and put in the details/filters as appropriate.

          2. Within the "AND":

               - Specify "time window"

               - Leave the "sequence" check box unticked.

          That should be pretty much enough, but it would be best to test with some more generic events so you can ensure it's behaving as expected.

          There are other ways to do it, but they will be much more complicated.
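The matching logic the reply describes (same destination IP, inside a time window, no required event order) can be illustrated outside the SIEM. The following is an added example written for this thread, not code from either poster or from McAfee; the event records, field names and the 5-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (timestamp, source, fields).
# The first proxy record is deliberately earlier than the IPS alert it relates
# to, which is the ordering problem the original question raises.
EVENTS = [
    ("2014-09-15 09:40:10", "proxy", {"dst_ip": "203.0.113.7", "src_ip": "10.0.0.5", "status": "200"}),
    ("2014-09-15 09:41:02", "ips",   {"dst_ip": "203.0.113.7", "src_ip": "10.0.0.5", "signature": "malicious URL"}),
    ("2014-09-15 09:50:30", "proxy", {"dst_ip": "203.0.113.7", "src_ip": "10.0.0.5", "status": "403"}),
    ("2014-09-15 09:42:00", "proxy", {"dst_ip": "198.51.100.9", "src_ip": "10.0.0.8", "status": "200"}),
]

WINDOW = timedelta(minutes=5)  # assumed look-around window, as in the question


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW, key="dst_ip"):
    """Pair each IPS alert with proxy records sharing `key` within +/- window.

    The comparison uses the absolute time difference, so a proxy record that
    arrived before the alert still matches (equivalent to "sequence" unticked).
    """
    alerts = [(parse_ts(t), f) for t, src, f in events if src == "ips"]
    proxy = [(parse_ts(t), f) for t, src, f in events if src == "proxy"]
    results = []
    for a_ts, alert in alerts:
        matches = [
            {"ts": p_ts.isoformat(sep=" "), "status": p["status"]}
            for p_ts, p in proxy
            if p[key] == alert[key] and abs(p_ts - a_ts) <= window
        ]
        results.append({
            "alert_ts": a_ts.isoformat(sep=" "),
            key: alert[key],
            "signature": alert["signature"],
            "proxy_matches": matches,
            # An HTTP 2xx from the proxy means the request was allowed through.
            "reached_destination": any(m["status"].startswith("2") for m in matches),
        })
    return results


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Only the proxy record 52 seconds before the alert is paired; the 403 nine minutes later falls outside the window and the other destination never matches, so the alert is flagged as having reached its destination.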