I am just venturing a guess, but I suspect enrichment and correlation happen either in parallel or too close together and it is possible the correlated event has not yet been enriched.
Notice how you can't perform contains or regex on many fields in the ACE
I have also noticed that data is treated differently by the ACE than by the ESM and same search patterns can produce different results. ( at least that's what support has told me, they could elaborate on why)
Good luck let us know if you work this out.
I don't think that's the case because data enrichment happens on the receiver if I may quote Scott on this topic Data enrichment clarification - where the enrichment field is added and then, the ESM pulls them from the ERC. After that the ACE is using these events from the ESM to make correlations.
Right now a workaround is to increase the severity of the events that match the enrichment and that way I can make the risk correlation work but I'm still working on the main idea.
What are your severity weight settings (click the little scales icon at the top right of the policy editor dialogue).?
This can change the severity of events behind the scenes.
The weights influence only the final severity of the event, not the risk scoring afaik.
Right now they are 100% to rules, 0% for assets, vulnerability and tags.
But you are using severity in your risk scoring. 100% rules should mean no hidden manipulation. Do you have aggregation turned off for the rule?
Check out this blog post.
It's about the only piece I've seen that works through setting up a Risk rule. Note that it only talks about event counts and not Severity or Scores as such.
Aggregation is turned off for all authentication related rules because I did't know how that would influence the risk (I guess it would work the same, basically it would multiply the severity with the number of occurrences to obtain the risk value).
What do you mean by 100% rules = no hidden manipulation ?
Regarding that blog post, I came upon it a while ago and while it's working for that example it does not include the data enrichment unfortunately :-(
Aggregation can hide things from the ACE.
100% Rules means you do not have to dig through asset, tags, vulnerability settings to figure out what the severity value is going to be. What you see in the rule is what you get.
I'm not sure how enrichment plays with risk - the only link is the word 'score', but see below.
Note I don't have an ACE I can play with and it's been a couple of years since I tried this stuff.
This may help...from the ESMI 9.1.0 User Guide. There is a bit more in there as well, it's also in the 9.2 User Guide...look for the old ones on the McAfee web site.
220.127.116.11Risk Correlation Scoring
The Risk Correlation Scoring dialog allows you to add scoring conditional statements based on a
risk field that contains a certain value that then makes a defined score for a target risk field. Each
row in the grid is a single IF THEN conditional statement. These scoring conditions are global in
nature and can be overwritten by a Risk Correlation manager's fields and/or filters. Scoring is
updated every 10 minutes.
The Risk Correlation Scoring dialog allows you to add, edit, and remove scores as well as write the
scores to the device.
Add a Risk Correlation Score
To add a score to the Risk Correlation Score table, do the following:
1. Access the Risk Correlation Scoring dialog (ACE Properties > Risk Correlation Scoring).
2. Click on Add. The Add Risk Correlation Score dialog opens.
3. The Source Field drop-down list contains all the possible fields against which a value can be
compared. Select the desired field.
4. In the Value in field, select the type of value that will be compared.
5. In the Value field, select the comparing value. The options available in this field will vary
based on the type of value you selected in the Value in field. If you want to add values so
they can be selected in this field, refer to the following sections:
If you selected Static Value in the Value in field, type in the comparing value.
6. On the Target Field drop-down list, select the field that will receive the score if the
comparison is true.
7. In the Score fields, enter the minimum and maximum score that the target field will receive.
8. Click OK. The conditional statement will be added to the list of Risk Correlation scores.
9. Click on Write to write out all Risk Correlation scores to the device. You will be informed
when the process is complete.