44 Replies Latest reply on Dec 14, 2016 8:09 PM by hegemon76

    Correlation Rule not Firing

    hegemon76

      Hello,

       

      I have been attempting to create a correlation rule that would fire based on a watchlist for most of this week, with little success. The watchlist is populating correctly with the admins I want to monitor, but this rule never fires.

       

      (attachment: Correlation Rule.png)

       

      I have removed the time of day, the sub type, everything I can think of, to see if this is firing with the broadest parameters. It is not. I've rolled it out and made an alarm based on this rule's Signature ID. One of the admin accounts fires constantly (another issue entirely), so I should see data within half an hour.

       

      What am I doing wrong in either the correlation creation process, rolling out the rule or something totally unforeseen?

       

      The documentation available, again unless I'm mistaken, is not detailed regarding nuance. Furthermore, I have not been able to find anything within the community, but I'm still researching. If there is information I can provide to help, please feel free to let me know, as this is a time-sensitive matter.

       

      Thank you,

       

      Tim

        • 1. Re: Correlation Rule not Firing
          abanaru

          Do any correlation rules work on your SIEM?

          Also, don't forget to use a "Group By: Source User" inside your correlation rule.

          • 2. Re: Correlation Rule not Firing
            hegemon76

            Yes, correlation rules do fire.

             

            Some of the verbiage I've read is that inside the ACE component (we do not have this) the default is "disable", and after rolling it out it needs to be enabled for it to work.

             

            I've created a view just to see if the watchlist data populates, and I see the data I'm looking for.

             

            Thanks for the tip on Group By. Very frustrated this is not working yet.

            • 3. Re: Correlation Rule not Firing
              hegemon76

              I assume Group By as in the line directly above the Correlation Logic?

              • 4. Re: Correlation Rule not Firing
                abanaru

                Yes, that's the one.

                It's one of the most important factors in making correlation rules.

                • 5. Re: Correlation Rule not Firing
                  hegemon76

                  Yep, I actually got it working for the better part of last night.

                   

                  I ended up changing the format: (attachment: Correlation Rule Updated Format.png)

                   

                   

                  So clearly, right now I have no timeframe involved with this correlation rule. I did it in the broadest sense I could think of. I rolled it out to everything and applied the alarm to every device.

                   

                  What troubles me is a couple of things. Why is it that when I roll it out to, say, just the Windows servers and workstations, it doesn't work, when that's all these admins on the watchlist are logging into to generate the alert in the first place? Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices, etc.

                   

                  Regards,

                   

                  Tim

                  • 6. Re: Correlation Rule not Firing
                    sssyyy

                    Why is it that when I roll it out to, say, just the Windows servers and workstations, it doesn't work, when that's all these admins on the watchlist are logging into to generate the alert in the first place?

                    What's the error?

                     

                     

                    Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices, etc.

                    It will do all devices by default; you can explicitly include a device so the rule fires only on events that occurred on that particular device.

                     

                    There is a variable called working hours, but it's in GMT, so make sure you convert it into your time zone for working hours. You can add this into the top logical group.

                    • 7. Re: Correlation Rule not Firing
                      hegemon76

                      Hi,

                       

                      Yes I know that's the case regarding both the variable and GMT.

                       

                      The rule itself is for non-working hour logins (whether a success or failure) so inside the component I've been adding in "Time of Day" and then 1000 to 0500 hours.

                       

                      I'm more concerned with the issues I'm seeing in the rollout and the alarm in terms of having to deploy it to everything for it to work correctly.
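The detection the two posts above describe (logons, successful or failed, by accounts on an admin watchlist, outside working hours, with the time window converted from GMT to local time and the results grouped by source user) written out as plain detection logic over sample events. This is an added example, not McAfee ESM code and not anything the posters shared; the watchlist contents, the 19:00 to 05:00 non-working window, the America/New_York time zone and the sample events are all assumptions made for the illustration. The window deliberately wraps past midnight, which is the case a naive start <= t < end comparison gets wrong.

```python
from collections import Counter
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample events, not real logs. Timestamps are UTC, as a SIEM
# normally stores them; event_id 4624 = logon success, 4625 = logon failure.
SAMPLE_EVENTS = [
    {"ts": "2016-12-14T00:30:00Z", "user": "adm_alice", "host": "WS-101",   "event_id": 4624},
    {"ts": "2016-12-14T03:15:00Z", "user": "adm_bob",   "host": "SRV-DC01", "event_id": 4625},
    {"ts": "2016-12-14T14:00:00Z", "user": "adm_alice", "host": "SRV-DC01", "event_id": 4624},
    {"ts": "2016-12-14T04:50:00Z", "user": "jdoe",      "host": "WS-220",   "event_id": 4624},
    {"ts": "2016-12-14T09:59:00Z", "user": "adm_alice", "host": "WS-101",   "event_id": 4624},
    {"ts": "2016-12-14T10:00:00Z", "user": "adm_bob",   "host": "WS-101",   "event_id": 4624},
]

# Hypothetical watchlist of privileged accounts (stands in for the ESM watchlist).
ADMIN_WATCHLIST = {"adm_alice", "adm_bob"}

# Both success and failure count, matching the rule's stated intent.
LOGON_EVENT_IDS = {4624, 4625}

# Assumed local zone and non-working window (local time, [start, end), wraps midnight).
try:
    LOCAL_TZ = ZoneInfo("America/New_York")
except ZoneInfoNotFoundError:
    # No system tz database: fall back to a fixed EST offset, correct for the December sample.
    LOCAL_TZ = timezone(timedelta(hours=-5), "EST")
NON_WORKING_START = time(19, 0)
NON_WORKING_END = time(5, 0)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end). Handles a window that wraps past midnight,
    e.g. 19:00 to 05:00, which a plain start <= t < end comparison would reject."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def find_offhours_logins(events, watchlist, tz, start, end):
    """Return the logon events by watchlisted users whose *local* time of day
    falls inside the non-working window. The UTC-to-local conversion is the
    step the thread warns about (the ESM working-hours variable is in GMT)."""
    hits = []
    for ev in events:
        if ev["event_id"] not in LOGON_EVENT_IDS or ev["user"] not in watchlist:
            continue
        local = parse_utc(ev["ts"]).astimezone(tz)
        if in_window(local.time(), start, end):
            hits.append({**ev, "local_ts": local.isoformat()})
    return hits


def group_by_user(hits):
    """Equivalent of the rule's 'Group By: Source User': one count per account."""
    return dict(Counter(h["user"] for h in hits))


if __name__ == "__main__":
    hits = find_offhours_logins(SAMPLE_EVENTS, ADMIN_WATCHLIST, LOCAL_TZ,
                                NON_WORKING_START, NON_WORKING_END)
    for h in hits:
        print(f'{h["local_ts"]}  {h["user"]:<10} {h["host"]:<9} {h["event_id"]}')
    print(group_by_user(hits))
```

With the sample data three events are flagged: the 04:59 local logon is inside the window while the 05:00 local logon is not, because the window end is exclusive, and the 09:00 local logon and the non-watchlisted user are skipped. Grouping gives two hits for adm_alice and one for adm_bob, which is the per-user aggregation the Group By setting provides in the rule.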

                      • 8. Re: Correlation Rule not Firing
                        sssyyy

                        Yeah, you have to save everything whenever you make a change and roll out the policy to the ACE. That's mandatory.

                        • 9. Re: Correlation Rule not Firing
                          hegemon76

                          The client I'm working with doesn't have the ACE (device/appliance... component?). Would that affect anything and/or limit one's ability to implement correlation rules?
