1 Reply Latest reply on Sep 13, 2017 10:47 AM by franciscosotoq

    Correlation rule based on Signature ID 43-263046580

    fin@bws.dk

      Hi

       

      I'm new to SIEM/ESM and need some help.

      Please forgive me if it's a basic question.

       

      I want to create a rule that detects when signature id 43-263046580 / "the handle to an object was closed" happens more than 200 times within 60 sec.

       

      Best regards

      Finn

        • 1. Re: Correlation rule based on Signature ID 43-263046580
          franciscosotoq

          Hello,

           

          Don't know if you still need help on this one; actually, what you need is really simple, so here it is.

           

          1) Go to Policy Editor > Correlation (Or directly click the Correlation Button)

          2) Create a new rule

          3) Add a filter with the signature id you need as shown in the screenshot.

          [screenshot: CR_1.PNG]

           

          4) Now we have to add the logic. Click on Parameters; here we are going to create 2 parameters, one for Time Frame (Time Window) and another for Number of events (Threshold).

          [screenshot: CR_2.PNG]

           

          5) Make sure your logical element is using the parameters we just created; you want to keep the logical element if you want to add more conditions to the rule later.

          [screenshot: CR_3.PNG]

           

          6) Save the rule and go to Operations > Rollout so the policy is actually applied to your correlation engines.

           

          That should do the work, let me know if you need any assistance.

           

          Best regards,

           

          Francisco Soto

          Solutions Architect McAfee / Ingram Micro
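
The rule described in the reply is a classic "N matching events within T seconds" correlation: a filter on the signature ID, a time window, and a count threshold. As an added illustration (this is not McAfee ESM code and not part of the thread), the sliding-window logic below reproduces that behaviour in Python over constructed sample events, so you can see what the Time Window and Threshold parameters actually do. The event line format (`<ISO timestamp> sigid=<id> host=<host>`) and the function names are assumptions made for the example; ESM's own internal event representation differs. One design choice worth noting: after an alert fires, the window is cleared so a single burst produces one alert rather than one alert per event beyond the threshold, which is the behaviour you usually want from a correlation rule to avoid self-inflicted alert floods.

```python
from collections import deque
from datetime import datetime, timedelta

# Values from the original question: signature ID for
# "the handle to an object was closed", more than 200 events within 60 s.
SIGNATURE_ID = "43-263046580"
THRESHOLD = 200                 # alert when the count in the window EXCEEDS this
WINDOW = timedelta(seconds=60)  # the "Time Window" parameter


def parse_event(line):
    """Parse one constructed event line of the form
    '<ISO timestamp> sigid=<id> host=<host>' (format assumed for this example)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields


def correlate(lines, signature_id=SIGNATURE_ID, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window threshold correlation over chronologically ordered events.

    Returns a list of (timestamp, count) alerts. An alert fires when the number
    of events matching `signature_id` seen within the trailing `window` exceeds
    `threshold`; the window is then reset so one burst yields one alert.
    """
    window_events = deque()  # timestamps of matching events inside the window
    alerts = []
    for line in lines:
        ts, fields = parse_event(line)
        if fields.get("sigid") != signature_id:
            continue  # the rule's filter: ignore every other signature ID
        window_events.append(ts)
        # Drop events that have aged out of the trailing window.
        while window_events and ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) > threshold:
            alerts.append((ts, len(window_events)))
            window_events.clear()  # reset so the same burst does not re-fire
    return alerts


def sample_events():
    """Constructed test data (not real logs): one burst that should fire the rule,
    a slow trickle that should not, and unrelated signature IDs that must be ignored."""
    base = datetime(2017, 9, 13, 10, 0, 0)
    events = []
    # Burst: 201 matching events over 50 seconds -> exceeds 200 within 60 s.
    for i in range(201):
        ts = base + timedelta(milliseconds=250) * i
        events.append((ts, f"{ts.isoformat()} sigid={SIGNATURE_ID} host=srv01"))
    # Noise: 50 events with a different signature ID interleaved with the burst.
    for i in range(50):
        ts = base + timedelta(seconds=1) * i
        events.append((ts, f"{ts.isoformat()} sigid=43-263046579 host=srv01"))
    # Trickle: 100 matching events one second apart, ten minutes later -> never > 200.
    for i in range(100):
        ts = base + timedelta(minutes=10) + timedelta(seconds=1) * i
        events.append((ts, f"{ts.isoformat()} sigid={SIGNATURE_ID} host=srv02"))
    events.sort(key=lambda e: e[0])  # correlation assumes time-ordered input
    return [line for _, line in events]


if __name__ == "__main__":
    for ts, count in correlate(sample_events()):
        print(f"ALERT {ts.isoformat()}: {count} x {SIGNATURE_ID} within {WINDOW}")
```

Running the block prints a single alert for the burst (201 matching events within 50 seconds) and nothing for the trickle or the unrelated signature ID. When tuning the real ESM rule, the same two knobs matter: a threshold of 200 with a 60-second window is a very high rate for a single host, so check a baseline of 4658-style handle-close events from your busiest servers before rolling the rule out, or you will either never fire or fire constantly.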