securitysavy

Correlation rules broken related to device groups and variables

Discussion created by securitysavy on Jul 8, 2013

I have several custom correlation rules that have worked for months and they broke - presumably after the last ESU I did in February.

 

Old logic is shown here. Notice that I use a Device Group, not a Device Class. The view containing this rule no longer will start.

 

If I edit this rule, when I get to the Filter section I am no longer able to choose individual variables. I can only choose [CONTENT]. This is a clear change since the current (unmodified) rule shows I was previously able to select individual variables (like username and saddr).

 

There have been no changes to the rule. The Device Group contains multiple device types, but this rule clearly says to only look at UNIX Solaris.


I tested this rule using a current ESU on our test instance that mimics this rule's design (incl. device group and some specific device type for event IDs), and it doesn't work anymore.

 

Any ideas why this would stop working? It's as if RSA made a change that broke this. That isn't very acceptable. It's ruined the ability to use rules against only the devices we care about. The only fix seems to be using a Device Type, which will have lots of other devices we don't want to trigger this alert for.

Consider every event in the Event Selection

Cache Set
  Name        Associate With Variable
  username2   username

Device Set
  Device Group Name   Operator
  Unix Production

Event Set
  Event Type / Device Type   Comparison   Value/Mask   Operator
  Event ID / UNIX Solaris    IN           000236
                                          000238
                                          000245
                                          000248

Filter Set
  Variable   Comparison   Value / Cache Value   Case    Operator
  username   NOT IN       username1             false   And
  saddr      NOT IN       10.1.1.129

Outcomes