Co-dependent realtime rules in ESM firing in wrong order
I have around 10 aggregation/correlation rules that state track and follow a sequence of events that come in from a device, and the correlation rules appear to be firing in a random order. This is causing rules that depend on each other (filling in active lists and session lists for state tracking) to not populate the lists before another rule attempts to extract list values through variables.
I'm attempting to write rules that detect e-mail phishing attacks based on our Cisco IronPort logs. The source IP the e-mail comes from is only in a single event, a "New SMTP ICID" event - this has a unique ID (ICID) and the source IP. The ICID is in all the subsequent events, but the source IP is not. So I add the ICID and Source IP into a session list.
So what I end up seeing is the events roll into ArcSight, and I see all the base events show up. Then I see the correlated events show up in the wrong order, which jacks up the list management. Is there a way to get the rules to fire in the correct order?
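The dependency described in the question, modelled as an added Python example (not ArcSight rule code and not from the original post): the session list is only populated by the "New SMTP ICID" event, so a dependent rule that fires first gets no source IP. The buffered version holds those events until the ICID entry exists and reports any ICID still waiting. Event fields, values and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed events modelled on the IronPort sequence described in the question
# (not real log data). Only the "New SMTP ICID" event carries the source IP; the
# later events carry just the ICID, so they depend on the session list entry.
EVENTS_IN_ORDER = [
    {"type": "New SMTP ICID", "icid": "41001", "src_ip": "203.0.113.5"},
    {"type": "Message Subject", "icid": "41001", "mid": "9001", "subject": "Invoice overdue"},
    {"type": "Recipient", "icid": "41001", "mid": "9001", "rcpt": "user@example.test"},
]
# The same stream after the ordering problem: dependent events arrive first.
EVENTS_OUT_OF_ORDER = EVENTS_IN_ORDER[1:] + EVENTS_IN_ORDER[:1]


def enrich(event, session_list):
    """Model of a rule that pulls the source IP out of the session list by ICID."""
    return {**event, "src_ip": session_list.get(event["icid"])}


def correlate_naive(events):
    """Each rule fires as its event arrives; a missing list entry yields src_ip=None."""
    session_list, out = {}, []
    for ev in events:
        if ev["type"] == "New SMTP ICID":
            session_list[ev["icid"]] = ev["src_ip"]
        else:
            out.append(enrich(ev, session_list))
    return out


def correlate_buffered(events):
    """Hold dependent events until the ICID entry exists, then release them.

    Returns (correlated events, ICIDs still waiting) so an unmatched ICID is
    visible instead of silently producing an alert with no source IP."""
    session_list, pending, out = {}, defaultdict(list), []
    for ev in events:
        if ev["type"] == "New SMTP ICID":
            session_list[ev["icid"]] = ev["src_ip"]
            for waiting in pending.pop(ev["icid"], []):
                out.append(enrich(waiting, session_list))
        elif ev["icid"] in session_list:
            out.append(enrich(ev, session_list))
        else:
            pending[ev["icid"]].append(ev)
    return out, sorted(pending)
```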
You could use the generator URI to make sure they are firing in the correct order. Used this before at an MSSP.
Tier 1 - Identified bad
Tier 2 - Who was it bad for