I have seen a spike in multiple vector attack source offenses in my deployment since adding in logs from our Symantec host-based firewall that runs on all of our workstations. We decided to collect the logs from these so that we could see the IPS events, but so far all it has done is flag numerous multiple vector offenses a day for firewall allows coming from the Symantec firewall.
Is there a good way to work on tuning these down? Or does anyone have any advice on what they have done to tune out false positives for multiple vector offenses in general?

Posted by Greg Mathes
Re: Greg, which particular rule (2012-11-27T18:07:12Z, accepted answer)

Greg, which particular rule in QRadar is firing?
There are a number of ways you can tune this out depending on how much you are comfortable with. If you are not concerned about the firewall allows at all, you could simply add "and NOT when QID matches FW allow" to the rule that is triggering.
Posted By scott.vanwart
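Before excluding the allow events from the rule as suggested above, it helps to confirm exactly which QIDs and low-level categories the Symantec firewall log source is producing, so that the "NOT when QID matches" test excludes only the allows and not the IPS detections. The AQL search below is an added example, not from the thread or from IBM; the log source name 'Symantec Endpoint Protection' is an assumed placeholder to replace with the name of the Symantec firewall log source in your own deployment.

```sql
-- QRadar AQL (Log Activity > Advanced Search), not standard SQL.
-- Counts events per QID and low-level category from the Symantec log
-- source over the last day, so the noisy "allow" QIDs can be identified
-- and the IPS block/detect QIDs kept in the multiple vector rule.
-- 'Symantec Endpoint Protection' is an assumed placeholder log source name.
SELECT
  QIDNAME(qid)            AS event_name,
  CATEGORYNAME(category)  AS low_level_category,
  COUNT(*)                AS event_count
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'Symantec Endpoint Protection'
GROUP BY qid, category
LAST 24 HOURS
```

Rows whose event name or category is a permit/allow are candidates for the QID exclusion in the rule; rows for IPS signatures should stay in scope, and re-running the search after the rule change verifies the offense volume dropped for the right reason.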