Wow, after the FP rule hit, there should have been no other rules as you know. For the flow to not have the offense flag but be part of the rule that triggered the offense is very strange.
I think you are going to have to go to support with this one. Please keep us posted.
------------------------------
Frank Eargle
Senior Information Security Architect
GlassHouse Systems
Columbia SC
------------------------------
Original Message:
Sent: Fri May 08, 2026 10:49 AM
From: Dusan VIDOVIC
Subject: Flow correlation exclusions not working as expected
Hi Frank.
It's actually that I expected that they would not end up in an offense :)
When I pull these flows from the offense I see them tagged with some of the BBs I used on the false positive rule (to bypass correlation), and I also see the final one actually tagged with the false positive rule (!). If I run a search against these with a test from the false positive rule, the list empties out (as I would generally expect). Interestingly also, accessing these flows from the offense and looking at the list, none have that "part of offense" icon in the leftmost column (though the CRE event the rule triggers has it).
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Fri May 08, 2026 08:42 AM
From: Frank Eargle
Subject: Flow correlation exclusions not working as expected
Hey Dusan,
If you search for rule hits, do the records show up then, but only as EP events, so the raw flow does not show up? If so, yes, I have seen this with event and flows, they match the rule and then disappear. Sometimes searching on the rule will allow you to find them, but it is not very consistent.
------------------------------
Frank Eargle
Senior Information Security Architect
GlassHouse Systems
Columbia SC
Original Message:
Sent: Thu May 07, 2026 12:31 PM
From: Dusan VIDOVIC
Subject: Flow correlation exclusions not working as expected
Recently I did some tuning around a "Large outbound transfer..." flow rule. For false positive avoidance, I created a rule that does "bypass correlation": it targets the original rule, uses a BB with a list of destination ports I want to avoid, references several local source networks and also references some trusted remote networks. However, I keep getting the offenses which I believe should not appear. Interestingly, when I bring up the resulting set of flows from the offense and run a search to exclude some records using the tests/criteria in the exclusion rule, the list of flow records clears out (suggesting the rule should have behaved the same as the search).
Has anyone noticed something similar?
(BTW, it's on 7.5.0UP14IF05)
------------------------------
Dusan VIDOVIC
------------------------------