Does anyone have experience with creating custom wmi parsing rules in the McAfee/Nitro ESM?
I have a McAfee ESM, and I am trying to create a custom wmi parsing rule. There is a "learned" event that I am seeing from Windows data sources...by "learned" I mean it wasn't one of the ESM's rules as defined by Mcafee. This particular event has a field that distinguishes failure from success, but the ESM thinks they are the same event since they have the same windows event ID. I want to craete an alarm on this event, but only in the case of failure, so I am trying to create a custom parsing rule to pull out these details. I have no experience with this so I'm honestly pretty lost. If anyone has some experience creating wmi parsing rules and could share how they did it or some examples, that would be fantastic.