pfabrizi
Level 9

ePolicy Orchestrator Correlations

I am trying to create a correlation rule with the following configuration:

Device = ePolicy Orchestrator - ePolicy Orchestrator_VirusScan (ePO)

AND   Threat_Category = av.detect,av.pup

AND   Threat_Name [does not begin] JS/

I added this - threat_name not in (/^JS/)  

When I deployed the rule, the only option I had was to go to ePO itself, not the individual device, and when I went to ePO in ESM to enable it, there was only a log parser in the policy editor but nothing for correlation rules.

Questions:

Will the regex for the threat_name work?

Is there a way to apply the correlation rule to ePolicy Orchestrator?

Thank You!

0 Kudos