
SIEM Foundations: Basic Correlation Rule Tuning in ESM 10x

Many correlation rules include embedded parameters that the end user can customize to tune how the rule operates. To edit the parameters of a correlation rule, locate the rule in the Policy Editor, then select Edit and Modify Parameters.

For example, one common set of rules to tune is those whose names start with "Policy - Off-hours Events…". These correlation rules identify anomalous activity outside standard working times, and they rely on parameters that define what the working hours are.

Consider modifying the time parameter ("WorkingHours") in each of these rules to match your environment.

Note that the WorkingHours parameters are defined in the GMT time zone; you must convert your local working hours to GMT for these values to be effective. The default values for the WorkingHours parameters are 12:30 – 22:00, which is equivalent to 7:30 – 17:00 in the US Eastern Standard Time zone.
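The conversion the article asks for, worked through as an added example (not ESM code or a McAfee-provided tool): `local_window_to_gmt` and `is_off_hours` are hypothetical helper names, the UTC offsets are passed in explicitly, and the example goes beyond the single US Eastern case above by handling a window that wraps past midnight in GMT and by showing that a fixed GMT window drifts by an hour when the local site moves between standard and daylight time.

```python
from datetime import time, timedelta


def local_window_to_gmt(start_local: time, end_local: time, utc_offset_hours: float):
    """Convert a local working-hours window into the GMT values that the
    WorkingHours parameter expects. Returns (start_gmt, end_gmt).
    The GMT window may wrap past midnight for sites east of GMT."""
    offset = timedelta(hours=utc_offset_hours)

    def shift(t: time) -> time:
        # local = GMT + offset, so GMT = local - offset; wrap into one day
        total = timedelta(hours=t.hour, minutes=t.minute) - offset
        minutes = int(total.total_seconds() // 60) % (24 * 60)
        return time(minutes // 60, minutes % 60)

    return shift(start_local), shift(end_local)


def is_off_hours(event_gmt: time, window) -> bool:
    """True when an event's GMT time falls outside the working-hours window.
    Handles both a same-day window (12:30-22:00) and one that wraps
    midnight (22:00-07:00), which a naive start <= t < end check gets wrong."""
    start, end = window
    if start <= end:
        inside = start <= event_gmt < end
    else:
        inside = event_gmt >= start or event_gmt < end
    return not inside


def fmt(window) -> str:
    return "{:%H:%M} - {:%H:%M}".format(*window)


if __name__ == "__main__":
    # US Eastern Standard Time (UTC-5) reproduces the article's default values
    est = local_window_to_gmt(time(7, 30), time(17, 0), -5)
    print("EST  07:30-17:00 ->", fmt(est))      # 12:30 - 22:00
    # The same office on daylight time (UTC-4) needs a different GMT window
    edt = local_window_to_gmt(time(7, 30), time(17, 0), -4)
    print("EDT  07:30-17:00 ->", fmt(edt))      # 11:30 - 21:00
    # A UTC+11 site (constructed example) wraps past midnight in GMT
    syd = local_window_to_gmt(time(9, 0), time(18, 0), 11)
    print("UTC+11 09:00-18:00 ->", fmt(syd))    # 22:00 - 07:00
    print("03:00 GMT off-hours for UTC+11 site?", is_off_hours(time(3, 0), syd))
```

If the rule is left at the GMT default while the site observes daylight time, the first working hour of each day is reported as off-hours, so the parameter needs re-tuning at each clock change.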

Version history
Revision #:
1 of 1
Last update:
‎10-31-2017 01:16 PM
