
Configuring filters for alarms

I'm using Application and Change Control via ePO and I'm looking to create an alarm within ESM that's triggered when changes occur to certain file types. Events are being brought into ESM that populate Destination_Filename and I've created an alarm that uses Field Match with the following filter

(attached image: alarm.png)

The alarm triggers for a variety of file types as well as those that contain the above yet not for all file types. Am I doing something wrong with this filter? Is there a better way?

Thanks in advance

2 Replies

Re: Configuring filters for alarms

You could write the rule like I have in this figure. Personally I like to create a correlation rule first then create an Alarm off of the Correlation rule... It's easier.

(attached image: Alarm_filter.png)

Re: Configuring filters for alarms

Thanks for your advice. I'll give that a go and report back

Edit...

I have created a correlation rule that filters against all the Sig IDs that are applicable but I have a problem with File_Type. Looking at the packet info for a particular event shows nothing that maps to that variable. Best I can come up with is TargetFileName that maps to Destination_Filename. And this leads to another puzzle. When I filter against a view using, say, contains(jpg) in the Destination_Filename field, I see filtered results. When I use the same kind of filter in an alarm I don't get the same results.

File_type would be very handy but how would I get that custom type populated?
