I'm using Application and Change Control via ePO and I'm looking to create an alarm within ESM that's triggered when changes occur to certain file types. Events are being brought into ESM that populate Destination_Filename and I've created an alarm that uses Field Match with the following filter
The alarm triggers for a variety of file types as well as those that contain the above yet not for all file types. Am I doing something wrong with this filter? Is there a better way?
Thanks in advance
You could write the rule like I have in this figure. Personally I like to create a correlation rule first and then create an Alarm off of the Correlation rule... It's easier.
Thanks for your advice. I'll give that a go and report back
I have created a correlation rule that filters against all the Sig IDs that are applicable, but I have a problem with File_Type. Looking at the packet info for a particular event shows nothing that maps to that variable. The best I can come up with is TargetFileName, which maps to Destination_Filename. And this leads to another puzzle. When I filter against a view using, say, contains(jpg) in the Destination_Filename field, I see filtered results. When I use the same kind of filter in an alarm I don't get the same results.
File_type would be very handy but how would I get that custom type populated?