
Correlation event that doesn't have specific field

Hi everyone,

I'm trying to troubleshoot a correlation and came up with this question: if a correlation is looking for a specific field to not contain some values, but one event doesn't even have the field, would the ACE trigger the correlation, or would it discard the event because it doesn't have the field?

Does someone know what would happen?

Thanks


Accepted Solution
Reliable Contributor David1111

Re: Correlation event that doesn't have specific field

Hi ppineda,

It depends:

If your rule is "Field X - in - X" and there's no such field, it won't trigger.

If your rule is "Field X - not in - X" and there's no such field, it could be that it will trigger; I'm not sure.

Anyway, if you wish to trigger an alarm when field X doesn't exist, try inserting this syntax: "Field X - in - {Unavailable} 0" or "{Unavailable}".

Best Regards👍👍👍

David.

Re: Correlation event that doesn't have specific field

Thanks, I'll try the {Unavailable} part.

I made some tests, and from the results I got I'm pretty confident that it needs to have the field; otherwise it would not be taken into account.
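The three behaviours discussed in this thread (an "in" condition that cannot match a missing field, a "not in" condition whose treatment of a missing field depends on the engine, and an explicit "{Unavailable}" clause that matches only missing fields) can be modelled in a few lines. The following is an added example, not McAfee code and not a statement of how the ACE actually evaluates rules; the event records, the `missing` policy switch and the function names are constructed for illustration. It shows why a detection engineer who wants "field absent" to raise an alarm should say so explicitly rather than rely on the negation.

```python
# Constructed rule evaluator illustrating how a correlation condition may treat an
# event that lacks the field it tests. Added example; not McAfee/ESM code and not a
# description of the real ACE matching semantics.

UNAVAILABLE = "{Unavailable}"  # sentinel meaning "the field is missing from the event"

# Constructed sample events (not taken from the thread). Event 3 has no src_user.
EVENTS = [
    {"id": 1, "src_user": "alice", "dst_port": 443},
    {"id": 2, "src_user": "svc_backup", "dst_port": 22},
    {"id": 3, "dst_port": 22},
]


def eval_condition(event, field, op, values, missing="skip"):
    """Return True if `event` satisfies the condition `field op values`.

    missing controls how an event WITHOUT `field` is handled for "not in":
      "skip"  -> it never matches (the event is discarded, as ppineda observed)
      "match" -> the naive negation: "value is not in the set", so it matches
    Regardless of `missing`, an "in" condition whose value set contains
    UNAVAILABLE matches an event that lacks the field (the explicit form).
    """
    if field not in event:
        if op == "in":
            return UNAVAILABLE in values
        if op == "not in":
            return missing == "match"
        raise ValueError(f"unknown operator: {op}")
    value = event[field]
    if op == "in":
        return value in values
    if op == "not in":
        return value not in values
    raise ValueError(f"unknown operator: {op}")


def matching_ids(field, op, values, missing="skip"):
    """IDs of sample events that satisfy the condition, in input order."""
    return [e["id"] for e in EVENTS if eval_condition(e, field, op, values, missing)]


def not_in_or_missing(field, values):
    """The robust form of 'alert when field is absent or holds a disallowed value':
    an explicit OR of the negated condition and an {Unavailable} match, so the
    result does not depend on how the engine treats missing fields."""
    return [
        e["id"]
        for e in EVENTS
        if eval_condition(e, field, "not in", values, missing="skip")
        or eval_condition(e, field, "in", {UNAVAILABLE})
    ]


if __name__ == "__main__":
    allowed = {"alice"}
    print("in  allowed           :", matching_ids("src_user", "in", allowed))
    print("not in allowed (skip) :", matching_ids("src_user", "not in", allowed))
    print("not in allowed (match):", matching_ids("src_user", "not in", allowed, "match"))
    print("in {Unavailable}      :", matching_ids("src_user", "in", {UNAVAILABLE}))
    print("not in OR missing     :", not_in_or_missing("src_user", allowed))
```

Run it and compare the "not in" lines: under the "skip" policy event 3 is silently dropped, under "match" it fires, and only the explicit `{Unavailable}` clause (or the OR in `not_in_or_missing`) gives the same answer under both policies.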
