Correlation event that doesn't have specific field

Hi everyone,

I'm trying to troubleshoot a correlation and came up with this question: if a correlation is looking for a specific field to not contain some values, but an event doesn't even have the field, would the ACE trigger the correlation, or would it discard the event because it doesn't have the field?

If someone knows what would happen.

Thanks

Accepted Solutions
Reliable Contributor David1111
Re: Correlation event that doesn't have specific field

Hi ppineda.

It depends:

If your rule is - Field X - in - X, then if there's no such field it won't trigger.

If your rule is - Field X - not in - X, then if there's no such field, it could be that it will trigger; I'm not sure.

Anyway, if you wish to trigger an alarm when field X doesn't exist,

try inserting this syntax - Field X - in - {Unavailable} 0 or {Unavailable}

Best Regards👍👍👍

David.

Re: Correlation event that doesn't have specific field

Thanks, I'll try the part of unavailable.

Made some tests, and from the results that I got, I'm pretty confident that it needs to have the field; otherwise it would not be taken into account.
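
An added sketch, not part of the thread and not McAfee ESM/ACE code: a toy filter evaluator that models both possible treatments of a missing field, lists the events whose verdict depends on that choice, and shows that pairing the "not in" test with an explicit `{Unavailable}` check gives the same result either way. The field name `src_user`, the allow-list and the sample events are constructed, and the `{Unavailable}` sentinel is modelled as described in the reply above.

```python
# Toy model of a filter component; NOT McAfee ESM/ACE code.
UNAVAILABLE = "{Unavailable}"  # sentinel spelling taken from the reply above

def matches(event, field, op, values, absent_passes_not_in=False):
    """Evaluate `field <op> values` against one event (a dict).

    absent_passes_not_in models the open question in the thread:
      False: an event lacking the field never matches 'not in'
      True:  'not in' is vacuously true when the field is absent
    """
    value = event.get(field)
    absent = value is None or value == ""
    if op == "in":
        return (UNAVAILABLE in values) if absent else (value in values)
    if op == "not in":
        if absent:
            return absent_passes_not_in and UNAVAILABLE not in values
        return value not in values
    raise ValueError(f"unsupported operator: {op}")

def ambiguous_events(events, field, op, values):
    """Events whose verdict depends on how the engine treats a missing field."""
    return [e for e in events
            if matches(e, field, op, values, False)
            != matches(e, field, op, values, True)]

def fires(event, field, allowed):
    """'not in allowed' OR 'in {Unavailable}': same verdict under both models."""
    return (matches(event, field, "not in", allowed)
            or matches(event, field, "in", {UNAVAILABLE}))

# Constructed sample events (not real log data).
EVENTS = [
    {"id": 1, "src_user": "svc_backup"},   # allow-listed
    {"id": 2, "src_user": "jdoe"},         # not allow-listed
    {"id": 3},                             # field missing entirely
]
ALLOWED = {"svc_backup", "svc_monitor"}    # hypothetical allow-list

if __name__ == "__main__":
    gap = ambiguous_events(EVENTS, "src_user", "not in", ALLOWED)
    print("verdict depends on engine:", [e["id"] for e in gap])
    print("explicit rule fires on:",
          [e["id"] for e in EVENTS if fires(e, "src_user", ALLOWED)])
```

Replaying a handful of known events, including one without the field, through the real rule is the equivalent check on the actual engine.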
