Today I was trying to create a correlation rule to notify me about multiple/recurring virus detections on a single machine.
My data source is the ePO server integrated as a regular DS instead of an Integrated Device.
I've created a correlation as follows:
I've tried various combinations, including normalized rule and ID, but no luck.
I've tried with and without grouping, but no luck.
P.S.: I'm running 9.6 MR5 Combo Device.
Thank you in advance,
Have you saved and rolled out? Maybe check first in events to make sure the signature IDs do trigger five times in 30 minutes?
Well, I've tried that, as it's a common problem. I've tested further, and the correlation doesn't work only for short signatures like:
However, it works normally with the normal full-length signature like:
I did an additional test, and it seems that the alarms will be triggered based on both types of signatures, but the correlation would not
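For anyone reading along who wants to see what a "five detections on one host within 30 minutes" rule is actually doing, here is a small illustration of the sliding-window threshold logic. This is an added example, not something from the thread and not the ESM correlation engine or its rule syntax; the host names, timestamps and signature names are constructed, and the `correlate()` / `parse_events()` function names are mine. It also shows the point the grouping question in the thread touches on: the same events reach the threshold when keyed by host alone, but not when keyed by host plus signature name.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample detection records in the spirit of ePO virus events:
# (host, detection time, signature name). These are NOT real ePO output.
SAMPLE_EVENTS = [
    ("WS-001", "2019-05-01 09:00:00", "Generic.dx"),          # 5 hits in 25 min,
    ("WS-001", "2019-05-01 09:05:00", "W32/Conficker.worm"),  # mixed signatures
    ("WS-001", "2019-05-01 09:10:00", "Generic.dx"),
    ("WS-001", "2019-05-01 09:20:00", "W32/Conficker.worm"),
    ("WS-001", "2019-05-01 09:25:00", "Generic.dx"),
    ("WS-002", "2019-05-01 08:00:00", "Generic.dx"),          # 5 hits, one per hour
    ("WS-002", "2019-05-01 09:00:00", "Generic.dx"),
    ("WS-002", "2019-05-01 10:00:00", "Generic.dx"),
    ("WS-002", "2019-05-01 11:00:00", "Generic.dx"),
    ("WS-002", "2019-05-01 12:00:00", "Generic.dx"),
    ("WS-003", "2019-05-01 10:00:00", "Generic.dx"),          # only 4 in window,
    ("WS-003", "2019-05-01 10:05:00", "Generic.dx"),          # 5th arrives too late
    ("WS-003", "2019-05-01 10:10:00", "Generic.dx"),
    ("WS-003", "2019-05-01 10:15:00", "Generic.dx"),
    ("WS-003", "2019-05-01 11:30:00", "Generic.dx"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for windowing."""
    return [
        {"host": host, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "signature": sig}
        for host, ts, sig in rows
    ]


def correlate(events, threshold=5, window_minutes=30, key=lambda e: e["host"]):
    """Sliding-window threshold correlation.

    For every grouping key, keep the timestamps of events seen in the last
    `window_minutes`. When the count reaches `threshold`, emit an alert
    (key, time of the triggering event, count) and reset that key's window
    so a later burst can fire again.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        k = key(ev)
        q = windows[k]
        q.append(ev["time"])
        cutoff = ev["time"] - timedelta(minutes=window_minutes)
        # Drop events strictly older than the window; one exactly 30 min old still counts.
        while q and q[0] < cutoff:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((k, ev["time"], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("grouped by host:", correlate(events))
    print("grouped by host+signature:",
          correlate(events, key=lambda e: (e["host"], e["signature"])))
```

Grouped by host only, WS-001 trips the rule at 09:25 with a count of 5, while WS-002 (spread over hours) and WS-003 (four in the window, fifth too late) stay quiet. Grouped by host and signature, nothing fires at all, because WS-001's five hits are split 3/2 across two signature names. That is the first thing worth checking when a threshold rule silently never triggers: whether the grouping field is splitting the events you expected to be counted together.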