cancel
Showing results for 
Search instead for 
Did you mean: 

Correlation not Triggering for ePO malware events

Hi Everyone,

Today i was trying to create a correlation rule to notify me about multiple/reoccurring Virus detection on single machine.

My Datasource is ePO server integrated as regular DS instead of Integrated device.

I've created a correlation as follows:

I've tried various combinations including normalized rule and ID but no luck.

I've tried with and without grouping however no luck.

P.S: i'm running 9.6 MR5 Combo Device

Thank you in advance,

Alex

2 Replies
Reliable Contributor sssyyy
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: Correlation not Triggering for ePO malware events

have you saved and rolled out? Maybe check first in events to make sure the signature IDs do trigger five times in 30 mins?

Highlighted

Re: Correlation not Triggering for ePO malware events

Hi sssyyy,

Well i've tried that as it's a common problem . I've tested further and the correlation doesn't work only for short signatures like:

357-1278

367-1278

However it works normally with the normal full length signature like:

466-2187532925

I did additional test and it seems that the alarms will be triggered based on both type of signatures but the correlation would not

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community