Today I was trying to create a correlation rule to notify me about multiple/recurring virus detections on a single machine.
My data source is an ePO server integrated as a regular DS instead of an integrated device.
I've created a correlation as follows:
I've tried various combinations, including normalized rule and ID, but no luck.
I've tried with and without grouping; however, no luck.
P.S.: I'm running a 9.6 MR5 Combo device.
Thank you in advance,
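To make concrete what a rule like the one described above has to do, here is an added example (my own code, not part of the post and not McAfee ESM rule syntax): a sliding-window correlation over constructed antivirus detection events that fires when a configurable number of detections land on the same host within a time window. The event tuples, host names and detection names are constructed for the demo; the grouping key is the hostname only, so the form of the detection name string plays no part in whether the rule fires.

```python
"""Sliding-window correlation: N virus detections on one host within T seconds.
Added illustration; not ESM rule logic and not real ePO output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped loosely like normalized AV detection events:
# (hostname, timestamp, detection name). Hosts and names are invented.
SAMPLE_EVENTS = [
    ("WS-01", "2024-05-01 09:00:05", "EICAR test file"),
    ("WS-01", "2024-05-01 09:01:10", "EICAR test file"),
    ("WS-02", "2024-05-01 09:01:30", "Generic.dx!abc"),
    ("WS-01", "2024-05-01 09:03:40", "Generic.dx!abc"),
    ("WS-02", "2024-05-01 09:40:00", "Generic.dx!abc"),
    ("WS-03", "2024-05-01 10:00:00", "EICAR"),
    ("WS-03", "2024-05-01 10:00:30", "EICAR"),
    ("WS-03", "2024-05-01 10:00:45", "EICAR"),
]


def parse_ts(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per host each time `threshold` detections fall within `window`.

    Events are processed in timestamp order. Each host keeps a deque of recent
    detections; entries older than `window` relative to the newest event are
    dropped before the count is checked. After an alert the host's buffer is
    cleared so a single burst does not re-fire on every following event.
    """
    per_host = defaultdict(deque)
    alerts = []
    for host, ts, sig in sorted(events, key=lambda e: parse_ts(e[1])):
        now = parse_ts(ts)
        recent = per_host[host]
        recent.append((now, sig))
        # Slide the window: discard detections older than `window`
        while recent and now - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "host": host,
                "count": len(recent),
                "first": recent[0][0].isoformat(sep=" "),
                "last": now.isoformat(sep=" "),
                "signatures": sorted({s for _, s in recent}),
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data and the default settings (3 detections in 10 minutes) this raises two alerts, one for WS-01 (three detections with two different names) and one for WS-03; WS-02 never reaches the threshold because its two detections are 38 minutes apart. Tightening the window to one minute leaves only the WS-03 burst, which is the kind of check worth running against a new rule before trusting it in production.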
Well, I've tried that, as it's a common problem. I've tested further, and the correlation doesn't work only for short signatures like:
However, it works normally with the normal full-length signature like:
I did an additional test, and it seems that the alarms will be triggered based on both types of signatures, but the correlation would not