alexander_h

Correlation not Triggering for ePO malware events

Hi Everyone,

Today I was trying to create a correlation rule to notify me about multiple/recurring virus detections on a single machine.

My data source is the ePO server integrated as a regular DS instead of an Integrated Device.

I've created a correlation as follows:

I've tried various combinations including normalized rule and ID but no luck.

I've tried with and without grouping however no luck.

P.S.: I'm running a 9.6 MR5 Combo Device.

Thank you in advance,

Alex

sssyyy

Re: Correlation not Triggering for ePO malware events

Have you saved and rolled out? Maybe check first in events to make sure the signature IDs do trigger five times in 30 mins?

alexander_h

Re: Correlation not Triggering for ePO malware events

Hi sssyyy,

Well, I've tried that, as it's a common problem. I've tested further and the correlation fails only for short signatures like:

357-1278

367-1278

However, it works normally with a normal full-length signature like:

466-2187532925

I did an additional test, and it seems that alarms will be triggered for both types of signatures, but the correlation will not.
