cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
cristianradu
cristianradu
Level 8
Report Inappropriate Content
Message 1 of 3
‎09-04-2018 01:50 AM

Correlation rule not triggering

I have created a dashboard with the query source: source user and with the following filters: 

normalized ID = Login

Subtype ID = success

Destination IP = watchlist with IPs

The dashboard is working. But when I create a rule with the same filter it is not triggering. The rules has the following filters:

Normalization Rule (in) Login

Event Subtype (in) success

Destination IPs (in) same watchlist 

 

How can I troubleshoot the rule? What am I doing wrong? 

0 Kudos
Reply
2 Replies
akerr
Reliable Contributor akerr
Reliable Contributor
Report Inappropriate Content
Message 2 of 3
‎09-05-2018 04:20 PM

Re: Correlation rule not triggering

have you rolled out policy after making the change?

Is the correlation rule enabled at the correct policy level?

0 Kudos
Reply
cristianradu
cristianradu
Level 8
Report Inappropriate Content
Message 3 of 3
‎09-06-2018 12:06 AM

Re: Correlation rule not triggering

Yes, I have rolled out the policy. The correlation rule is enabled at the correlation engine under the Local Receiver-ELM. I have a combo box.

I have attached some photos.

policy + rule

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC