I have created a dashboard with the query source: source user and with the following filters:
normalized ID = Login
Subtype ID = success
Destination IP = watchlist with IPs
The dashboard is working. But when I create a rule with the same filter it is not triggering. The rules has the following filters:
Normalization Rule (in) Login
Event Subtype (in) success
Destination IPs (in) same watchlist
How can I troubleshoot the rule? What am I doing wrong?
have you rolled out policy after making the change?
Is the correlation rule enabled at the correct policy level?
Yes, I have rolled out the policy. The correlation rule is enabled at the correlation engine under the Local Receiver-ELM. I have a combo box.
I have attached some photos.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA