cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
cristianradu
cristianradu
Level 8
Report Inappropriate Content
Message 1 of 3
‎09-04-2018 01:50 AM

Correlation rule not triggering

I have created a dashboard with the query source: source user and with the following filters: 

normalized ID = Login

Subtype ID = success

Destination IP = watchlist with IPs

The dashboard is working. But when I create a rule with the same filter it is not triggering. The rules has the following filters:

Normalization Rule (in) Login

Event Subtype (in) success

Destination IPs (in) same watchlist 

 

How can I troubleshoot the rule? What am I doing wrong? 

0 Kudos
Reply
2 Replies
akerr
Reliable Contributor akerr
Reliable Contributor
Report Inappropriate Content
Message 2 of 3
‎09-05-2018 04:20 PM

Re: Correlation rule not triggering

have you rolled out policy after making the change?

Is the correlation rule enabled at the correct policy level?

0 Kudos
Reply
cristianradu
cristianradu
Level 8
Report Inappropriate Content
Message 3 of 3
‎09-06-2018 12:06 AM

Re: Correlation rule not triggering

Yes, I have rolled out the policy. The correlation rule is enabled at the correlation engine under the Local Receiver-ELM. I have a combo box.

I have attached some photos.

policy + rule

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator