I have created a dashboard with the query source: source user and with the following filters:
normalized ID = Login
Subtype ID = success
Destination IP = watchlist with IPs
The dashboard is working. But when I create a rule with the same filter, it is not triggering. The rule has the following filters:
Normalization Rule (in) Login
Event Subtype (in) success
Destination IPs (in) same watchlist
How can I troubleshoot the rule? What am I doing wrong?
Have you rolled out policy after making the change?
Is the correlation rule enabled at the correct policy level?
Yes, I have rolled out the policy. The correlation rule is enabled at the correlation engine under the Local Receiver-ELM. I have a combo box.
I have attached some photos.
policy + rule