cancel
Showing results for 
Search instead for 
Did you mean: 

Correlation rule not triggering

I have created a dashboard with the query source: source user and with the following filters: 

normalized ID = Login

Subtype ID = success

Destination IP = watchlist with IPs

The dashboard is working. But when I create a rule with the same filter it is not triggering. The rules has the following filters:

Normalization Rule (in) Login

Event Subtype (in) success

Destination IPs (in) same watchlist 

 

How can I troubleshoot the rule? What am I doing wrong? 

2 Replies
Reliable Contributor akerr
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: Correlation rule not triggering

have you rolled out policy after making the change?

Is the correlation rule enabled at the correct policy level?

Highlighted

Re: Correlation rule not triggering

Yes, I have rolled out the policy. The correlation rule is enabled at the correlation engine under the Local Receiver-ELM. I have a combo box.

I have attached some photos.

policy + rule

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator