Message 1 of 3

Creating a report including AND and OR operations

Hi,

I'm trying to create a report that should look something like this (note the Normalized IDs are just example numbers):

(Source user=WL:Admin AND Normalized ID=1111) OR (Destination user=WL:Admin AND Normalized ID=2222)



Can someone please give me some hints/help regarding this?

Thanks!

1 Solution

Accepted Solutions
Message 3 of 3

Re: Creating a report including AND and OR operations

This was solved by removing the AND operators and just having the argument in there. Then create a report by filtering on the correlation rule's Signature ID or Normalized ID and having the correlation engine (ACE) as the source device.

What I can't figure out is how to include information from the Source Events. For instance, the Rule Message from the Source event that the Correlation rule is relying on? Does anyone have a clue regarding that?

2 Replies
Message 2 of 3

Re: Creating a report including AND and OR operations

[Attached image: andor.jpg]

Is this the right way to create the rule? Where I have the (Source user=WL:Admin AND Normalized ID=1111) in one AND bracket and (Destination user=WL:Admin AND Normalized ID=2222) in the other AND bracket. And then the OR bracket which covers them both.
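
The bracket structure described in this thread, modelled in Python as an added illustration (not part of the original posts, and not ESM rule syntax). The field names `src_user`, `dst_user` and `norm_id` and all events are constructed assumptions; the second filter shows how a flattened version that ORs the user fields and ORs the IDs matches events the nested rule is meant to exclude.

```python
# Added illustration: models the boolean logic only, not McAfee ESM rule syntax.
# Field names (src_user, dst_user, norm_id) and all events are constructed.

def leaf(field, value):
    """A single field comparison, e.g. Source user = WL:Admin."""
    return ("MATCH", field, value)

def evaluate(node, event):
    """Recursively evaluate a nested AND/OR filter tree against one event."""
    op = node[0]
    if op == "MATCH":
        _, field, value = node
        return event.get(field) == value  # a missing field never matches
    children = (evaluate(child, event) for child in node[1])
    if op == "AND":
        return all(children)
    if op == "OR":
        return any(children)
    raise ValueError(f"unknown operator: {op}")

# Intended logic from the thread: one OR bracket around two AND brackets.
NESTED = ("OR", [
    ("AND", [leaf("src_user", "WL:Admin"), leaf("norm_id", 1111)]),
    ("AND", [leaf("dst_user", "WL:Admin"), leaf("norm_id", 2222)]),
])

# Flattened filter: pairs either user field with either ID (over-matches).
FLAT = ("AND", [
    ("OR", [leaf("src_user", "WL:Admin"), leaf("dst_user", "WL:Admin")]),
    ("OR", [leaf("norm_id", 1111), leaf("norm_id", 2222)]),
])

EVENTS = [  # constructed sample events
    {"id": "e1", "src_user": "WL:Admin", "dst_user": "WL:bob", "norm_id": 1111},
    {"id": "e2", "src_user": "WL:bob", "dst_user": "WL:Admin", "norm_id": 2222},
    {"id": "e3", "src_user": "WL:Admin", "dst_user": "WL:bob", "norm_id": 2222},
    {"id": "e4", "src_user": "WL:bob", "dst_user": "WL:Admin", "norm_id": 1111},
    {"id": "e5", "src_user": "WL:bob", "dst_user": "WL:carol", "norm_id": 1111},
]

def matches(tree, events=EVENTS):
    """Return the ids of the events selected by the filter tree."""
    return [e["id"] for e in events if evaluate(tree, e)]

if __name__ == "__main__":
    print("nested:", matches(NESTED))
    print("flat:  ", matches(FLAT))
```

Events e3 and e4 are the cross-combinations (right user field, wrong ID) that only the flattened filter reports.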
