
Custom Rules by Signature ID


Hello Team.

Could someone help me with custom rules? I've created a simple custom rule like Logon, where I take the Signature ID. Without the Signature ID, the rules work just fine. How can I create a rule with a Signature ID? ESM and ACE version 11.1.1. In-pack rules are working. Custom rules by Signature ID worked on the ESM combo box 10.3. Perhaps this is some feature in the new version?

1.PNG

 

2.PNG2

 

1 Solution

Accepted Solutions

Re: Custom Rules by Signature ID


It triggers. I suppose this is an 11.1.1 issue.

 

Update

It is a version issue: ACE 11.1.1 doesn't trigger on rules by signature ID. After the update to 11.1.3, the rules are firing.

6 Replies
McAfee Employee lpinheir

Re: Custom Rules by Signature ID


Hello GlebSmagin, how are you?

Could you be more specific about what you are trying to do?

What is going wrong?

Lucas

 

Re: Custom Rules by Signature ID


Good day!

 

I'm trying to create custom correlation rules and define them with a signature ID, but they are not working with such a configuration. On the combo box 10.3 they were firing with signature IDs, but on ACE 11.1.1 they don't. In the screenshot I took the signature ID which means an account was successfully logged on. I'm trying to understand why the rules are not working. The event receiver is working, and in-pack rules are working too.

Reliable Contributor brenta

Re: Custom Rules by Signature ID


Can you make sure this signature ID is still triggering? Just do a search for that ID over the last few days, see if anything comes back.

Brent


McAfee Employee lpinheir

Re: Custom Rules by Signature ID

Great,
Thanks for sharing with us.
Reliable Contributor David1111

Re: Custom Rules by Signature ID


@GlebSmagin I'm shocked!!!

How could it be that the version doesn't support such a basic field as "Signature ID"? It's the basic of the basic......

I'm interested in hearing answers from the McAfee guys in this forum...

 

Best Regards👍👍👍

David.

 
