cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Custom Rules by Signature ID

Jump to solution

Hello Team.

Could someone help me with custom rules.  I've created a simple cutom rule like Logon, where I take Signature ID. Without Signature ID rules working just fine. How can I create a rule with Signature ID? ESM and ACE 11.1.1 verison. In-pack rules working. Custom Rules by Signature ID worked on ESM combo-box 10.3. Perhaps, this is a some feature in new version?

1.PNG

 

2.PNG2

 

1 Solution

Accepted Solutions

Re: Custom Rules by Signature ID

Jump to solution

It triggeres. I suppose this an 11.1.1 issue.

 

Update

It is a version issue: 11.1.1 ACE don't triggeres on rules by signature ID. After update to 11.1.3 rules firing

6 Replies
McAfee Employee lpinheir
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: Custom Rules by Signature ID

Jump to solution

Hello GlebSmagin, how are you?

Could you be more specific what are you trying to do?

What is going wrong?

Lucas

 

Re: Custom Rules by Signature ID

Jump to solution

Good day!

 

I'm trying to create custom correlation rules and define them with signature ID, but they are not wotking with such configuration. On the combo box 10.3 the were firing with signature id's but on ACE 11.1.1 they doesn't. On the screenshot i took signature id which means an account was successfully logged on, I'm trying to understand why rules not working. Event receiver is working, in packs rules working too.

Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 4 of 7

Re: Custom Rules by Signature ID

Jump to solution

Can you make sure this signature ID is still triggering? Just do a search for that ID over the last few days, see if anything comes back.

Brent

Re: Custom Rules by Signature ID

Jump to solution

It triggeres. I suppose this an 11.1.1 issue.

 

Update

It is a version issue: 11.1.1 ACE don't triggeres on rules by signature ID. After update to 11.1.3 rules firing

McAfee Employee lpinheir
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: Custom Rules by Signature ID

Jump to solution
Great,
Thanks for sharing with us.
Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 7 of 7

Re: Custom Rules by Signature ID

Jump to solution

@GlebSmagin  i'm shocked!!!

how could it be that the version doesn't support such a basic field as

"Signature ID" it's the basic of the basic......

I'm Interested of hearing from the McAfee guys in this forum answers...

 

Best Regards👍👍👍

David.

 

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community