
How can I get more fields into my correlation rule?

Hi all,

ESM/ERC Combox box running 10.2 here.

I'm trying something that's new for me, and I could use some advice.  I've created a correlation rule that correlates events with different fields, with a matching message ID.  These are logs from a mail system, and I'm correlating a log that contains the recipient with a log that contains the sender, looking for specific domain values.

This is working well as far as it goes.  My issue is that the correlation event doesn't contain all of the Custom Types from both of the correlated events.  I'm getting the "To" field but not the "From" field. 

This isn't a problem when I'm in the console (because I can look at the events individually) but it is a problem for creating a report.  I included the "From" field in the but it's not populating.

My suspicion is that the fields in the correlation event are determined by the normalization ID I chose for the event.  Am I right, or is something else at play here?

Any help is appreciated!

Thank you,

- Steve

 

brenta (Reliable Contributor)
Message 2 of 5

Re: How can I get more fields into my correlation rule?

The correlated event only contains one event data record (where possible). If you want to do this in an email template, for example, it is possible to create a section of the email that loops over all of the events. This is often the technique used to send the data to a ticketing system.

Is your goal to have all of the raw data in a report for all of the correlation events? That report might be quite long.

Brent

Re: How can I get more fields into my correlation rule?

Hi Brent,

Thanks for the response.  I'm not concerned with an email template, since the event won't be turned into a ticket.  And no, I don't want all of the raw data in the report - just "to" and "from" would be sufficient.  (Or by "raw data" did you mean each email that triggers the correlation rule?  In that case, yes, but we aren't a large environment and we are looking for pretty specific emails.)

How does the correlation engine determine WHICH event record with which to populate the correlated event?

Best regards,

- Steve

brenta (Reliable Contributor)
Message 4 of 5

Re: How can I get more fields into my correlation rule?

I've never been extremely happy with the report templates and limitations, and I do believe this is a limitation.

I know this data is available via the API/web calls and I have built reports in the past to retrieve this data from the ESM, to be presented in a report generated separately from the ESM GUI's reporting engine.

Brent

Re: How can I get more fields into my correlation rule?

Thanks, Brent.  Oh, well.  I will probably end up suggesting that we do the same, pull the data and manipulate it externally.

Thanks for the help!

Best regards,

- Steve
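The external step Steve settles on (pull the sender and recipient records out of the ESM, then join them on the message ID and filter on domain) can be done outside the reporting engine as below. This is an added example, not code from the thread or from McAfee: the log lines and the `msgid=`/`from=`/`to=` field layout are constructed for illustration, and the domain list is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample mail-log lines (not real ESM output). As in Steve's
# correlation rule, the sender and the recipient arrive in separate records
# that share a message ID; the last message has no sender record at all.
SAMPLE_LOGS = """\
2019-03-01T10:00:01 mta01 smtp: msgid=<a1@mail.example> from=<alice@example.com>
2019-03-01T10:00:02 mta01 smtp: msgid=<a1@mail.example> to=<bob@partner.test>
2019-03-01T10:00:03 mta01 smtp: msgid=<b2@mail.example> from=<eve@other.test>
2019-03-01T10:00:04 mta01 smtp: msgid=<b2@mail.example> to=<carol@example.com>
2019-03-01T10:00:05 mta01 smtp: msgid=<c3@mail.example> to=<dave@example.com>
"""

LINE_RE = re.compile(
    r"msgid=<(?P<msgid>[^>]+)>\s+(?P<field>from|to)=<(?P<addr>[^>]+)>"
)


def correlate(log_text):
    """Group records by message ID: {msgid: {"from": addr, "to": addr}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[m["msgid"]][m["field"]] = m["addr"]
    return events


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def report_rows(events, watched_domains):
    """Rows carrying both To and From for messages touching a watched domain.

    Messages where only one of the two records was seen (so the join cannot
    be completed) are returned separately instead of being silently dropped.
    """
    complete, incomplete = [], []
    for msgid, rec in sorted(events.items()):
        if "from" not in rec or "to" not in rec:
            incomplete.append(msgid)
        elif domain(rec["from"]) in watched_domains or domain(rec["to"]) in watched_domains:
            complete.append((msgid, rec["from"], rec["to"]))
    return complete, incomplete


if __name__ == "__main__":
    rows, partial = report_rows(correlate(SAMPLE_LOGS), {"partner.test", "other.test"})
    for msgid, sender, recipient in rows:
        print(f"{msgid}\t{sender}\t{recipient}")
    print("incomplete joins:", partial)
```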
