cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
layer0
Level 8
Report Inappropriate Content
Message 1 of 4

Rule correlation Not match rule

Hello

I have a situation, I want to create a rule that shows me when a particular event didn't trigger in a perior of time. So for example if i want to watch for the event with signature ID 363-2411, over a period of 2 minutes, i think that the rule must be like this, but it doesn't trigger. For example:

Captura.PNG

And in the logical operator.

Captura2.PNG

I don't see any event with this rule, why?

Thanks

3 Replies

Re: Rule correlation Not match rule

Set "A Number of Distinct Values must be observed."and then enable the NOT.  See if that helps.

Re: Rule correlation Not match rule

Did you get this to work?

If you did, can you post details?

cheers

Andrew

xded
Level 12
Report Inappropriate Content
Message 4 of 4

Re: Rule correlation Not match rule

You should change your Correlation rule to a Sequence

               1. Signature ID in 360-2413

And  [

               2. Signature ID Not in 360-2412

360-2412 = Deployment failed

360-2413 = Attempt to unistall Mcafee Agent

For this you didn't need the "Not Match" rule

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community