layer0
Level 7

Rule correlation Not match rule

Hello

I have a situation, I want to create a rule that shows me when a particular event didn't trigger in a period of time. So for example if I want to watch for the event with signature ID 363-2411, over a period of 2 minutes, I think that the rule must be like this, but it doesn't trigger. For example:

[image attachment: Captura.PNG]

And in the logical operator.

[image attachment: Captura2.PNG]

I don't see any event with this rule, why?

Thanks

3 Replies
rgarrett
Level 9

Re: Rule correlation Not match rule

Set "A Number of Distinct Values must be observed." and then enable the NOT. See if that helps.

acommons
Level 10

Re: Rule correlation Not match rule

Did you get this to work?

If you did, can you post details?

cheers

Andrew

xded
Level 12

Re: Rule correlation Not match rule

You should change your Correlation rule to a Sequence

1. Signature ID in 360-2413

And [

2. Signature ID Not in 360-2412

360-2412 = Deployment failed

360-2413 = Attempt to uninstall McAfee Agent

For this you didn't need the "Not Match" rule

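The sequence rule xded describes, modelled as an added example that is not code from the thread or from McAfee ESM: signature 360-2413 is seen, and no 360-2412 follows from the same host within the 2 minute window the question asks about. The line format, the host field and the evaluation time `now` are assumptions; the sample events are constructed.

```python
# Added example, not the product's rule engine: an absence-of-event
# ("A seen, B not seen within window") check over constructed events.
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <signature id> <host>".
SAMPLE_EVENTS = """\
2024-01-01T10:00:00 360-2413 host-a
2024-01-01T10:00:30 360-2412 host-a
2024-01-01T10:05:00 360-2413 host-b
2024-01-01T10:09:00 360-2412 host-b
2024-01-01T10:10:00 360-2413 host-c
"""

def parse_events(text):
    """Parse lines into (timestamp, signature_id, host), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, sig, host = line.split()
            events.append((datetime.fromisoformat(ts), sig, host))
    return sorted(events, key=lambda e: e[0])

def trigger_without_followup(events, trigger_sig, expected_sig, window, now):
    """Return (timestamp, host) for each trigger_sig event that was not
    followed by expected_sig from the same host within `window`.
    Absence can only be judged once the window has closed, so triggers
    whose deadline is still in the future (relative to `now`) are skipped
    and must be re-evaluated later."""
    alerts = []
    for i, (ts, sig, host) in enumerate(events):
        if sig != trigger_sig:
            continue
        deadline = ts + window
        if deadline > now:
            continue  # window still open; decide on a later evaluation
        followed = any(
            s == expected_sig and h == host and ts < t <= deadline
            for t, s, h in events[i + 1:]
        )
        if not followed:
            alerts.append((ts, host))
    return alerts

def run_rule(text=SAMPLE_EVENTS, now="2024-01-01T10:15:00"):
    """360-2413 (uninstall attempt) with no 360-2412 (deployment failed)
    from the same host within 2 minutes, evaluated at `now`."""
    return trigger_without_followup(
        parse_events(text), "360-2413", "360-2412",
        timedelta(minutes=2), datetime.fromisoformat(now))
```

With the sample data, host-a's 360-2412 arrives 30 seconds after the trigger and suppresses the alert, host-b's arrives 4 minutes later (outside the window) and host-c's never arrives, so the rule fires for host-b and host-c; evaluated at 10:11, host-c's window is still open and only host-b is reported.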