I have a requirement to trigger an alarm on WMI logon failure. I tried using the field match condition to trigger the alarm, entering the signature ID 47-000006 under the field match condition, but it did not trigger any alarm for several such events. I went through some of the blogs to troubleshoot and found that when an alarm is triggered using the field match option, the matching happens on the ESM. So I think there is some issue with the ESM. Should I now use the internal field match instead, to check whether it would trigger the alarm for all such events, since it checks the condition while the log is still at the ERC?
Please share suggestions.
I am using 9.6.3 MR.
Signature ID 47-000006 is one of the correlation rules. Did you check the correct data source in the "Devices" pane? (It should be Correlation Engine.)
Could you please send us some screenshots of the event and alarm settings?