I have a data source that only shows flows of network traffic.
When I try to create a correlation rule based on flows, I don't see any correlation or even alarms (I created an alarm based on the use case signature).
With events I never had any issues, but I have the feeling that with flows it works differently.
How do you create correlation rules based on flows?
(Events are events logged on a system; flows are just network traffic passing by.)
When I create a correlation rule and select flows, I don't get any results, but flows do come in.
The data source is sFlow.
This is a bug, as you would have guessed.
There was a filter to get events from certain receivers.
Once the filter was removed, it worked.
Now that the SIEM has been upgraded to a higher version, the issue is completely gone, and the filter was also turned back on.
Hope this helps someone with the same issue.
We have an ACE running, so I am not sure what you mean.
We have an sFlow data source and this source can see the flows, and the correlation rule is based on flows (instead of events),
but the ACE is not showing any flows.
I was assuming you didn't have an ACE. Did you enable correlation of flows on the ACE?
You can do that in ACE Properties | ACE Configuration | Data.
I had another good look into the SIEM, and it seems the receiver does get the flow data, but not the ACE.
I tried to get the events and flows manually, but the flow option is greyed out.
It seems the ACE is not configured for flows?
I think I have found the option to allow flow data, but when I select flows, it doesn't save the option.
How can I enable the ACE to also collect flows? Or would I need a storage pool?
Thanks for your reply.
I did all the steps you mentioned, but the flow option is still greyed out.
Do I need to wait? And why can I still not get the flows manually? I can manually get the events in.
The flows are coming in on the data source and also on the event receiver.
I have verified that, but on the ACE I can't see the flows at all.
It seems the flows are not coming in on the ACE, and thus I can't use correlation rules.
The point is to create correlation rules based on the flows; if the ACE doesn't get the flows, it can't correlate.
You can check this in ACE Properties -> ACE Configuration -> Data: check whether the flow checkbox is enabled or not.
Whatever you are viewing in the ACE section is not events or flows; they are all correlated events, generally considered as events, so when you select Get Events and Flows it only shows events and flows are greyed out.
Yes, I have checked ACE Properties -> ACE Configuration -> Data.
Flow data wasn't checked before, but I have checked it now.
In the meantime I still have correlation rules based on flows, and none of them are triggered.
So what you are saying is that the flow data will come in even though the option is greyed out when you try to get the data manually?
Anyway, the rules are not triggered, and I also can't see the flows on the ACE dashboard; I do see them on the ESM and the receiver.
Shouldn't the flow dashboard for the ESM also show the flows? It would make sense to see it on the dashboard too, but I have the feeling that the flows are not coming in.
Here are some screenshots.