0 Replies Latest reply on Mar 25, 2014 10:34 AM by planting_acorns

    "Rule Message" Field for Correlation Rule

    planting_acorns

      1.) Most technologies have a unique vendor Event ID and Event Description for each type of log generated by the vendor's technology.

       

      2.) Nitro parses the vendor's Event Description to the Rule Message field.

       

      3.) When creating a new Correlation Rule based on the Signature ID for an individual event type, a Name must be given to the Correlation Rule. Additionally, the new Correlation Rule will have its own unique Signature ID newly created and assigned to it within Nitro.

       

      4.) When the newly created Correlation Rule fires, the Rule Message field equals the Name given to the Correlation Rule, as I describe in number 3 above.

       

      5.) Equally so, when a new Alarm is created to fire based on the new Signature ID of the new Correlation Rule, the Rule Message field will equal the Name given to the Correlation Rule.

       

       

       

      This is a problem for me because I require the vendor's Event Description to come across in the new Correlation Rule, to be able to include the vendor's Event Description in the Alarm's email output action.

       

      How can I accomplish this?

       

      Can this be accomplished via Data Enrichment somehow? If so, what are the steps to successfully do so?

       

      Thank you!

       

      Message was edited by: planting_acorns on 3/25/14 10:33:47 AM CDT

       

      Message was edited by: planting_acorns on 3/25/14 10:34:10 AM CDT