1.) Most technoloies have a unique vendor Event ID and Event Description for each type of log generated by the vendor's technology.
2.) Nitro parses the vendor's Event Description to the Rule Message field.
3.) When creating a new Correlation Rule based on the Signature ID for an individual event type, a Name must be given to the Correlation Rule. Additionally, the new Correlation Rule will have have its own unique Signature ID newly created and assigned to it within Nitro.
4.) When the newly created Correlation Rule fires, the Rule Message field equals the Name given to the Correlation Rule, as I describe in number 3 above.
5.) Equally so, when a new Alarm is created to fire based on the new Signature ID of the new Correlation Rule, the Rule Message field will equal the Name given to the Correlation Rule.
This is a problem for me because I require the vendor's Event Description to come across in new Correlation Rule, to be able to include the vendor's Event Description in the Alarm's email output action.
How can I accomplish this?
Can this be accomplished via Data Enrichment some how? If so, what are the steps to successfully do so?
Message was edited by: planting_acorns on 3/25/14 10:33:47 AM CDT
Message was edited by: planting_acorns on 3/25/14 10:34:10 AM CDT