3 Replies Latest reply on Apr 2, 2014 4:41 PM by Scott Taschler

    Basic Correlation Rule Help

    dtmc

      I have a very basic question about correlation rules but can't seem to solve the problem by reading. I'm trying to setup an rule that will trigger an email alert each time any account in a list of accounts gets locked out. I have created a test watchlist that contains the account names. I've tried using the watchlist and the Signature ID for the event(and have the normalization ID selected) and can't get it to work. I don't think this is very complicated but I can't figure out how to get it to work.  Any suggestions would be appreciated. thanks,

        • 1. Re: Basic Correlation Rule Help
          Scott Taschler

          The most common issue is that you need to manually enable your new rule on the Correlation Engine policy.  Enabling it on the "Default" policy won't do the trick...you need to ensure it's turned on in the end device policy.


          If you select your Correlation Engine in the device tree, then click the Policy Editor icon in the top left (above the device tree), you'll be taken directly to the proper policy for verification.


          Scott

          • 2. Re: Basic Correlation Rule Help
            dtmc

            Thank you, Scott, that seems to have done the trick. Do you know of any documents or resources that might have more examples of correlation rules or that might explain them in a bit more detail? Thanks!

            • 3. Re: Basic Correlation Rule Help
              Scott Taschler

              Congratulations. You are now a McAfee ESM grizzled veteran. This one bites everyone the first time they create a new rule. The best resource for correlation examples is in the product itself. Each correlation rule can be opened in the policy editor (double-click) and you can review the complete logic and documentation there.
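To make the two moving parts of this thread concrete, here is an added example (not from the thread, and not McAfee ESM code): a minimal re-implementation of the rule dtmc describes, a lockout event matched against a watchlist, together with the gotcha Scott points out, that the engine only honours the rule if it is enabled on the Correlation Engine's own device policy, not just on Default. The field names, the use of Windows event 4740 as the lockout signature, the watchlist and the events are all constructed assumptions.

```python
# Added example: watchlist-lockout correlation with the per-device policy check.
# Assumption: the lockout signature is represented by Windows event ID 4740
# ("A user account was locked out"); real ESM signature IDs differ.
LOCKOUT_SIG = "4740"
RULE = "watchlist_lockout"

# Constructed watchlist of accounts that should raise an alert when locked out.
WATCHLIST = {"svc_backup", "admin.jdoe", "dba_prod"}

# Constructed, already-normalized events: signature ID, account, source device.
EVENTS = [
    {"sig_id": "4740", "account": "svc_backup", "src": "DC01"},
    {"sig_id": "4740", "account": "jsmith",     "src": "DC01"},  # not on the watchlist
    {"sig_id": "4625", "account": "admin.jdoe", "src": "DC02"},  # failed logon, not a lockout
    {"sig_id": "4740", "account": "DBA_PROD",   "src": "DC02"},  # case differs from the watchlist
]

# Two policies, as in the thread: the rule was switched on in Default only.
DEFAULT_POLICY = {RULE: True}
DEVICE_POLICY = {RULE: False}   # what the Correlation Engine actually evaluates


def correlate(events, watchlist, device_policy, rule=RULE):
    """Return one alert per lockout of a watchlisted account.

    Only the device policy is consulted, which mirrors the ESM behaviour in the
    thread: a rule enabled solely on the Default policy never fires.
    """
    if not device_policy.get(rule, False):
        return []
    watch = {a.lower() for a in watchlist}      # account names vary in case across logs
    return [
        {"rule": rule, "account": e["account"], "src": e["src"]}
        for e in events
        if e["sig_id"] == LOCKOUT_SIG and e["account"].lower() in watch
    ]


def main():
    print("rule enabled on Default only ->", correlate(EVENTS, WATCHLIST, DEVICE_POLICY))
    enabled = {**DEVICE_POLICY, RULE: True}      # the fix: enable it on the device policy
    for alert in correlate(EVENTS, WATCHLIST, enabled):
        print("ALERT:", alert)


if __name__ == "__main__":
    main()
```

Run it once as-is to see the empty result, then note that only the device-policy copy of the flag changes the outcome.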