0 Replies Latest reply on Aug 14, 2014 9:45 AM by pfabrizi

    ePolicy Orchestrator Correlations

    pfabrizi

      I am trying to create a correlation rule with the following configuration:

       

      Device = ePolicy Orchestrator - ePolicy Orchestrator_VirusScan (ePO)

      AND   Threat_Category = av.detect,av.pup

      AND   Threat_Name [does not begin] JS/

       

      I added this - threat_name not in (/^JS/)  

       

      When I deployed the rule, the only option I had was to go to EPO itself, not the individual device, and when I went to EPO in ESM to enable it, there is only the log parser in the policy editor but nothing for the correlation rule.

       

      Questions:

       

      Will the regex for the threat_name work?

       

      Is there a way to apply the correlation rule to ePolicy Orchestrator?

       

       

       

      Thank You!