I am trying to create a correlation rule with the following configuration:
Device = ePolicy Orchestrator - ePolicy Orchestrator_VirusScan (ePO)
AND Threat_Category = av.detect,av.pup
AND Threat_Name [does not begin] JS/
I added this - threat_name not in (/^JS/)
When I deployed the rule, the only option I had was to go to ePO itself, not the individual device, and when I went to ePO in ESM to enable it, there is only a log parser in the policy editor but nothing for the correlation rule.
Will the regex for the threat_name work?
Is there a way to apply the correlation rule to ePolicy Orchestrator?
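As an added illustration (not part of the original post, and not McAfee ESM syntax or code), the following Python script expresses the three conditions from the question as a filter over a handful of constructed ePO-style events, so the intended behaviour of the anchored `^JS/` pattern can be checked outside ESM. The field names, the `matches_rule`/`filter_events` helpers and the sample threat names are assumptions made for the example; how ESM itself evaluates `threat_name not in (/^JS/)` is not something this script can confirm.

```python
import re

# Constructed sample events for the example (not real ePO data). Field names
# are assumptions that mirror the fields named in the question.
EPO_DEVICE = "ePolicy Orchestrator - ePolicy Orchestrator_VirusScan (ePO)"
SAMPLE_EVENTS = [
    {"device": EPO_DEVICE, "threat_category": "av.detect", "threat_name": "JS/Nemucod.gen"},
    {"device": EPO_DEVICE, "threat_category": "av.detect", "threat_name": "Generic.dx"},
    {"device": EPO_DEVICE, "threat_category": "av.pup",    "threat_name": "PUP-FCD"},
    {"device": EPO_DEVICE, "threat_category": "av.pup",    "threat_name": "js/Exploit.gen"},
    {"device": EPO_DEVICE, "threat_category": "av.detect", "threat_name": "Exploit-JS/Blacole"},
    {"device": "Some other device", "threat_category": "av.detect", "threat_name": "Generic.dx"},
    {"device": EPO_DEVICE, "threat_category": "av.clean",  "threat_name": "Generic.dx"},
]

CATEGORIES = {"av.detect", "av.pup"}

# Anchored at the start of the field: "does not begin with JS/".
# Without the ^ anchor, a name such as "Exploit-JS/Blacole" would also be
# excluded, which is not what "does not begin" asks for.
JS_PREFIX = re.compile(r"^JS/")
# Case-insensitive variant: whether ESM treats "js/..." like "JS/..." is an
# open question, so both behaviours are shown side by side.
JS_PREFIX_NOCASE = re.compile(r"^JS/", re.IGNORECASE)


def matches_rule(event, ignore_case=False):
    """True when the event satisfies all three conditions from the question."""
    if event.get("device") != EPO_DEVICE:
        return False
    if event.get("threat_category") not in CATEGORIES:
        return False
    pattern = JS_PREFIX_NOCASE if ignore_case else JS_PREFIX
    # re.match already anchors at offset 0; the explicit ^ keeps the intent visible.
    return pattern.match(event.get("threat_name", "")) is None


def filter_events(events, ignore_case=False):
    """Return the threat names of the events the rule would fire on."""
    return [e["threat_name"] for e in events if matches_rule(e, ignore_case)]


if __name__ == "__main__":
    print("case-sensitive  :", filter_events(SAMPLE_EVENTS))
    print("case-insensitive:", filter_events(SAMPLE_EVENTS, ignore_case=True))
```

Running it shows that "JS/Nemucod.gen" is excluded while "Exploit-JS/Blacole" is kept (the anchor is doing its job), and that "js/Exploit.gen" is only excluded when the match is case-insensitive, which is the one detail worth verifying against the real rule before relying on it.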