1 Reply Latest reply on Mar 26, 2015 8:37 AM by pcktech

    Alarm Configuration Question : Showing "All" Source Events From A Correlated Rule In One Alarm Email

    davids15

      I have a correlated event setup and working. When I review the event I see 5 unique source IP's, as I should per the rule conditions. I have setup an alarm using the "$Source_Event_Start" and "Source_Event_Start" fields. When the alarm fires, It only shows the first event of the correlation and not all 5 separate events.

       

      Is there a way to show all the source events that made the correlated rule meet the conditions and trigger in one Alarm Email?

       

      In the alarm should show:

       

      Source IP 1

      Source IP 2

      Source IP 3

      Source IP 4

      Source IP 5

       

      and some other information.

       

      Thanks...

        • 1. Re: Alarm Configuration Question : Showing "All" Source Events From A Correlated Rule In One Alarm Email
          pcktech

          Hello,

           

          I don't know if you found the solution, but it may have to do with needing the Repeating Block surrounding (or inside -- haven't tested that) the Source Events Block.

           

          For Example,

          [$REPEAT_START]

          Correlated Event Time: [$First Time] through [$Last Time]

          [$SOURCE_EVENT_START]

          Source IP Address: [$Source IP]

          [$SOURCE_EVENTS_END]

          [$REPEAT_END]

           

          I don't know for certain that's what's needed, but that's how my alert is configured and it shows 5, 10, or even 60 events (even though the documentation says it'll only show 10). I was also on 9.4.2 and now 9.5.0 if you're using a different version of SIEM.