2 Replies Latest reply on Apr 27, 2015 2:30 AM by jp87

    Creating a report including AND and OR operations

    jp87

      Hi,

      I'm trying to create a report that should look something like this (note that the Normalized IDs are just example numbers):

      (Source user=WL:Admin AND Normalized ID=1111) OR (Destination user=WL:Admin AND Normalized ID=2222)



      Can someone please give me some hints/help regarding this?

      Thanks!

        • 1. Re: Creating a report including AND and OR operations
          jp87

          [Attached image: andor.jpg]

          Is this the right way to create the rule, where I have (Source user=WL:Admin AND Normalized ID=1111) in one AND bracket and (Destination user=WL:Admin AND Normalized ID=2222) in the other AND bracket, and then the OR bracket which covers them both?

          • 2. Re: Creating a report including AND and OR operations
            jp87

            This was solved by removing the AND operators and just having the argument in there. Then create a report by filtering on the correlation rule's Signature ID or Normalized ID and having the correlation engine (ACE) as source device.

            What I can't figure out is how to include information from the Source Events. For instance, the Rule Message from the Source Event that the correlation rule is relying on? Does anyone have a clue regarding that?