2 Replies Latest reply on Sep 17, 2015 1:43 AM by mark.riddick

    Configuring filters for alarms

    mark.riddick

      I'm using Application and Change Control via ePO and I'm looking to create an alarm within ESM that's triggered when changes occur to certain file types. Events are being brought into ESM that populate Destination_Filename and I've created an alarm that uses Field Match with the following filter

      alarm.png

      The alarm triggers for a variety of file types as well as those that contain the above yet not for all file types. Am I doing something wrong with this filter? Is there a better way?

      Thanks in advance

        • 1. Re: Configuring filters for alarms
          rtorres3

          You could write the rule like I have in this figure. Personally I like to create a correlation rule first, then create an Alarm off of the Correlation rule... It's easier.

          Alarm_filter.png

          • 2. Re: Configuring filters for alarms
            mark.riddick

            Thanks for your advice. I'll give that a go and report back


            Edit...

            I have created a correlation rule that filters against all the Sig IDs that are applicable, but I have a problem with File_Type. Looking at the packet info for a particular event shows nothing that maps to that variable. The best I can come up with is TargetFileName, which maps to Destination_Filename. And this leads to another puzzle. When I filter against a view using, say, contains(jpg) in the Destination_Filename field, I see filtered results. When I use the same kind of filter in an alarm, I don't get the same results.


            File_type would be very handy but how would I get that custom type populated?