3 Replies Latest reply on Dec 20, 2016 3:35 AM by sssyyy

    correlation rule

    izik

      Hi,

      Let's say I have 2 separate logs with a shared field.

      This is how the mail GW sends the syslog for every mail.

      For example:

      log 1 -

      mail id - 123asd
      subject - this is test

      log 2 -

      mail id - 123asd
      direction - external

      How can I combine these logs?

      I want to create a rule like this:

      5 different mail ids with the same subject and direction

      Is it possible?


        • 1. Re: correlation rule
          abanaru

          This should work for you but I haven't tested it.

           

          • 2. Re: correlation rule
            izik

            Hi,

            It doesn't work.

            Please note that the subject field is in another event; it's a bit tricky.

            I will try to explain better -

            For every mail, the mail gateway sends a few syslogs:
            1 with mail id and subject
            1 with mail id and direction
            and so on... For every mail the mail id is the same.

            I create an ASP rule for every syslog.
            Now I have 6 different ASP rules for this data source.

            So the problem is when I create a rule with the direction field, the event doesn't contain the subject field and I don't know how to connect them.

            I hope it's understood....

            • 3. Re: correlation rule
              sssyyy

              Yeah, it will be difficult, if at all doable, as you are trying to match a particular field. Can you try grouping by Mail ID?
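The logic the thread is asking for is a two-stage correlation: first join the gateway's separate syslog events on the shared mail id (the "group by Mail ID" step), then count distinct mail ids per subject/direction pair and fire when that count reaches 5. The script below is an added example that is not from the thread or from any SIEM product; the record layout ("mail id - 123asd, subject - this is test"), the helper names and the sample log lines are all constructed assumptions chosen to mirror the fields the poster describes.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Each mail yields several
# syslog events that share the "mail id" field but carry different attributes,
# which is exactly the situation the poster describes.
SAMPLE_LOGS = [
    "mail id - 123asd, subject - this is test",
    "mail id - 123asd, direction - external",
    "mail id - 124bcd, direction - external",   # direction event arrives before subject
    "mail id - 124bcd, subject - this is test",
    "mail id - 125cde, subject - this is test",
    "mail id - 125cde, direction - external",
    "mail id - 126def, subject - this is test",
    "mail id - 126def, direction - external",
    "mail id - 127efg, subject - this is test",
    "mail id - 127efg, direction - external",
    "mail id - 128fgh, subject - this is test",
    "mail id - 128fgh, direction - internal",   # same subject, different direction
    "mail id - 129ghi, subject - invoice",
    "mail id - 129ghi, direction - external",
    "mail id - 130hij, subject - this is test", # direction event never seen
]

# Assumed field syntax: "<key> - <value>" pairs separated by commas.
FIELD_RE = re.compile(r"(?P<key>[a-z ]+?) - (?P<value>[^,]+)")


def parse_record(line: str) -> dict:
    """Turn one syslog event into a {field: value} dict (equivalent of one ASP rule)."""
    return {m.group("key").strip(): m.group("value").strip()
            for m in FIELD_RE.finditer(line)}


def join_by_mail_id(records) -> dict:
    """Stage 1: merge all events that share a mail id into one per-mail record.

    Events may arrive in any order; a record without the shared key cannot be
    correlated and is dropped.
    """
    mails = defaultdict(dict)
    for rec in records:
        mail_id = rec.get("mail id")
        if mail_id is None:
            continue
        mails[mail_id].update({k: v for k, v in rec.items() if k != "mail id"})
    return dict(mails)


def find_matches(mails: dict, threshold: int = 5) -> dict:
    """Stage 2: count distinct mail ids per (subject, direction) and report groups
    that reach the threshold. Mails still missing either field are ignored."""
    groups = defaultdict(set)
    for mail_id, fields in mails.items():
        if "subject" in fields and "direction" in fields:
            groups[(fields["subject"], fields["direction"])].add(mail_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) >= threshold}


def evaluate_rule(lines, threshold: int = 5) -> dict:
    """Run both stages over raw syslog lines."""
    return find_matches(join_by_mail_id(parse_record(l) for l in lines), threshold)


if __name__ == "__main__":
    for (subject, direction), ids in evaluate_rule(SAMPLE_LOGS).items():
        print(f"{len(ids)} mails with subject={subject!r} direction={direction!r}: {ids}")
```

Two details matter when this is moved into a real correlation engine. The join state keyed on mail id has to be expired after some window, because the events for one mail do not arrive together and an unbounded table of half-seen mails grows without limit. And the count must be of distinct mail ids, not of events, since one mail can emit several events with the same subject; the example uses a set per group for that reason.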