1 2 3 Previous Next 47 Replies Latest reply on Sep 28, 2017 11:44 PM by rama2209

    Correlation Rule Question




      I've been working on this for awhile now, researched the forums, read documentation etc etc. I've used several other SIEM's and unless I'm mistaken this SIEM is the most difficult to work with in terms of making correlated rules that actually work. Is there a tester I'm not aware of. I've had to make the bottom four rules because well........zero documentation exists on this. I based my initial correlated rules of the pre-existing ones. Still didn't work. I'm getting the information I need in the default viewer so I KNOW the data is there.


      List of things done so far:


      -ACE is Enabled

      -All of my rules have been assigned a normalized ID range (in this case "malware")

      -All of the policies have been rolled out

      -I disabled the default group

      -Inside the Rule Correlation Policy group is disallowed inheritance from the parent (default group) and all of them have been enabled/rolled out


      What else can I do to make ONE of these templates work? Am I missing something easy? Very frustrated with this process! Any help would be greatly appreciated.






      test rule 1.png


      test rule 2.png


      test rule 3.png


      test rule 4.png

        1 2 3 Previous Next