anmol.seth (Trusted Contributor)

Aggregating multiple correlated events(identical) into single Case?

Hi All,

This seems like a really simple question, and probably I am missing something really simple, but still I would like to ask you this: how do I aggregate multiple correlated events into just one case if they are identical in nature? When I tried to do this, all the correlated events for a single rule got aggregated into one, but I want to aggregate them only when they are identical (just a different occurrence time). Hope to hear from you guys soon.

And thanks in advance for spending time on this post.

Regards

Seth

rhope (Acclaimed Contributor)

Re: Aggregating multiple correlated events(identical) into single Case?

One approach I have seen is to embed a variable into the case name, e.g. the name and sourceAddress fields, so that you get a case per sourceAddress triggering the rule.

anmol.seth (Trusted Contributor)
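The grouping the question asks for (one case per set of correlated events that are identical apart from their timestamps) and the reply's variant (one case per sourceAddress, with the field embedded in the case name) can both be expressed as "aggregate by an identity key, then expand a name template". The script below is an added example written for this thread, not ArcSight code or a description of how ArcSight implements case aggregation. The events are constructed sample data; the field names (name, sourceAddress, targetAddress, endTime) are modelled on ArcSight's, and the ${field} placeholder syntax is Python's string.Template, not ArcSight's variable syntax.

```python
import string

# Constructed sample of correlated events fired by one rule.  Field names are
# modelled on ArcSight's, but the values are invented for this example; the
# first two events are "identical" and differ only in endTime.
EVENTS = [
    {"name": "Brute force attempt", "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.20", "endTime": "2017-09-01T10:00:00"},
    {"name": "Brute force attempt", "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.20", "endTime": "2017-09-01T10:05:00"},
    {"name": "Brute force attempt", "sourceAddress": "10.0.0.9", "targetAddress": "10.0.1.20", "endTime": "2017-09-01T10:06:00"},
    {"name": "Brute force attempt", "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.21", "endTime": "2017-09-01T10:07:00"},
]

# Fields that legitimately differ between otherwise identical firings and so
# must never be part of the identity key (assumed names).
TIME_FIELDS = {"startTime", "endTime", "managerReceiptTime"}


def identity_key(event, key_fields=None):
    """Return the tuple that decides which case an event belongs to.

    By default every non-time field is part of the key, so two events share a
    case only when they are identical apart from their timestamps.  Passing
    key_fields narrows that: ["name", "sourceAddress"] yields one case per
    source address, the grouping suggested in the reply above.
    """
    if key_fields is None:
        key_fields = sorted(f for f in event if f not in TIME_FIELDS)
    return tuple((f, event.get(f)) for f in key_fields)


def case_name(template, event):
    """Expand ${field} placeholders in the case-name template from the event.

    safe_substitute leaves unknown placeholders untouched, so a misspelled
    field shows up literally in the case name (much like the "$CustomAttacker"
    seen in the thread) instead of raising an exception.
    """
    return string.Template(template).safe_substitute(event)


def aggregate_cases(events, template, key_fields=None):
    """Fold correlated events into cases: one case per distinct identity key."""
    cases = {}
    for ev in events:
        key = identity_key(ev, key_fields)
        case = cases.setdefault(key, {
            "name": case_name(template, ev),
            "key": dict(key),
            "count": 0,
            "occurrences": [],
        })
        case["count"] += 1
        case["occurrences"].append(ev["endTime"])
    for case in cases.values():
        case["occurrences"].sort()
        case["first_seen"] = case["occurrences"][0]
        case["last_seen"] = case["occurrences"][-1]
    return list(cases.values())


if __name__ == "__main__":
    template = "Brute force attempt from ${sourceAddress} to ${targetAddress}"
    for case in aggregate_cases(EVENTS, template):
        print(f'{case["name"]}: {case["count"]} event(s), {case["first_seen"]} .. {case["last_seen"]}')
    print("--- one case per sourceAddress ---")
    for case in aggregate_cases(EVENTS, "Brute force attempt from ${sourceAddress}", ["name", "sourceAddress"]):
        print(f'{case["name"]}: {case["count"]} event(s)')
```

With the default key the four sample events become three cases (the two identical firings from 10.0.0.5 to 10.0.1.20 collapse into one with two occurrences); with key_fields=["name", "sourceAddress"] they become two cases, one per attacker. Keeping first_seen and last_seen on the case preserves the occurrence times that the grouping deliberately ignores, which an analyst still needs when triaging.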

Re: Aggregating multiple correlated events(identical) into single Case?

Thanks for the suggestion, Richard.
Any idea how I can call a local variable or variable in the Case Name field?
I was trying, and the name just looked like
"Brute force Attempt from $CustomAttacker to $Customtarger"
instead of the actual string.
Seems $localVariableName doesn't work.

Regards

Seth
