Correlation rule problem
I have created a correlation rule for IDS alerts. I have created a rule 1 which populates an active list based on the attacker address from which signatures are observed. It adds the source IPs to active list. Then, a rule 2 reads the source IP from active list and checks for connections from these source IP in firewall and fires an alert if connections are found. The problem is that I am not getting the IDS signature name in the alert and do not have access to ArcSight Manager so that I could edit the notification format in mail. Is there a way that the people viewing the alert in Web console can see the IDS signature triggered as well?
Re: Correlation rule problem
Reply by Issues:
:: "The problem is that I am not getting the IDS signature name in the alert"
- Are you positively aggregating by name on the rule?
:: "Is there a way that the people viewing the alert in Web console can see the IDS signature triggered as well?"
- I would say that yes. The rules that are triggered may have "any" kind of information that you want. You may use aggregate that keeps the event values or you could use the "action" and "Set Field Values".
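As an added illustration of the two-rule chain discussed in this thread (not code from the original post or from ArcSight), the Python below simulates rule 1 filling an active list from IDS alerts and rule 2 matching firewall connections against it. It assumes the active list entry also stores the IDS signature name so that rule 2 can carry it into the alert, standing in for the "keep event values" / "Set Field Values" approach the reply suggests; all event data and field names are constructed.

```python
# Constructed simulation of the two-rule chain from the thread. Rule 1 keeps
# IDS attacker addresses in an active list; rule 2 matches firewall sources
# against it. Storing the signature name in the list entry lets rule 2 copy
# it into the alert (the "keep event values" / "Set Field Values" idea).
from collections import defaultdict

class ActiveList:
    """Attacker address -> set of IDS signature names seen for it."""
    def __init__(self):
        self.entries = defaultdict(set)
    def add(self, attacker_ip, signature):
        self.entries[attacker_ip].add(signature)
    def signatures_for(self, ip):
        return sorted(self.entries.get(ip, ()))

def rule1_ids_to_active_list(ids_events, active_list):
    """Rule 1: each IDS alert adds its attacker address and signature name."""
    for ev in ids_events:
        active_list.add(ev["attackerAddress"], ev["signature"])

def rule2_firewall_vs_active_list(fw_events, active_list):
    """Rule 2: alert on firewall connections whose source is in the list,
    carrying the stored signature names into the alert fields."""
    alerts = []
    for ev in fw_events:
        sigs = active_list.signatures_for(ev["sourceAddress"])
        if sigs:
            alerts.append({
                "name": "Connection from IDS attacker",
                "sourceAddress": ev["sourceAddress"],
                "destinationAddress": ev["destinationAddress"],
                # Stands in for a Set Field Values action on the correlated event.
                "idsSignatures": sigs,
            })
    return alerts

def run_demo():
    # Constructed sample events (RFC 5737 documentation addresses), not real data.
    ids_events = [
        {"attackerAddress": "203.0.113.7", "signature": "Port Scan"},
        {"attackerAddress": "203.0.113.7", "signature": "SQL Injection Attempt"},
        {"attackerAddress": "198.51.100.9", "signature": "SMB Exploit Attempt"},
    ]
    fw_events = [
        {"sourceAddress": "203.0.113.7", "destinationAddress": "10.0.0.5"},
        {"sourceAddress": "192.0.2.1", "destinationAddress": "10.0.0.5"},
    ]
    al = ActiveList()
    rule1_ids_to_active_list(ids_events, al)
    return rule2_firewall_vs_active_list(fw_events, al)
```

Only the connection from the listed attacker address produces an alert, and that alert already carries the signature names, so no change to the mail notification format is needed for console viewers to see them.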