baauji1

Correlation rule problem

Hi,

I have created a correlation rule for IDS alerts. I have created a rule 1 which populates an active list with the attacker address from which signatures are observed; it adds the source IPs to the active list. Then a rule 2 reads the source IPs from the active list, checks for connections from these source IPs in the firewall and fires an alert if connections are found. The problem is that I am not getting the IDS signature name in the alert, and I do not have access to the ArcSight Manager, so I cannot edit the notification format in the mail. Is there a way for the people viewing the alert in the Web console to see the IDS signature that was triggered as well?

SCipriano

Re: Correlation rule problem

Reply, issue by issue:

:: "The problem is that I am not getting the IDS signature name in the alert"

- Are you positively aggregating by name on the rule?

:: "Is there a way that the people viewing the alert in Web console can see the IDS signature triggered as well?"

- I would say yes. The rules that are triggered may carry any kind of information that you want. You may use aggregation that keeps the event values, or you could use the "Action" and "Set Field Values".

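To make the reply concrete: the signature name is only available to rule 2 if rule 1 keeps it. A single-field active list keyed on the attacker IP discards it; a multi-field list (IP plus signature name) lets rule 2 look up the signature for the matching firewall source IP and write it into a field of the correlation event, which is what the "Set Field Values" action does for the Web console viewer. The following is an added example written for this page, a plain Python simulation of the two rules over constructed IDS and firewall events, not ArcSight code and not the original poster's rules; the event field names (attackerAddress, sourceAddress, deviceCustomString1) are borrowed from the ArcSight event schema for readability, and the sample events are constructed.

```python
"""Simulation of the two-rule active-list correlation described in the thread.

Rule 1 adds attacker IP *and* IDS signature name to the active list.
Rule 2 matches firewall connections against the list and sets the signature
name on the resulting correlation event. Sample events are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample IDS events (input to rule 1).
IDS_EVENTS: List[Dict[str, str]] = [
    {"deviceVendor": "Snort", "name": "ET SCAN Nmap Scripting Engine",
     "attackerAddress": "203.0.113.10"},
    {"deviceVendor": "Snort", "name": "ET WEB_SERVER SQLi attempt",
     "attackerAddress": "203.0.113.10"},
    {"deviceVendor": "Snort", "name": "ET EXPLOIT SMB overflow",
     "attackerAddress": "198.51.100.7"},
]

# Constructed sample firewall events (input to rule 2).
FW_EVENTS: List[Dict[str, object]] = [
    {"deviceVendor": "Cisco", "name": "Built inbound TCP connection",
     "sourceAddress": "203.0.113.10", "destinationAddress": "10.0.0.5",
     "destinationPort": 443},
    {"deviceVendor": "Cisco", "name": "Built inbound TCP connection",
     "sourceAddress": "192.0.2.44", "destinationAddress": "10.0.0.5",
     "destinationPort": 22},
    {"deviceVendor": "Cisco", "name": "Built inbound TCP connection",
     "sourceAddress": "198.51.100.7", "destinationAddress": "10.0.0.9",
     "destinationPort": 445},
]


def rule1_populate(ids_events: List[Dict[str, str]],
                   active_list: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Rule 1: record the attacker address together with every signature
    name seen from it. Keying on the IP alone, as in the original rule,
    would lose the signature before rule 2 ever runs."""
    for ev in ids_events:
        active_list[ev["attackerAddress"]].add(ev["name"])
    return active_list


def rule2_correlate(fw_events: List[Dict[str, object]],
                    active_list: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Rule 2: for each firewall connection whose source is on the list,
    emit a correlation event and copy the signature name(s) into a custom
    string field, the equivalent of the 'Set Field Values' action."""
    alerts: List[Dict[str, object]] = []
    for ev in fw_events:
        # dict.get does not create entries, so unlisted IPs stay out of the list.
        sigs = active_list.get(str(ev["sourceAddress"]))
        if not sigs:
            continue
        alerts.append({
            "name": "Connection from IDS attacker",
            "sourceAddress": ev["sourceAddress"],
            "destinationAddress": ev["destinationAddress"],
            "destinationPort": ev["destinationPort"],
            # Joined so several signatures fit one string field.
            "deviceCustomString1": "; ".join(sorted(sigs)),
        })
    return alerts


def run() -> List[Dict[str, object]]:
    """Run both rules over the constructed events and return the alerts."""
    active_list = rule1_populate(IDS_EVENTS, defaultdict(set))
    return rule2_correlate(FW_EVENTS, active_list)


if __name__ == "__main__":
    for alert in run():
        print(alert["sourceAddress"], "->", alert["destinationAddress"],
              "| IDS:", alert["deviceCustomString1"])
```

The point carried over to ESM is the list design, not the Python: give the active list a field for the signature name (or aggregate rule 1 so the name survives), then have rule 2 read that field from the matched entry and set it on the correlation event, so nothing in the mail notification template needs to change.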
baauji1

Re: Correlation rule problem

This is kind of similar to my other question. I will have to make the rule in the reverse way. Maybe then it might work!
