no rule assignment in active channel

We defined a malware detection rule, but when we try to assign this detection rule in the active channel, under the Attributes or Filter tab, there is no field to assign a rule.

Also, in the Filter tab we can define a condition. Instead of defining a new rule, can we define the condition in the active channel to detect malware? I'm a bit confused about the difference between a condition and a rule.

If you want to see the triggered alerts in an Active Channel you need to add at least the following:

event1
Type = Correlation
Generator URI startswith [folder where the rule or rules reside in]

An Active Channel is meant to be used to view events (base, aggregated, correlation etc.) and thus has no correlation function. A standard rule is to be used for the purpose of setting up an alerting rule; a lightweight rule is often used to populate or depopulate active and/or session lists, and I often use them to suppress follow-up alerts, which can sometimes overwhelm a SOC.

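The rule-versus-channel distinction in the answer above, as an added illustration that is not ArcSight code or anything from the original thread: a rule correlates base events and emits a correlation event, while the active channel condition (Type = Correlation, Generator URI startswith the rule folder) only selects what the rule produced. Field names, event names and the rule folder path are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    type: str            # "Base" or "Correlation" (assumed labels)
    name: str
    generator_uri: str   # for correlation events: URI of the rule that fired
    attacker: str = ""


# Constructed sample of base events, as a connector might deliver them.
BASE_EVENTS = [
    Event("Base", "Malware detected", "/All Connectors/AV", attacker="10.0.0.5"),
    Event("Base", "Login success", "/All Connectors/Windows", attacker="10.0.0.5"),
    Event("Base", "Malware detected", "/All Connectors/AV", attacker="10.0.0.9"),
]

# Assumed folder the rule lives in; the channel filter keys on this prefix.
RULE_FOLDER = "/All Rules/Real-time Rules/Malware/"
RULE_URI = RULE_FOLDER + "Malware then login"


def malware_rule(events):
    """Standard rule: correlates two base events (malware, then a login from
    the same attacker) and emits ONE correlation event. This correlation step
    is what an active channel cannot do on its own."""
    seen_malware = set()
    for ev in events:
        if ev.name == "Malware detected":
            seen_malware.add(ev.attacker)
        elif ev.name == "Login success" and ev.attacker in seen_malware:
            yield Event("Correlation", "Malware then login", RULE_URI,
                        attacker=ev.attacker)


def active_channel_filter(events, rule_folder=RULE_FOLDER):
    """The channel condition from the answer: Type = Correlation AND
    Generator URI startswith <rule folder>. It views rule output; it
    does not correlate anything itself."""
    return [ev for ev in events
            if ev.type == "Correlation"
            and ev.generator_uri.startswith(rule_folder)]


def demo():
    """Run the rule over the base events, then view the result in the channel."""
    all_events = BASE_EVENTS + list(malware_rule(BASE_EVENTS))
    return active_channel_filter(all_events)
```

Filtering the base events alone through the channel condition yields nothing, which is exactly why a rule has to exist before the channel shows an alert.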