This seems to be the issue. I narrowed my event group down to 3 event types, and I was able to perform advanced settings on source IP.
While that is the answer... I can't help but be frustrated by the lack of functionality here. How would I even know which event types have Source IP as a valid parsed field unless I pore over documentation for each event type while I'm building my custom group? I can sense the headache already.
Wouldn't it be easier if LEM just categorized logs more efficiently? Like, putting all my IPS Events into a single bucket for me to do what I want with, rather than sending them to dozens of event types that are unknown to me? For example, here's my proposed change.
How it is now:

Event Type >
    UDPPortScan
    UnusualICMPTraffic
    HTTPInvalidFormatAccess
    CoreAccess
    UDPBombDenial
    TCPPortScan

How it SHOULD be:

Event Type >
    IPS Event
        IPS Event Subtype >
            UDPPortScan
            UnusualICMPTraffic
            HTTPInvalidFormatAccess
            CoreAccess
            UDPBombDenial
            TCPPortScan
We're missing a critical level of categorization here. What events does LEM currently consider to be IPS events? What events parse the Source IP? Who knows!? How can I account for these unknowns while trying to build accurate and complete correlations?