Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Issue - Rule Creation Logic vs nDepth Logic


Here's a screenshot comparing a quick rule I threw together to demonstrate mixing fields from different event sources in rule creation, and that it isn't possible to create a 1-to-1 nDepth search since the nDepth search creation tool will not allow you to drag disparate event fields into the same group:

[Screenshot: rule vs ndepth.png]
The rule on the left generates incidents, so I know that it is finding logs that match the criteria.  However, the nDepth search on the right returns 0 results over the same time frame.
I'm basically looking for a way to test new correlation rules that I am creating against historical log data to see what logs trigger the correlation rule.  I had hoped I would be able to feed the rule logic into the nDepth search to go back over the last day/week/etc. but I am running into this problem.  I have to resort to creating a rule and just waiting to see what incidents will trigger in the future.  Is there a way to accomplish what I'm trying to do?
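The workflow the post is after, replaying historical events through a correlation rule that joins fields from two different event sources to see which logs would have fired, is shown below as an added example. It is generic Python written for this page, not SEM or nDepth code, and it does not use SEM's real field names or APIs: the event sources (an "auth" source and a "firewall" source), their field names, the host-to-IP mapping and the sample events are all constructed assumptions. What it demonstrates is the mechanism itself: a rule with a predicate per source, a cross-source join condition and a time window, run over an ordered batch of past events rather than live traffic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed historical events from two different event sources. Field names
# ("host", "src_ip", "outcome", "action") are illustrative, not SEM's own.
HISTORICAL_EVENTS = [
    {"source": "auth", "time": "2024-01-01T10:00:00", "host": "ws-12", "user": "alice", "outcome": "failure"},
    {"source": "auth", "time": "2024-01-01T10:00:20", "host": "ws-12", "user": "alice", "outcome": "failure"},
    {"source": "firewall", "time": "2024-01-01T10:00:45", "src_ip": "10.0.0.12", "action": "deny"},
    {"source": "auth", "time": "2024-01-01T11:30:00", "host": "ws-07", "user": "bob", "outcome": "failure"},
    {"source": "firewall", "time": "2024-01-01T13:00:00", "src_ip": "10.0.0.7", "action": "deny"},
]

# Constructed host-to-IP mapping: the two sources carry different identifiers,
# so a cross-source rule needs some key on which they can be joined.
HOST_IP = {"ws-12": "10.0.0.12", "ws-07": "10.0.0.7"}


@dataclass
class CorrelationRule:
    """A two-event correlation: `first` then `second` within `window`, joined by `join`."""
    name: str
    first: Callable[[dict], bool]        # predicate on the triggering event (source A)
    second: Callable[[dict], bool]       # predicate on the follow-up event (source B)
    join: Callable[[dict, dict], bool]   # comparison of fields across the two sources
    window: timedelta


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def replay(events: list, rule: CorrelationRule) -> list:
    """Return (first, second) event pairs that would have fired `rule` over past events.

    Events are sorted by timestamp so the inner scan can stop as soon as the
    window is exceeded, which keeps the replay linear for sparse matches.
    """
    ordered = sorted(events, key=_ts)
    hits = []
    for i, a in enumerate(ordered):
        if not rule.first(a):
            continue
        for b in ordered[i + 1:]:
            if _ts(b) - _ts(a) > rule.window:
                break  # nothing later can still be inside the window
            if rule.second(b) and rule.join(a, b):
                hits.append((a, b))
    return hits


# Constructed rule mixing fields from both sources: a failed logon on a host
# followed within one minute by a firewall deny from that host's IP address.
FAILED_LOGON_THEN_DENY = CorrelationRule(
    name="failed logon followed by firewall deny from same host",
    first=lambda e: e["source"] == "auth" and e["outcome"] == "failure",
    second=lambda e: e["source"] == "firewall" and e["action"] == "deny",
    join=lambda a, b: HOST_IP.get(a["host"]) == b["src_ip"],
    window=timedelta(minutes=1),
)


def matching_pairs() -> list:
    """Run the constructed rule over the constructed history."""
    return replay(HISTORICAL_EVENTS, FAILED_LOGON_THEN_DENY)


if __name__ == "__main__":
    for first, second in matching_pairs():
        print(f"{FAILED_LOGON_THEN_DENY.name}: "
              f"{first['time']} {first['host']}/{first['user']} -> "
              f"{second['time']} deny from {second['src_ip']}")
```

Against the sample history the rule fires twice: both failed logons from ws-12 at 10:00:00 and 10:00:20 are followed within the window by the 10:00:45 deny from 10.0.0.12, while bob's failure at 11:30 has no deny inside the window. The same replay works on any exported batch of past events, which is the kind of back-testing the post describes wanting before a rule is deployed and left to wait for future incidents.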