The correlation appears to be looking for a "HostIncident," which can only be generated by the LEM itself. Unless you have another rule that looks for those DNS events under the appropriate taxonomy, like an ObjectAudit or other event calls, and makes a host incident, your rule will probably never fire. Seeing how the SEM is normalizing the event so the appropriate correlations can be chosen will help.