I'm using Sentinel 7.0.3 and I have mapped a list of position codes
contained in a CSV file to a new map configuration using SCC. I have
also used the "Event Configuration" tool in SCC to change CustomerVar001
to have a new name and reference the new map I configured (with the
position codes). Now I want to build a correlation rule that looks at
this new CustomerVar001 and notifies me of any events that come across for
the position codes in the map. The end goal is to look at all events
for privileged accounts that map to the position codes in the CSV file.
The problem I am having is the new CustomerVar001 is not showing up in
my correlation rule expression builder with the new name I gave it. I
don't think the UI has detected the changes I made.

The other way I can think of doing this is to map the position code
attribute in eDirectory to one of the CustomerVar variables and then
reference a dynamic list with the position codes I'm interested in, but
I don't know how to map the attribute to the variable. I'm assuming I
would have to edit the collector using the SDK? If so, how?


ztaylor's Profile: https://forums.netiq.com/member.php?userid=513
View this thread: https://forums.netiq.com/showthread.php?t=47908