Hi-

I am examining Sentinel Correlation Rules.

I am attempting to query syslog messages (the messages are there),
but I'm missing something on the correlation queries.

Does anyone have any examples of their Sentinel syslog correlation
queries?

I am trying to examine syslog queries and filter by the content
in the message. For example, a CRITICAL message from a syslog message
like:

filter(((e.InitiatorUserName = "root")) AND ((e.XDASOutcomeName =
"XDAS_OUT_FAILURE")) AND ((e.XDASTaxonomyName =
"XDAS_AE_AUTHENTICATE_ACCOUNT")))flow trigger(5,60).

Any suggestions and/or direction to other useful resources would be
greatly appreciated.

Sincerely,

Tom


--
Wheeth4
------------------------------------------------------------------------
Wheeth4's Profile: https://forums.netiq.com/member.php?userid=9829
View this thread: https://forums.netiq.com/showthread.php?t=53670
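The rule in the post has two halves: filter(...) selects events by field values, and flow trigger(5,60) fires when five events that pass the filter arrive within a 60-second window. The following is an added example, not code from the original post or from Sentinel, that implements that same sliding-window threshold logic in Python over constructed events so the behaviour can be seen step by step. It assumes the event field names used in the post (InitiatorUserName, XDASOutcomeName, XDASTaxonomyName), an EventTime in seconds, and that the window is cleared after each firing so one burst produces one alert; the sample events are made up for the example.

```python
"""Sliding-window threshold correlation, modelled on a Sentinel rule of the form
filter(<conditions>) flow trigger(5, 60): raise an alert when five events that
pass the filter arrive within any 60-second window.

Added example, not Sentinel's own code. Field names follow the post; the
events below are constructed for illustration, not real log data.
"""
from collections import deque

# Constructed events standing in for Sentinel's normalized event fields.
# Each tuple: (seconds since start, InitiatorUserName, XDASOutcomeName, XDASTaxonomyName)
SAMPLE_EVENTS = [
    (0,   "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (5,   "alice", "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # wrong user
    (10,  "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (15,  "root",  "XDAS_OUT_SUCCESS", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # success, ignored
    (20,  "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (25,  "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (30,  "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # 5th in 30 s -> fires
    (100, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # slow trickle: these two
    (130, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # age out before a 5th
    (175, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (200, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (210, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (220, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),
    (230, "root",  "XDAS_OUT_FAILURE", "XDAS_AE_AUTHENTICATE_ACCOUNT"),  # 5th since 175 -> fires
]


def to_event(rec):
    """Turn a sample tuple into a dict keyed like the fields used in the post."""
    t, user, outcome, taxonomy = rec
    return {
        "EventTime": t,
        "InitiatorUserName": user,
        "XDASOutcomeName": outcome,
        "XDASTaxonomyName": taxonomy,
    }


def root_auth_failure(e):
    """The filter() half of the rule from the post: failed authentication as root."""
    return (e["InitiatorUserName"] == "root"
            and e["XDASOutcomeName"] == "XDAS_OUT_FAILURE"
            and e["XDASTaxonomyName"] == "XDAS_AE_AUTHENTICATE_ACCOUNT")


def correlate(events, predicate, count=5, window=60):
    """The trigger(count, window) half: return one alert per firing.

    Only events strictly inside the last `window` seconds are counted.
    Assumption (not taken from the post): the window is cleared after each
    firing, so a single burst of failures yields a single alert.
    """
    window_times = deque()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["EventTime"]):
        if not predicate(e):
            continue
        t = e["EventTime"]
        # Drop matching events that have aged out of the window.
        while window_times and window_times[0] <= t - window:
            window_times.popleft()
        window_times.append(t)
        if len(window_times) >= count:
            alerts.append({
                "fired_at": t,
                "first_event": window_times[0],
                "count": len(window_times),
            })
            window_times.clear()
    return alerts


def run_sample():
    """Run the post's rule over the constructed events; expect two firings."""
    return correlate([to_event(r) for r in SAMPLE_EVENTS], root_auth_failure)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it shows the two behaviours worth checking when tuning count and window: a fast burst fires as soon as the fifth match lands, while a slow trickle never reaches five inside 60 seconds and is silently forgotten, which is exactly what an attacker pacing login attempts would rely on.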