Need help for exception on correlation rules

Discussion created by lperlak on Jun 21, 2013

Hi

I have a correlation rule which alerts me when software is installed; the rule is based on the Windows MsiInstaller event ID 1022.

Now I tried to make some exceptions for kinds of software like Windows patches, antivirus patches, and so on. I realized that I have to use a minimum of 4 variable conditions:

Event Description
Object Name
Object Type
Product

Sometimes some of these variables are present in the event and sometimes they are not.

My exceptions are in the attachment.

Unfortunately I still get alerts when, for example, Object Type is equal to 'Update Patch'.
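An added example (not from the poster or any SIEM vendor): a small Python model of the exception logic described above, assuming the exception is evaluated as an AND over the four fields. It shows why an event that lacks one of those fields (the post says they are sometimes absent) never matches a strict all-fields exception and so still alerts, and contrasts that with matching only on the fields the event actually carries. The event records, product names and exception values are constructed.

```python
# Added example: model of a correlation-rule exception for MsiInstaller
# event ID 1022 (software installed), using the four fields the post names.
# All records and values below are constructed for illustration.
from typing import Callable, Dict, List

# Constructed sample events; the second one lacks Object Name and Product,
# which is the "sometimes present, sometimes not" situation from the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1022",
     "Event Description": "Product: Contoso AV - Update installed",
     "Object Name": "ContosoAV-hotfix",
     "Object Type": "Update Patch",
     "Product": "Contoso AV"},
    {"EventID": "1022",
     "Event Description": "Product: Contoso AV - Update installed",
     "Object Type": "Update Patch"},               # Object Name, Product missing
    {"EventID": "1022",
     "Event Description": "Product: Unknown Tool - Installation completed",
     "Object Name": "unknowntool.msi",
     "Object Type": "Application",
     "Product": "Unknown Tool"},
]

# Constructed exception: allow-list antivirus patches by type and product.
PATCH_EXCEPTION: Dict[str, str] = {
    "Object Type": "Update Patch",
    "Product": "Contoso AV",
}

Matcher = Callable[[Dict[str, str], Dict[str, str]], bool]

def matches_strict(event: Dict[str, str], exception: Dict[str, str]) -> bool:
    """AND over every exception field: a missing field counts as a mismatch."""
    return all(event.get(field) == value for field, value in exception.items())

def matches_present(event: Dict[str, str], exception: Dict[str, str]) -> bool:
    """Match only on exception fields the event carries; at least one must be
    present, otherwise the exception says nothing about this event."""
    present = {f: v for f, v in exception.items() if f in event}
    return bool(present) and all(event[f] == v for f, v in present.items())

def should_alert(event: Dict[str, str], exception: Dict[str, str],
                 matcher: Matcher) -> bool:
    """Alert on every MsiInstaller 1022 event unless the exception matches."""
    return event.get("EventID") == "1022" and not matcher(event, exception)

def alerts(matcher: Matcher) -> List[bool]:
    """One alert decision per sample event, for the given matching policy."""
    return [should_alert(e, PATCH_EXCEPTION, matcher) for e in SAMPLE_EVENTS]
```

With the strict policy the second event (a patch whose Product field is absent) still alerts; matching on present fields suppresses it while the unrelated install in the third event still alerts.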
