Need help for exception on correlation rules

Discussion created by lperlak on Jun 21, 2013


I have a correlation rule which alerts me when software is installed; the rule is based on some Windows MsiInstaller eventID 1022.


Now I tried to make some exceptions for kinds of software like Windows patches, Antivirus patches, and so on. I realized that I have to use a minimum of 4 variable conditions:

Event Description

Object Name

Object Type



Sometimes some variables are present in this variable, sometimes they are not.

My exceptions are in the attachment.

Unfortunately, I still get alerts when, for example, Object Type is equal to 'Update Patch'.