I'm trying to set a correlation based on the "C_Username" variable in the multi-threading menu.
I can't find this specific variable nor the "username" variable in the multi-threading feature.
Has anyone faced this issue before?
To use a variable as a thread key, all messages chosen in all statements must have this variable defined. To be sure that the variable is present, you may use an additional condition in each statement and specify which variables are of interest to you.
Does it show you any variables other than the default for multi-threading?
Also, can you provide more information? What device type? Which MessageID? Are you using device group or device class?
Are you creating your rule using device class (Host.Windows Hosts)? Or using a certain Windows collection method?
Since you are using Security_628_Security and Security_628_Security:01 events, you cannot multithread on username or c_username, as both the events don't have these variables. Only the Security_628_Security event has these. Since the key for multithreading is that all the selected events must have the variables in common, it is not showing the username variables. It's allowing you to pick event_log and data variables because both the events have these in common. Hope I was able to help you.
Hello, sorry to take over the thread.
If we have two statements and the variable username is not present on the second and we choose to multithread on the first, won't it work anyway?
This can only be done specifying the multi-threading key by manually editing the XML.