RSA Admin

PC added/removed correlation rule help

Discussion created by RSA Admin Employee on Sep 20, 2011
Hello,

I am trying to set up a correlation rule or rules to alert me when a new PC or server has been added or removed from a specific subnet. I tried modifying the NIC023 and NIC024 rules, but I either get way too many alerts or it just isn't working the way I would like it to.

Currently I have it set to the following:

Device Class/Type is set to Hosts.Windows Hosts/Windows Events with the subnet specified.

Event selection is set to event category -> windows events and the value is either system shutdown or network.device.removals.

For the device addition I did the same setup with system startup or network.device.additions.

What am I doing wrong in this case? Thanks for any help!
