I have been using a correlation rule based on the supplied CRL-00023-01.
I have noticed a strange thing that I don't fully understand.
Although the rule is based on the contents of NIC message id 508100, which contains the following fields:
Packager, <source>,<username>,<obj_type>,<obj_name>,<action> Detail: <pid>: Device <laddr> (<device>): <count> messages processed <@msg:*PARMVAL($MSG)><@level:*SYSVAL($LEVEL)>
The multi thread definition for rule CRL-00023-01 is using the following values:
"device, destination address"
that correspond (in its XML representation) to:
<thread value="1" set="daddr:device"/>.
Where is that "daddr" coming from? It is not present in the parsing fields from message 508100.
Why is "laddr" not used instead?
I would appreciate any help on this.