RSA Admin

Correlation Rule Filters

Discussion created by RSA Admin Employee on Sep 18, 2008
Latest reply on Sep 19, 2008 by RSA Admin
Hi everyone! I have been trying to build a correlation rule that will show a successful logon to an FTP server after failed logins from the same source address. So, I used a device group of FTP servers and created 2 circuits with one statement each. The first circuit contains Windows 529 events followed by a 528 event. This will show me login failures and then a successful login. I want to filter our enterprise IP addresses out so that everything I see that sets off this alert will be from the outside trying to get in. However, when I try to set a filter in each statement, only the Content variable shows up. How do I configure this so that the other variables will show up so that I can filter by IP address? Help!!!!!
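
The correlation logic described in the post above, written out as an added Python example so the intended behaviour can be checked independently of the product. It is not part of the original post and is not the product's rule syntax. The enterprise network ranges, the failure threshold, the time window and the sample events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed assumption: enterprise address space to exclude from alerts.
ENTERPRISE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events: (epoch seconds, Windows event ID, source address, FTP server).
SAMPLE_EVENTS = [
    (1000, 529, "203.0.113.7", "ftp01"),
    (1010, 529, "203.0.113.7", "ftp01"),
    (1015, 529, "10.1.2.3", "ftp01"),
    (1020, 529, "203.0.113.7", "ftp01"),
    (1025, 528, "10.1.2.3", "ftp01"),       # internal source: filtered out
    (1030, 528, "203.0.113.7", "ftp01"),    # external success after 3 failures
    (1040, 528, "198.51.100.9", "ftp01"),   # external success, no prior failures
    (2000, 529, "198.51.100.20", "ftp02"),
    (9000, 528, "198.51.100.20", "ftp02"),  # failure is outside the window
]

def is_enterprise(addr, nets=ENTERPRISE_NETS):
    """True when addr falls inside any of the enterprise networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def correlate(events, min_failures=3, window=300, nets=ENTERPRISE_NETS):
    """Alert on a 528 preceded by at least min_failures 529 events from the
    same external source on the same server within `window` seconds."""
    failures = defaultdict(deque)    # (src, host) -> timestamps of 529 events
    alerts = []
    for ts, event_id, src, host in sorted(events):
        if is_enterprise(src, nets):
            continue                 # the source-IP filter the post asks about
        recent = failures[(src, host)]
        while recent and ts - recent[0] > window:
            recent.popleft()         # expire failures older than the window
        if event_id == 529:
            recent.append(ts)
        elif event_id == 528:
            if len(recent) >= min_failures:
                alerts.append({"src": src, "host": host, "time": ts,
                               "failures": len(recent)})
            recent.clear()           # a success ends the current failure run
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Applying the source filter before counting failures, as here, keeps internal noise out of the failure state as well as out of the alerts.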