Solved: Configuring a whitelist via

evan.chadwick1 · ‎05-31-2017

Hi,
is it possible to change whitelist violation severity? I believe by default they are priority 1 events. I'd like to test whitelist violations without causing incident tickets which are generated on P1 events.

atatistc · ‎06-01-2017

I'm not sure if that was a follow-up question? If you configure a white list via the White List tab under Correlation it's akin to creating a correlation rule. It doesn't do anything by itself. To have the White List evaluated against the target hosts and generate correlation events you need to create a correlation policy and add the White List to it, then activate the policy. So, back to my original answer. You set the priority in the correlation policy.

View solution in original post

atatistc · ‎05-31-2017

You mean a correlation whitelist? In your correlation policy when you add a rule you select the priority which can be None or 1-5. This will set the priority of the resulting correlation event.

evan.chadwick1 · ‎05-31-2017

Configuring a whitelist via the whitelist tab within the correlation section.

atatistc · ‎06-01-2017

I'm not sure if that was a follow-up question? If you configure a white list via the White List tab under Correlation it's akin to creating a correlation rule. It doesn't do anything by itself. To have the White List evaluated against the target hosts and generate correlation events you need to create a correlation policy and add the White List to it, then activate the policy. So, back to my original answer. You set the priority in the correlation policy.

whitelist violation change from priority 1