05-31-2017 05:01 PM
Hi,
Is it possible to change whitelist violation severity? I believe by default they are priority 1 events. I'd like to test whitelist violations without causing incident tickets, which are generated on P1 events.
05-31-2017 08:08 PM
You mean a correlation whitelist? In your correlation policy, when you add a rule, you select the priority, which can be None or 1-5. This will set the priority of the resulting correlation event.
05-31-2017 08:40 PM
Configuring a whitelist via the whitelist tab within the correlation section.
06-01-2017 06:52 PM
I'm not sure if that was a follow-up question? If you configure a white list via the White List tab under Correlation, it's akin to creating a correlation rule. It doesn't do anything by itself. To have the White List evaluated against the target hosts and generate correlation events, you need to create a correlation policy and add the White List to it, then activate the policy. So, back to my original answer. You set the priority in the correlation policy.