Jul 17, 2013

    Rule creation in LEM is confusing...


      I've been trying to take some of the filters I've created in LEM and am now looking to use the same logic as a rule. My filter is as follows:


      ( "Event Name" = PolicyAccess ) AND ( ( "Event Name" = PolicyAccess ) AND ( SourceAccount = "username" ) ) AND ( ( "Event Name" = PolicyAccess ) AND ( EventInfo = "\"username\" running \"CLI\" executed a command that modified the configuration" ) )


      This returns results that I would like to use to build a rule against. However, when I go into the rule builder, I can't seem to translate the filter into a rule with all the AND statements/blocks. Under Correlations, I see the same AND arrow on the right side of the block, but I cannot add an item next to it to create the AND condition (I hope I'm explaining this correctly). How do I chain correlation items together to create the rule?
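As an added illustration, not part of the original post or of LEM itself: the filter above repeats the `"Event Name" = PolicyAccess` test in every block, so by plain Boolean algebra (A AND (A AND B) AND (A AND C) is the same as A AND B AND C) it reduces to three conditions joined by a single AND. The script below evaluates both the nested form and the flattened form over constructed sample events (the field names `EventName`, `SourceAccount` and `EventInfo` mirror the filter; the records themselves are made up) and confirms they match exactly the same events, which is the shape a correlation block would need to express.

```python
# Added example: show that the nested LEM filter is equivalent to a flat
# three-condition AND. The events are constructed for this demo and are not
# real LEM records; field names follow the ones used in the filter.

EVENT_INFO = '"username" running "CLI" executed a command that modified the configuration'

SAMPLE_EVENTS = [
    # Matches every condition: PolicyAccess, right account, config-change text.
    {"id": 1, "EventName": "PolicyAccess", "SourceAccount": "username",
     "EventInfo": EVENT_INFO},
    # Right account and text, but a different event type.
    {"id": 2, "EventName": "UserLogon", "SourceAccount": "username",
     "EventInfo": EVENT_INFO},
    # Right event type and text, but a different account.
    {"id": 3, "EventName": "PolicyAccess", "SourceAccount": "svc-backup",
     "EventInfo": EVENT_INFO},
    # Right event type and account, but the command did not change config.
    {"id": 4, "EventName": "PolicyAccess", "SourceAccount": "username",
     "EventInfo": '"username" running "CLI" executed a read-only command'},
]


def nested_filter(ev, user="username"):
    """The filter exactly as written in the post: A AND (A AND B) AND (A AND C)."""
    a = ev["EventName"] == "PolicyAccess"
    b = ev["SourceAccount"] == user
    c = ev["EventInfo"] == EVENT_INFO
    return a and (a and b) and (a and c)


def flat_filter(ev, user="username"):
    """The same logic with the redundant repeats removed: A AND B AND C."""
    return (ev["EventName"] == "PolicyAccess"
            and ev["SourceAccount"] == user
            and ev["EventInfo"] == EVENT_INFO)


def matching_ids(events, predicate):
    """Return the ids of the events a predicate selects, in input order."""
    return [ev["id"] for ev in events if predicate(ev)]


def filters_agree(events):
    """True when both forms select the same events for every record."""
    return all(nested_filter(ev) == flat_filter(ev) for ev in events)


if __name__ == "__main__":
    print("nested:", matching_ids(SAMPLE_EVENTS, nested_filter))
    print("flat:  ", matching_ids(SAMPLE_EVENTS, flat_filter))
    print("equivalent on all samples:", filters_agree(SAMPLE_EVENTS))
```

Because the two forms are equivalent, a rule only needs one condition group with the three tests ANDed together, rather than a reproduction of the filter's nested blocks.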