Correlation issue

Issue Identified:

During a recent correlation exercise, a minor bug was encountered. This was identified while working with two filters created under Event Definitions: one named “successful login” and the other named “fail login.”

Steps Taken:

Creation of Filters: Initially, two filters were created for the event definitions - “successful login” and “fail login.”

Correlation Setup: A correlation was set up using these filters, with all necessary information being inputted.

Modification Error: In the process of editing the filter for “fail login,” an unintentional addition of an “s” to the name occurred.

Correlation Update Check: After editing the filter, the correlation was checked to see if the event name change was reflected. The name update was successful in the correlation.

Test and Issue Discovery: A test was conducted on the correlation with an alert setup. Despite both events matching, the alert failed to trigger. This prompted a further investigation.

Root Cause Analysis:

Upon examination, it was discovered that the Summary tab within the correlation did not reflect the updated event name after the event definition was modified. This discrepancy between the actual event definition and the summary information appears to have disrupted the correlation’s alert mechanism.

Implications for Future:

This issue presents a potential challenge for users who may be performing maintenance or wishing to change naming conventions within their systems. If users do not thoroughly check the summary and other related areas after making updates to event definitions, similar discrepancies and failures in correlations could occur.
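
One way to audit for this after a rename, as an added example that is not part of the original post and not any product's own code: compare the event name stored in each correlation's summary against the current event definition with the same id. The export layout, field names (`definition_id`, `name`, `summary`), and ids are assumptions, and the sample data is constructed to mirror the “fail login” rename described above.

```python
# Assumed export layout for illustration; field names are hypothetical,
# not taken from any product's API. All sample data is constructed.

# Event definitions after "fail login" was renamed to "fail logins".
EVENT_DEFINITIONS = {"def-1": "successful login", "def-2": "fail logins"}

# Each summary entry keeps the definition id plus the name copied in
# when the correlation was saved.
CORRELATIONS = [
    {
        "title": "login after failures",
        "summary": [
            {"definition_id": "def-2", "name": "fail login"},
            {"definition_id": "def-1", "name": "successful login"},
        ],
    },
    {
        "title": "orphaned rule",
        "summary": [{"definition_id": "def-9", "name": "vpn login"}],
    },
]


def find_stale_references(definitions, correlations):
    """Return (correlation, definition_id, stored_name, current_name) tuples.

    current_name is None when the referenced definition no longer exists.
    The comparison is exact, since a one-character rename is enough to
    break a name-based match.
    """
    findings = []
    for corr in correlations:
        for entry in corr["summary"]:
            current = definitions.get(entry["definition_id"])
            if current != entry["name"]:
                findings.append(
                    (corr["title"], entry["definition_id"], entry["name"], current)
                )
    return findings


if __name__ == "__main__":
    for title, def_id, stored, current in find_stale_references(
        EVENT_DEFINITIONS, CORRELATIONS
    ):
        state = "definition missing" if current is None else f"now {current!r}"
        print(f"{title}: {def_id} stored as {stored!r}, {state}")
```

Running a check like this after every event definition change flags correlations that would otherwise fail silently, before an expected alert is missed.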
