For an introduction to Normalized-Message fields, see How does Log-Message Normalization work?.
In this optional Step, you can create a customized Normalized-Message Field and assign it as a condition in a Decision or Output in a Correlation Rule.
To create a Normalized-Message Field:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Normalized-Message Fields.
3. Click Add.
4. Complete the Normalized-Message Field dialog (see Fields in the Normalized-Message Field dialog) and click OK.
5. To add the Normalized-Message Field to a Decision or Output in a Correlation Rule, see Defining a Correlation Rule.

| Field | Description |
|---|---|
| Key | A unique ID of your choosing for the Normalized-Message field. The Key can only consist of lower-case letters, numbers, and the underscore character (_). |
| Name | A name of your choosing for the Normalized-Message field. The Name will appear in the Normalized-Message Field drop-down of both the Decision Settings tab and the Action Settings tab in the Settings panel of the Correlation Rule tab (see Table 92). |
| Type | The type of Normalized-Message field (e.g., a string, a number, an IP address, or a port number). |