For an introduction to Normalized-Message fields, see How does Log-Message Normalization work?.
In this optional Step, you can create a customized Normalized-Message Field and assign it as a condition in a Decision or Output in a Correlation Rule.
To create a Normalized-Message Field:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Correlation > Normalized-Message Fields.
3. Click Add.
4. Complete the Normalized-Message Field dialog (see Fields in the Normalized-Message Field dialog) and click OK.
5. To add the Normalized-Message Field to a Decision or Output in a Correlation Rule, see Defining a Correlation Rule.
Field | Description |
---|---|
Key | A unique ID of your choosing for the Normalized-Message field. The Key can only consist of lower-case letters, numbers, and the underscore character (_). |
Name | A name of your choosing for the Normalized-Message field. The Name will appear in the Normalized-Message Field drop-down of both the Decision Settings tab and the Action Settings tab in the Settings panel of the Correlation Rule tab (see Table 95). |
Type | The type of Normalized-Message field (e.g., a string, a number, an IP address, or a port number). |