Environment
Security Manager 6.5.2 and earlier
Situation
Correlation Rule Wizard is missing options in the drop-down menu on the Common Fields Tab
Resolution
Service Pack 3 (SP3) for Security Manager 6.5 corrects this issue.
Click the following link to download Service Packs for Security Manager (Note: requires access to locked resources)
https://www.netiq.com/support/sm/extended/sp.asp
Cause
Any field that has a translation value is excluded from the common fields drop-down, as well as any field that is tagged in the metadata as 'additional data' . This means that things like address fields (IP Lookup) and object name/etc (SID/GUID lookup) are being excluded from several event source names in the wizard.
Additional Information
Formerly known as NETIQKB72623
When you use the Correlation Wizard in SM 6.5.2 and earlier, to create a correlation rule, the Wizard does not display all possible options in the drop-down menu on the Common Fields tab. Because of this limitation, users cannot use fields that are the result of an IP address, security identifier (SID), or globally unique identifier (GUID) lookup as common fields for correlation. By installing SP3 the Correlation Wizard now displays all fields in the drop-down menu.
When you use the Correlation Wizard in SM 6.5.2 and earlier, to create a correlation rule, the Wizard does not display all possible options in the drop-down menu on the Common Fields tab. Because of this limitation, users cannot use fields that are the result of an IP address, security identifier (SID), or globally unique identifier (GUID) lookup as common fields for correlation. By installing SP3 the Correlation Wizard now displays all fields in the drop-down menu.