
CE Rule update management.

Does anyone know of a way to manage rule updates on the CE engine?

I have a lot of correlation rules that we have copied and tuned to fit our environment. However, every time we get a rule update I have to copy the old rule, paste it, open the pasted rule and compare it to our tuned rule and adjust it as needed.

When there are a lot of rule updates this gets very tedious. 

Any help with this would be appreciated.

3 Replies

Re: CE Rule update management.

I believe we already have a planned PER to let users view the correlation rule details without forcing users to copy/paste correlation rules and go to edit mode to see rule logic. I will double check and add this PER if it does not already exist.

Presently we have rule filters like Time, Rule Status (updated, new), and Origin (user defined) that you can use to find and filter rules.

I also think there are more opportunities to improve Policy Manager usability. Color coding and icons, sorting, qwik buttons (new, user-defined), etc. are some that are easy to implement and that we will try to prioritize in upcoming releases.

Feel free to make additional suggestions based on your experience using Policy Manager.

- Product Manager, McAfee SIEM

Re: CE Rule update management.

You have a couple of tools available in the Policy Editor. If you go into Correlation and select the Real-Time Correlation Engine, there is an option under the Tools menu to Compare Rules Files. It pops up something like this:

[image: compare rules.png]

You can compare staged (downloaded) and current (tuned) rules all at once. The Rule Change History might also provide additional information. I don't know from your post what all of your tuning needs are, but you can also use the New Rule Configuration to override some defaults, some of which are tuning related.

[image: new rule config.png]

If more functionality is needed or desired, please feel free to submit it as a Product Enhancement Request (PER). There is a link on the SIEM community home page.


Grant Babb

SIEM Product Manager

Re: CE Rule update management.

Thank you for the information.

I haven’t looked at the Compare Rules Files option before. I'll check it out when I get a chance.

The Rule Change History is almost completely useless as far as I can tell. It only lets you know that a rule has changed, not what changed about the rule.

I'll also take a look at the New Rule Configuration.
