Does anyone know of a way to manage rule updates on the CE engine?
I have a lot of correlation rules that we have copied and tuned to fit our environment. However, every time we get a rule update I have to copy the old rule, paste it, open the pasted rule and compare it to our tuned rule and adjust it as needed.
When there are a lot of rule updates this gets very tedious.
Any help with this would be appreciated.
I believe we already have a planned PER to let users view the correlation rule details without forcing users to copy/paste correlation rules and go to edit mode to see rule logic. I will double check and add this PER if it does not already exist.
Presently we have rule filters like Time, Rule Status (updated, new), Origin (user defined) that you can use to find and filter rules.
I also think there are more opportunities to improve policy manager usability. Color coding & icons, sorting, qwik buttons (new, user-defined), etc. being some that are easy to implement that we will try to prioritize in upcoming releases.
Feel free to make additional suggestions based on your experience using Policy Manager.
- Product Manager, McAfee SIEM
You have a couple of tools available in the policy editor. If you go into Correlation and select the Real-Time Correlation Engine, under the Tools menu there is an option to Compare Rules Files. It pops up something like this:
You can compare staged (downloaded) and current (tuned) rules all at once. Also the Rule Change History might provide additional information. I don't know from your post what all of your tuning needs are, but you can also use the New Rule Configuration to override some defaults, some are tuning related.
If there is more functionality needed/desired, please feel free to submit it as a Product Enhancement Request (PER). There is a link on the SIEM community home page.
SIEM Product Manager
Thank you for the information.
I haven’t looked at the Compare Rules Files option before. I'll check it out when I get a chance.
The rule change history is almost completely useless as far as I can tell. It only lets you know that a rule has changed, not what changed about the rule.
I’ll also take a look at the New Rule Configuration.