
How can i import and export same event to a specific data source for testing a rule that i created?

Hi all,

I am kind of new to McAfee SIEM and working on getting used to this tool. I have created a Windows rule that looks for any account changes on a specific group of devices. Eventually I have also created an alarm based on this signature ID.

However, I do not know if the alarm is working fine or not. May I request any assistance on creating some test event, or on how I can import/export a sample event that I can replay for testing?

Regards,

Raghu

4 Replies

Re: How can i import and export same event to a specific data source for testing a rule that i created?

I see some errors in your correlation rule. You use multiple filters, which will result in a correlation on one or more events that match the destination IP. These could be coming from completely different source IPs and be totally unrelated to each other.

The best thing is to place all filters in one component to match data in one event.

Furthermore, make sure that the fields you select are the fields for the event that contain data. The best thing is to use a view and find the events you want to match on in a correlation rule. Check what fields are parsed and the values they contain.

Your alarm seems okay from what I can see in the screenshot.

Also make sure that your correlation rule is enabled on the correlation engine in the policy editor. A good document to learn all about correlation and best practices is this one:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25633/en_US/...
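The point about filters spread over several components, as an added illustration written for this page (it is not McAfee's correlation engine and not code from the thread): a toy correlation check in Python that groups events on destination IP and evaluates the same two filters both ways. The events, field names, signature values and the two filters are constructed for the example.

```python
"""Added illustration (not McAfee code, not from the thread): a toy correlation
check showing the difference between filters spread over several components,
joined on destination IP, and all filters in one component. Field names,
values and the events themselves are constructed for the example."""


def group_by(events, field):
    """Bucket events by one field (here the destination IP the rule groups on)."""
    groups = {}
    for ev in events:
        groups.setdefault(ev[field], []).append(ev)
    return groups


def matches(ev, flt):
    field, value = flt
    return ev.get(field) == value


def separate_components(events, filters, group_field="dst_ip"):
    """One filter per component, components joined on group_field: a group
    fires when every filter is satisfied by *some* event in the group, so
    two unrelated events can combine into one hit."""
    return sorted(
        key for key, group in group_by(events, group_field).items()
        if all(any(matches(ev, f) for ev in group) for f in filters)
    )


def single_component(events, filters, group_field="dst_ip"):
    """All filters in one component: a single event must satisfy all of them."""
    return sorted({ev[group_field] for ev in events
                   if all(matches(ev, f) for f in filters)})


def explain(events, filters, group_field="dst_ip"):
    """For each group, list which events satisfied each filter, so a false
    positive can be traced to the unrelated events that produced it."""
    out = {}
    for key, group in group_by(events, group_field).items():
        out[key] = {f: [ev["id"] for ev in group if matches(ev, f)] for f in filters}
    return out


# Constructed sample events, shaped like parsed Windows security events.
# The rule wants a group-membership change (Windows event 4728) on a
# monitored server performed by a service account that should never do it.
EVENTS = [
    {"id": "A", "sig": 4728, "src_ip": "10.0.0.5",  "dst_ip": "10.1.1.10", "user": "admin1"},
    {"id": "B", "sig": 4624, "src_ip": "10.0.0.77", "dst_ip": "10.1.1.10", "user": "svc_backup"},
    {"id": "C", "sig": 4728, "src_ip": "10.0.0.9",  "dst_ip": "10.1.1.20", "user": "svc_backup"},
    {"id": "D", "sig": 4624, "src_ip": "10.0.0.9",  "dst_ip": "10.1.1.30", "user": "svc_backup"},
]
FILTERS = [("sig", 4728), ("user", "svc_backup")]

if __name__ == "__main__":
    # 10.1.1.10 shows up only in the first list: admin1's group change (A) and
    # an unrelated svc_backup logon (B) were stitched together by the join.
    print("separate components:", separate_components(EVENTS, FILTERS))
    print("single component:   ", single_component(EVENTS, FILTERS))
    print("why 10.1.1.10 fired:", explain(EVENTS, FILTERS)["10.1.1.10"])
```

When you test your real rule, feed it the same kind of pair: one event that matches the signature and a second, unrelated event from another source that matches the account filter against the same destination. If the alarm fires on that pair, the filters are still being joined across events rather than evaluated on one.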

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Hi Robert,

Thank you for providing a very useful document on correlation. May I request you to share any other documents that I can leverage to gain expertise on McAfee SIEM? (I am finding it a bit difficult to understand, as I was working on ArcSight earlier.)

Raghu

Re: How can i import and export same event to a specific data source for testing a rule that i created?

This is a very good starting place for McAfee SIEM documentation:

Regarding rule testing; there are two options

- you have a historic ACE (this allows you to replay past events through the correlation engine)

- or you import events/recreate events
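The second option, recreating an event and replaying it, as an added example written for this page (not McAfee code and not from the thread): a Python script that builds a Windows account-change event as an RFC 3164-style syslog line, parses it back to confirm the fields the rule keys on are present, and sends it over UDP to a collector. The key="value" body layout, the hostname DC01, the account names and the receiver address are all assumptions; the only thing to copy is the approach, and the body layout should mirror an event your data source already parses correctly (find one in a view, as suggested above).

```python
"""Added example (not McAfee code, not from the thread): build a Windows
account-change event as a syslog line, check that it carries the fields the
rule keys on, and replay it to a collector. The key="value" body layout is an
assumption; mirror the layout of an event your data source already parses."""
import datetime
import re
import socket
import time

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME body
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def build_event(host, event_id, subject, member, group, when=None, pri=13):
    """Return one syslog line. PRI 13 = facility user (1), severity notice (5).
    Day of month is space-padded as RFC 3164 requires."""
    when = when or datetime.datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    body = (f'EventID="{event_id}" Subject="{subject}" Member="{member}" '
            f'Group="{group}" '
            f'Message="A member was added to a security-enabled global group"')
    return f"<{pri}>{stamp} {host} {body}"


def parse_event(line):
    """Parse the line back the way a key=value parser would, so you can confirm
    the fields your rule filters on are really present before replaying."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    fields = {"pri": int(m["pri"]), "ts": m["ts"], "host": m["host"]}
    fields.update(KV_RE.findall(m["body"]))
    return fields


def sample_event():
    """Constructed test event: Windows event 4728 (member added to a
    security-enabled global group) on DC01, with a fixed timestamp."""
    when = datetime.datetime(2019, 3, 4, 9, 15, 0)
    return build_event("DC01", 4728, "jdoe", "svc_backup", "Domain Admins", when)


def replay(lines, collector, port=514, delay=0.5):
    """Send each line over UDP syslog, paced so they arrive in order.
    Nothing comes back; check the data source view for the parsed event."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (collector, port))
            time.sleep(delay)


if __name__ == "__main__":
    line = sample_event()
    print(line)
    print(parse_event(line))
    # replay([line], "10.0.0.10")  # hypothetical receiver address; uncomment to send
```

Replaying one event proves that the data source receives and parses it; replaying it twice, once with the expected account and once with a different one, is the minimum that shows the rule and alarm actually discriminate rather than fire on any event 4728.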

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Is there any document which illustrates the testing of a rule in McAfee? (Like in ArcSight, where we install a test connector and create .event replay files.)
