cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
rboppidi
rboppidi
Level 7
Report Inappropriate Content
Message 1 of 5
‎04-19-2015 10:11 PM

How can i import and export same event to a specific data source for testing a rule that i created?

Hi all,

I am kind of new to McAfee SIEM and working on getting used to this tool. I have created a windows rule that looks for any account changes on specific group of devices. Eventually i have also created an alarm based on this SIGNATURE ID

However, i do not know if the alarm is working fine or not. May i request any assistance on creating some test event or how can i import/export and sample event that i can replay for testing.

Regards,

Raghu

0 Kudos
Reply
4 Replies
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 2 of 5
‎04-20-2015 07:22 AM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

I see some errors in your correlation rule. You use multiple filters which will result in a correlation on one or more multiple events that match the destiantion IP. These could be coming from completly different source IPS and be totally unrelated to each other.

Best thing that you place all filters in one component to match data in one event.

Futhermore, make sure that the fields you select are the fields for the event that contain data. best thing is to use a view and find the events you want to match on in acorrelation rule. Check what fields are parsed and the values they contain.

Your alarm seems okay from what I can see in the screenshot.

Also make sure that your correlation rule is enabled on the correlation engine in the policy editor. A good document to learn all about correlation and best practices is this one:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25633/en_US/...

0 Kudos
Reply
rboppidi
rboppidi
Level 7
Report Inappropriate Content
Message 3 of 5
‎04-20-2015 11:40 PM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Hi Robert,

Thank you for providing very useful document on correlation. May i request you to share if any other documents that i leverage to gain expertise on Mcafee SIEM. (finding it bit difficult in understanding as i was working on Arcsight earlier )

Raghu

0 Kudos
Reply
Highlighted
robert_dearbyte
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 5
‎04-21-2015 06:30 AM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

This is a very good starting place for McAfee SIEM documentation:

Regarding rule testing; there are two options

- you have a historic ACE (this allows you to replay passed evets through the correlation engine)

- or you import events/recreate events

0 Kudos
Reply
rboppidi
rboppidi
Level 7
Report Inappropriate Content
Message 5 of 5
‎04-20-2015 11:44 PM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Is there any document which illustrates the testing of rule in McAfee ( Like in Arcsight we install a test connector and create .event replay files )

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator