cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rboppidi
Level 7
Report Inappropriate Content
Message 1 of 5
‎04-19-2015 10:11 PM

How can i import and export same event to a specific data source for testing a rule that i created?

Hi all,

I am kind of new to McAfee SIEM and working on getting used to this tool. I have created a windows rule that looks for any account changes on specific group of devices. Eventually i have also created an alarm based on this SIGNATURE ID

However, i do not know if the alarm is working fine or not. May i request any assistance on creating some test event or how can i import/export and sample event that i can replay for testing.

Regards,

Raghu

0 Kudos
Reply
4 Replies
robert_dearbyte
Level 10
Report Inappropriate Content
Message 2 of 5
‎04-20-2015 07:22 AM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

I see some errors in your correlation rule. You use multiple filters which will result in a correlation on one or more multiple events that match the destiantion IP. These could be coming from completly different source IPS and be totally unrelated to each other.

Best thing that you place all filters in one component to match data in one event.

Futhermore, make sure that the fields you select are the fields for the event that contain data. best thing is to use a view and find the events you want to match on in acorrelation rule. Check what fields are parsed and the values they contain.

Your alarm seems okay from what I can see in the screenshot.

Also make sure that your correlation rule is enabled on the correlation engine in the policy editor. A good document to learn all about correlation and best practices is this one:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25633/en_US/...

0 Kudos
Reply
rboppidi
Level 7
Report Inappropriate Content
Message 3 of 5
‎04-20-2015 11:40 PM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Hi Robert,

Thank you for providing very useful document on correlation. May i request you to share if any other documents that i leverage to gain expertise on Mcafee SIEM. (finding it bit difficult in understanding as i was working on Arcsight earlier )

Raghu

0 Kudos
Reply
robert_dearbyte
Level 10
Report Inappropriate Content
Message 4 of 5
‎04-21-2015 06:30 AM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

This is a very good starting place for McAfee SIEM documentation:

Regarding rule testing; there are two options

- you have a historic ACE (this allows you to replay passed evets through the correlation engine)

- or you import events/recreate events

0 Kudos
Reply
rboppidi
Level 7
Report Inappropriate Content
Message 5 of 5
‎04-20-2015 11:44 PM

Re: How can i import and export same event to a specific data source for testing a rule that i created?

Is there any document which illustrates the testing of rule in McAfee ( Like in Arcsight we install a test connector and create .event replay files )

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC