The current number of pre-built correlation rules is 178. Your ACE with 322 rules must have a fairly large number of custom rules. You can see which ones are custom, and which are from McAfee, bu applinig a filter in the Policy Editor. Set "origin" to "standard" to see the pre-built McAfee rules.
Thanks for reply
We have two running systems
One is in production with 9.2.1. The ACE have 322 rules. Off course other then 178 rules are customized.
Now the problem is that
1- until i disable or delete them i can't roll out the polcies.
2- as the polices are not rolling out the correlation should not work but some how correlation is working.
3- actual problem is that events are parsing by these customized rules so what should we do
4- our SOC team want these rules in new system9.3.2
Now come to new system9.3.2
1- i can't roll out policies until i delete those customized rules. This ESM was previously resundant of production system.
2- why the new system is not supporting those custom rules.