1 Reply Latest reply on Oct 4, 2010 7:07 AM by Sweep

    Display filters in NSM 5.1

      Hi,

       

      I'm new to this forum and was trying to find out exactly where the "Display Filters" created from the Alerts in Real Time TA get saved on the local hard drive.

       

      I could find the saved views in "C:\Documents and Settings\USERNAME\McAfee\NetworkSecurityManager\NAMEOFNSMMGR\ThreatAnalyzer" as "savedviews.xml" and preferences as "preference.xml".

       

      I know that Display Filters, if properly configured, can reduce the task of digging into the thousands of alerts.

       

      But every time the local Java cache and the NSM folder are deleted for some reason, the created display filters seem to disappear.

       

      If I could find the file where the display filters get saved, then I could manually back up the file and import it back if the cache is deleted for some reason.

       

       

      thx

      srini

       

       

      Message was edited by: srinivasang06 on 6/30/10 3:30:37 PM CDT
        • 1. Re: Display filters in NSM 5.1

          Hi Srini,

           

          You may have solved this issue already but here are a few pointers that may help:

           

          This is something that we have looked at as well and have had little success in finding where these settings are saved. Like you, we looked into the settings folder and backed up the XML files but, as you say, they don't work.

           

          You say that you have to dig through thousands of alerts?

           

          Surely if you are swamped in alerts then investigating them and finding out which are false positives due to normal network traffic would be the best way forward?

          If you have a policy on your devices that encompasses the "All inclusive with audit" rule set then this is a must!

           

          A quicker way to "filter" the events, though, if tuning is not an option, is to right-click on an event that you do not wish to see and select the "hide" option. This will filter the view and present you with the view minus the hidden alert.

           

          Alternatively, try the "group by" option on the top right of the TA and sort them by attack name, Source IP, etc.

           

          Hope this helps...