I see some errors in your correlation rule. You use multiple filters, which will result in a correlation on one or more events that match the destination IP. These could be coming from completely different source IPs and be totally unrelated to each other.
The best thing is to place all filters in one component to match data in one event.
Furthermore, make sure that the fields you select are the fields for the event that contain data. The best thing is to use a view and find the events you want to match on in a correlation rule. Check what fields are parsed and the values they contain.
Your alarm seems okay from what I can see in the screenshot.
Also make sure that your correlation rule is enabled on the correlation engine in the policy editor. A good document to learn all about correlation and best practices is this one:
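To illustrate the point made in the answer above (added example, not part of the original thread and not McAfee's own correlation engine): a small Python model of the two rule shapes, run over constructed sample events. With the filters split across components, each filter can be satisfied by a different event as long as they share the destination IP, so three unrelated source IPs together trigger the rule; with all filters in one component, a single event must satisfy every filter. Field names, sample values and the two functions are assumptions for the illustration.

```python
# Constructed sample events, grouped by destination IP the way the rule in the
# thread does. Three different sources talk to 192.0.2.10; none of them alone
# matches all three filters below.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 445, "signature": "SMB login failure"},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "dst_port": 22, "signature": "SSH login success"},
    {"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "dst_port": 3389, "signature": "RDP connection"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.20", "dst_port": 445, "signature": "SMB login failure"},
]

# Filters as (field, expected value) pairs. These are hypothetical rule
# conditions chosen so that no single constructed event satisfies all of them.
SPLIT_FILTERS = [
    ("src_ip", "10.0.0.5"),
    ("dst_port", 22),
    ("signature", "RDP connection"),
]

# A filter set that one event does satisfy completely (events 1 and 4).
ONE_EVENT_FILTERS = [
    ("src_ip", "10.0.0.5"),
    ("dst_port", 445),
    ("signature", "SMB login failure"),
]


def correlate_across_events(events, filters, group_field="dst_ip"):
    """Model of filters placed in separate components.

    Each filter may be matched by a *different* event; the rule fires for a
    group value once every filter has been matched by some event in that group.
    Returns the sorted list of group values that would raise an alarm.
    """
    matched = {}
    for field, value in filters:
        for ev in events:
            if ev.get(field) == value:
                matched.setdefault(ev[group_field], set()).add((field, value))
    return sorted(g for g, seen in matched.items() if len(seen) == len(filters))


def correlate_single_event(events, filters, group_field="dst_ip"):
    """Model of all filters placed in one component.

    A single event must satisfy every filter before the group value fires.
    """
    return sorted({ev[group_field] for ev in events
                   if all(ev.get(f) == v for f, v in filters)})


def contributing_sources(events, filters, group_value, group_field="dst_ip"):
    """Show which source IPs were stitched together for a cross-event match,
    to make the 'totally unrelated' problem visible."""
    sources = set()
    for field, value in filters:
        for ev in events:
            if ev[group_field] == group_value and ev.get(field) == value:
                sources.add(ev["src_ip"])
    return sorted(sources)


if __name__ == "__main__":
    print("split components  :", correlate_across_events(EVENTS, SPLIT_FILTERS))
    print("  sources combined:", contributing_sources(EVENTS, SPLIT_FILTERS, "192.0.2.10"))
    print("single component  :", correlate_single_event(EVENTS, SPLIT_FILTERS))
    print("genuine one-event match, both models agree:",
          correlate_across_events(EVENTS, ONE_EVENT_FILTERS),
          correlate_single_event(EVENTS, ONE_EVENT_FILTERS))
```

With the split filters the first model fires on 192.0.2.10 by combining events from 10.0.0.5, 10.0.0.7 and 10.0.0.9, while the single-component model fires on nothing. When one event really does satisfy all the filters (the second filter set), both models agree, which is why collapsing the filters into one component loses nothing for the intended detection.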
Thank you for providing a very useful document on correlation. May I request you to share any other documents that I can leverage to gain expertise on McAfee SIEM? (Finding it a bit difficult to understand, as I was working on ArcSight earlier.)
Is there any document which illustrates the testing of rules in McAfee? (Like in ArcSight, where we install a test connector and create .event replay files.)
This is a very good starting place for McAfee SIEM documentation:
Regarding rule testing, there are two options:
- you have a historic ACE (this allows you to replay past events through the correlation engine)
- or you import events/recreate events