Moved to SIEM for faster handling.
We have the exact same issue with 9.5.0 MR4.
Ref: SR: <4-8619802951>
We had to go through 2x upgrade cycles to address various bugs that kept popping up after each upgrade.
80% of our priv group monitoring alerts work, but the other 20% just do not work, and the data is there, etc.
We upgraded from 9.4.2 to 9.5 so we didn't have to go through any of the upgrade cycles. As of right now, the issue is still persisting. If you come across any workaround that may be beneficial to share, please do so.
Not sure if it will help or is an option, but we found that the MR5 patch cures a number of issues in the SIEM. This may be one of them...
We have been told that this issue is fixed in MR6 and there is no release date for MR6 yet. I am always hesitant to jump to the latest version, knowing that there are a ton of bugs in every new release.
MR5 has significant fixes for both memory and performance. Since the release of 8.5.x, there has been a concerted effort to provide long term stability and performance. I can't give a date for MR6, as it has to go through QA.
We are also having sporadic watchlist, alarm, and rules issues with 9.5.0 MR4 (SR # <4-10352845161>). Our issues get magically fixed overnight for no reason. I've got a McAfee engineer checking things out in my support case, though I imagine the end result will be a recommendation to upgrade to MR5.
I would recommend MR6. MR5 solves many of the issues you are describing, such as watchlist and rules.
The problem with upgrading to the newest (least tested) version is always introducing new bugs. We've definitely had our share of that through the past couple years of upgrades, where updates might break everything.
Of course, right now we run into these situations where things break anyway, so what do we have to lose...
I'll wait to hear back on my case to see if an upgrade is recommended by the support engineer.