Verifying Rules with Events
This topic applies to standard rules. ArcSight Console provides two ways to test or verify rules before deploying them. The two options are similar; they differ in the navigation path used to select or set up the test channel and, more importantly, in scope: from the rule editor you can test only the selected rule, whereas from the navigation tree you can test several selected rules or rule groups.
The first method is discussed in Testing Rules. This topic explains how to test multiple rules or rule groups from the navigation tree using the Verify Rule(s) with Events option.
You can test rules by running them against a set of captured events for historical analysis. You can replay events to verify rules in existing active channels, or create new channels for this purpose. You can select a single rule, multiple rules, or a rule group to verify.
Tip: About Test Channels: A lightning bolt on a channel indicates it is a test channel created as a result of choosing Verify Rules with Events on a rule. Test channels cannot be re-used, even for the same rule. Remove test channels from the Active Channels folder in the Navigator.
Alternatives to Test Channels: If you would like to re-use a channel to test various rules, create a standard active channel, for example, “My Rules Test Channel” (see Creating or Editing an Active Channel), then send rules test results to that channel. You can re-use a standard channel as many times as you want to test rules (that is, verify rules with events).
To verify rules with events:
- In the Rules resources tree, right-click an appropriate rule group or a specific rule and choose Verify Rule(s) with Events.
- From the sub-menu, choose More or New Active Channel:
  - More. This displays the Active Channel Selector dialog. Use this dialog to navigate to the channel you want.
    If you want to redefine or further narrow the stream of events in the selected channel, click the Override Channel Filter tab to add filters to it. The Override Channel Filter tab shows the conditions on the currently selected channel. You can add, remove, or modify the filters here.
    Click OK to choose the selected channel with filter modifications (if any). The selected channel is displayed in the Viewer panel.
    Note: Filters shown on rule verification channels are not designed for copying and re-use outside of these special rule testing channels. Rule verification channels show rule-triggered events and other non-correlation events in the channel, but the complete filtering logic that accomplishes this is not exposed.
    Filter conditions on these channels display the original filter (if one is applied) and “Session ID > 0”. The session ID statement is a simplified representation of the back-end filtering taking place in the special rule verification channel to limit this particular channel to show only new rule-triggered events.
  - New Active Channel... Selecting this option brings up a dialog where you can set up the parameters for the active channel that displays the rules in action. Provide a name for the new channel and set the other channel options as described in Creating or Editing an Active Channel.
    Click OK to create the new channel with your chosen settings. The new channel is displayed in the Viewer panel.
- Unlike existing active channels, channels created for rule verification purposes have a fixed time window (they become static) for qualifying events, and the events are those that qualify under the rules in the selected group. These active channels incorporate the conditions, aggregation characteristics, and actions defined for the rules in the selected group.
Note: Rules tested against pre-existing active channels are actually executed on copies of those active channels, which the system generates automatically for this purpose. Rules run in verify mode do not generate real rule actions correlated with live or historical system events; therefore, when they trigger, no real rule actions affect the system state. Only real-time rules or scheduled rules (set up to capture batched and other types of historical data) trigger real rule actions.
Once you have created and verified rules and are ready to deploy them on real-time events, move or copy the rules to your user folder under Real-time Rules. For more information, see Deploying Real-time Rules and Scheduling Rules.