Before you deploy a correlation rule to monitor real-time events, you can test it against the events that are already stored in the system to determine whether it fires as expected.
1. Log in to the Sentinel Main interface.
2. In the navigation panel, click Correlation.
3. In the Correlation panel, click the rule that you want to test, then click .
4. Click Test Rule.
5. Specify the time frame during which you want to test the rule.
6. (Optional) Click to filter the events that the rule should process.
7. Click Test Rule.
The test takes some time, depending on the time frame and filter you specified. When the test is complete, the results are displayed.
The test results show the following rule details:
Status: Indicates whether the test is running, stopped, or completed. The test stops early once the rule has fired 20 times during the test, because that many firings are enough to confirm that the rule works and stopping saves time when the time frame contains many events. Note that a test that stopped at 20 firings does not tell you how many times the rule would have fired over the whole time frame; to estimate the volume a rule would generate, narrow the time frame or tighten the filter until the test completes.
Started at: The date/time when the rule first fired.
Finished at: The date/time when the test stopped.
Indicators (dots) mark when the rule fired. A white dot indicates a single correlation event. A black dot indicates multiple correlation events generated within a short period of time. Click an indicator to see the event details.
Click the Close icon to close the test results.
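The same replay idea is useful outside the Sentinel interface, for example to backtest a rule against exported events before you load it. The following Python script is an added example and is not part of Sentinel or of this documentation: it replays a constructed set of stored events through a stateful threshold rule, honours a time frame and an optional event filter, stops once the rule has fired 20 times as described above, reports the started-at and finished-at times, and groups firings into single and multiple indicators. The rule, the field names (`outcome`, `src`), the sample events and the one-minute clustering window are all assumptions made for illustration; the page does not state how long "a short period of time" is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# From the page: the test stops once the rule has fired 20 times.
MAX_FIRINGS = 20
# Assumption: the page does not quantify "a short period of time" for the
# black-dot indicator; one minute is an illustrative choice, not Sentinel's value.
CLUSTER_WINDOW = timedelta(minutes=1)
T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed reference time for the sample data


@dataclass(frozen=True)
class Event:
    ts: datetime
    fields: dict


@dataclass
class TestResult:
    status: str                      # "stopped" (firing cap reached) or "completed"
    started_at: Optional[datetime]   # time of the first firing, None if it never fired
    finished_at: Optional[datetime]  # time the test stopped
    firings: list                    # the correlation events produced
    indicators: list                 # one (kind, first_ts, count) per dot; kind is "single" or "multiple"

    def summary(self, t0: datetime = T0) -> dict:
        """Offsets in seconds from t0, so results can be checked without datetime arithmetic."""
        def off(t):
            return None if t is None else (t - t0).total_seconds()
        return {
            "status": self.status,
            "started_at": off(self.started_at),
            "finished_at": off(self.finished_at),
            "firings": len(self.firings),
            "indicators": [(kind, off(first), count) for kind, first, count in self.indicators],
        }


def threshold_rule(key: str, threshold: int, window: timedelta) -> Callable[[Event], bool]:
    """Stateful correlation rule (assumed shape): fires when `threshold` events sharing
    field `key` arrive within `window`, then resets that key's counter."""
    seen: dict = {}

    def rule(ev: Event) -> bool:
        bucket = seen.setdefault(ev.fields.get(key), [])
        bucket.append(ev.ts)
        bucket[:] = [t for t in bucket if ev.ts - t <= window]   # drop timestamps outside the window
        if len(bucket) >= threshold:
            bucket.clear()
            return True
        return False

    return rule


def cluster_firings(firings: list, window: timedelta) -> list:
    """Group firings that follow each other within `window` into one indicator (dot)."""
    clusters: list = []
    for ev in firings:
        if clusters and ev.ts - clusters[-1]["last"] <= window:
            clusters[-1]["count"] += 1
            clusters[-1]["last"] = ev.ts
        else:
            clusters.append({"first": ev.ts, "last": ev.ts, "count": 1})
    return [("multiple" if c["count"] > 1 else "single", c["first"], c["count"]) for c in clusters]


def replay_rule(events, rule, start, end, prefilter=None,
                max_firings=MAX_FIRINGS, cluster_window=CLUSTER_WINDOW) -> TestResult:
    """Replay stored events inside [start, end] through `rule`, skipping events the
    optional `prefilter` rejects, and stop once the rule has fired `max_firings` times."""
    firings: list = []
    status, finished_at = "completed", end
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts < start or ev.ts > end:
            continue
        if prefilter is not None and not prefilter(ev):
            continue
        if rule(ev):
            firings.append(ev)
            if len(firings) >= max_firings:
                status, finished_at = "stopped", ev.ts
                break
    started_at = firings[0].ts if firings else None
    return TestResult(status, started_at, finished_at, firings, cluster_firings(firings, cluster_window))


def failed_logins(src: str, count: int, t0: datetime) -> list:
    """Constructed sample data: `count` failed logins from `src`, one per second."""
    return [Event(t0 + timedelta(seconds=i), {"outcome": "failure", "src": src}) for i in range(count)]


def run_sample() -> TestResult:
    """A 30-event burst, success noise that the filter drops, and a lone 5-event burst an hour later."""
    events = failed_logins("10.0.0.5", 30, T0)
    events += [Event(T0 + timedelta(minutes=30, seconds=i), {"outcome": "success", "src": "10.0.0.5"})
               for i in range(10)]
    events += failed_logins("10.0.0.9", 5, T0 + timedelta(hours=1))
    return replay_rule(events, threshold_rule("src", 5, timedelta(minutes=1)),
                       start=T0, end=T0 + timedelta(hours=2),
                       prefilter=lambda ev: ev.fields["outcome"] == "failure")


def run_capped_sample() -> TestResult:
    """200 failures from one source: the rule would fire 40 times, but the test stops at 20."""
    events = failed_logins("10.0.0.5", 200, T0)
    return replay_rule(events, threshold_rule("src", 5, timedelta(minutes=1)),
                       start=T0, end=T0 + timedelta(hours=1))


if __name__ == "__main__":
    print(run_sample().summary())
    print(run_capped_sample().summary())
```

`run_sample()` completes with 7 firings: the first six, five seconds apart, collapse into one "multiple" indicator and the firing an hour later stands alone as a "single" one. `run_capped_sample()` shows the cap: the status is "stopped" and the finished-at time is that of the 20th firing, so the result says nothing about the remaining 20 firings the rule would have produced.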