ArcSight Rule Testing Tip

One thing I learned today is patience when testing an ArcSight rule on old events. This has always sort of been voodoo to me. Maybe everyone knows this already, but I thought I'd share. When you test a new rule with the "Test" button (see image to left) in the Rule definition window, it behaves a little differently from a normal rule: it essentially opens an Active Channel and inserts your test rule into that stream of events.

So, it looks like any other active channel, with one exception. The channel will speed through status messages (examples below), such as showing you "Percentage Complete", telling you it is retrieving events, and it may even show a message saying "No data matches this query". This does not necessarily mean your rule does not work.

Just let the Active Channel sit there for a few minutes and you may get results. Apparently, when ESM says it is done, it is not actually done.

This has tripped me up many times and I finally figured out it was lying to me today when my ADHD kicked in.  I came back to the channel later and had results.

So, I learned something new today after seven years of using ESM. Sort of embarrassing, but hopefully it can help you test your rules better before putting them into production.

Until next time... Wyman