To verify that the correlator is ready to receive events:
If the events that are fed into the correlator contain events that meet the correlation rule filter conditions, the events tab will show events with the DeviceVendor=Kaspersky and DeviceProduct=KUMA parameters. The name of the triggered correlation rule will be displayed as the name of these correlation events.
If correlation events were not found
You can create a simpler version of your correlation rule to find possible errors. Use a simple correlation rule and a single Output action. It is recommended to create a filter to find events that are regularly received by KUMA.
When updating, adding or removing a correlation rule, you must restart the correlator.
When you finish testing your correlation rules, you must remove all testing and temporary correlation rules from KUMA and restart the correlator.