Import rules with event type groups

Hi,

I have to import rules to a production SIEM. Many of these rules contains a eventType IN (Group@PH_SYS_EVENT_Group).

We have noticed those conditons are broken when imported in the new SIEM and we have to remap them manually to the event type group.

My question: Is there a quicker way to make those statements working?

Thanks,

Best answer by premchanderr

Hi @MBerube ,

Custom groups are unique to a system and upon manual import you would have to re-map them.

Unfortunately no other workaround to perform bulk re-mapping objects.

Staff & Editor

Hi @MBerube ,

Custom groups are unique to a system and upon manual import you would have to re-map them.

Unfortunately no other workaround to perform bulk re-mapping objects.

New Member

All right. Thanks.

Staff & Editor

You are welcome :)

Sign up