I've got an unusual issue with our instance of ArcSight (it's a quite old version, 6.9.1c Patch 2).
I've tried to create a rule for the first event that contains a logon (or failed logon) to AD for any user. So first I've created a filter that catches all such events, and it looks like below:
I have to mask sensitive data. The filter excludes a number of usernames that shouldn't be caught (like service accounts and so on). The filter itself does work and shows hundreds of events.
I have created a rule with conditions like below:
where "godzina" is a global variable with the settings as follows:
Below are the aggregation settings and actions. I have tried varying them, e.g. the number of matches, changing the time frame to shorter or longer, changing the actions to every event or, with more matches, to first threshold or every threshold. I've also checked whether the Active Channel with which I'm testing the rules has the correct settings (and it has: set to one day in the past and "End Time" as the Timestamp). Absolutely none of the changes has worked, and the rule doesn't fire at all.
Any help will be much appreciated. Thank you in advance.