How do cases & stages work?

Previously, I used 4.0 Express, in which predefined rules provide certain notifications to the user group.

Do the ArcSight Activate rules provide for creating a case and modifying the stage for a specific user group?
How do the case and the stage work?

Is there any reference document for schemes that can be used for the case and the stage?



  • Hi Fakhri,

    The stages within cases are part of the workflow process.  You can use the default stages that come with ESM (Queued, Initial, Follow-up, Final, Closed) or create your own and "fit" them into the rest of the 'stages' structure.  You should leave the current stages as they are and add others around them.

    The stages themselves do not tend to indicate a group of users, more a stage in the workflow.  Cases can be assigned to "case groups" to group them under certain meaningful areas, or indeed when creating a case from a rule, you can select both a case group and an owner (a username) for the case.

    Cases, stages and rules are all covered in the ArcSight Console User's Guide (p 613 - managing case groups, p 527 "Applying Rule Actions on Cases", p 280 "Creating or Editing Stages" and Chapter 22 - Case Management and Queries). You can find the guide here: 

    I hope that this information is useful Fakhri,

    Thanks and regards,

    Darren Hammond

    HPE ArcSight Technical Support

  • Verified Answer

    Hey ​,

    Since you asked about Activate, I would like to add to ​'s excellent response to your query.

    In Activate, we use the SOC stages based on work from our ArcSight Professional Services SIOC Team (contact ​ for more SIOC info):

    These SOC stages are for use in /All Active Channels/ArcSight Activate/Workflow/Main Channel, aka "The Triage Channel," and can be used in cases if you make the proper modifications to the manager and console properties files (we're hoping to improve that process in a future release, but I'm invoking every disclaimer I've ever seen about that comment!).

    Generally, in the Activate Workflow, which is fairly loosely defined compared to the Official SIOC Workflow, stages are assigned to events, and when changing the stage of an event, it is often required to assign that event to a user. Almost all of the Activate rules will set the Event Annotation Stage of their correlation events to one of the stages in the /All Stages/SOC Stages/System group. If the rule is using the information for establishing or maintaining a baseline, it will use the System Monitored stage. If the rule is actionable, that is, important enough to warrant a security analyst's time to remediate or investigate, it will use the Triage stage. I'm betting you can guess the use of the Testing stage. Note, the Testing stage is only for use when there is no test and staging environment, so all content development must be done on the production environment (this is not a good idea, but budget constraints can cause all sorts of issues). We are planning to expand our documentation on the Activate Workflow in the Activate Methods section of the wiki, but unfortunately, no-one has had time to do this, yet.

    I have developed a methodology for automatic creation of cases and for sending notifications for a few customers, but I haven't yet generalized it enough to make it easily accessible to the Activate community. That is also on my "To Do" list. The obvious, simple solution is to just add that functionality to the rule, but the problem with that is that if you do it, you'll need to re-do it whenever you install an update for those rules. The methodology I have tested with those few customers has worked, and eliminates the update problem, but now it is just a matter of time and not needing to put out other fires to complete and publish them.

    Hope this helps,


    Prentice Hayes
    ArcSight Security Team Architect & Principal Consultant

    ArcSight R&D | Federal Services

    HPE Security Products

  • Hi Fakhri,

    Good morning. I was just following up on this question. Did the information provided by Prentice and me give you an idea of how cases, stages, rules and workflow fit together in ESM? If so, would you mind marking this thread as answered?

    Thanks and regards,

    Darren Hammond

    HPE ArcSight ESM Technical Support

  • Hi,

    Regarding Activate Rules, some rules have 2 actions:
    On First Event: set annotation stage -> Triage
    On Subsequent Events: set annotation stage -> Triage

    I think there is a misconfiguration here. As far as I understand, we should annotate the first event as Triage and subsequent events as "System Monitored". This way, we can establish a rule throttling mechanism, can't we?