Hi,

nice catch I had same issue with queries therefore also reports can be affected by this. Also search in command center can find result from rules testing.

To prevent this you can use following filter as part of your query or command center search:

• Session ID = 0  -  this will match correlated events created by real-time rules

OR

• Session ID is null  -  this will match base events

Cheers!

Lukas

It might be worth noting here that if you use the "Verify Rule(s) with Events" function within the ArcSight console it's possible that you'll skew your trend data. I had issues where my trend found data that my team never saw hit their work queue. Digging deeper into this, Active Channels have a session id back end filter that isn't visible and the reporting engine does not. When you verify rules, it's writing real rule fires into the database with a session id > 0 that a query is able to find. You can match the filter by adding "NOT session id > 0" as a condition in the query to avoid pulling any of these events into event trends.

Worth noting this as a tip / trick if anyone is tracking all production alert data and also testing production alerts before deploying to real-time.

Very well-written. Helped our team a lot!

Brilliant!