Greater detail in ArcSight content auditing

Idea ID 2774980

0 Votes

Here is a feature request to include additional information in the ArcSight Internal Event relating to the updating of resources, where Device Event Class ID = resource:101. The type of change to the resource should be noted within the event, such as “Filter”, “Aggregation”, “Local Variables”, etc., in order to enable them to develop rules and reports around said event. It would be good to see this for Filters and Rules, but also Reports, Queries, Active Lists and Users if possible. Ideally this would add to an existing event processed by ESM to understand what part of the resource has changed, as opposed to retaining a version history between changes, so that we are able to identify which element of a resource has changed.
In terms of resources, we would be looking for this change on the following resource types: filters, rules, reports, queries, active lists and users.

Scenario
When updating a resource such as a rule, what element was changed is not recorded, just that the rule was updated in some capacity.

Workaround
Comparison with another system which is not always ideal.

Unacceptable
No idea what part of a resource was changed, e.g. a rule changed but not sure if it was the aggregation, the filter conditions, the output, etc.

Required
Also include what element of the rule or any resource was changed, so there is greater knowledge of what a person did with the resource.

NGS-28716 was created previously.
