New Member.

Active list Strings Entries Conditions



I'm new with ArcSight.


I created an Active List. The entries of this Active List are words (strings).


I want to excluded events with conditions (filter or rule), if the events fields contain that the words (strings) that are present in the Active List.


How can I do this?

Tags (2)
1 Reply
David Bau Outstanding Contributor.
Outstanding Contributor.

Re: Active list Strings Entries Conditions

Hello Philippe

Whitelisting or blacklisting with active lists can be done in several ways

The most straight forward one is create a condition in the rule that states in or not in active list and set the field to compare to the Lists key field

For example

the field you want to compare in the event is source user name

create this condition

source user name not in active list



if you want the rule to include the user names in the list create the condition 

source user name in active list


Other issue you can consider, making your lists case insensitive in case the field you are referring to may change from being uppercase to lowercase

Also you may need to manipulate you reference field using a variable

for example the source user name field contents is "yourdomain\youruser" and you are interested only comparing "youruser" to the list, in this case you can use a variable to cut out "yourdomain". This can be achieved with an substring variable or a velocity template variable 

Best regards


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.