Active list Strings Entries Conditions
I'm new to ArcSight.
I created an Active List. The entries of this Active List are words (strings).
I want to exclude events with conditions (filter or rule) if the event fields contain the words (strings) that are present in the Active List.
How can I do this?
Re: Active list Strings Entries Conditions
Whitelisting or blacklisting with active lists can be done in several ways.
The most straightforward one is to create a condition in the rule that states in or not in active list, and set the field to compare to the list's key field.
The field you want to compare in the event is source user name.
Create this condition:
source user name not in active list
If you want the rule to include the user names in the list, create the condition:
source user name in active list
Another issue you can consider is making your lists case insensitive, in case the field you are referring to may change from being uppercase to lowercase.
Also, you may need to manipulate your reference field using a variable.
For example, the source user name field content is "yourdomain\youruser" and you are interested only in comparing "youruser" to the list; in this case you can use a variable to cut out "yourdomain". This can be achieved with a substring variable or a Velocity template variable.
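The lookup described in the reply above, modelled in Python as an added example (it is not ArcSight content and not part of the original posts). The field name `sourceUserName`, the list entries and the events are constructed for illustration.

```python
# Added illustration: models the rule logic in plain Python, not ArcSight code.
# Shows why a raw "in active list" comparison misses "yourdomain\youruser"
# and how the domain-stripping variable plus a case-insensitive list fixes it.

def normalize_user(raw):
    """Model of the substring/Velocity variable: drop 'yourdomain\\' and fold case."""
    if raw is None:
        return ""
    # Keep only the part after the last backslash (DOMAIN\user form).
    return raw.strip().rsplit("\\", 1)[-1].casefold()

def build_active_list(entries):
    """Model of a case-insensitive active list keyed on the user name."""
    return {e.strip().casefold() for e in entries if e and e.strip()}

def filter_events(events, active_list, field="sourceUserName", exclude=True):
    """exclude=True  models 'source user name not in active list';
    exclude=False models 'source user name in active list'."""
    kept = []
    for ev in events:
        in_list = normalize_user(ev.get(field)) in active_list
        if in_list != exclude:
            kept.append(ev)
    return kept

def raw_matches(events, entries, field="sourceUserName"):
    """Exact comparison with no variable and a case-sensitive list."""
    return [ev for ev in events if ev.get(field) in entries]

# Constructed sample data (assumed field name and values).
LIST_ENTRIES = ["YourUser", "svc_backup"]
SAMPLE_EVENTS = [
    {"id": 1, "sourceUserName": "yourdomain\\youruser"},
    {"id": 2, "sourceUserName": "YOURDOMAIN\\YourUser"},
    {"id": 3, "sourceUserName": "otheruser"},
    {"id": 4, "sourceUserName": None},  # field not populated
]

if __name__ == "__main__":
    active = build_active_list(LIST_ENTRIES)
    print("raw exact matches:", [e["id"] for e in raw_matches(SAMPLE_EVENTS, LIST_ENTRIES)])
    print("not in active list:", [e["id"] for e in filter_events(SAMPLE_EVENTS, active)])
    print("in active list:", [e["id"] for e in filter_events(SAMPLE_EVENTS, active, exclude=False)])
```

Events with an empty user name fall through the "not in active list" condition, so a rule that depends on it may also need a check that the field is populated.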