Aggregation on the basis of IP range
I have a Check Point firewall configured and I wanted to create a rule for port scans from a single source/attacker to a destination IP range. Can anyone suggest on the basis of which parameters I should perform the aggregation in the aggregation tab?
Also, is there any way to change the maximum threshold of 999 in the aggregation tab, or is it a limitation of ArcSight?
It seems like you misunderstand how things work in ArcSight. Have you referenced the document named 101? Have you tried to look in the prebuilt content? There are such rules already; you don't need to reinvent the wheel.
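The aggregation the question asks about groups matching events on identical field values over a time window and fires once a count is reached. As an added illustration, not from the original thread and not ArcSight's own rule engine, the Python below mirrors that logic for the port-scan case: group on the source (what ArcSight calls the attacker address), keep only events whose target address falls in the monitored range, and count distinct target address/port pairs inside a sliding window. The sample events, the `detect_port_scans` function and its parameter names are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample firewall events, not real logs:
# (timestamp, attacker/source address, target/destination address, destination port)
SAMPLE_EVENTS = [
    # one source probing three hosts in 10.0.0.0/24 on three ports within 30 seconds
    ("2024-01-01T10:00:00", "203.0.113.5", "10.0.0.1", 22),
    ("2024-01-01T10:00:03", "203.0.113.5", "10.0.0.1", 80),
    ("2024-01-01T10:00:06", "203.0.113.5", "10.0.0.1", 443),
    ("2024-01-01T10:00:10", "203.0.113.5", "10.0.0.2", 22),
    ("2024-01-01T10:00:13", "203.0.113.5", "10.0.0.2", 80),
    ("2024-01-01T10:00:16", "203.0.113.5", "10.0.0.2", 443),
    ("2024-01-01T10:00:20", "203.0.113.5", "10.0.0.3", 22),
    ("2024-01-01T10:00:23", "203.0.113.5", "10.0.0.3", 80),
    ("2024-01-01T10:00:26", "203.0.113.5", "10.0.0.3", 443),
    # a benign client hitting the same service repeatedly: many events, one distinct pair
    ("2024-01-01T10:00:01", "198.51.100.7", "10.0.0.1", 443),
    ("2024-01-01T10:00:05", "198.51.100.7", "10.0.0.1", 443),
    ("2024-01-01T10:00:09", "198.51.100.7", "10.0.0.1", 443),
    ("2024-01-01T10:00:14", "198.51.100.7", "10.0.0.1", 443),
    ("2024-01-01T10:00:18", "198.51.100.7", "10.0.0.1", 443),
    ("2024-01-01T10:00:22", "198.51.100.7", "10.0.0.1", 443),
    # scan-like activity against a host outside the monitored range: dropped by the range filter
    ("2024-01-01T10:00:02", "203.0.113.9", "192.168.1.1", 21),
    ("2024-01-01T10:00:04", "203.0.113.9", "192.168.1.1", 22),
    ("2024-01-01T10:00:06", "203.0.113.9", "192.168.1.1", 23),
    ("2024-01-01T10:00:08", "203.0.113.9", "192.168.1.1", 25),
    ("2024-01-01T10:00:10", "203.0.113.9", "192.168.1.1", 80),
    ("2024-01-01T10:00:12", "203.0.113.9", "192.168.1.1", 443),
]


def detect_port_scans(events, target_range, threshold, window_seconds):
    """Aggregate events by source address and raise one alert per source whose
    distinct (target address, target port) pairs inside target_range reach
    `threshold` within any sliding window of `window_seconds`.

    Returns a list of (source, distinct_pairs, window_start, window_end) tuples,
    one per offending source, describing the densest window observed.
    """
    network = ip_network(target_range)
    per_source = defaultdict(list)

    # Grouping key is the attacker address; only events whose target falls
    # inside the monitored range take part in the aggregation.
    for ts, src, dst, dport in events:
        if ip_address(dst) in network:
            per_source[src].append((datetime.fromisoformat(ts), dst, dport))

    alerts = []
    for src, rows in per_source.items():
        rows.sort()  # the sliding window needs time order
        in_window = Counter()  # (dst, dport) -> occurrences currently inside the window
        best = (0, None, None)
        left = 0
        for right, (t_right, dst, dport) in enumerate(rows):
            in_window[(dst, dport)] += 1
            # Evict events older than window_seconds relative to the newest event.
            while (t_right - rows[left][0]).total_seconds() > window_seconds:
                old = (rows[left][1], rows[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if distinct > best[0]:
                best = (distinct, rows[left][0], t_right)
        if best[0] >= threshold:
            alerts.append((src, best[0], best[1].isoformat(), best[2].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS, "10.0.0.0/24", threshold=5, window_seconds=60):
        print("port scan suspected: source=%s distinct_targets=%d window=%s..%s" % alert)
```

Counting distinct target/port pairs rather than raw event volume is what separates the probing source from the chatty but benign client in the sample, and the destination range filter keeps activity against hosts outside the monitored subnet out of the aggregation entirely. The window length and the threshold are the two knobs that correspond to the time-window and count settings in an aggregation rule.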