Bob6 Regular Contributor.

ArcSight Rules Example


Hi,

I've been learning how to use ArcSight and I've been having an issue with rule creation. I can't seem to understand it. I have two events, with the category outcome being success and failure.

What I'm trying to do is create a correlation event if success does not occur within a 5 minute window after a single or multiple failure events have occurred.

Could someone show me how this is done or point me towards a similar example? Thanks in advance!


Accepted Solutions
Bob6 Regular Contributor.

Re: ArcSight Rules Example


Ok, after a lot of trial and error, I worked it out. I have to use 2 active lists, to act as a form of memory.

Basic logic, because I can't be bothered posting my code:

Lightweight rule 1: when a fail event occurs, check if not in active list 1 and store fail event in active list 1, store timestamp in active list 2.

Rule 2: when a fail event occurs, check if in active list 1 (not necessary); if it is, then get the time difference in seconds between this and the timestamp in active list 1 and check if it is between 4.5 minutes and 5.5 minutes (you will have to use local and global variables to use the time difference function, and getting value from list etc.).

Hopefully this will help anyone that needs it.

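As an added example (not the poster's ArcSight rule content), the same "two lists as memory" idea in Python, applied to what the question asks for: a correlation event when a failure is not followed by a success within 5 minutes. It assumes sourceUserName as the aggregation key and the ArcSight categoryOutcome values /Failure and /Success; a scheduled sweep() call stands in for a timer-driven rule, because silence after a failure has to fire even when no further event arrives.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # the 5-minute window from the question


class FailureWithoutSuccess:
    """Two dicts stand in for the two active lists used as memory in the answer."""

    def __init__(self):
        self.first_fail = {}  # list 1/2 combined: key -> time of first unresolved failure
        self.fail_count = {}  # key -> number of failures seen in that window

    def on_event(self, event):
        """Feed one event (oldest first); returns correlation events fired so far."""
        key, ts = event["sourceUserName"], event["endTime"]  # assumed aggregation key
        fired = self.sweep(ts)  # expire older windows before handling this event
        if event["categoryOutcome"] == "/Failure":
            if key not in self.first_fail:  # rule 1: the first failure opens the window
                self.first_fail[key] = ts
                self.fail_count[key] = 0
            self.fail_count[key] += 1
        elif event["categoryOutcome"] == "/Success":
            self.first_fail.pop(key, None)  # success inside the window clears the memory
            self.fail_count.pop(key, None)
        return fired

    def sweep(self, now):
        """Rule 2: any key whose window elapsed with no success fires exactly once."""
        fired = []
        for key, started in list(self.first_fail.items()):
            if now - started >= WINDOW:
                fired.append({"key": key, "failures": self.fail_count.pop(key),
                              "windowStart": self.first_fail.pop(key)})
        return fired


def run_sample():
    """Constructed events: alice fails twice then succeeds, bob fails and never succeeds."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        (t0, "alice", "/Failure"),
        (t0 + timedelta(seconds=30), "bob", "/Failure"),
        (t0 + timedelta(minutes=1), "alice", "/Failure"),
        (t0 + timedelta(minutes=2), "alice", "/Success"),
        (t0 + timedelta(minutes=4), "bob", "/Failure"),
    ]
    rule, fired = FailureWithoutSuccess(), []
    for ts, user, outcome in events:
        fired += rule.on_event({"endTime": ts, "sourceUserName": user, "categoryOutcome": outcome})
    fired += rule.sweep(t0 + timedelta(minutes=6))  # timer tick after the last event
    return fired
```

Only bob produces a correlation event (two failures, no success); alice's failures are cleared by her success inside the window.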