Best practice for collecting historical data after getting a trigger
I have a question.
I am collecting events about email from an Anti-Spam Firewall. Periodically I receive events about blocked messages with the reason "Virus" from a few senders, and I noticed that a few messages from them were allowed a few hours before. What's the best way to retrieve historical data ("now-1d") about all events from these senders, allowed and blocked, after receiving the first alert about a blocked message?
At the moment I am adding a row to an active list after receiving the first event about a blocked message with the reason "Virus". After that I want to prepare a query on events with the conditions "sender email in active list" + "action=allowed" and use it in a trend with the action "add to another active list".
Is this the only way to do it, or can I do it more simply?
Thank you for any advice!
BR, Leonid Bezrogov.
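The retrospective lookback the post describes (a "Virus" block on a sender triggers a search of that sender's recent allowed messages, and any later allowed message from a listed sender is also flagged) can be stated in plain code, independent of ESM's active lists, queries and trends. The following is an added example and not part of the original post or of ArcSight; the event tuples, sender addresses, the one-day window and the dictionary-based "active lists" are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real firewall logs), as
# (timestamp, sender, action, reason). Deliberately unsorted.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "alice@example.org", "allowed", ""),
    ("2024-05-01T09:30:00", "mallory@bad.example", "allowed", ""),
    ("2024-05-01T10:15:00", "bob@example.net", "allowed", ""),
    ("2024-05-01T11:00:00", "mallory@bad.example", "allowed", ""),
    ("2024-05-01T13:45:00", "mallory@bad.example", "blocked", "Virus"),
    ("2024-05-01T14:00:00", "mallory@bad.example", "blocked", "Virus"),
    ("2024-05-02T15:00:00", "mallory@bad.example", "allowed", ""),  # after listing
    ("2024-04-29T12:00:00", "mallory@bad.example", "allowed", ""),  # older than 1d
]

LOOKBACK = timedelta(days=1)  # assumed window, the post's "now-1d"


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, lookback=LOOKBACK):
    """Replay events in time order and return three dicts:

    suspicious: sender -> time of the first "Virus" block (the first active list)
    retro:      sender -> allowed timestamps within `lookback` before that block
                (what the post's query + trend would write to the second list)
    forward:    sender -> allowed timestamps seen after the sender was listed
                (what a real-time rule "sender in active list AND allowed" catches)
    """
    history = defaultdict(deque)  # sender -> deque of (time, action), bounded
    suspicious = {}
    retro = defaultdict(list)
    forward = defaultdict(list)

    for ts, sender, action, reason in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        buf = history[sender]
        # Drop history older than the lookback so memory stays bounded.
        while buf and t - buf[0][0] > lookback:
            buf.popleft()

        if action == "blocked" and reason == "Virus" and sender not in suspicious:
            # Trigger: list the sender and look back at what already got through.
            suspicious[sender] = t
            retro[sender] = [h_t for h_t, h_act in buf if h_act == "allowed"]
        elif action == "allowed" and sender in suspicious:
            # Sender already listed: flag the new allowed message immediately.
            forward[sender].append(t)

        buf.append((t, action))

    return suspicious, dict(retro), dict(forward)


if __name__ == "__main__":
    suspicious, retro, forward = correlate(SAMPLE_EVENTS)
    for sender, first_block in suspicious.items():
        print(f"{sender}: first Virus block at {first_block.isoformat()}")
        for t in retro.get(sender, []):
            print(f"  allowed within lookback: {t.isoformat()}")
        for t in forward.get(sender, []):
            print(f"  allowed after listing:   {t.isoformat()}")
```

On the constructed input only mallory@bad.example is listed; the two allowed messages a few hours before the block land in the retrospective set, the message from three days earlier falls outside the window, and the message sent after listing is caught by the forward check rather than by the lookback. The split mirrors the two mechanisms in the post: a scheduled query over history for the past, and a live condition on the active list for the future.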
Re: Best practice for collecting historical data after getting a trigger
Is it possible for you to open a service request case directly with ArcSight, please?
We need more details in order to understand your issue.
What is the ESM version?
ArcSight Support Team