Correlation Events/Rules Off of Active List Entry Expired Base Events
I've been having trouble getting a correlation rule to fire regarding active list entry expired events. I have not had issues on other instances of ESM which allowed correlation rules to fire off of the active list update/add/expired events before, but here I cannot get the simplest rule to fire for when an entry falls off an active list. Is there a backend setting which prevents this? I can run a channel on my conditions just fine (ArcSight as device vendor and product, Name = ActiveList entry expired., File Name = $name of activelist) and see the events, but the correlation event is not firing.
As long as your filter is correct it should work fine.
Is the rule you created a standard or lightweight?
Lightweight rules don't fire correlation events.
It is a standard rule - I am very perplexed since I've had no issue with content like this before so I was just curious if there was some sort of setting that prevents the firing of rules off of ArcSight system events.
I've simplified the rule to fire on ALL list entries expiring and it doesn't work either, so something is definitely wonky. Not sure if it's a permissions issue either - the ArcSight base events were at one time hidden from my team by Engineering.