
Correlation Events/Rules Off of Active List Entry Expired Base Events

Hi,

I've been having trouble getting a correlation rule to fire regarding active list entry expired events. I have not had issues on other instances of ESM, which allowed correlation rules to fire off of the active list update/add/expired events before, but here I cannot get the simplest rule to fire for when an entry falls off an active list. Is there a backend setting which prevents this? I can run a channel on my conditions just fine (ArcSight as device vendor and product, Name = ActiveList entry expired., File Name = $name of activelist) and see the events, but the correlation event is not firing.


Thanks


Hello John

As long as your filter is correct it should work fine.

Is the rule you created a standard or lightweight?

Lightweight rules don't fire correlation events

Best regards

David


David,

It is a standard rule - I am very perplexed since I've had no issue with content like this before so I was just curious if there was some sort of setting that prevents the firing of rules off of ArcSight system events. 

I've simplified the rule to fire on ALL list entries expiring and it doesn't work either, so something is definitely wonky. Not sure if it's a permissions issue either - the ArcSight base events were at one time hidden from my team by Engineering. 

Thanks.


That is odd indeed. What if you try, just for the sake of the test, to use the internal event for a record added to an Active List?
