aritra Absent Member.

Count in Active List


Is there a way to monitor the count parameter in an Active list? Can we call it directly (something like $count.<activelistname>) in the Conditions section of a rule? From what I've seen, we can't really match the values in the "count" column of an AL against live event stream.

This would be helpful in case we have to trigger a rule which depends on the number of times an event has occurred over an extended period of time, say 30 attempts in 24 hours (in case of a possible Low and Slow Brute force attack).

Cheers!

Aritra


Accepted Solutions
stefan.oancea Outstanding Contributor.

Re: Count in Active List


Hello Aritra,

The solution proposed for this particular scenario is much easier than what I was going to suggest, so I would implement his version from now on.

However, since I already started, I will write you my idea anyway; perhaps you will need it in other, similar but more complex scenarios, not necessarily involving the "Count" value. My scenario involves looking for unsuccessful Login Events during a longer period of time.

Step 1: create a Fields-based active list with at least a key field where you remember the distinctive information from your events (let's say Target User Name, for example) and one non-key field which you can define as Type - Double and Sub-type - SUM, where you will add the number of occurrences of your desired event. Don't select "Allow multi-mappings"; it doesn't work for this scenario.

Step 2: create your specific rule that populates the list and in the "Actions -> Add to Active List" part, for the SUM field select "Aggregated Event Count" - this way you will add all the relevant events.

Step 3: create a new rule that triggers when the number of events gets to your desired threshold. In this rule copy the specific conditions matching your events from the rule in Step 2, but add the following:

    1. One local variable with the function "GetActiveListValue"; select your active list defined in Step 1. For the "Field Mapping" part, add the information corresponding to your key field in the Active List (in my example, Target User Name).

    2. In the conditions of the new rule you will now see in "New Condition -> Variables" the fields from your Active List. Just set the condition according to your needs (so, for example, when the SUM field is above a certain value).

This is more complicated but I think it is more versatile for other scenarios.

All the best,

Stefan

4 Replies
abeyaz Absent Member.

Re: Count in Active List


An audit event is generated every time an active list entry is updated. Audit event deviceEventClassID is activelist:103 with count value at deviceCustomNumber1.

HTH
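
To make the two approaches in this thread concrete, here is an added simulation in Python. It is my own illustration, not ArcSight code and not something Stefan or abeyaz posted: it models Stefan's fields-based active list (key field Target User Name, a SUM field fed with the rule's Aggregated Event Count, a second rule reading it back the way a GetActiveListValue variable would) and, on every list update, records an audit event shaped like the one abeyaz describes (class id activelist:103, count in deviceCustomNumber1). The events, user names, timestamps, the "/Failure" outcome test, the fixed 24-hour entry lifetime and the assumption that the populating rule evaluates before the threshold rule are all constructed for the example; real ESM TTL and rule-ordering behaviour is configured in the product.

```python
"""Constructed model of the SUM-field active list pattern (not ArcSight code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    """Minimal event; ArcSight-style field names are used only for readability."""
    end_time: datetime
    category_outcome: str            # "/Failure" or "/Success" (constructed values)
    target_user_name: str
    aggregated_event_count: int = 1  # the populating rule's aggregation count


@dataclass
class ActiveListEntry:
    sum_count: float      # non-key field: Type Double, Sub-type SUM
    first_seen: datetime  # start of this entry's lifetime (simplified TTL, see below)


class FieldsBasedActiveList:
    """Key field: Target User Name. Assumption: an entry expires a fixed
    time after it was first written, which stands in for the 24-hour window."""

    def __init__(self, ttl: timedelta) -> None:
        self.ttl = ttl
        self.entries: Dict[str, ActiveListEntry] = {}
        self.audit_events: List[dict] = []

    def _live(self, key: str, now: datetime) -> Optional[ActiveListEntry]:
        entry = self.entries.get(key)
        if entry is None or now - entry.first_seen > self.ttl:
            return None
        return entry

    def add(self, key: str, count: int, now: datetime) -> float:
        """'Add to Active List' with the SUM field mapped to Aggregated Event Count."""
        entry = self._live(key, now)
        if entry is None:
            entry = ActiveListEntry(sum_count=0.0, first_seen=now)
            self.entries[key] = entry
        entry.sum_count += count
        # Each update produces an audit event: class id activelist:103 with the
        # count in deviceCustomNumber1 (per the reply above); "activeListKey" is constructed.
        self.audit_events.append({
            "deviceEventClassId": "activelist:103",
            "deviceCustomNumber1": entry.sum_count,
            "activeListKey": key,
        })
        return entry.sum_count

    def get_value(self, key: str, now: datetime) -> Optional[float]:
        """What a GetActiveListValue variable yields for this key (None if absent or expired)."""
        entry = self._live(key, now)
        return None if entry is None else entry.sum_count


def is_failed_login(ev: Event) -> bool:
    """Stand-in for the rule conditions shared by both rules (constructed test)."""
    return ev.category_outcome == "/Failure"


def populate_rule(al: FieldsBasedActiveList, ev: Event) -> None:
    """Step 2: the rule that feeds the list."""
    if is_failed_login(ev):
        al.add(ev.target_user_name, ev.aggregated_event_count, ev.end_time)


def threshold_rule(al: FieldsBasedActiveList, ev: Event, threshold: int) -> Optional[str]:
    """Step 3: same conditions plus a variable condition on the SUM field."""
    if not is_failed_login(ev):
        return None
    total = al.get_value(ev.target_user_name, ev.end_time)
    if total is not None and total >= threshold:
        return f"{ev.target_user_name}: {total:.0f} failed logins within window"
    return None


def run_scenario(threshold: int = 30) -> dict:
    """Constructed traffic: 30 failures for 'alice' spread one every 40 minutes
    (about 19 hours), 5 for 'bob', and one success for 'alice'."""
    al = FieldsBasedActiveList(ttl=timedelta(hours=24))
    start = datetime(2024, 1, 1, 0, 0)  # constructed timestamp
    events = [Event(start + timedelta(minutes=40 * i), "/Failure", "alice") for i in range(30)]
    events += [Event(start + timedelta(hours=i), "/Failure", "bob") for i in range(5)]
    events.append(Event(start + timedelta(hours=2), "/Success", "alice"))
    events.sort(key=lambda e: e.end_time)

    alerts = []
    for ev in events:
        populate_rule(al, ev)  # assumption: the populating rule evaluates first
        hit = threshold_rule(al, ev, threshold)
        if hit:
            alerts.append(hit)
    return {
        "alerts": alerts,
        "bob_total": al.get_value("bob", start + timedelta(hours=5)),
        "alice_after_ttl": al.get_value("alice", start + timedelta(hours=25)),
        "audit_event_count": len(al.audit_events),
        "last_audit": al.audit_events[-1],
    }


if __name__ == "__main__":
    for line in run_scenario()["alerts"]:
        print("CORRELATION:", line)
```

With these inputs the threshold rule fires once, on alice's 30th failure, while bob's five attempts never reach the threshold and alice's entry is gone 25 hours after it was created. The audit-event list shows the other route from the thread: each update carries the running count in deviceCustomNumber1, so a rule on activelist:103 events can test that field directly without a GetActiveListValue variable.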

aritra Absent Member.

Re: Count in Active List


Thanks Abe! That helps.

aritra Absent Member.

Re: Count in Active List


Hi Stefan!

Thank you, this was exactly what I was looking for, because having a parameter that accounts for the number of occurrences gives me a good advantage in a plethora of situations.

Cheers!

Aritra
