Frequent Contributor.

Cross Device Correlation

Hello,

Scenario:

I have a connector (Akamai) feeding logs to ArcSight. The logs contain just URL details.

I have another custom device that has the IP address on which the URL is hosted. This device has only the IP address and not the URL details.

I am trying to build a cross-device correlation to detect an attack scenario: when the URL is down, I want an alert so that I can check whether any other device hosted on the IP is running or not.

Attached is a snapshot of my rule. This rule isn't working; please share your inputs.

Thanks and Regards,
Siddarth

 

Outstanding Contributor.

Hello

You can try to achieve this with a negation rule.

That means: if event A occurs and event B does not occur within an X time range, then fire the rule.

Best regards

David

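The negation (absence) pattern David describes, worked through on sample events, as an added example that is not part of the thread and not ArcSight's own rule engine. It assumes a URL-to-IP lookup (in ArcSight this would typically live in an active list, since neither source carries both fields), an Akamai "URL down" event as event A, a host-up heartbeat from the custom device as event B, and a fixed window X. The field names, the two source labels and the sample events are all constructed for illustration. It also handles the two cases a negation rule has to get right: a URL whose window has not yet expired cannot be decided, and a URL with no mapping cannot be correlated at all.

```python
"""Cross-device negation rule: fire when a URL-down event (source A) is not
followed within WINDOW_SECONDS by a host-up event (source B) for the IP that
hosts the URL. Example code written for this thread; not ArcSight's rule
engine. Names, sources and sample events are constructed for illustration."""
from dataclasses import dataclass

WINDOW_SECONDS = 300  # the "X" in "event B does not occur within X"

# Assumed lookup joining the two sources; an ArcSight active list would hold this.
URL_TO_IP = {
    "www.example.com/login": "203.0.113.10",
    "api.example.com/v1": "203.0.113.20",
}


@dataclass
class Event:
    ts: int            # epoch seconds
    source: str        # "akamai" (URL monitor) or "hostmon" (custom device)
    url: str = ""      # populated only by akamai events
    ip: str = ""       # populated only by hostmon events
    status: str = ""   # "down" or "up"


def correlate(events, now, url_to_ip=URL_TO_IP, window=WINDOW_SECONDS):
    """Batch version of the negation rule.

    Returns a dict with:
      alerts   - (ts, url, ip): URL down and no host-up for its IP within window
      pending  - (ts, url, ip): window has not yet elapsed at `now`, undecidable
      unmapped - (ts, url): no hosting IP known, so no correlation possible
    """
    events = sorted(events, key=lambda e: e.ts)
    result = {"alerts": [], "pending": [], "unmapped": []}
    for i, a in enumerate(events):
        if not (a.source == "akamai" and a.status == "down"):
            continue  # only URL-down events start a correlation window
        ip = url_to_ip.get(a.url)
        if ip is None:
            result["unmapped"].append((a.ts, a.url))
            continue
        if a.ts + window > now:
            # A negation rule can only fire once the window has closed.
            result["pending"].append((a.ts, a.url, ip))
            continue
        # Event B: any host-up for the same IP strictly after A and inside the window.
        recovered = any(
            b.source == "hostmon" and b.ip == ip and b.status == "up"
            and a.ts < b.ts <= a.ts + window
            for b in events[i + 1:]
        )
        if not recovered:
            result["alerts"].append((a.ts, a.url, ip))
    return result


# Constructed sample stream covering each branch of the rule.
SAMPLE_EVENTS = [
    Event(1000, "akamai", url="www.example.com/login", status="down"),
    Event(1120, "hostmon", ip="203.0.113.10", status="up"),   # host answers: no alert
    Event(2000, "akamai", url="api.example.com/v1", status="down"),
    Event(2400, "hostmon", ip="203.0.113.20", status="up"),   # 400 s later: outside window
    Event(3000, "akamai", url="old.example.com", status="down"),  # no IP mapping
    Event(5000, "akamai", url="www.example.com/login", status="down"),  # window still open
]

if __name__ == "__main__":
    for kind, rows in correlate(SAMPLE_EVENTS, now=5100).items():
        print(kind, rows)
```

The `pending` bucket is the part people usually miss when they reproduce this in a rule: the rule cannot fire the moment event A arrives, only when the window expires without B, so a test that sends A and immediately expects an alert will look like the rule "isn't working". The `unmapped` bucket matters because the two sources share no field; without a lookup that supplies the IP for a URL there is nothing to join on, and the correlation silently matches nothing.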