Deleted Cases Showing Up

Original post (Respected Contributor):

So we recently moved from a Query Viewer that was based on an Active List to one that is based on the cases themselves. However, after a little bit of time we noticed that there were cases from last year showing up, and when you try to "Edit by CaseID" or search for them there are no results. Has anyone experienced this and/or know how to prevent this from happening?

There is not a huge amount, but we would like to be as accurate as possible. Currently we're around 16000 when a case is created, but the ones that are showing up are anywhere between 4000 - 7000 (Display ID). The highlighted cases below are all old cases, and I believe there are more above, but it's very hard to tell without comparing the lists of Display IDs from both the new and old query viewer.

[image: example of old cases.PNG]

Thanks in advance!

Edit: Forgot to mention that above is an image of filtered results so there are more than what is shown above.

14 Replies
Respected Contributor:

I hope bumping isn't against the rules on this forum, but we're still unsure why this is happening and need to start finalizing our new query viewer for our third party vendor. We're unable to move them until we get this resolved.

Absent Member:

Are the deleted cases showing up in the AL, or only in the query viewer?

Respected Contributor:

Well we have two query viewers.

How each is set up when editing them:

1. Uses a query that "query on" an Active List

2. Uses a query that "query on" Cases

Only the one that queries on Cases shows the old/deleted cases that we're unable to find by searching or trying to edit by case ID.

Absent Member:

Is there a resource ID associated with the cases that are old/deleted? If there is, I wonder what a resvalidate would show.

Respected Contributor:

Well, when setting up the query for the query viewer I don't see resource ID, but I do see just ID, which seems to be some sort of unique identifier. I also see Group ID, which seems to be dependent on which rule ran/what folder the case went into, as they are repeating for the same rule running, such as all host IPS cases having the same group ID.

For the old/deleted cases I see an ID for each one, but for Group ID they are blank. Now, I believe I mentioned this, but maybe not: these old/deleted cases also do not show up on the Navigator tab for cases, so the only place we're able to identify them is on our new query viewer.

Absent Member:

Is this still unresolved?

Can you post a screenshot of your query conditions?

Have you tried using a condition like (Case Modification Time > $Now - 12 months)?

Respected Contributor (accepted solution):

We actually never did figure out why this was happening but we're currently in the process of moving away from query viewers/cases and instead using Active Channels/annotating events. We ended up just filtering them out since there was a limited number of older cases that did this.

Absent Member:

Okay, just be careful with using only annotations/active channels.

If you annotate an event whose endTime is from 30 days ago, you MUST perform a query on $Now - 30d to retrieve that event, which can be very time consuming. This gave us huge headaches on one of my projects.

Cases are good because you can instantly query on events stored within the case, as events in cases are stored on a special DB partition.

Respected Contributor:

Thank you for the heads up!

We have realized that making channels that span that long will be time consuming to load, but we had a similar issue with cases: if a case has 1000 events, which is the max number of events a case can hold, it would freeze our ArcSight consoles for about 20+ minutes. One thing to be wary of is that once the case reaches 1000 events no more events can be added, which means even if an attack is still going on nothing more will be added, so you will miss a lot of events or won't know it's still going on.

Absent Member:

From page 424 of ESM_ArcSightConsole_UserGuide_6.8c.pdf, you can increase the number of events allowed per case by adjusting rules.max_events_in_case.

I'm not sure why 1000 events would freeze your case details channel. It doesn't cause any issue for me.

You can use the "Add to Existing Case" action and use event fields to try to limit the number of events in the case. Perhaps, a new case for every 1 hour of events (by adjusting substring on $endTime) or source address ($sourceAddress)? Try playing around with it. I tried a lot, but I think we can't use local variable in the case name >.<

Respected Contributor:

Those are some ideas we didn't think about/try, but it wasn't the case details channel; it was when we opened a case in the Inspect/Edit window so we could see all of the correlation/base events that it would freeze, if it was anywhere near 1000 events.
