Filter does work, but the rule does not
I've got an unusual issue with our instance of ArcSight (it's a quite old version, 6.9.1c Patch 2).
I've tried to create a rule for each first event that contains a logon (or failed logon) to AD by any user. So first I created a filter that catches all such events; it looks like below:
I have to mask sensitive data. The filter excludes a number of usernames that shouldn't be caught (service accounts and so on). The filter itself does work and shows hundreds of events.
I have created a rule with conditions like below:
where "godzina" is a global variable with the following settings:
Below are the aggregation settings and actions. I have tried varying them: the number of matches, a shorter or longer time frame, changing the actions to every event or, with more matches, to first threshold and every threshold. I've also checked whether the Active Channel I'm testing the rules with has the correct settings (it does: set to one day in the past with "End Time" as the timestamp). Absolutely none of the changes has worked and the rule doesn't fire at all.
Any help will be much appreciated. Thank you in advance.
What is the exact use case? I ask because, so far, the content you wrote looks inefficient and can harm your system.
It might not harm the system, depending on your EPS in.
You should read about the Arcsight Best Practices and the Activate Framework.
Thank you, Edouard,
and to add on, here is the link to the corresponding best practices article, including video:
Thank you for your input. The use case is to catch and notify about each logon that employees have performed during non-working hours. So if between 6PM and 6AM someone logs in at least once, a correlation event will be created and a notification sent to the configured destination group (there are 2 people set to receive it, for instance; it's not set there for the sake of testing, but it would be).
Thank you for the recommendation; I'm going to check the article you mentioned. I've read the Best Practices, which is why there are some "like" entries in the filter. But probably I didn't optimize it enough, as far as I understand what you are saying.
Please also at least start each rule with type != correlation, just as a safeguard to prevent your ESM from creating alerts exponentially if the rule conditions match a correlation rule.
Also specify deviceVendor and deviceProduct, and work with building blocks to build your content in a modular and object-oriented way, as per the Activate Framework Best Practices.
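The logic the thread converges on (the poster's after-hours logon use case from the reply above, plus the `type != correlation` safeguard and the deviceVendor/deviceProduct narrowing from the last reply) can be checked outside ESM before touching the rule editor. The script below is an added example written for this page, not ArcSight content or code posted by anyone in the thread; it models the filter, the global variable and the "first event per user in the time frame" aggregation in plain Python over constructed events. The field names follow ArcSight's naming, but the vendor/product values, the `svc_` / `sa_` service-account prefixes, the `backup_agent` exclusion, the 12-hour aggregation window and the sample events themselves are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events for the example (not from the original thread).
# Only the fields the rule would reference are present.
SAMPLE_EVENTS = [
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "destinationUserName": "jkowalski", "endTime": "2023-03-01T19:05:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "destinationUserName": "jkowalski", "endTime": "2023-03-01T19:30:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure"},
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "destinationUserName": "svc_backup", "endTime": "2023-03-02T02:00:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "destinationUserName": "anowak", "endTime": "2023-03-02T09:15:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "destinationUserName": "anowak", "endTime": "2023-03-02T05:59:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure"},
    # A correlation event that itself carries a logon user name: the safeguard must drop it.
    {"type": "Correlation", "deviceVendor": "ArcSight", "deviceProduct": "ArcSight",
     "destinationUserName": "jkowalski", "endTime": "2023-03-01T19:05:01",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
    # Wrong vendor/product: not an AD logon, must not match.
    {"type": "Base", "deviceVendor": "Cisco", "deviceProduct": "ASA",
     "destinationUserName": "jkowalski", "endTime": "2023-03-01T23:00:00",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success"},
]

# Assumed exclusions standing in for the masked usernames in the poster's filter.
SERVICE_ACCOUNT_PREFIXES = ("svc_", "sa_")
EXCLUDED_USERS = {"backup_agent"}

# Assumed source narrowing (deviceVendor / deviceProduct, as the last reply advises).
AD_VENDOR, AD_PRODUCT = "Microsoft", "Microsoft Windows"


def hour_of(event):
    """Stand-in for the global variable 'godzina': hour of day of endTime."""
    return datetime.fromisoformat(event["endTime"]).hour


def is_after_hours(hour, start=18, end=6):
    """True between 6PM and 6AM; the window crosses midnight, so OR not AND."""
    return hour >= start or hour < end


def matches_rule(event):
    """Conditions the rule would evaluate on one event, safeguard first."""
    if event.get("type") == "Correlation":          # type != correlation safeguard
        return False
    if event.get("deviceVendor") != AD_VENDOR or event.get("deviceProduct") != AD_PRODUCT:
        return False
    if not event.get("categoryBehavior", "").startswith("/Authentication"):
        return False
    user = event.get("destinationUserName", "").lower()
    if not user or user.startswith(SERVICE_ACCOUNT_PREFIXES) or user in EXCLUDED_USERS:
        return False
    return is_after_hours(hour_of(event))


def first_match_per_user(events, window_minutes=12 * 60):
    """Aggregation 'on first event' per destinationUserName within the time frame.

    Returns one synthetic correlation event per user per window (assumed
    12-hour window, one whole non-working night)."""
    fired = []
    last_fire = {}  # user -> datetime of the last correlation event
    for ev in sorted(events, key=lambda e: e["endTime"]):
        if not matches_rule(ev):
            continue
        user = ev["destinationUserName"]
        ts = datetime.fromisoformat(ev["endTime"])
        prev = last_fire.get(user)
        if prev is not None and (ts - prev).total_seconds() < window_minutes * 60:
            continue  # same user, still inside the aggregation window
        last_fire[user] = ts
        fired.append({"type": "Correlation", "deviceVendor": "ArcSight",
                      "deviceProduct": "ArcSight", "destinationUserName": user,
                      "endTime": ev["endTime"], "name": "After-hours AD logon",
                      "categoryBehavior": ev["categoryBehavior"]})
    return fired


if __name__ == "__main__":
    for c in first_match_per_user(SAMPLE_EVENTS):
        print(c["endTime"], c["destinationUserName"], c["name"])
```

Two things worth noticing when you run it: the 19:30 failed logon for the same user is swallowed by the aggregation window, so only one notification goes out per user per night, and the generated correlation events are rejected by `matches_rule` when fed back in, which is exactly the loop the `type != correlation` condition is meant to break.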