K_Szenfeld-Allianz Contributor.

Filter does work, but the rule - not

I've got an unusual issue with our instance of ArcSight (it's quite old 6.9.1c Patch 2 version).

I've tried to create a rule for each first event that contains a logon (or failed logon) of any user to AD. So first I've created a filter that catches all such events, and it looks like below:

(attachment: filter.JPG)
I have to mask sensitive data. So it excludes some usernames that shouldn't be caught (like service accounts and so on). The filter itself does work and shows hundreds of events.

I have created a rule with conditions like below:

(attachment: conditions.JPG)
where "godzina" is a global variable with settings as follows:

(attachment: variable.JPG)
Below are the aggregation settings and actions. I have tried varying them, like the number of matches, changing the time frame to shorter or longer, changing actions to every event or, with more matches, to first threshold or every threshold. I've also checked whether the Active Channel with which I'm testing the rules has correct settings (and it has: set to one day in the past and "End Time" as the timestamp). Absolutely none of the changes has worked and the rule doesn't fire at all.

Any help will be much appreciated. Thank you in advance.

(attachments: actions.JPG, aggregation.JPG)

0 Likes
5 Replies
Edouard Pernot Trusted Contributor.

Re: Filter does work, but the rule - not

What is the exact use case? I'm asking because so far the content you wrote looks inefficient and can harm your system.

This might not harm the system, depending on your EPS in.

You should read about the ArcSight Best Practices and the Activate Framework.

0 Likes
COEST Community Manager

Re: Filter does work, but the rule - not

Thank you Edouard,

and to add on, here is the link to the corresponding best practices article, incl. video:

How to create an Activate Framework Product Package - Video

0 Likes
K_Szenfeld-Allianz Contributor.

Re: Filter does work, but the rule - not

Coest,

Thank you for the link, I'm going to watch it right away.

0 Likes
K_Szenfeld-Allianz Contributor.

Re: Filter does work, but the rule - not

Edouard,

Thank you for your input. The use case is to catch and notify about each logon that employees have performed during non-working hours. So if during the time between 6PM and 6AM someone logs in at least once, there will be a correlation event created and a notification sent to the set destination group (there are 2 people set to receive it, for instance; it's not set there for the sake of testing, but it would be).

Thank you for the recommendation, I'm going to check the article that you've mentioned. I've read the Best Practices, so that's why there are some "like" entries in the filter. But probably I didn't optimize it enough, as far as I understand what you are saying.

0 Likes
Knowledge Partner

Re: Filter does work, but the rule - not

Please also at least start each rule with type != correlation, just as a safeguard to prevent your ESM from creating alerts exponentially if the rule conditions match a correlation rule.

Also specify deviceVendor and deviceProduct, and work with building blocks to build your content in a modular and object-oriented way, as per the Activate Framework Best Practices.

0 Likes
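As an added illustration (not ArcSight content and not from any poster in this thread), the following Python emulates the rule logic discussed above: the type != Correlation safeguard, deviceVendor/deviceProduct restriction, exclusion of service accounts, the 6PM-6AM "godzina" window, and On First Event aggregation per user. Field names (deviceVendor, deviceProduct, categoryBehavior, destinationUserName, endTime, type), the exclusion list and the sample events are assumptions constructed for the example; it also shows why a window that crosses midnight must be written with OR rather than AND.

```python
from datetime import datetime, timedelta
SERVICE_ACCOUNTS = {"svc_backup", "svc_sccm"}  # assumed stand-in for the masked "like" exclusions

def is_off_hours(ts: datetime, start_hour: int = 18, end_hour: int = 6) -> bool:
    """Non-working hours 6PM-6AM. The window crosses midnight, so the two
    bounds must be joined with OR; 'hour >= 18 AND hour < 6' can never be true."""
    return ts.hour >= start_hour or ts.hour < end_hour

def is_off_hours_broken(ts: datetime) -> bool:
    """The midnight-crossing mistake, kept to show it never matches anything."""
    return ts.hour >= 18 and ts.hour < 6

def matches_rule(ev: dict) -> bool:
    """Emulated rule conditions (ArcSight field names assumed)."""
    if ev.get("type") == "Correlation":   # type != Correlation safeguard
        return False
    if ev.get("deviceVendor") != "Microsoft" or ev.get("deviceProduct") != "Microsoft Windows":
        return False
    if ev.get("categoryBehavior") != "/Authentication/Verify":  # logon or failed logon
        return False
    user = ev.get("destinationUserName", "")
    if not user or user.lower() in SERVICE_ACCOUNTS or user.endswith("$"):  # skip service/machine accounts
        return False
    return is_off_hours(ev["endTime"])   # "godzina" derived from the event time

def first_events(events, window: timedelta = timedelta(hours=12)):
    """'On First Event' aggregation per user: one correlation event per user per window."""
    seen, fired = {}, []
    for ev in sorted(events, key=lambda e: e["endTime"]):
        if not matches_rule(ev):
            continue
        user = ev["destinationUserName"].lower()
        if user not in seen or ev["endTime"] - seen[user] >= window:
            seen[user] = ev["endTime"]
            fired.append(ev)
    return fired

def make_event(user, ts, etype="Base"):
    """Constructed ArcSight-style event for testing (not real data)."""
    return {"type": etype, "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
            "categoryBehavior": "/Authentication/Verify", "destinationUserName": user, "endTime": ts}

SAMPLE_EVENTS = [  # constructed sample input
    make_event("jkowalski", datetime(2019, 3, 4, 23, 15)),   # off hours: fires
    make_event("jkowalski", datetime(2019, 3, 4, 23, 40)),   # same user, same window: suppressed
    make_event("svc_backup", datetime(2019, 3, 5, 2, 0)),    # service account: filtered out
    make_event("anowak", datetime(2019, 3, 5, 9, 30)),       # working hours: no match
    make_event("anowak", datetime(2019, 3, 5, 1, 10), "Correlation"),  # rule's own output: ignored
]
```

Running `first_events(SAMPLE_EVENTS)` yields only the 23:15 jkowalski logon; the AND-form window matches none of the samples.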