How do cases & stages work?


Previously, I used 4.0, where the Express predefined rules provide certain notifications to a user group.

Do the ArcSight Activate rules create cases and modify stages for a specific user group?
How do cases and stages work?

Is there any reference document for schemes that can be used for cases and stages?

Thanks,

Fakhri


Accepted Solution

Hey,

Since you asked about Activate, I would like to add to the excellent response to your query above.

In Activate, we use the SOC stages based on work from our ArcSight Professional Services SIOC Team (contact them for more SIOC info):

These SOC stages are for use in /All Active Channels/ArcSight Activate/Workflow/Main Channel, aka "The Triage Channel," and can be used in cases if you make the proper modifications to the manager and console properties files (we're hoping to improve that process in a future release, but I'm invoking every disclaimer I've ever seen about that comment!).

Generally, in the Activate Workflow, which is fairly loosely defined compared to the Official SIOC Workflow, stages are assigned to events, and when changing the stage of an event, it is often required to assign that event to a user. Almost all of the Activate rules will set the Event Annotation Stage of their correlation events to one of the stages in the /All Stages/SOC Stages/System group. If the rule is using the information for establishing or maintaining a baseline, it will use the System Monitored stage. If the rule is actionable, that is, important enough to warrant a security analyst's time to remediate or investigate, it will use the Triage stage. I'm betting you can guess the use of the Testing stage. Note, the Testing stage is only for use when there is no test and staging environment, so all content development must be done on the production environment (this is not a good idea, but budget constraints can cause all sorts of issues). We are planning to expand our documentation on the Activate Workflow in the Activate Methods section of the wiki, but unfortunately, no one has had time to do this yet.

I have developed a methodology for automatic creation of cases and for sending notifications for a few customers, but I haven't yet generalized it enough to make it easily accessible to the Activate community. That is also on my "To Do" list. The obvious, simple solution is to just add that functionality to the rule, but the problem with that is that if you do it, you'll need to re-do it whenever you install an update for those rules. The methodology I have tested with those few customers has worked, and eliminates the update problem, but now it is just a matter of time and not needing to put out other fires to complete and publish them.

Hope this helps,

--

Prentice Hayes
ArcSight Security Team Architect & Principal Consultant

ArcSight R&D | Federal Services

HPE Security Products


Hi Fakhri,

The stages within cases are part of the workflow process. You can use the default stages that come with ESM (Queued, Initial, Follow-up, Final, Closed) or create your own and "fit" them into the rest of the 'stages' structure. You should leave the current stages as they are and add others around them.

The stages themselves do not tend to indicate a group of users, more a stage in the workflow.  Cases can be assigned to "case groups" to group them under certain meaningful areas, or indeed when creating a case from a rule, you can select both a case group and an owner (a username) for the case.

Cases, stages and rules are all covered in the ArcSight Console User's Guide (p 613 "Managing Case Groups", p 527 "Applying Rule Actions on Cases", p 280 "Creating or Editing Stages" and Chapter 22 "Case Management and Queries"). You can find the guide here:

I hope that this information is useful Fakhri,

Thanks and regards,

Darren Hammond

HPE ArcSight Technical Support

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
Knowledge Partner

Hi,

Regarding Activate Rules, some rules have 2 actions:
On First Event: set annotation stage -> Triage
On Subsequent Events: set annotation stage -> Triage

I think there is a misconfiguration here. As far as I understand, we should annotate the first event as Triage and subsequent events as "System Monitored". This way, we can establish a rule throttling mechanism, can't we?

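The stage-setting behaviour discussed in Prentice's post and in the Knowledge Partner's post above, as an added illustration written for this page (it is a toy model, not ArcSight rule content or product code). It feeds the same constructed base events through three rule configurations: the Triage/Triage pair quoted above, the Triage/System Monitored alternative proposed as a throttle, and a non-actionable baseline rule, and counts how many items each one puts in a channel filtered on Annotation Stage = Triage. The rule fields, the 5-minute aggregation window, the analyst name and the sample events are assumptions made for the example.

```python
"""Toy model of an ESM correlation rule whose "On First Event" and
"On Subsequent Events" actions set the Event Annotation Stage.

This is an added illustration for the thread above, not ArcSight content or
code. The stage names are the ones the thread uses (Triage, System Monitored);
the rule fields, the 5-minute aggregation window, the analyst name and the
sample events are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRIAGE = "Triage"                      # actionable: needs an analyst
SYSTEM_MONITORED = "System Monitored"  # baseline / informational


@dataclass
class CorrelationEvent:
    rule: str
    key: str                         # aggregation key, e.g. attacker address
    timestamp: int                   # seconds since start of the sample
    stage: str = ""
    assigned_to: Optional[str] = None


@dataclass
class Rule:
    name: str
    actionable: bool                 # worth an analyst's time at all?
    first_stage: str                 # "On First Event" stage action
    subsequent_stage: str            # "On Subsequent Events" stage action
    assign_to: Optional[str] = None  # user set together with the first stage
    window: int = 300                # aggregation window in seconds (assumed)


@dataclass
class Engine:
    rule: Rule
    # start of the current aggregation window for each key
    _window_start: Dict[str, int] = field(default_factory=dict)

    def fire(self, key: str, ts: int) -> CorrelationEvent:
        """Produce the correlation event for one matching base event."""
        start = self._window_start.get(key)
        first = start is None or ts - start >= self.rule.window
        if first:
            self._window_start[key] = ts
        if not self.rule.actionable:
            # baseline rules never need an analyst: always System Monitored
            stage, owner = SYSTEM_MONITORED, None
        elif first:
            stage, owner = self.rule.first_stage, self.rule.assign_to
        else:
            stage, owner = self.rule.subsequent_stage, None
        return CorrelationEvent(self.rule.name, key, ts, stage, owner)


def run(rule: Rule, base_events: List[Tuple[str, int]]) -> List[CorrelationEvent]:
    """Feed (key, timestamp) base events through one rule, in order."""
    engine = Engine(rule)
    return [engine.fire(key, ts) for key, ts in base_events]


def triage_channel(events: List[CorrelationEvent]) -> List[CorrelationEvent]:
    """What a channel filtered on Annotation Stage = Triage would show."""
    return [e for e in events if e.stage == TRIAGE]


# Constructed sample: five hits from one source inside one window, then one
# more after the window has expired.
SAMPLE = [("10.0.0.5", 0), ("10.0.0.5", 30), ("10.0.0.5", 60),
          ("10.0.0.5", 90), ("10.0.0.5", 120), ("10.0.0.5", 400)]

# Subsequent events drop to System Monitored: one Triage item per window.
THROTTLED = Rule("Brute Force Login", actionable=True,
                 first_stage=TRIAGE, subsequent_stage=SYSTEM_MONITORED,
                 assign_to="analyst1")
# Both actions set Triage: every hit lands in front of the analyst.
UNTHROTTLED = Rule("Brute Force Login", actionable=True,
                   first_stage=TRIAGE, subsequent_stage=TRIAGE,
                   assign_to="analyst1")
# Baseline rule: nothing reaches the Triage channel.
BASELINE = Rule("New Host Seen", actionable=False,
                first_stage=SYSTEM_MONITORED, subsequent_stage=SYSTEM_MONITORED)


def triage_count(rule: Rule) -> int:
    """Number of items the rule would put in the Triage channel for SAMPLE."""
    return len(triage_channel(run(rule, SAMPLE)))


if __name__ == "__main__":
    for r in (THROTTLED, UNTHROTTLED, BASELINE):
        print(f"{r.name:18} first={r.first_stage:16} "
              f"subsequent={r.subsequent_stage:16} -> "
              f"{triage_count(r)} item(s) in Triage channel")
```

With the sample above the throttled rule produces two Triage items (one per window, each assigned to the analyst, the rest parked in System Monitored), the unthrottled rule produces six, and the baseline rule none. Whether the Triage/Triage pair in a given Activate rule is intentional is a question for the rule's author; this only shows what each choice does to the analyst's queue.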
Hi Fakhri,

Good morning. I was just following up on this question. Did the information provided by Prentice and me give you an idea of how cases, stages, rules and workflow fit together in ESM? If so, would you mind marking this thread as answered?

Thanks and regards,

Darren Hammond

HPE ArcSight ESM Technical Support