saadabdul (Frequent Contributor)

Join Condition Rule


Hi,

I have 3 events in the join condition rule and I want to add a matching condition so that all three of them are from the same:

1- device product

2- device vendor

3- Device Custom String1

4- Device Custom String2


How will I do that? And the rule should trigger whenever 3 events come within 15 mins.


Thanks

Accepted Solution

Samour (Absent Member)

Re: Join Condition Rule


You can add three events and then set the join condition there.

event1.deviceProduct=event2.deviceProduct

event2.deviceProduct=event3.deviceProduct

and so on and so forth for the other fields.

You should also set all these fields as identical in the aggregation tab.

Samour (Absent Member)

Re: Join Condition Rule


This is assuming they are 3 "different" events. If they are all the same then you don't need the join condition, the aggregation tab should suffice.

Samour (Absent Member)

Re: Join Condition Rule


Any other conditions you need on this rule?

mschleich (Acclaimed Contributor)

Re: Join Condition Rule


Hi Saad,

To be sure that I have understood clearly, you have created a rule like this with three different events:

Is it correct?

If yes, have you tried to add, in the Aggregation tab, the following fields like this (you add 3 on # matches in 15 minutes as the Time Frame):

I want device product, device vendor, device custom string1 and device custom string2 to be identical

Do not forget that Joining Rules may generate a lot of partial matches if not properly configured.

Is it possible to build your use case with a simple rule, using an active list as memory?

I need more information about what you would like to detect.

Do not forget that in ArcSight, events are not sent in the same order they are created.

If I have not understood correctly, could you give us more info?

Thanks

Kind Regards

Michael

balahasan.v1 (Acclaimed Contributor)

Re: Join Condition Rule


In addition to what Michael said, include the Matching within 15 mins under the Join Matching Event, and make sure the Action is Threshold based as well.

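As an added illustration for this thread (example code written here, not ArcSight's rule engine and not code from any of the posters), the following Python models the rule the replies describe: events are grouped on the four fields that must be identical (the aggregation tab's "identical" fields, which is also what the pairwise join conditions enforce), the rule fires when three events of one group fall within 15 minutes, and the counter resets after firing, as a threshold-based action does. It also shows Michael's caveat about event order: evaluated in arrival order, a late event can fail to complete a window that sorting by event time would complete. The CEF sample lines, the field mapping (cs1/cs2 to deviceCustomString1/2, rt as the event time) and the minimal parser are constructed assumptions for the example.

```python
"""
Reference model of the rule discussed in this thread (added example, not
ArcSight code): group on four identical fields, fire on 3 events in 15 min.
"""
from collections import defaultdict
from datetime import timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 3
KEY_FIELDS = ("deviceVendor", "deviceProduct",
              "deviceCustomString1", "deviceCustomString2")

# Assumed CEF extension-key -> ArcSight field-name mapping for this example.
EXT_MAP = {"cs1": "deviceCustomString1",
           "cs2": "deviceCustomString2",
           "rt": "receiptTime"}

# Constructed sample events (not real logs). rt is epoch milliseconds and is
# deliberately out of order: the event at +600 s arrives after the one at +2000 s.
SAMPLE_LOG = """\
CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|cs1=dmz cs2=web01 rt=1700000000000
CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|cs1=dmz cs2=web01 rt=1700000300000
CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|cs1=dmz cs2=web02 rt=1700000310000
CEF:0|Palo Alto|PAN-OS|10.1|THREAT|Spyware|7|cs1=dmz cs2=web01 rt=1700000320000
CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|cs1=dmz cs2=web01 rt=1700002000000
CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|cs1=dmz cs2=web01 rt=1700000600000
"""


def parse_cef(line):
    """Minimal CEF parser: 7 pipe-separated header fields, then an extension
    of space-separated key=value pairs (no escaped pipes or spaced values)."""
    parts = line.split("|", 7)
    header, ext = parts[:7], parts[7]
    ev = {"deviceVendor": header[1], "deviceProduct": header[2], "name": header[5]}
    for kv in ext.split():
        k, v = kv.split("=", 1)
        ev[EXT_MAP.get(k, k)] = v
    ev["receiptTime"] = int(ev["receiptTime"]) / 1000.0  # epoch seconds
    return ev


def events_from_log(text):
    return [parse_cef(l) for l in text.splitlines() if l.strip()]


def correlate(events, window=WINDOW, threshold=THRESHOLD, sort_by_event_time=True):
    """Return a list of (group_key, [event times]) for each firing.

    Grouping on KEY_FIELDS is the "identical fields" aggregation; the sliding
    window is "N matches in 15 minutes"; the count is reset after a firing so
    the same events are not reported twice. With sort_by_event_time=False the
    window is evaluated in arrival order, which is how a late event gets missed.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in KEY_FIELDS)].append(ev)

    firings = []
    win = window.total_seconds()
    for key, evs in groups.items():
        if sort_by_event_time:
            evs = sorted(evs, key=lambda e: e["receiptTime"])
        start = 0
        for i, ev in enumerate(evs):
            # Drop events that are older than the window relative to the current one.
            while evs[start]["receiptTime"] < ev["receiptTime"] - win:
                start += 1
            if i - start + 1 >= threshold:
                firings.append((key, [e["receiptTime"] for e in evs[start:i + 1]]))
                start = i + 1  # threshold reached: reset the counter
    return firings


if __name__ == "__main__":
    evs = events_from_log(SAMPLE_LOG)
    for key, times in correlate(evs):
        print("FIRED", key, times)
    print("firings when evaluated in arrival order:",
          len(correlate(evs, sort_by_event_time=False)))
```

In the sample, only the (Cisco, ASA, dmz, web01) group reaches three events; the web02 event and the Palo Alto event differ in one of the four fields and are never joined with it. Evaluated in arrival order the +2000 s event pushes the first two out of the window before the late +600 s event arrives, so nothing fires; sorted by event time the rule fires once on the +0, +300 and +600 s events.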
The opinions expressed above are the personal opinions of the authors, not of Micro Focus.