steven.m.weber

Join rule?


ArcSight peeps,

I've got a flex connector that is generating events on oracle access management. I'm attempting to get the login failure events (which have the user name used in the sourceUserName field) and the account locked events (which do not have the actual user name used, but are generated at the exact time the last login failure) to correlate using a join rule and generate a correlation event (user account locked) that has the locked account name as the source user name.

I can't seem to get the rule to fire.

Here's a snip of the rule:

Can anyone assist with any suggestions on how to get it working?

Thanks,

Steve

Accepted Solution
tomas.prokes1

Re: Join rule?


This is the problem: "The rule is deployed, but not activated yet until I can successfully test". You can't test a deactivated rule.

For testing the rule has to be un-deployed and enabled.

chris.allen3@hp1

Re: Join rule?


Hey Steve,

Have you verified that your "AccountLocked" and "AuthFail" conditions are matching your desired events?

For the matching event conditions "AccountLocked.EndTime >= AuthFail.EndTime", can you check that the "endTime" fields are in the correct succession in both events?

Is your rule action set to "On Every Event"?

If not, are your aggregation settings set to alert on your desired threshold?

Is your rule enabled and under the "/All Rules/Real-time Rules/" folder?

Are there any partial matches for this rule in the Rules Status Dashboard? (/All Dashboards/ArcSight Administration/ESM/System Health/Resources/Rules/)

-Chris

steven.m.weber

Re: Join rule?


Thanks for the reply, Chris.

I have an active channel full of auth fail and account locked events using the same conditions:

event1 : ( Device Product = OAM AND ( Device Event Class ID = UserAccountLocked: true OR Device Event Class ID = Authentication: false ) )

I'm using this active channel to test the rule.

The rule action is set to every event.

The rule is deployed, but not activated yet until I can successfully test it via the active channel. (I don't want to blow up the ESM accidentally.)

The end times for the last auth fail and the account locked events are identical in ESM, hence the ">=".

Thanks again!

steven.m.weber

Re: Join rule?


Well, there's that lack of sleep making me look silly again.

Thanks for the assistance, that got the correlation events to flow. Now, my problem is that there are too many correlation events generated, but I think that's an issue with my aggregation settings.

Thanks again for everyone's help!

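The join this thread is about, written out as an added Python example (not ArcSight's rule engine and not code from anyone in the thread): each OAM UserAccountLocked event is matched to the Authentication: false events with AccountLocked.EndTime >= AuthFail.EndTime (identical timestamps included, as Steve observed), the account name is taken from the newest failure because the lock event carries none, and duplicate correlation events are then collapsed the way aggregation settings would. The 60-second window, the field names and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample events modelled on the OAM connector fields named in the thread
# (deviceProduct, deviceEventClassId, endTime, sourceUserName). Times are epoch seconds.
@dataclass(frozen=True)
class Event:
    device_product: str
    device_event_class_id: str
    end_time: int
    source_user_name: str = None  # absent on UserAccountLocked events

def is_auth_fail(e):
    return e.device_product == "OAM" and e.device_event_class_id == "Authentication: false"

def is_account_locked(e):
    return e.device_product == "OAM" and e.device_event_class_id == "UserAccountLocked: true"

def correlate(events, window=60):
    """Join each AccountLocked event to the AuthFail events with AccountLocked.endTime >=
    AuthFail.endTime inside `window` seconds; one correlation event per lock event."""
    fails = sorted(filter(is_auth_fail, events), key=lambda e: e.end_time)
    out = []
    for locked in filter(is_account_locked, events):
        cands = [f for f in fails if locked.end_time - window <= f.end_time <= locked.end_time]
        if not cands:
            continue  # lock with no recent failure: nothing to join to
        latest = cands[-1].end_time
        # the lock event carries no user name, so it is taken from the newest failure;
        # two different users failing in that same second are flagged, not guessed
        names = {f.source_user_name for f in cands if f.end_time == latest}
        out.append({"sourceUserName": names.pop() if len(names) == 1 else "AMBIGUOUS",
                    "lockedAt": locked.end_time, "authFailures": len(cands)})
    return out

def aggregate(correlations):
    """Collapse correlation events sharing user and lock time (what aggregation settings do)."""
    unique = {}
    for c in correlations:
        unique.setdefault((c["sourceUserName"], c["lockedAt"]), c)
    return list(unique.values())

SAMPLE = [  # constructed
    Event("OAM", "Authentication: false", 100, "alice"),
    Event("OAM", "Authentication: false", 95, "bob"),
    Event("OAM", "Authentication: false", 102, "alice"),
    Event("OAM", "UserAccountLocked: true", 102),  # same second as alice's last failure
    Event("OAM", "UserAccountLocked: true", 102),  # duplicate lock event
    Event("OAM", "UserAccountLocked: true", 500),  # no failure within the window
]
```

Running `correlate(SAMPLE)` yields two correlation events for alice (the duplicate lock fires the rule twice) and none for the lock at 500; `aggregate` reduces them to one.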