L1-Entity Monitoring - Indicators and Warnings
This is the official forum for discussing the ArcSight Activate L1-Entity Monitoring - Indicators and Warnings package, as described in the Activate Wiki
To reduce partial matches, it would be good to add a condition to the brute force rules requiring the destinationUserName be non-null. Rule fires on empty user names are probably not going to be missed.
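As an added illustration of the point in the post above (this is not code from the Activate package or from the poster), here is a small Python emulation of a failed-logon brute-force rule that aggregates on sourceAddress and destinationUserName over constructed sample events. It shows how events with an empty or null destinationUserName collapse into one bucket and fire the rule, and how a non-null requirement on the user name removes that partial match. The CEF-style field names are real, but the threshold, the sample events and the function names are assumptions made for the example.

```python
"""
Added example, not part of the ArcSight Activate L1 content: emulate a
failed-logon brute-force rule and show the effect of requiring a non-null
destinationUserName. All events below are constructed for the example.
"""
from collections import defaultdict

# Hypothetical threshold: N authentication failures from one source
# against one target account within the aggregation window.
THRESHOLD = 5


def failed_logon(source, user):
    """Build one constructed, CEF-style failed-authentication event."""
    return {
        "categoryBehavior": "/Authentication/Verify",
        "categoryOutcome": "/Failure",
        "sourceAddress": source,
        "destinationUserName": user,  # may be None or "" on some devices
    }


# Constructed sample data:
#  - 10.0.0.5: five failures where the device never populated the user name
#    (a mix of null and empty-string values)
#  - 10.0.0.7: two failures against alice (below threshold)
#  - 10.0.0.9: five failures against bob (a genuine brute-force pattern)
SAMPLE_EVENTS = (
    [failed_logon("10.0.0.5", None)] * 3
    + [failed_logon("10.0.0.5", "")] * 2
    + [failed_logon("10.0.0.7", "alice")] * 2
    + [failed_logon("10.0.0.9", "bob")] * 5
)


def is_failed_logon(event):
    """The base filter a brute-force rule would sit on."""
    return (event.get("categoryBehavior") == "/Authentication/Verify"
            and event.get("categoryOutcome") == "/Failure")


def brute_force_matches(events, require_user=False, threshold=THRESHOLD):
    """
    Aggregate failed logons by (sourceAddress, destinationUserName) and
    return the sorted buckets that reach the threshold.

    require_user=True adds the condition suggested in the forum post:
    events whose destinationUserName is null or empty are excluded, so
    they can no longer be counted together as one spurious bucket.
    """
    counts = defaultdict(int)
    for event in events:
        if not is_failed_logon(event):
            continue
        user = event.get("destinationUserName")
        if require_user and not user:
            continue
        # Normalise null to "" so buckets stay comparable and sortable.
        counts[(event.get("sourceAddress"), user or "")] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("without non-null condition:", brute_force_matches(SAMPLE_EVENTS))
    print("with non-null condition:   ",
          brute_force_matches(SAMPLE_EVENTS, require_user=True))
```

Without the condition the rule fires twice, once on the real pattern against bob and once on the empty-user bucket from 10.0.0.5; with it, only the bob bucket remains. In a real rule the same effect is obtained by adding a "destinationUserName Is NOT NULL" condition to the rule's filter rather than in code.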
Hi, what is the reason that when I install all the packages with the L1 nomenclature, all the filters have the condition false, but during the installation I don't get any error?
You will need to hook in the product packages to the L1 content. When L1 packages are installed, by default, no product packages are hooked in and that's why the filter conditions are false. A link to the Wiki and docs is under Resources on Marketplace. Here is a link to how to do this: https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1EntityMonitoring#Content_Hooks_for_Product_Packages.
The rules set the Category Device Group to /User, but that is not a type of Device Group. It wouldn't be perfect, but /Operating System would be close enough.