L1-Network Monitoring - Indicators and Warnings
This is the official forum for the discussion of the L1-Network Monitoring - Indicators and Warnings package.
The installation/update package will be available from the ArcSight Marketplace. All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight?tab=categories).
The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1NetworkMonitoring.
Hi, I have installed the package Activate Base 2.5.2, but when I install this package all the filters have the expression "false", like in the picture.
For what reason does this happen?
We recently have implemented the L1-Network Monitoring and have come across what I think is a minor bug. The "Very High Severity IDS Event" correlated event is set with a Medium severity. It should be set to "Very High". The "High Severity IDS Event" is being set correctly.
I believe I have found another bug in this package which is resulting in the message being incorrectly set for High IDS Severity Events. The message is supposed to be set to the event name along with the Rule ID, which is in Device Event Class ID. This is working for Very-High events, but not High ones. I believe the reason is that the aggregation criteria are different between the two rules. In addition to the fields aggregated on for High Events, Very-High also has event1.Device Event Class ID and event1.Request Url as two additional fields.
The installation file for L1-Network Monitoring 0.2.0.0 displays the following when starting:
"This is the L2-Network Monitoring - Situational Awareness..."
Confusing, but other than that it ran fine.
The Linux installer fails on Step 5 when it exports the customizations package. The line:
$CONSDIR/bin/arcsight package -q -action export -package "$customizationsPackage" -f "$customBundle" -m $manager -port $port -u $user -p "$pwvar"
$CONSDIR/bin/arcsight package -q -action export -package "$customizationsPackage" -f "$customBundlePackage" -m $manager -port $port -u $user -p "$pwvar"
checkError "Step 5: Export $customizationsPackage to $customBundlePackage"
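The mismatch in that post (`$customBundle` on the export line, `$customBundlePackage` everywhere else) is the classic unset-variable bug: with default shell options the misspelled name expands to an empty string, so the failure only surfaces inside the arcsight command rather than at the line that caused it. The script below is an added example, not code from the L1-Network Monitoring installer or from the poster; it reproduces the pattern with a stand-in export function and shows how `set -u` turns the silent empty argument into an immediate, named error. `export_package`, the `step5_*` functions, and the sample package name and bundle path are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not the L1-Network Monitoring installer's own code).
# Demonstrates the $customBundle / $customBundlePackage mismatch from the forum
# post and how `set -u` catches it. All function names and values are
# hypothetical stand-ins.

# Stand-in for "arcsight package -action export": fails when the -f argument
# (output bundle path) is empty, which is what an unset variable expands to.
export_package() {
    # $1 = package name, $2 = output bundle path
    if [ -z "$2" ]; then
        return 1
    fi
    printf 'exported %s to %s\n' "$1" "$2"
    return 0
}

# Mirrors the installer's checkError idiom: report the step label on failure.
checkError() {
    # $1 = exit status of the previous command, $2 = step description
    if [ "$1" -ne 0 ]; then
        printf 'FAILED: %s\n' "$2" >&2
        return 1
    fi
    return 0
}

# Step 5 as posted: $customBundle was never assigned, so under default shell
# options it silently expands to "" and only the export command fails.
step5_buggy() {
    customizationsPackage="L1_Customizations"          # constructed sample value
    customBundlePackage="/tmp/L1_Customizations.arb"   # constructed sample value
    export_package "$customizationsPackage" "$customBundle"
    checkError $? "Step 5: Export $customizationsPackage to $customBundlePackage"
}

# Step 5 corrected: the variable that was actually assigned is the one used.
step5_fixed() {
    customizationsPackage="L1_Customizations"
    customBundlePackage="/tmp/L1_Customizations.arb"
    export_package "$customizationsPackage" "$customBundlePackage"
    checkError $? "Step 5: Export $customizationsPackage to $customBundlePackage"
}

# The same buggy line run with `set -u` (in a subshell so the option does not
# leak out): the shell refuses to expand the unset name and exits non-zero
# with a message naming "customBundle", pointing straight at the typo.
step5_buggy_nounset() {
    ( set -u
      customizationsPackage="L1_Customizations"
      customBundlePackage="/tmp/L1_Customizations.arb"
      export_package "$customizationsPackage" "$customBundle" )
}
```

Running `step5_buggy` reports only "FAILED: Step 5 ..." from checkError, which is the symptom the post describes; `step5_buggy_nounset` fails earlier, at the expansion itself, which is why installer scripts that assemble command lines from many variables benefit from `set -u` near the top.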