Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Highlighted
anurjai Absent Member.
Absent Member.
2535 views

Need help to Understand Rule Trigger

Jump to solution

Hello,

I have been reading multiple Rule Trigger option in "Arcsight Console User Guide" but didn't understand these terms.

I appreciate it if someone help me to understand below mentioned Rule Trigger with any example.

1. On First Event

2. On Subsequent Events

3. On Every Event

4. On First Threshold

5. On Subsequent Thresholds

6. On Every Threshold

7. On Time Unit

8. On Time Window Expiration

Best Regards,

Anurag

Labels (2)
0 Likes
1 Solution

Accepted Solutions
chris.allen3@hp1 Super Contributor.
Super Contributor.

Re: Need help to Understand Rule Trigger

Jump to solution

If you provide your use case we can help point you in the right direction.

The "On Threshold" and "On Time" can be a little confusing.

For instance - if a rule is matching conditions every 20 seconds with a matching threshold of 2 in a time frame of 60 seconds:

On First Threshold - will take action after the second match and then never again until 60 seconds passes without any matching events. (This would fire in 40 seconds and then never again)

On Subsequent Threshold - will take action after the fourth match and will continue to take action every other match until 60 seconds passes without any matching events. (This would fire in 80s, 120s, 160s etc..)

On Every Threshold - will take action on every other match every time. (This would fire every 40 seconds)

On Time Unit - will take action on the second match and will reset the counter after 60 seconds from the first matching event. This would take action 60 times in one hour for this example but would exclude the first 2 base events under the correlation event while retaining the third and successive base events.  (This would fire every 60 seconds with 1 base event)

On Time Window Expiration - will take action in 60 seconds after the first match as long as there is a second match within 60 seconds from the first match.  This would take action 60 times in one hour for this example.  With "Cumulative Rule Chain Is On" would save all events during the 60 second window.  With "Cumulative Rule Chain Is Off" would save events after the threshold is met during the 60 second window.  Unique aggregation cannot be used with this action type.  (This would fire every 60 seconds with 3 base events in "Cumulative Rule Chain Is On") or (This would fire every 60 seconds with 1 base event in "Cumulative Rule Chain Is Off")

On First Event - will take action on the first match and never take action again until 60 seconds passes without any matching events. (This would fire on the first event and then never again)

On Subsequent Events - will take action after the second match and will continue to take action on every match until 60 seconds passes without any matching events. (This would fire in 40s, 60s, 80s etc..)

On Every Event - will take action on every event...

-Chris

3 Replies
Honored Contributor.. brian.chong@hpe Honored Contributor..
Honored Contributor..

Re: Need help to Understand Rule Trigger

Jump to solution

The information you seek is in the ArcSight Console User guide. You can go to "Help -> Browse Documentation" and type in "threshold" or manually open the pdf documentation and search the string "threshold". We have done a lot in our documentation guide including plethora of information. I've took a partial snapshot of the documentation, but I couldn't capture all in once single screen. Hope this helps.

thanks,

Brian Chong

0 Likes
pbrettle Acclaimed Contributor.
Acclaimed Contributor.

Re: Need help to Understand Rule Trigger

Jump to solution

Also, I recommend taking a look at the ESM 101 guide - page 59 and later:

0 Likes
chris.allen3@hp1 Super Contributor.
Super Contributor.

Re: Need help to Understand Rule Trigger

Jump to solution

If you provide your use case we can help point you in the right direction.

The "On Threshold" and "On Time" can be a little confusing.

For instance - if a rule is matching conditions every 20 seconds with a matching threshold of 2 in a time frame of 60 seconds:

On First Threshold - will take action after the second match and then never again until 60 seconds passes without any matching events. (This would fire in 40 seconds and then never again)

On Subsequent Threshold - will take action after the fourth match and will continue to take action every other match until 60 seconds passes without any matching events. (This would fire in 80s, 120s, 160s etc..)

On Every Threshold - will take action on every other match every time. (This would fire every 40 seconds)

On Time Unit - will take action on the second match and will reset the counter after 60 seconds from the first matching event. This would take action 60 times in one hour for this example but would exclude the first 2 base events under the correlation event while retaining the third and successive base events.  (This would fire every 60 seconds with 1 base event)

On Time Window Expiration - will take action in 60 seconds after the first match as long as there is a second match within 60 seconds from the first match.  This would take action 60 times in one hour for this example.  With "Cumulative Rule Chain Is On" would save all events during the 60 second window.  With "Cumulative Rule Chain Is Off" would save events after the threshold is met during the 60 second window.  Unique aggregation cannot be used with this action type.  (This would fire every 60 seconds with 3 base events in "Cumulative Rule Chain Is On") or (This would fire every 60 seconds with 1 base event in "Cumulative Rule Chain Is Off")

On First Event - will take action on the first match and never take action again until 60 seconds passes without any matching events. (This would fire on the first event and then never again)

On Subsequent Events - will take action after the second match and will continue to take action on every match until 60 seconds passes without any matching events. (This would fire in 40s, 60s, 80s etc..)

On Every Event - will take action on every event...

-Chris

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.