Can you explain the objective of the report in detail?

As Arcsight is used by a SOC, we need to provide statistics on the total of events received by ESM, the total of event Reviewved (Ctrl+R), and also the stat of rules wich trigger an alert during the day. And also the number of case open and closed in ESM.

For exemple

Today in ESM we should have:

- 1 500 000 events receiveds from all collectors

- 250 000 has been mark as revieved and manually investigated (the Ctrl+R option in the cative channel)

- the rules have triggered

Login account ==> 14 000

Login during out of business ==> 1200

Sensitive files accessed ==> 3

...

- 3 cases have been opened

- name 1

- name 2

- name 3

- Some case have been closed

- name1

- name2

For the case stats I could make something, but for the total number of event and event reviewved I don't know.

No idea?

Try to creat a Pie-Chart dispaying how many have been reviewed and how many have not been reviewed.

YesI know that.

But I don't know what is the best method.

I know, that I need to select type base event and the count function.

But I think it took a very very long time to count the events for one day for exemple, as we receive more than million on event each day.

If I select one day period, ESM will query the database to retrieve all events reveived during the day.

Do you understand what I try to explain?

Did you get an answer to this?

Unfortunately I don't receive anyvaluable answer.

I had a case opened with the support.

But their anwers was: " Arcsight ESM is not able to make a such thing, it requires new feature"

I'm always searching a sokution for this.

I found a ways, using rules.

When a event come in ESM , it trigger a rule, the action of the rule will write a count in a file, using a script.

To detect and count a correlation rule, I made the same thing, each time a correlation trigger an alert, in the same time the rule will make a count in a file.

Same way for an annoted event

Regarding cases, I run a csv report

However this solution is ressource consumming.

Actually,I've another solution, which require to parse the server.log file.

This file contain a very big line, which is comma separated. You need to split the line using the comma, you have two value, the first can be moved in trash, the scond should be parsed wih the second token which is the pipe char. Then you can have the first wo information

Event received bu the connector

Event transmitted to ESM after filter out.

However this solution seems to miss some events. so the total count is not very precise (+- 20%)

I never received any great answer from the support... as all cases I've opened....