sjm Respected Contributor.

Search inside of assets: Active Lists, Trends etc.

Is there a way, via the ArcSight console, to search inside of assets such as Active Lists or Trends?

I don't think there is, but it seems pretty awful to have to tell my users to export the active lists to .csv files, dump them in a Linux environment, and grep them.  What other options are there?

0 Likes
9 Replies
rhope Acclaimed Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

You can filter any of the columns in an ActiveList. Right click and show entries then filter by clicking in the grey area at the top where it says filter.

0 Likes
sjm Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

Users want to be able to search for a string (IP, domain, whatever) and have returned to them the assets in which the string is found.

I.E. Search "domain.com"

Results:

Lists>Shared\All Active Lists\Group\baddomains

Lists>Shared\All Active Lists\Group2\Group\some list

Let's assume an ArcSight instance with many groups and subgroups and many Lists.  That's where this use-case comes from - the need to search a string across all lists the user has permissions to.

0 Likes
shadow
New Member.

Re: Search inside of assets: Active Lists, Trends etc.

Hi Stephen,

A loose method, I think, is creating a query with all your requirements. You can mention all your search strings in an 'OR' condition and all your multiple active lists in another OR condition as well, separated by an AND, then create a report. I have not tried it yet. Will be trying it right away. Thank you for your question.

0 Likes
DineshPoudel Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

You can have a rule called "Investigation", every time you want to run a query,

I.E. Search "domain.com"

You can do this, ( Destination Host Name = domain.com AND InActiveList("Bad IPs") )

Every time you want to search an active list all you have to do is edit this rule.

0 Likes
sjm Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

That's ok for one list but folks want to be able to search across ALL active lists that they have read permissions to with a single search.  I guess I could dump the contents of all the lists into a single list and then use something similar to your method to search that resulting combined list.  It's a bit awkward but should work.

0 Likes
DineshPoudel Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

Or you can use the OR parameter and search across ALL active lists.

0 Likes
sjm Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

Why isn't it possible to search the contents of all active lists (or inside trends etc.) that a user has permissions to using the search bar?  These are essentially just text files.  It should be possible to search them.  It wouldn't be too resource intensive.

Where can I request this feature be added to ArcSight?

0 Likes
shadow
New Member.

Re: Search inside of assets: Active Lists, Trends etc.

Hi Stephen,

If you want to propose this as an idea you can do it here. I agree with you on this.

https://www.protect724.hpe.com/content?filterID=contentstatus%5Bpublished%5D~objecttype~objecttype%5Bidea%5D

0 Likes
sjm Respected Contributor.

Re: Search inside of assets: Active Lists, Trends etc.

I did submit it as a feature request/idea.  We'll see if it comes through.  It doesn't seem terribly complicated to implement.

0 Likes
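Added example, not code from any poster in this thread or from ArcSight: a sketch of the export-and-grep workaround mentioned in the first post, reporting which exported list each hit came from. It assumes the active lists were exported as one CSV per list into a directory tree mirroring the group hierarchy; the directory layout, file names and sample rows are constructed for illustration.

```python
import csv
import tempfile
from pathlib import Path


def search_exports(root, term, exact=True):
    """Return (list_path, line_no, row) hits for term under root.

    exact=True compares whole fields case-insensitively, so "domain.com"
    does not hit "notdomain.com" the way a plain substring grep would.
    """
    needle = term.strip().lower()
    hits = []
    for path in sorted(Path(root).rglob("*.csv")):
        # Relative path minus ".csv" stands in for the list's resource path.
        list_path = path.relative_to(root).with_suffix("").as_posix()
        with path.open(newline="", encoding="utf-8", errors="replace") as fh:
            for line_no, row in enumerate(csv.reader(fh), start=1):
                fields = [f.strip().lower() for f in row]
                if exact:
                    found = needle in fields
                else:
                    found = any(needle in f for f in fields)
                if found:
                    hits.append((list_path, line_no, row))
    return hits


def build_sample_exports(root):
    """Write constructed sample exports (not real ArcSight data)."""
    samples = {
        "Group/baddomains.csv": "Domain,Reason\nDomain.com,phishing\nexample.net,spam\n",
        "Group2/Group/some list.csv": "Host,Address\nnotdomain.com,192.0.2.10\ndomain.com,192.0.2.11\n",
        "Group2/clean.csv": "Host\nexample.org\n",
    }
    for rel, text in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_exports(tmp)
        for list_path, line_no, row in search_exports(tmp, "domain.com"):
            print(f"{list_path}:{line_no}: {row}")
```

Passing `exact=False` gives grep-like substring matching, which also returns the `notdomain.com` row.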