I am trying to troubleshoot a high number of denied traffic events. In one of the fields from the raw logs I found the following
for all the denied traffic. My guess is this is the reason why the traffic is denied, but I have failed to find any documentation regarding this.
Is this custom made, or does it have some predefined meaning in ArcSight?
Any help is appreciated
Devicecustomstring is often used to map certain names or references to the log source; the information itself is not something that is normally populated by ArcSight itself.
For example, traffic logs from Cisco firewalls might include the rule number, policy name, outcome name, etc., and the same goes for web application firewalls, which might have certain app rules, populating the name of the rule that was hit.
Each supported application normally has specific documentation, either provided by the vendor on their site or in our Connector Documentation section, which usually has a list of all fields that are mapped and the meaning behind their values.
All topics and replies I make are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
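An added example, not part of the thread or of ArcSight's own tooling: a small Python parser that splits a CEF event into its header and extension, pairs each csN field with its csNLabel so the label the connector assigned is visible, and tallies denied events per rule name, which is the kind of count that narrows a flood of denies down to the rule producing them. The sample events, rule names and policy names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread): CEF lines as a firewall
# connector might emit them, with csN/csNLabel pairs carrying the rule hit.
SAMPLE_EVENTS = [
    "CEF:0|Cisco|ASA|9.8|106023|Deny tcp|5|src=10.0.0.5 dst=203.0.113.9 act=deny "
    "cs1Label=Rule Name cs1=Block outbound SMB cs2Label=Policy cs2=Internet-Edge",
    "CEF:0|Cisco|ASA|9.8|106023|Deny tcp|5|src=10.0.0.7 dst=203.0.113.9 act=deny "
    "cs1Label=Rule Name cs1=Block outbound SMB cs2Label=Policy cs2=Internet-Edge",
    "CEF:0|Cisco|ASA|9.8|302013|Built connection|3|src=10.0.0.5 dst=198.51.100.2 "
    "act=allow cs1Label=Rule Name cs1=Allow web cs2Label=Policy cs2=Internet-Edge",
]
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# key=value pairs: a value runs until the next " key=" token or end of line;
# an escaped "\=" inside a value does not terminate it.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|$)")
CS_RE = re.compile(r"^cs(\d+)$")

def parse_cef(line):
    """Split a CEF line into its seven header fields plus an 'ext' dict."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line[:40])
    event = dict(zip(HEADER, parts[:7]))
    event["ext"] = {k: v.replace("\\=", "=") for k, v in EXT_RE.findall(parts[7])}
    return event

def custom_strings(ext):
    """Map each csN value to its csNLabel, so the connector's meaning is visible."""
    resolved = {}
    for key, value in ext.items():
        m = CS_RE.match(key)
        if m:  # fall back to the raw key when the connector sent no label
            resolved[ext.get("cs%sLabel" % m.group(1), key)] = value
    return resolved

def denied_by_rule(lines, label="Rule Name"):
    """Count events with act=deny per labelled custom string value."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev["ext"].get("act", "").lower() == "deny":
            counts[custom_strings(ev["ext"]).get(label, "<unlabelled>")] += 1
    return counts

if __name__ == "__main__":
    for rule, n in denied_by_rule(SAMPLE_EVENTS).most_common():
        print("%4d  %s" % (n, rule))
```

Run it over a file of exported raw CEF events instead of SAMPLE_EVENTS to see which labelled rule accounts for the denies; if the label is missing, the raw cs1 key is reported and the connector's field mapping documentation is the place to look it up.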