jayant0608 Contributor.

what would be the rule in ArcSight ESM for obtaining the list of devices

I have written a rule for obtaining the list of devices (Events where Device Address IS NOT NULL or Device Vendor IS NOT NULL) and called an active list in the rule. But the rule isn't working properly, or is my rule incorrect? The active list is not being updated. Kindly help.

varunraaj Honored Contributor..

Re: what would be the rule in ArcSight ESM for obtaining the list of devices

Hi Jayant,

You have a feature in ArcSight to monitor on the log source. Enable the "Device Status Monitoring" for each connector.

After which you can capture the audit event agent:043.

Regards,

Varun P G

jayant0608 Contributor.

Re: what would be the rule in ArcSight ESM for obtaining the list of devices

Thank you Varun, it was helpful. But is there any other way I can do the same?

Regards

Jayant M

raymond.doty Established Member..

Re: what would be the rule in ArcSight ESM for obtaining the list of devices

Is there a reason you need a rule for this? Depending on your hardware and the amount of data/EPS that you are processing, a rule can be very expensive in terms of performance.

Perhaps a report (and, if looking to do this long term, a trend) where you get a sum of aggregated event count while grouping on the device address and device hostname fields would work?

Micro Focus Expert

Re: what would be the rule in ArcSight ESM for obtaining the list of devices

Check out this content I created, which might address what you're looking for. It uses a Lightweight Rule, so it shouldn't be taxing on your system.

Attached is some content I wrote on this, I think it was ESM 6.8c that I wrote it in. It uses Lightweight Rules to write to Active Lists, and then there are reports on the Active Lists. There are some examples of what the reports look like. It reports on IP and hostname, as sometimes events might not have all of the fields like IP address populated.

https://www.protect724.hpe.com/thread/17708#comment-72271

JPClark Member.
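As an added illustration of the two approaches suggested above (Raymond's aggregation grouped on device address and hostname, and the Lightweight Rule that populates an Active List keyed on IP and hostname even when one of them is missing), the following stand-alone Python script builds the same inventory from constructed CEF events. It is not content from this thread or from ArcSight; the vendor/product names in the sample events and the function names are made up, while `dvc` and `dvchost` are the standard CEF extension keys that map to Device Address and Device Host Name.

```python
import re
from collections import defaultdict

# Constructed sample events in CEF format (not real connector output); note the
# events that lack dvc (Device Address) or dvchost (Device Host Name).
SAMPLE_EVENTS = [
    "CEF:0|Acme|FW|1.0|100|Login|3|dvc=10.0.0.5 dvchost=fw01 src=192.168.1.10",
    "CEF:0|Acme|FW|1.0|100|Login|3|dvc=10.0.0.5 dvchost=fw01 src=192.168.1.11",
    "CEF:0|Acme|Proxy|2.1|200|Deny|5|dvchost=proxy01 src=192.168.1.12",
    "CEF:0|Acme|IDS|3.0|300|Alert|7|dvc=10.0.0.9 src=192.168.1.13",
    "CEF:0|Acme|FW|1.0|100|Login|3|dvc=10.0.0.5 dvchost=fw01 msg=key\\=value",
]

# One extension pair: key=value, where the value runs until the next " key="
# and may contain backslash-escaped characters such as "\=".
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its 7 header fields and a dict of extension pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # header pipes may be escaped
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    header = [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]
    ext = {}
    for m in _EXT_RE.finditer(parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext


def device_inventory(events):
    """Aggregate events into an Active List style table keyed on
    (Device Address, Device Host Name). A missing field is kept as None so a
    device is still listed when only one of the two is populated."""
    inventory = defaultdict(lambda: {"vendor": None, "count": 0})
    for line in events:
        header, ext = parse_cef(line)
        address, host = ext.get("dvc"), ext.get("dvchost")
        if address is None and host is None:
            continue  # nothing to identify the device by; skip the event
        entry = inventory[(address, host)]
        entry["vendor"] = header[1]  # Device Vendor comes from the CEF header
        entry["count"] += 1
    return dict(inventory)


if __name__ == "__main__":
    for (address, host), entry in device_inventory(SAMPLE_EVENTS).items():
        print(address, host, entry["vendor"], entry["count"])
```

Running it lists three devices: fw01 with both fields, proxy01 with no address, and 10.0.0.9 with no hostname, each with its aggregated event count.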

Re: what would be the rule in ArcSight ESM for obtaining the list of devices

This link does not work. It just takes me back to the community homepage.
