cristian.chimbe1 Super Contributor

Count total lines from an active list

Hi,

I want to create a rule that sends an alert when the total number of lines from an active list reaches a certain threshold.

I don't want to reinvent the wheel because ArcSight already has this parameter, but I don't know how to access it.

Thanks

joao.farias Absent Member.

Re: Count total lines from an active list

You may use the deviceEventClassID = activelist:105 event. It fires when the list reaches its limit.

cristian.chimbe1 Super Contributor

Re: Count total lines from an active list

Hi,

This will not help me because I want to set the threshold up to 50 lines, and the minimum number of lines in an active list is 1000.

If you know a way to lower the number of lines below 1000, the event activelist:105 can help me with my task.

Regards

binkie_jhs1 Absent Member.

Re: Count total lines from an active list

Create an extra activelist with the total count at that moment. Add or subtract whenever an entry is added to or removed from the ActiveList. Alert on count of 50?

Or better yet try the variable 'GetSizeOfList':

For example, suppose you have a session list set up to show user names and IP addresses associated with login sessions. You could get user names from the session list via the GetSessionData variable. If there are three user names on the list (e.g., darren, samantha, and endora), the GetSizeOfList variable will return the number of names on the list (e.g., [3]). You could do the same with the IP addresses.
That should work. Let me know how this works out for you.
Laters..
cristian.chimbe1 Super Contributor

Re: Count total lines from an active list

Hi binkie_jhs,

The only way I know to populate another activelist with the total count from my activelist is with trends, but that would be resource consuming for nothing. It's frustrating to reinvent the wheel when ArcSight already has an internal param that shows the total number of lines in a list but I cannot access it.

In my ESM console I don't have 'GetSizeOfList' so I cannot use it.

What I want to do is to populate a list with the AD accounts locked out (Security:644).

When this list reaches a certain threshold, let's say 50 in a period of a day, I want to be notified on my email.

binkie_jhs1 Absent Member.

Re: Count total lines from an active list

Using v. 4.5:

[Screenshot: GetSizeOfList.JPG]

OR

Build a rule with 50 matches in 24 hours for event security:644 and alert on triggering.

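Added example, not part of any post in this thread and not ArcSight rule syntax: a Python sketch of the two counting approaches discussed above, showing that "50 matches in 24 hours" and "50 accounts on the list" alert at different times when the same accounts lock out repeatedly. The event tuple layout, function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

LOCKOUT_ID = "Security:644"    # lockout event class named in the thread
THRESHOLD = 50                 # threshold from the thread
WINDOW = timedelta(hours=24)   # "in a period of a day"


def detect(events, distinct, threshold=THRESHOLD, window=WINDOW):
    """Return the times at which the windowed count first reaches threshold.

    events: (timestamp, event_id, account) tuples sorted by timestamp.
    distinct=True counts unique accounts, like the size of a list whose
    entries expire after `window`; distinct=False counts raw matches.
    """
    last_seen = {}   # account -> latest lockout time
    matches = []     # timestamps of every lockout event in the window
    alerts = []
    armed = True     # alert once per crossing, re-arm when count drops
    for ts, event_id, account in events:
        if event_id != LOCKOUT_ID:
            continue
        cutoff = ts - window
        last_seen[account] = ts
        matches.append(ts)
        last_seen = {a: t for a, t in last_seen.items() if t > cutoff}
        matches = [t for t in matches if t > cutoff]
        count = len(last_seen) if distinct else len(matches)
        if count < threshold:
            armed = True
        elif armed:
            alerts.append(ts)
            armed = False
    return alerts


def sample_events():
    """Constructed data, not from a real log."""
    day1 = datetime(2024, 1, 1, 8, 0)
    day3 = datetime(2024, 1, 3, 9, 0)
    # 60 lockouts in 10 hours, but only 20 accounts locking out repeatedly.
    repeat = [(day1 + timedelta(minutes=10 * i), LOCKOUT_ID, f"user{i % 20:02d}")
              for i in range(60)]
    # 50 different accounts locked out within 50 minutes.
    burst = [(day3 + timedelta(minutes=i), LOCKOUT_ID, f"acct{i:02d}")
             for i in range(50)]
    return repeat + burst


if __name__ == "__main__":
    print("distinct accounts:", detect(sample_events(), distinct=True))
    print("raw matches:      ", detect(sample_events(), distinct=False))
```

On the sample data the raw-match count alerts on day 1 for 20 noisy accounts, while the distinct-account count alerts only on the day 3 burst of 50 different accounts.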