karl2k1
Having trouble with thresholds and too many alerts / how to temp stop alerts while investigating?

I'd like to set up a notification to be sent out if perhaps the machine has a virus. However, I only need one notification sent. I don't need an email sent for each file that it finds infected.
Same thing with port scans: if someone is port scanning the device it will create multiple events, but I only need one email sent out. I don't need it to fire each time it hits that threshold. I'm not sure how I can tell ArcSight that I am investigating the event and to stop firing off alerts. Acknowledgements maybe?

Maybe I could set a condition within the rule to not fire if that particular rule was acknowledged... hmm.

Volker Michels
Re: Having trouble with thresholds and too many alerts / how to temp stop alerts while investigating?

Work with lists and specify the conditions ...

Rule feeds the list --> Event "ActiveList entry updated" (with your conditions) --> notification

or

use aggregation conditions in the first rule

Volker

karl2k1

Re: Having trouble with thresholds and too many alerts / how to temp stop alerts while investigating?

Gotcha.
If I had it add something like the attacker hostname to the list, it would only fire on the first event, in theory.

However, what happens is that we get maybe 50 events that all occur at the exact same time. I'll have to test how it fires then.

Also, it's not really ideal to manually remove it from a list. I guess I could put a TTL on it, but I'd like a way of telling ArcSight that it has been acknowledged and to not fire any more alerts. Once it has been fixed, I'd like to have a way of telling ArcSight to resume potential alerts on the specific machine.

Perhaps have it fire and add the hostname to a list, then remove it from the list when the case is resolved? Tips?

Volker Michels

Re: Having trouble with thresholds and too many alerts / how to temp stop alerts while investigating?

Hello,

It depends what you want to achieve and what your use case is; maybe this works:

The first rule adds the event to the list, and a second rule that fires on "ActiveList entry updated" removes the entry from the list; or you have another condition in a rule that has the action to remove the entry from the list ... or a very short TTL?

Volker

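The list-based suppression flow discussed in this thread (alert once per attacker host, pin the entry while a case is open, release it on resolve or TTL expiry), as an added Python simulation that is not ArcSight code or either poster's own; the class, method names and the 50-event burst are constructed for illustration:

```python
from dataclasses import dataclass, field


@dataclass
class SuppressionList:
    """Mimics an active list keyed on the attacker host (hypothetical model).
    Each entry carries an expiry time (the TTL) and an 'acknowledged' flag."""
    ttl: float
    entries: dict = field(default_factory=dict)  # host -> [expires_at, acknowledged]

    def handle_event(self, host: str, ts: float) -> bool:
        """Rule 1: return True exactly when a notification should go out.

        A burst of events for the same host, even at an identical timestamp,
        yields one notification; the rest are suppressed while the entry lives.
        """
        entry = self.entries.get(host)
        if entry is not None:
            expires_at, acked = entry
            if acked or expires_at > ts:
                return False  # case is open, or still inside the TTL window
            # TTL elapsed with nobody acknowledging: fall through and alert again
        self.entries[host] = [ts + self.ttl, False]
        return True

    def acknowledge(self, host: str) -> None:
        """Analyst is investigating: pin the entry so the TTL no longer matters."""
        if host in self.entries:
            self.entries[host][1] = True

    def resolve(self, host: str) -> None:
        """Rule 2 equivalent: remove the entry so fresh events alert again."""
        self.entries.pop(host, None)


def notifications_for(events, ttl: float = 600.0) -> list:
    """Replay (host, timestamp) events and return the timestamps that notified."""
    sl = SuppressionList(ttl)
    return [ts for host, ts in events if sl.handle_event(host, ts)]


if __name__ == "__main__":
    # Constructed sample: 50 AV / port-scan events for one host in the same second
    burst = [("srv-42", 1000.0)] * 50
    print(len(notifications_for(burst)))  # 1
```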