vdor Absent Member.

Internal Audit event for event annotation stage name change?

My goal is to setup a rule that fires when someone changes a correlated event to a particular stage, but I can't seem to find the internal audit event associated with such an action.

julien Absent Member.

Re: Internal Audit event for event annotation stage name change?

I'm looking for the exact same thing.  I was hoping to use an Event Annotation Stage change to notify a group of people in the stage it was changed to.  From what I've seen of previous posts, you can't do this.

Hey ArcSight, this sounds like a good product enhancement.

balahasan.v1 Acclaimed Contributor.

Re: Internal Audit event for event annotation stage name change?

Hi Evan,

Yeah, that is true. No audit events found for it. But as an alternative you can try Notifications:

And have you checked the data fields in the Annotation group? Maybe you can define a rule based on the fields which will be modified or populated.

And below statement also

vdor Absent Member.

Re: Internal Audit event for event annotation stage name change?

I tried setting it up so that I had a rule trigger when an event was seen with a certain annotation stage name. The conditions I used worked properly in an active channel, but would not cause a rule to fire, presumably because the event wasn't being reintroduced as a new record, just had an existing field switched over. My use case is the same as Eric's: I want to notify a group if something has been assigned to their stage.

balahasan.v1 Acclaimed Contributor.

Re: Internal Audit event for event annotation stage name change?

Hi Evan,

Have you got any annotation details in the ArcSight audit event? It might capture those event field modifications...

michael.selph Absent Member.

Re: Internal Audit event for event annotation stage name change?

First off, Hi Evan, long time

Do you have pattern discovery? I don't have it where I'm at now, but I'm wondering if you could use that? Maybe have pattern discovery kick off once an hour or so to see what's been annotated? Just a thought.

Are you trying to do some near-real time alerting on an annotation stage? If it doesn't have to be near real time, you could always trend it out.

If none of those work, you could always try a workflow change. You could have the analyst add the events to an AL instead of/in addition to annotating them (right click on the events -> add to active list).

mjohnston Absent Member.

Re: Internal Audit event for event annotation stage name change?

It doesn't appear that this is audited, or at least, if it is, the user ID of the changer isn't logged. I set up a channel looking for my user ID, then changed the assignee and stage for an event. No event was found (although my login and manipulations of the channel were logged).

vdor Absent Member.

Re: Internal Audit event for event annotation stage name change?

Hey Mike,

Good to hear from you. How much snow is on the ground up there so far? Unfortunately, no Pattern Discovery here. The requirement actually is close to real-time, but I may play around with a trend and see how close I can get it. It's a shame there isn't some sort of functionality that allows for this behavior; you'd think it would be a higher priority. As mentioned above, I can get a channel to show the migrated events at new annotation stages, but I'm guessing the rules engine is only evaluating them the first time they are seen in ArcSight, which makes sense.

Thanks for the suggestions!

mjohnston Absent Member.

Re: Internal Audit event for event annotation stage name change?

So, if you REALLY need to make this work, you could create a DB FlexConnector to read the arc_event_annotation table, and create events from it. This obviously won't include any details of the original event (source, target, etc). If you need that detail, two avenues you could pursue are: 1) retrieve the events from the arc_event table (this will be very slow - you'll need to manage the latency - you prob shouldn't just join arc_event), or 2) see if you can populate the event references the same way as correlated events do (see if you can have it populate arc_event.base_event_ids).

ji52hale1 Frequent Contributor.

Re: Internal Audit event for event annotation stage name change?

This is, sadly, not available.  I submitted a feature request back in August of 2012 for this, but it has yet to be added.

vaish_11 Absent Member.

Re: Internal Audit event for event annotation stage name change?

Your best bet would be the Event Annotation Audit Trail field. It logs all annotation changes including the time stamp. The only disadvantage is that the timestamp is in epoch.

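Added example, not part of the thread and not ArcSight code: a sketch of the polling approach mjohnston describes (read annotation rows from the database and turn them into new events), which also converts the epoch timestamps vaish_11 mentions. The table `annotation_sample`, its column names and the sample rows are hypothetical stand-ins, since the thread does not show the real `arc_event_annotation` schema; the sketch assumes one row per annotation change with an epoch-milliseconds timestamp.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: hypothetical columns (event_id, stage_name,
# modified_by, modified_ms), not the real arc_event_annotation schema.
SAMPLE_ROWS = [
    (1001, "Queued",    "analyst1", 1389000000000),
    (1001, "Follow-Up", "analyst2", 1389000600000),
    (1001, "Follow-Up", "analyst2", 1389000660000),  # re-saved, stage unchanged
    (1002, "Follow-Up", "analyst1", 1389000900000),
]

def build_sample_db(rows):
    """Create an in-memory stand-in for the annotation table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE annotation_sample (event_id INTEGER, "
                 "stage_name TEXT, modified_by TEXT, modified_ms INTEGER)")
    conn.executemany("INSERT INTO annotation_sample VALUES (?, ?, ?, ?)", rows)
    return conn

def epoch_ms_to_utc(ms):
    """Render an epoch-milliseconds value as an ISO 8601 UTC string."""
    ts = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

class StagePoller:
    """Emit one alert each time an event newly enters the watched stage."""
    def __init__(self, conn, watched_stage):
        self.conn, self.watched_stage = conn, watched_stage
        self.watermark_ms = 0   # newest change already processed
        self.last_stage = {}    # event_id -> stage seen on its previous change

    def poll(self):
        rows = self.conn.execute(
            "SELECT event_id, stage_name, modified_by, modified_ms "
            "FROM annotation_sample WHERE modified_ms > ? ORDER BY modified_ms",
            (self.watermark_ms,)).fetchall()
        alerts = []
        for event_id, stage, user, ms in rows:
            self.watermark_ms = ms
            previous = self.last_stage.get(event_id)
            self.last_stage[event_id] = stage
            # Alert on the transition only, so re-saved annotations stay quiet.
            if stage == self.watched_stage and previous != stage:
                alerts.append({"event_id": event_id, "stage": stage,
                               "changed_by": user, "changed_at": epoch_ms_to_utc(ms)})
        return alerts

if __name__ == "__main__":
    for alert in StagePoller(build_sample_db(SAMPLE_ROWS), "Follow-Up").poll():
        print(alert)
```

Because each alert is produced as a new record, it can be fed back in as a fresh event, which sidesteps the problem vdor describes of rules evaluating an event only the first time it is seen.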