vikas.x.kumar@a Contributor.

Rule modification report

How can we pull a consolidated report/list of which user has modified the rule, with timestamp?

Can we pull the report for multiple modifications on the rules, i.e. user X modified rule A on one day, then user Y modified the same rule a week later?

Can we also get the details of what was modified in the rule?

The same question goes for Filters/Active list etc. as well.

nils.guenther@t Honored Contributor.

Re: Rule modification report

Hi Vikas,

>> How can we pull a consolidated report/list of which user has modified the rule, with timestamp?

This can be achieved using so-called "Audit Events"; ArcSight fires loads of those. The Device Event Class Id of Resource Events starts with "resource:" (e.g. resource update being "resource:101"). You'll find the resource's name/URI in File Name/File Path, the resource's type (e.g. Rule) in File Type and the user in Source User Id. The value displayed is the unique id of the ArcSight users that are configured.

>> Can we also get the details what was modified in the rule?

AFAIK, no. You'll have to adopt a convention of using comments (similar to commit comments in programming). That's what the Notes tab is for.

For further reference search for "Audit Events" in Console Help.


Cheers Nils
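
One way to turn those audit events into the consolidated per-rule history asked about, as an added example that is not part of the thread or of ArcSight itself. It assumes the events were exported to CSV with the field names from the reply as column headers plus an assumed `End Time` column; all rows, user ids and resource paths below are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names follow the fields named in the reply,
# plus an assumed "End Time" column. User ids and paths are made up.
SAMPLE_CSV = """End Time,Device Event Class Id,File Type,File Path,File Name,Source User Id
2019-03-11 14:20:00,resource:101,Rule,/All Rules/Personal/Rule A,Rule A,uid-Y
2019-03-04 09:15:00,resource:101,Rule,/All Rules/Personal/Rule A,Rule A,uid-X
2019-03-05 10:00:00,resource:101,Filter,/All Filters/Personal/Filter F,Filter F,uid-X
2019-03-06 11:30:00,resource:101,Rule,/All Rules/Personal/Rule B,Rule B,uid-X
2019-03-07 08:00:00,constructed:000,Rule,/All Rules/Personal/Rule B,Rule B,uid-Z
"""

UPDATE_ID = "resource:101"  # resource update, per the reply above


def modification_history(csv_text, file_type="Rule", class_id=UPDATE_ID):
    """Return {resource path: [(time, user id), ...]} sorted oldest first."""
    history = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Device Event Class Id"] != class_id:
            continue  # not a resource update audit event
        if row["File Type"] != file_type:
            continue  # a different resource type (Filter, Active List, ...)
        when = datetime.strptime(row["End Time"], "%Y-%m-%d %H:%M:%S")
        history[row["File Path"]].append((when, row["Source User Id"]))
    for changes in history.values():
        changes.sort()
    return dict(history)


def multi_user_resources(history):
    """Resources whose updates came from more than one user id."""
    return sorted(p for p, ch in history.items() if len({u for _, u in ch}) > 1)


if __name__ == "__main__":
    hist = modification_history(SAMPLE_CSV)
    for path, changes in sorted(hist.items()):
        print(path)
        for when, user in changes:
            print(f"  {when:%Y-%m-%d %H:%M}  {user}")
    print("Modified by several users:", multi_user_resources(hist))
```

Passing `file_type="Filter"` produces the same history for filters; the user column holds the unique user id, so it still has to be mapped to a login name separately.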
