New Member.

active list -- active channel

is it advisable to use active list in active channel?

I asked my arcsight admin in my team and he said it should not be done.

Respected Contributor.

Re: active list -- active channel

As far as I know, it is not possible to use "inActiveList" conditions in defining an Active Channel. It is also not possible to use filters that are using "in Active list" conditions.

Super Contributor.

Re: active list -- active channel

You can't use inActiveList condition directly in ActiveChannel.

But you can create a GetActiveListValue variable inside your channel. And then use this variable in the ActiveChannel's filter - check it for NULL (variable.<some_field> is not NULL).

Of course this will work only with FieldBased AL with Keys.

Super Contributor..

Re: active list -- active channel

Maxim: Could you explain or illustrate this technique a bit more, as I am not getting it to work.

For example, I want to place a list of userIDs in an Active List, and use that as criteria in an active channel (source user id).

Thanks!


Super Contributor.

Re: active list -- active channel

Hi,

1. Create an ActiveList with KeyFields and fill it with data

AL_Config.png

2. Create ActiveChannel. Inside active channel create new local variable that will pull data from your ActiveList:

Var_Creation.png

3. Finally, put this variable in the ActiveChannel's filter. If you specify the "is NOT NULL" condition, you will get all events with usernames in this ActiveList.

AC_Condition.png

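A small Python model of the three steps above, added here as an illustration and not ArcSight code: a field-based list with a key field, a GetActiveListValue-style lookup variable, and a channel filter of "variable.<field> is NOT NULL". The class and function names, the key_map mapping and the sample watchlist and events are all assumptions made for the example.

```python
# Python model (added illustration, not ArcSight code) of the channel-variable
# technique: look the event's key up in a field-based active list, then filter on
# "variable.<field> is NOT NULL". Names and sample data are assumptions.
from typing import Dict, List, Optional, Tuple


class ActiveList:
    """Field-based active list: key_fields identify an entry, the rest are values."""

    def __init__(self, key_fields: Tuple[str, ...]) -> None:
        if not key_fields:  # only a field-based list with keys supports the lookup
            raise ValueError("lookup by variable needs a field-based list with key fields")
        self.key_fields = key_fields
        self.entries: Dict[tuple, Dict[str, Optional[str]]] = {}

    def add(self, **row: Optional[str]) -> None:
        self.entries[tuple(row[k] for k in self.key_fields)] = row


def get_active_list_value(al: ActiveList, event: Dict[str, str],
                          key_map: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Model of the GetActiveListValue variable: key_map tells which event field
    supplies each list key field. Returns the matching entry, or None (NULL)."""
    key = tuple(event.get(key_map[k]) for k in al.key_fields)
    return al.entries.get(key)


def channel_filter(al: ActiveList, events: List[Dict[str, str]], key_map: Dict[str, str],
                   check_field: str) -> List[Dict[str, str]]:
    """Channel condition 'variable.<check_field> is NOT NULL' applied to each event."""
    kept = []
    for ev in events:
        row = get_active_list_value(al, ev, key_map)
        if row is not None and row.get(check_field) is not None:
            kept.append(ev)
    return kept


# Constructed sample data: a watchlist keyed on userName with a free-text reason column.
WATCHLIST = ActiveList(key_fields=("userName",))
WATCHLIST.add(userName="alice", reason="leaver")
WATCHLIST.add(userName="carol", reason=None)      # entry whose value column is empty

EVENTS = [{"sourceUserName": u} for u in ("alice", "bob", "carol")]
KEY_MAP = {"userName": "sourceUserName"}          # list key field <- event field


def matched_users(check_field: str = "userName") -> List[str]:
    """Users whose events pass the channel filter when NOT NULL is checked on check_field."""
    return [e["sourceUserName"] for e in channel_filter(WATCHLIST, EVENTS, KEY_MAP, check_field)]
```

Checking NOT NULL on a key field (userName) keeps alice and carol, matching what inActiveList would do; checking it on the value column reason silently drops carol because her entry's reason is empty, so the NOT NULL test belongs on a key field.
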
Super Contributor..

Re: active list -- active channel

Thank you Maxim -- I will test this out later today. Just wanted to give thanks in a timely fashion!

d.

Absent Member.

Re: active list -- active channel

This is a pretty interesting idea, I have tested this for a corner use case I was building and found it was actually quite effective!

Super Contributor..

Re: active list -- active channel

Just wanted to follow up again, this is a great example MAXIM. Turns out this technique works for filters, too.

I plan on writing this all up and reposting in a way to make this easier to find (giving full credit), but I wanted to thank you again for your help with this technique.

New Member.

Re: active list -- active channel

Can we create an active list in a filter and then use it in the active channel? I see the option is there.

Acclaimed Contributor.

Re: active list -- active channel

Rakesh Mishra wrote:

is it advisable to use active list in active channel?

I asked my arcsight admin in my team and he said it should not be done.

Hi Rakesh,

To answer your original question specifically, your arcsight admin is correct, it should not be done in the general sense. There are ways around it, as others have mocked up in solid detail for you (i.e. here), but you need to be aware of the consequences.

-Richard

Established Member..

Re: active list -- active channel

Good write-up. I will mention that this is not necessarily best practice and it can cause some unintended consequences. I would suggest double checking your event data when looking at continuously evaluating Active Channels. We have found some unfortunate bugs which essentially cause events to not be visible without a channel restart (specifically related to active list variables in active list filters). I can't add much more detail because we haven't yet found root cause; the case has been open for quite some time now.

Contributor.

Re: active list -- active channel

Hi Rakesh,

What is your use case?
Why do you want the active list to be displayed in active channel?

Active channel is a very good investigation tool for a SOC team to monitor suspicious network events in real time. It will allow them to perform actions like drill down or annotations and so on.

If you just want to display the contents in the active list, using the active channel might be overkill. There are many ways of doing this.

If you do have a good use case, please open a support ticket and ask for a feature request.

In the support ticket, please include this discussion (or URL) because the product team performs their own assessment based on the direction that arcsight roadmap is taking.

I hope this makes sense.

Best regards,

-Alan
