How can I create a rule that will create Cases based on a numbering schema i.e. Case001, Case002 etc
Hello,
I am trying to have ArcSight create cases for our workflow process, and dynamically name those Cases by a Case number such as Case001, Case002, Case003. However I have discovered that ArcSight has no means to track created cases by number and then dynamically name new cases by their number. So this is the process I was developing, I just wanted to see if someone has already successfully done this, and if the process proposed below is viable. I will update shortly after my testing...
Thank you!
Active List: CasesNumbering ActiveList
Fields: IDS Alert Count Constant (keyfield), Null Field, Count(auto)
TTL: 365 Days
Initial Entry: Yes
Active List: Cases ActiveList
Fields: Case Number (key field), Case Name, Creation Date
TTL: 365 Days
Initial Entry: No
Rule #1
Name: Sourcefire Event
Conditions: IDS Alert conditions
Aggregation: 2 matches every 2 minutes on all local variables
Variables: $eventNameAlias, $aggregatedEventCountAlias, $transProtocolAlias
$attackerPortAlias, $deviceClassIDAlias, $deviceSeverityAlias, $targetPortAlias
Actions (on time window expiration):
-Set Relevant Event Fields for the Sourcefire Events
-Add an Entry into CasesNumbering ActiveList (deviceAddress, oldFileName (null))
Rule #2
Name: New Sourcefire Alert
Conditions: event 1 (deviceEventClassID= activelist:103 | fileName = CasesNumbering ActiveList)
event 2 (generatorName= Sourcefire Alert)
join rule (same deviceAddress)
Variables: $caseNumber(alias - event1.deviceCustomNumber1 - global variable)
Aggregation: event1.$caseNumber.event1, event2.(ALL relevant fields)
Actions (on time window expiration):
-Set Event Field (deviceCustomNumber1= $caseNumber | deviceCustomNumber1.Label= Case Number)
-Set Event Field (deviceProcessID= $caseNumber)
-Set Event Field (deviceCustomString2= SOC00$caseNumber | deviceCustomString2.Label = Case Name)
-Create New Case (Name: SOC00$caseNumber | Description: IDS Generated Case)
-Add an Entry into SOC Cases ActiveList (deviceProcessID, deviceCustomString2, endTime)
Alright so I was able to figure this situation out. I have listed out what I did:
Active List 1: This active list maintains a count of any cases that are created. This is accomplished by creating a "Fields-based" active list, with NO key fields. There is only one field, it is an "Address" type field.
With Active Lists, if you add an entry with an identical value as the previous entry, the Active List increments the "count" field of that entry. So by creating a rule that adds a consistently identical value to what is already in the Active List, you can essentially keep a "count".
Rule 1: First rule to identify my events of interest
Rule 1 Conditions: Events of interest (i.e. IDS)
Rule 1 Aggregation: This rule aggregates all the fields I want for later use.
Rule 1 Actions: "Time Window Expiration" trigger. The action is to add the "deviceAddress" field, which is always 127.0.0.1 unless you aggregate it (in which case you need to identify a field that will always be the same), and add this address to Active List 1, thereby incrementing my count.
Rule 2: This rule is a join rule.
Rule 2, Event 1: is triggered when Rule 1 is fired; it looks for Rule 1 as the "Generator Name" as well as a condition of "Correlated Event Count=1." Rule number one generates a number of events, but only the actual correlated events have the "Correlated Event Count" field populated.
Rule 2, Event 2: this event looks for an ArcSight Internal event.
The internal event in particular is the "Device Event Class ID=activelist:103"
The activelist:103 event occurs when an Active List entry has been "updated"
Event 2 also has a condition of "File Name=<Name of ActiveList1>".
Rule 2 Aggregation:
Aggregate on all the Event 1 fields I need for later use (also the same as the Rule 1 aggregation).
Aggregate on Event 2 (the Active List ArcSight internal event), on the "Device Custom Number 1" field, where the activelist event carries the "count" of duplicate entries. Also aggregate on Event2.listCount (local variable, see below).
Rule 2 Variables: Alias local variable for "Device Custom Number 1" field (i.e. "listCount")
Rule 2 Action: Create a new case with case name and $localVariable included to have a dynamic count of cases created based on the conditions being met.
That's how I was able to get this to work... I am open to better suggestions.
Thanks!
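Added example (my own, not ArcSight code and not the poster's): a Python model of the workflow described in both posts above, simulating the counter Active List whose duplicate adds increment the entry count, the activelist:103 internal event carrying that count in deviceCustomNumber1, and the join rule that names the case from it. Assumed: the dict keys used as field names, "Sourcefire Event" as the Rule 1 name, and sequential processing; the zero_pad option is an addition showing that the thread's "SOC00" + count naming loses its fixed width once the count reaches 10.

```python
from dataclasses import dataclass, field

COUNTER_LIST = "CasesNumbering ActiveList"  # list name from the thread
LOOPBACK = "127.0.0.1"  # deviceAddress carried by the correlated event

@dataclass
class ActiveList:
    """No key field: re-adding an existing value bumps its count."""
    name: str
    counts: dict = field(default_factory=dict)
    def add(self, value):
        self.counts[value] = self.counts.get(value, 0) + 1
        # The activelist:103 internal event (modelled as a dict); the entry
        # count rides in deviceCustomNumber1 as the thread describes.
        return {"deviceEventClassId": "activelist:103", "fileName": self.name,
                "deviceAddress": value, "deviceCustomNumber1": self.counts[value]}

def rule1_fire(counter, ids_event):
    """Rule 1 on window expiration: emit the correlated event and add the
    loopback address to the counter list, which increments the count."""
    correlated = {"generatorName": "Sourcefire Event", "correlatedEventCount": 1,
                  "deviceAddress": LOOPBACK, "name": ids_event["name"]}
    return correlated, counter.add(LOOPBACK)

def rule2_join(event1, event2, zero_pad=False):
    """Rule 2: join Rule 1's correlated event with the activelist:103 event for
    the counter list on deviceAddress, then name the case from the count.
    zero_pad is an added option: 'SOC00' + count gives SOC0010 at count 10,
    whereas a fixed-width number keeps case names sortable."""
    if event1.get("generatorName") != "Sourcefire Event" or event1.get("correlatedEventCount") != 1:
        return None
    if event2.get("deviceEventClassId") != "activelist:103" or event2.get("fileName") != COUNTER_LIST:
        return None
    if event1.get("deviceAddress") != event2.get("deviceAddress"):
        return None
    n = event2["deviceCustomNumber1"]
    name = f"SOC{n:03d}" if zero_pad else f"SOC00{n}"
    return {"caseNumber": n, "caseName": name, "description": "IDS Generated Case"}

def run(alert_names, zero_pad=False):
    """Drive the pipeline over constructed alert names in order (sequential model)."""
    counter = ActiveList(COUNTER_LIST)
    cases = []
    for name in alert_names:
        e1, e2 = rule1_fire(counter, {"name": name})
        case = rule2_join(e1, e2, zero_pad=zero_pad)
        if case is not None:
            cases.append(case)
    return cases
```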