
How can I create a rule that will create Cases based on a numbering schema i.e. Case001, Case002 etc


  I am trying to have ArcSight create cases for our workflow process, and dynamically name those Cases by a Case number such as Case001, Case002, Case003. However, I have discovered that ArcSight has no means to track created cases by number and then dynamically name new cases by their number. So this is the process I was developing; I just wanted to see if someone has already successfully done this, and if the process proposed below is viable. I will update shortly after my testing...

Thank you!

Active List: CasesNumbering ActiveList

Fields: IDS Alert Count Constant (keyfield), Null Field, Count(auto)

TTL: 365 Days

Initial Entry: Yes

Active List: Cases ActiveList

Fields: Case Number (key field), Case Name, Creation Date

TTL: 365 Days

Initial Entry: No

Rule #1

Name: Sourcefire Event

Conditions: IDS Alert conditions

Aggregation: 2 matches every 2 minutes on all local variables

Variables: $eventNameAlias, $aggregatedEventCountAlias, $transProtocolAlias

$attackerPortAlias, $deviceClassIDAlias, $deviceSeverityAlias, $targetPortAlias

Actions (on time window expiration):

        -Set Relevant Event Fields for the Sourcefire Events

        -Add an Entry into CasesNumbering ActiveList (deviceAddress, oldFileName (null))


Rule #2

Name: New Sourcefire Alert

Conditions: event 1 (deviceEventClassID= activelist:103 | fileName = CasesNumbering ActiveList)

            event 2 (generatorName= Sourcefire Alert)

            join rule (same deviceAddress)

Variables: $caseNumber(alias - event1.deviceCustomNumber1 - global variable)

Aggregation: event1.$caseNumber.event1, event2.(ALL relevant fields)

Actions (on time window expiration):

        -Set Event Field (deviceCustomNumber1= $caseNumber | deviceCustomNumber1.Label= Case Number)

        -Set Event Field (deviceProcessID= $caseNumber)

        -Set Event Field (deviceCustomString2= SOC00$caseNumber | deviceCustomString2.Label = Case Name)

        -Create New Case (Name: SOC00$caseNumber | Description: IDS Generated Case)

        -Add an Entry into SOC Cases ActiveList (deviceProcessID, deviceCustomString2, endTime)

1 Reply
Absent Member.

Alright so I was able to figure this situation out. I have listed out what I did:

Active List 1: This active list maintains a count of any cases that are created. This is accomplished by creating a "Fields-based" active list with NO key fields. There is only one field, and it is an "Address" type field.

With Active Lists, if you add an entry with an identical value to the previous entry, the Active List increments the "count" field of that entry. So by creating a rule that adds a consistently identical value to what is already in the Active List, you can essentially keep a "count".

Rule 1: First rule to identify my events of interest

Rule 1 Conditions: Events of interest (i.e. IDS)

Rule 1 Aggregation: This rule aggregates all the fields I want for later use.

Rule 1 Actions: "Time Window Expiration" trigger. The action is to add the "deviceAddress" field, which is always the same unless you aggregate it (in which case you need to identify a field that will always be the same), and add this address to Active List 1, thereby incrementing my count.

Rule 2: This rule is a join rule.

Rule 2.Event 1: is triggered when Rule 1 is fired; it looks for Rule 1 as the "Generator Name" as well as a condition of "Correlated Event Count=1." Rule 1 generates a number of events, but only the actual correlated events have the "Correlated Event Count" field populated.

Rule 2.Event 2: this event looks for an ArcSight internal event.

The internal event in particular is the "Device Event Class ID=activelist:103"

The activelist:103 event occurs when an Active List entry has been "updated"

Event 2 also has a condition of "File Name=<Name of ActiveList1>".

Rule 2 Aggregation:

Aggregate on all the Event 1 fields I need for later use (also the same as the Rule 1 aggregation).

Aggregate on Event 2 (the Active List ArcSight internal event) on the "Device Custom Number 1" field, where the activelist event has the "count" of duplicate entries. Also aggregate on the Event2.listCount (local variable, see below).

Rule 2 Variables: Alias local variable for "Device Custom Number 1" field (i.e. "listCount")

Rule 2 Action: Create a new case with case name and $localVariable included to have a dynamic count of cases created based on the conditions being met.

That's how I was able to get this to work... I am open to better suggestions.
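The following is an added illustration and not part of the thread or of ArcSight itself: a small Python model of the two behaviours the reply relies on (an active list that bumps the "count" of an entry when an identical value is added again, and an internal "activelist:103" event carrying that count in Device Custom Number 1), followed by the case-name construction "SOC00$caseNumber" from Rule 2. The `ActiveList` class, the shape of the internal event dictionary, and the sample addresses are assumptions made for the simulation. Running it shows two things a practitioner would want to check before relying on the design: the concatenated name grows to four digits at count 10 ("SOC0010") unless the number is zero-padded to a fixed width, and if the value written to the list differs between firings (for example an un-aggregated deviceAddress), each distinct value gets its own counter and two cases end up with the same name.

```python
"""Model of the active-list case-numbering scheme described above.

Added example, not ArcSight code. It simulates the semantics the reply
describes and is only as accurate as that description.
"""
from dataclasses import dataclass


@dataclass
class ActiveListEntry:
    value: str
    count: int = 0


class ActiveList:
    """Assumed model: re-adding an identical value increments that entry's count
    and emits an internal 'activelist:103' (entry updated) event."""

    def __init__(self, name: str):
        self.name = name
        self.entries: dict[str, ActiveListEntry] = {}
        self.internal_events: list[dict] = []  # constructed internal events

    def add_entry(self, value: str) -> dict:
        entry = self.entries.setdefault(value, ActiveListEntry(value))
        entry.count += 1
        # Field names follow the thread; the exact payload ArcSight emits is an
        # assumption of this model.
        event = {
            "deviceEventClassId": "activelist:103",
            "fileName": self.name,
            "deviceCustomNumber1": entry.count,  # the 'count' Rule 2 aliases as listCount
        }
        self.internal_events.append(event)
        return event


def case_name_concat(count: int, prefix: str = "SOC00") -> str:
    """What the Rule 2 action 'SOC00$caseNumber' produces: plain concatenation."""
    return f"{prefix}{count}"


def case_name_padded(count: int, prefix: str = "SOC", width: int = 3) -> str:
    """Fixed-width alternative that keeps SOC001 ... SOC010 ... SOC999 aligned."""
    return f"{prefix}{count:0{width}d}"


def generate_cases(key_values: list[str]) -> list[str]:
    """Rule 1 fires once per item in key_values and writes that value to the
    numbering list; Rule 2 then names a case from the resulting count."""
    numbering = ActiveList("CasesNumbering ActiveList")
    names = []
    for value in key_values:
        ev = numbering.add_entry(value)
        names.append(case_name_concat(ev["deviceCustomNumber1"]))
    return names


def has_duplicate_names(names: list[str]) -> bool:
    """True when the scheme produced the same case name more than once."""
    return len(set(names)) != len(names)


if __name__ == "__main__":
    # Constructed sample: twelve firings that all write the same constant value.
    same = generate_cases(["10.0.0.1"] * 12)
    print(same)  # ends in 'SOC0010', 'SOC0011', 'SOC0012'
    print([case_name_padded(n) for n in range(1, 13)])
    # Constructed sample: two firings that write different addresses.
    mixed = generate_cases(["10.0.0.1", "10.0.0.2"])
    print(mixed, "duplicate:", has_duplicate_names(mixed))
```

The second sample is the reason the reply insists on a field that is "always the same": the count lives on the list entry, not on the list, so the numbering only stays monotonic while every firing adds the identical value.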


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.