If “Deny Any Any” rules were disabled or “Permit Any Any” deleted.
I think this question is more of a firewalling question. You could know about it and do all the ArcSight stuff with such an event if it is created within your firewall audit protocols.
So the question is: does your firewall support this level of granularity, to write rule enabling/disabling/creation including all the details you need to know (in your case, which rule was modified and which objects - like any/any/any drop - are bound within this rule)?
Check your firewall vendor's documentation for where such events get recorded and whether the ArcSight SmartConnector maps that log source and its event fields.
If not, check whether your firewall's audit events are stored in a fashion a FlexConnector could get to (XML, database, file, trap creation on firewall...).
Possibly not your expected solution, but I think it is the best one could say on that question.
Hope that helps you a step further,
Thank you so much for replying. Yeah, it's regarding firewall auditing; in our organization we have Sidewinder, Cisco and Juniper firewalls. I will ask for the documentation and check if auditing supports these events or not. An ArcSight admin I know also suggested that I check ACS logs, as he can check access-list through ACS logs only. I will have to integrate ACS with ArcSight first. I will let you know once I finish it.
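
An added example, not part of the original posts and not ArcSight connector code: a Python check for the kind of audit event discussed in this thread, run over constructed Cisco IOS syslog lines. It assumes the device sends configuration change logging to syslog (the `%PARSER-5-CFGLOG_LOGGEDCMD` message); the function name and sample hosts and users are hypothetical, and Sidewinder and Juniper record rule changes in different formats.

```python
import re

# Cisco IOS configuration-change logger message. The device must have
# "archive / log config / notify syslog" enabled for these to be emitted.
CFGLOG = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$"
)
# Catch-all ACL entry, numbered form ("access-list 101 deny ip any any") or
# the bare form typed inside a named-ACL submode ("no deny ip any any").
CATCH_ALL = re.compile(
    r"^(?P<no>no\s+)?(?:access-list\s+(?P<acl>\S+)\s+)?(?:\d+\s+)?"
    r"(?P<action>permit|deny)\s+ip\s+any\s+any\b",
    re.IGNORECASE,
)

def catch_all_changes(lines):
    """Return one finding per logged command that adds or removes a catch-all rule."""
    findings = []
    for line in lines:
        event = CFGLOG.search(line)
        if not event:
            continue  # not a config-change audit event
        rule = CATCH_ALL.match(event.group("cmd").strip())
        if not rule:
            continue  # config change, but not an any/any rule
        findings.append({
            "user": event.group("user"),
            "acl": rule.group("acl") or "(ACL submode)",
            "rule": rule.group("action").lower() + " ip any any",
            "change": "removed" if rule.group("no") else "added",
        })
    return findings

# Constructed sample lines (hostnames, users and ACL numbers are made up).
SAMPLE = [
    "Mar  3 10:15:01 fw1 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no access-list 101 deny ip any any",
    "Mar  3 10:15:09 fw1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:access-list 101 permit ip any any",
    "Mar  3 10:16:30 fw1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:interface GigabitEthernet0/1",
    "Mar  3 10:17:02 fw1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:access-list 102 permit tcp any host 10.0.0.5 eq 443",
]

if __name__ == "__main__":
    for finding in catch_all_changes(SAMPLE):
        print(finding)
```

If the firewall does not emit an event that carries the full command text like this, there is nothing for a connector to map, which is the granularity question raised in the answer above.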