Hi
I have events in CEF format that the flex connector sends to ArcSight (I checked through the active channel - everything arrives exactly as it was intended). I want to add these events to the active list, and for this I created a lege rule that receives events with Device Vendor AlienVault and Device Product OTX fields and adds these events to the active list. The list is event-based, but here is the rule itself:

event1 : (
    DeviceVendor = AlienVault
    AND
    Device Product = OTX
)

I can't figure out why it doesn't work, please tell me. Could the problem be in the rule or in the creation of the list?
Thanks in advance
Bohdan