Hi
I have a connector that sends events in CEF format to ArcSight.
I created an active list and defined a rule that listens for events with the fields Device Vendor = AlienVault and Device Product = OTX and adds them to the active list. Everything works correctly, but some time after the first events are added to the list, the rule's icon changes its appearance and the rule stops working.
I will briefly describe my implementation steps:
Rule type: standard
Condition:
  event1 : (
    Device Vendor = AlienVault
    AND
    Device Product = OTX
  )
Action: on each event, add to the active channel
Aggregation:
  number of matches: 1
  time frame: 2 minutes
  aggregate only if these fields are identical:
    event1.Device External ID
    event1.Name
    event1.Device Event Class ID
    event1.Device Custom Date1
    event1.Destination Address
    event1.Device Custom Number1
    event1.Device Custom String4
    event1.Device Custom String3
    event1.Device Custom Date2
    event1.Device Product
    event1.Device Vendor
2-3 minutes after the first events are received in the active list, the rule itself changes its appearance and stops working.
What is the problem and how to solve it?
Thank you in advance
Bohdan
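To make the condition and aggregation in the post concrete, here is an added example (not part of the post and not ArcSight's correlation engine): a small Python model that parses CEF lines, applies the Device Vendor = AlienVault AND Device Product = OTX condition, and groups matches by the listed "identical" fields within a 2-minute window. The mapping of those fields to CEF keys (deviceExternalId, dst, cn1, cs3, cs4, deviceCustomDate1/2, rt) and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified model of the rule in the post, not ArcSight's engine (assumption).
# CEF header: CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|ext
HEADER_FIELDS = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
# The post's "identical fields", mapped to CEF header fields and extension keys.
AGG_KEYS = ("deviceExternalId", "name", "sig_id", "deviceCustomDate1", "dst",
            "cn1", "cs4", "cs3", "deviceCustomDate2", "product", "vendor")
WINDOW = timedelta(minutes=2)

def parse_cef(line):
    """Split one CEF line into a dict; handles escaped '|' and '='."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    event["version"] = event["version"][4:]
    # Extension: key=value pairs; a value runs until the next " key=" token.
    for key, val in re.findall(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", parts[7]):
        event[key] = val.replace(r"\=", "=").replace("\\\\", "\\")
    return event

def matches(event):
    """Condition: Device Vendor = AlienVault AND Device Product = OTX."""
    return event.get("vendor") == "AlienVault" and event.get("product") == "OTX"

def aggregate(lines):
    """Fire once per distinct aggregation key per 2-minute window (1 match)."""
    fired, window_start = [], {}
    for line in lines:
        ev = parse_cef(line)
        if not matches(ev):
            continue
        ts = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)  # rt in ms
        key = tuple(ev.get(k) for k in AGG_KEYS)
        start = window_start.get(key)
        if start is None or ts - start >= WINDOW:
            window_start[key] = ts
            fired.append(key)
    return fired

# Constructed sample events (not real OTX output), incl. escaped '|' and '='.
SAMPLE_EVENTS = [
    "CEF:0|AlienVault|OTX|1.0|100|Pulse hit|5|deviceExternalId=otx-1 dst=203.0.113.10 cn1=42 cs3=pulse cs4=malware rt=1700000000000",
    "CEF:0|AlienVault|OTX|1.0|100|Pulse hit|5|deviceExternalId=otx-1 dst=203.0.113.10 cn1=42 cs3=pulse cs4=malware rt=1700000060000",
    "CEF:0|AlienVault|OTX|1.0|100|Pulse hit|5|deviceExternalId=otx-1 dst=203.0.113.10 cn1=42 cs3=pulse cs4=malware rt=1700000120000",
    "CEF:0|Other|OTX|1.0|100|Pulse hit|5|deviceExternalId=otx-2 dst=203.0.113.11 rt=1700000000000",
    r"CEF:0|AlienVault|OTX|1.0|100|Pulse \| hit|5|deviceExternalId=otx-3 dst=203.0.113.12 cs3=a\=b rt=1700000000000",
]
```

Running `aggregate(SAMPLE_EVENTS)` fires three times: the first event, the third (same key, exactly 2 minutes later), and the escaped-name event; the second event falls inside the open window and the non-AlienVault event never matches the condition.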