Comparison of a specific random event field with the active list

Hi

Maybe someone had to face a similar problem. I need help describing a rule that will compare a specific event field with a specific column in the active list.

The first question: is it possible to implement?

I've looked at ArcSight's built-in rules that interact with active lists in some way, but I still don't understand how it works.

I've read that this may require defining local variables for the rule, or is it possible to do without them?

Can someone explain this with an example?

I just need to take a certain field from the incoming events and compare it to a column in the active list.

Mostly it is an IP address.


Thank you in advance!

Bohdan


    Hey Bohdan, list lookups require you to specify all the key fields you want to look up (for lists with keys). You can edit the list and have a look at the list definition to find out which ones are the keys.
    For lists without keys you need to specify all fields to determine if the record is in the list or not.
    If it is an Event Based List, you would need the event to have the fields populated in the same fields as written to the list.
    If it is a Field Based List, there is a bit more flexibility and you need to specify which event field to use to look up each field in the list.

    Have a go, it makes sense once you try it out.

    Cheers!
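
The lookup rules described in the reply above, sketched as a small Python model. This is an added illustration, not ArcSight code and not part of the original posts; the class, the column names, the event field names and the sample values are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ActiveListModel:
    """Toy model of the lookup semantics from the reply; not an ArcSight API."""
    columns: tuple            # every column in the list definition
    key_columns: tuple = ()   # empty tuple models a list without keys
    rows: list = field(default_factory=list)  # each row: dict column -> value

    def lookup_columns(self):
        # Keyed list: match on every key column.
        # List without keys: match on every column.
        return self.key_columns or self.columns

    def contains(self, event, mapping=None):
        """mapping is {list column: event field} (field-based style).
        With mapping=None the event must carry fields named exactly like
        the list columns (event-based style)."""
        needed = self.lookup_columns()
        mapping = mapping or {c: c for c in needed}
        missing = [c for c in needed if c not in mapping]
        if missing:
            raise ValueError(f"no event field mapped for list column(s): {missing}")
        probe = {}
        for col in needed:
            value = event.get(mapping[col])
            if value is None:   # event field not populated: cannot match
                return False
            probe[col] = value
        return any(all(r.get(c) == v for c, v in probe.items()) for r in self.rows)

# Constructed sample data (documentation IP ranges).
SUSPECT_IPS = ActiveListModel(columns=("ip", "reason"), key_columns=("ip",),
                              rows=[{"ip": "203.0.113.7", "reason": "scanner"}])
KEYLESS = ActiveListModel(columns=("ip", "port"),
                          rows=[{"ip": "198.51.100.9", "port": 22}])
EVENT = {"sourceAddress": "203.0.113.7",
         "destinationAddress": "198.51.100.9", "destinationPort": 22}

def demo():
    return {
        # Keyed list: only the key column "ip" has to be supplied.
        "src_in_list": SUSPECT_IPS.contains(EVENT, {"ip": "sourceAddress"}),
        "dst_in_list": SUSPECT_IPS.contains(EVENT, {"ip": "destinationAddress"}),
        # Event-based style: the event has no field named "ip", so no match.
        "same_name_lookup": SUSPECT_IPS.contains(EVENT),
        # List without keys: every column must be mapped and must match.
        "keyless_all_fields": KEYLESS.contains(
            EVENT, {"ip": "destinationAddress", "port": "destinationPort"}),
    }

if __name__ == "__main__":
    print(demo())
```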