• RE: Filter does work, but the rule - not

    Thank you Edouard, and to add on, here is the link to the corresponding best practices article, incl. video: How to create an Activate Framework Product Package - Video
  • P-Pulse Secure

    This is the official forum for discussing the basic ArcSight Activate P-Pulse Secure product package as described in the wiki.
  • ArcSight Content Brain Assessment

    We have a new Content Brain tool to help you navigate all of the free content packages available in the Activate Framework and Marketplace. More details here! The ArcSight ESM SIEM sits at the center of an intelligent SOC. It’s often the only tool…
  • P-HPE Atalla HSM

    This is the official forum for discussing the P-HPE Atalla HSM Product package, as described in the Activate Wiki.
  • L2-Entity Monitoring - Situational Awareness

    This is the official forum for discussing the ArcSight Activate L2-Entity Monitoring - Situational Awareness package, as described in the Activate Wiki.
  • L1-Entity Monitoring - Indicators and Warnings

    This is the official forum for discussing the ArcSight Activate L1-Entity Monitoring - Indicators and Warnings package, as described in the Activate Wiki.
  • Activate 2.0.0.0 Export now available on marketplace!

    If you want offline access to the current content in the wiki go over to the marketplace to download it! Install instructions (this is assuming you already have foswiki installed): Download the tarball from marketplace If you want to keep the…
  • Activate Install Scripting

    Great next steps on the Package Install Script -- the inclusion of a shell script and the obfuscation of the password are excellent ideas. I got one more -- adding a prompt for the local ESM console directory. That way we can limit interacting with…
  • When creating content for ArcSight Activate, can you prevent others from accessing the content you have created?

    I am researching ArcSight Activate, and I am curious if the content you create is available to everyone who uses Activate, is access restricted based on deployment with the option to publish to ALL Activate users, or at the time that you publish your…
  • L2-Data Security Monitoring - Encryption - Situational Awareness

    This is the official forum for discussing the basic ArcSight Activate L2-Data Security Monitoring - Encryption - Situational Awareness package, as described in the Activate Wiki. Roadmap: Data at Rest Suspicious Encryption Activities …
  • L1-Data Security Monitoring - Encryption - Indicators and Warnings

    This is the official forum for discussing the basic ArcSight Activate L1-Data Security Monitoring - Encryption - Indicators and Warnings package, as described in the Activate Wiki. Roadmap: Below are the initial use case and user story ideas…
  • Missing dcString1 GV

    Unfortunately, /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dcString1 global variable (GV) disappeared in one of the recent updates. Here is a package with the missing GV. We will be posting Activate Base 2.5.0.0 soon, but…
  • P-Blue Coat Proxy

    This is the official forum for discussing the basic ArcSight Activate P-Blue Coat Proxy product package as described in the Activate Wiki.
  • P-Sourcefire FireSIGHT

    This is the official forum for discussing the basic ArcSight Activate P-Sourcefire FireSIGHT product package as described in the Activate Wiki.
  • P-Linux

    This is the official forum for discussing the basic ArcSight Activate P-Linux product package as described in the Activate Wiki.
  • L2-User Monitoring - Situational Awareness

    This is the official forum for discussing the ArcSight Activate L2-User Monitoring - Situational Awareness package, as described in the Activate Wiki.
  • L1-User Monitoring - Indicators and Warnings

    This is the official forum for discussing the ArcSight Activate L1-User Monitoring - Indicators and Warnings package, as described in the Activate Wiki.
  • Palo Alto Networks Forum and Change Lists

    This is the official forum for discussing the basic ArcSight Activate P-Palo Alto Networks product package.
  • L2-Host Monitoring - Situational Awareness

    This is the official forum for discussing the basic ArcSight Activate L2-Host Monitoring - Situational Awareness package, as described in the Activate Wiki.
  • L1-Host Monitoring - Indicators and Warnings

    This is the official forum for discussing the basic ArcSight Activate L1-Host Monitoring - Indicators and Warnings package, as described in the Activate Wiki.
  • P-Palo_Alto_Networks.arb

    P-Palo_Alto_Networks Activate package Built around Activate 1.0.0.1 and PAN OS 6.x Mostly Filters for inclusion in other global Activate filters Includes 3 pre-persistence rules built to extract user/device login/logoff info from PA logon/logoff events…
  • P-Symantec_EndPoint_Protection.arb

    P-Symantec_Endpoint_Protection Built around Activate 1.0.0.1 and Symantec v12.x, mostly filters.
  • Problem with event annotation and mark similar events

    I've set a mark similar events with the criteria of name EQ "test correlation event". Events that match this criteria will be placed in the Level 1 Investigating stage. If the "test correlation event" triggers with the default Queued stage. This mark…
  • Activate Development

    Hey everyone, Here is all the information I have on what packages are being developed or have been requested. It is incomplete, and probably out of date. Please update accordingly. I've made a few changes to match changes to Activate, such as changing…
  • P-McAfee_ePO_1.0.0.2.arb

    The McAfee ePO package is to be used in conjunction with the Malware Solution Pack. Installation instructions are provided within the wiki under the Security Technology Monitoring section. Note: If you have access to McAfee ePO and are well…