
L1-Network Monitoring - Indicators and Warnings

This is the official forum for the discussion of the L1-Network Monitoring - Indicators and Warnings package.


The installation/update package will be available from the ArcSight Marketplace. All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight?tab=categories).


The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1NetworkMonitoring.

--
Prentice S. Hayes
Principal Product Manager | Cybersecurity Enterprise, Security Analytics
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

I believe I have found another bug in this package which is resulting in the message being incorrectly set for High IDS Severity Events. The message is supposed to be set to the event name along with the Rule ID, which is in Device Event Class ID. This is working for Very-High events, but not High ones. I believe the reason is that the aggregation criteria are different between the two rules. In addition to the fields aggregated on for High Events, Very-High also has event1.Device Event Class ID and event1.Request Url as two additional fields.

I can confirm that adding the Device Event Class ID resolves the issue with the message field.
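The behaviour discussed in this thread, as an added example that is not code from the package or from either poster: a small model of correlation-rule aggregation in which only the aggregated fields are carried into the correlated event, so a message that references Device Event Class ID is only complete when that field is part of the aggregation criteria. The field names assumed for the High rule's criteria and the sample events are constructed, not taken from the package.

```python
"""Model of how an ArcSight-style correlation rule builds its message from
aggregated events. Constructed example; not code from the package or thread."""

# Constructed sample IDS events (values are made up, not from the thread).
EVENTS = [
    {"name": "Suspicious Inbound Scan", "deviceEventClassId": "RULE-1001",
     "severity": "High", "sourceAddress": "10.0.0.5", "requestUrl": None},
    {"name": "Suspicious Inbound Scan", "deviceEventClassId": "RULE-1001",
     "severity": "High", "sourceAddress": "10.0.0.5", "requestUrl": None},
    {"name": "Exploit Attempt", "deviceEventClassId": "RULE-2002",
     "severity": "Very-High", "sourceAddress": "10.0.0.9", "requestUrl": "/admin"},
]

# Assumed aggregation criteria: the High rule groups on these fields only.
HIGH_KEY = ("name", "severity", "sourceAddress")
# The Very-High rule additionally aggregates on the two fields named in the thread.
VERY_HIGH_KEY = HIGH_KEY + ("deviceEventClassId", "requestUrl")


def aggregate(events, key_fields):
    """Group events by key_fields. Only the aggregated fields are carried
    into the correlated event; every other field is dropped."""
    buckets = {}
    for ev in events:
        key = tuple(ev.get(f) for f in key_fields)
        bucket = buckets.setdefault(
            key, {"fields": dict(zip(key_fields, key)), "count": 0})
        bucket["count"] += 1
    return list(buckets.values())


def build_message(correlated):
    """Message = event name plus the rule ID taken from Device Event Class ID."""
    fields = correlated["fields"]
    rule_id = fields.get("deviceEventClassId")
    if rule_id is None:  # not aggregated on, so unavailable to the rule action
        return f"{fields['name']} [rule id unavailable]"
    return f"{fields['name']} [{rule_id}]"


def rule_messages(events, severity, key_fields):
    """Run one rule: filter by severity, aggregate, then build the messages."""
    matched = [ev for ev in events if ev["severity"] == severity]
    return [build_message(c) for c in aggregate(matched, key_fields)]


if __name__ == "__main__":
    print("High, original criteria:", rule_messages(EVENTS, "High", HIGH_KEY))
    print("High, with the fix:", rule_messages(EVENTS, "High", HIGH_KEY + ("deviceEventClassId",)))
    print("Very-High:", rule_messages(EVENTS, "Very-High", VERY_HIGH_KEY))
```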
