• Executing Integration Command with Parameters Using a Rule

    Hello, I'm new to the ArcSight platform and need assistance with a requirement. Specifically, I want to execute a script and store the results in a lookup file. Here's the overall workflow: I have created a rule that is scheduled to trigger every…
  • Incorrect encoding of the event fields in the mail

    ArcSight is installed on CentOS 7. The console interface is in English, but I use Ukrainian names for rules and filters. Emails are sent using our own Velocity templates, and additionally the email contains fields with the names…
  • Comparison of a specific random event field with the active list

    Hi. Maybe someone has faced a similar problem. I need help describing a rule that will compare a specific event field with a specific column in the active list. The first question: is it possible to implement? I've looked at ArcSight's built-in…
  • Active lists and correlation rules

    Hi. There is a Python script that receives data from an external resource, processes this data and saves it in the appropriate files. From these files, the flex connector (regex file) receives the processed information in CEF format and sends it to ArcSight…
  • Use the active list to detect suspicious IP addresses in any event and change the criticality level to maximum

    Hi. Help me implement the mechanics of detecting suspicious addresses in arbitrary events using an active list. Now I'm trying to describe a rule that will compare the Indicator Value list column and the Device Address field of the event, and if there…
  • The rule for adding events to the active list in real time stops working after the first run

    Hi. I have a connector that sends events in CEF format to ArcSight. I created an active list and described a rule that listens for events with the fields Device Vendor = AlienVault and Device Product = OTX and adds them to the active list. Everything…
  • Rule to add events to active list

    Hi. I have events in CEF format that the flex connector sends to ArcSight (I checked through the active channel; everything arrives exactly as intended). I want to add these events to the active list, and for this I created a lege rule that receives…
  • Intentional delay in the connector destination?

    Hi everyone, I have a native 365 Defender connector; it looks for incidents in the API. I noticed that I have 2 types of events in the eventOutcome field, "New" and "Resolved" incidents; resolved events are incidents automatically handled by Defender…
  • Rules for DDoS attack

    Hi, how can I create a rule in ESM for a DDoS attack? What conditions and correlation can I use? Thanks
  • Creating a DCSync Detection rule

    I'm working on a rule to detect DCSync attacks. I did the following: External ID = 4662, Target Username Not EndsWith $, Device Vendor includes Microsoft, Original Agent Type = winc, but I found other values on the internet which I have to include…
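As an added example, not part of the original post and not ArcSight content: the poster's four conditions evaluated offline in Python over constructed CEF records, with a small CEF parser (header fields split on unescaped pipes; extension key=value pairs with `\=` and `\\` unescaped). The key mapping is an assumption: External ID as `externalId`, Target Username as `duser`, Device Vendor from the CEF header, and the agent type in an assumed extension key `at`; the key your connector actually populates for Original Agent Type may differ. The additional values the poster says still need to be included are not part of this example.

```python
import re
from typing import Dict, List

# Constructed sample CEF records (not real logs). Key mapping is an assumption:
# externalId = External ID, duser = Target Username, at = agent type.
SAMPLE_CEF = [
    r"CEF:0|Microsoft|Microsoft Windows|7|4662|An operation was performed on an object|Low|externalId=4662 duser=svc-backup dhost=DC01 at=winc",
    r"CEF:0|Microsoft|Microsoft Windows|7|4662|An operation was performed on an object|Low|externalId=4662 duser=DC01$ dhost=DC01 at=winc",
    r"CEF:0|Microsoft|Microsoft Windows|7|4624|An account was successfully logged on|Low|externalId=4624 duser=svc-backup dhost=DC01 at=winc",
    r"CEF:0|Microsoft|Microsoft Windows|7|4662|Object access \| audit|Low|externalId=4662 duser=jdoe dhost=DC01 at=winc msg=Operation on object cn\=krbtgt",
    r"CEF:0|Microsoft|Microsoft Windows|7|4662|An operation was performed on an object|Low|externalId=4662 duser=jdoe dhost=DC01 at=syslog",
]

HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct",
                 "deviceVersion", "signatureId", "name", "severity")

# An extension value runs until the next "<space>key=" or the end of the record.
# An escaped "\=" inside a value does not end it, because "\" is not a \w char.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF record into a flat dict of header and extension fields."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    # Header fields escape "|" and "\" with a backslash.
    event = {k: re.sub(r"\\([\\|])", r"\1", v)
             for k, v in zip(HEADER_FIELDS, parts[:7])}
    event["cefVersion"] = event["cefVersion"][len("CEF:"):]
    # Extension values escape "=" and "\" with a backslash.
    for key, value in _EXT_PAIR.findall(parts[7]):
        event[key] = re.sub(r"\\([\\=])", r"\1", value)
    return event


def matches_dcsync_rule(ev: Dict[str, str]) -> bool:
    """The poster's conditions: event 4662, target user is not a machine
    account (no trailing "$"), vendor contains Microsoft, event arrived via
    the Windows connector. The target-user field must be present (assumption)."""
    duser = ev.get("duser", "")
    return (ev.get("externalId") == "4662"
            and bool(duser) and not duser.endswith("$")
            and "Microsoft" in ev.get("deviceVendor", "")
            and ev.get("at") == "winc")


def run_rule(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that satisfy the rule, in input order."""
    return [ev for ev in map(parse_cef, lines) if matches_dcsync_rule(ev)]


if __name__ == "__main__":
    for ev in run_rule(SAMPLE_CEF):
        print("DCSync candidate:", ev["duser"], "on", ev.get("dhost"), "-", ev["name"])
```

Of the five constructed records only the first and fourth fire: the second is excluded by the machine-account `$` suffix, the third by the event ID, and the fifth because it did not come through the Windows connector. The fourth record also exercises the escaping rules (a `\|` in the header name and a `\=` in `msg`), which is where a hand-written regex parser in a flex connector most often goes wrong.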
  • How to create a rule for accounts with no activity for more than 60 days?

    Hello people, I'm trying to create a rule for accounts that have not been active for more than 60 days. I tried to make a join rule, but due to resource limitations I can't keep the rule open for 60 days. The second attempt was to create a session list that…
  • ESM rules best practices

    Hello, what is better to have: 100 rules with simple logic (like 1 filter and 1 field condition), or 1 rule with 1 filter but 100 OR statements? The vendor is the same, but we want to alert on each CustomString1 value.
  • Notification when a device stops sending logs to a connector

    Hello, can someone help with a rule that can be created for when a device stops sending logs to a connector in the ArcSight Console, even when the connector is active and running?
  • Manually trigger rules

    Good morning, I want to know if there's a way to manually trigger a rule instead of waiting for an event to happen. Is this possible? Thanks
  • Search ESM for Rules and Filters using specific conditions

    I'm trying to avoid having someone open and review hundreds of rules manually to find some mistaken criteria used in a number of rules modified over a long period of time. I need to search an ESM 6.9.1 instance for rules or filters that use a specific…
  • Sigma rules guide: threat hunting for ESM, ArcSight Command Center and Logger

    Hello dear community, as you know ArcSight ESM is only as smart as the content that we build there. After sharing hundreds of rules over the last 2 years in response to WannaCry, NotPetya, Bad Rabbit, etc., we quickly came to the realization that there is a…
  • Where did rule testing go to?

    I have events that should be matching a simple rule, but are not. It's been a while, and I don't remember the specifics, but it was possible to choose an event and then see what parts of a rule (or filter) were matched. It would show a rule or filter…
  • ESM 6.9 REST API - Is there a way to get Conditions and Actions for a specific Rule?

    Hi, I want to get Conditions and Actions from a specific Rule via the REST API to generate a report with this information so we can compare changes and differences on each generated report. It'd be good to have the information displayed as when editing 'Rule…
  • Question: How to export rule definition automatically in HTML or XML formatted file

    Dear all, I need to find a way to export the rule definitions of all our rules in the ArcSight ESM 6.91 content in a structured format into an HTML or XML file. Currently I can achieve this manually via the rule context menu. When I select a rule I can…
  • Use Local Variables On Set Event Field Within A Join Rule

    Hello, I have a rule question about using variables from two events. Overview: I wish to create one event which has the information of several other events contained within it. With the help of other Protect724 users I have achieved this to some degree…
  • Historical Correlation

    What if I deployed or designed a new use case and I want to know if my company was exposed to the threat in the past? While working with ArcSight, a lot of people wonder whether there is a way to realize historical correlation. They even have several…
  • rule to monitor devices in reporting in particular time frame

    Hi Team, I want to create a rule to monitor devices reporting to ESM within the last 1 hour, and if any device is not reporting, the rule will trigger an alert. Does anyone have an idea how to create such a rule? Thanks & regards, Kalpesh Satardekar
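An added example, not from the original posts and not ArcSight content, covering both this request and the earlier "Notification when a device stops sending logs to a connector" thread. The point it makes is that no rule can fire on an event that never arrives: a silence check needs an inventory of the devices that are supposed to report (in ESM terms, an active list keyed on Device Address) plus a last-seen timestamp per device, evaluated on a schedule rather than on event arrival. The event feed, device addresses, timestamps and the one-hour window below are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample feed: (event time, Device Address). Not real traffic.
# The last entry arrives out of order and must not overwrite a newer last-seen.
SAMPLE_EVENTS = [
    ("2024-05-01T09:05:00", "10.0.0.11"),
    ("2024-05-01T09:40:00", "10.0.0.12"),
    ("2024-05-01T10:10:00", "10.0.0.11"),
    ("2024-05-01T10:20:00", "10.0.0.13"),
    ("2024-05-01T08:55:00", "10.0.0.12"),
]

# Inventory of devices that are expected to report (the active list, in ESM
# terms). Without it a device that has never sent anything is invisible.
EXPECTED_DEVICES = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"}


def last_seen(events: Iterable[Tuple[str, str]]) -> Dict[str, datetime]:
    """Newest event time per device; tolerates out-of-order delivery."""
    seen: Dict[str, datetime] = {}
    for ts, dev in events:
        t = datetime.fromisoformat(ts)
        if dev not in seen or t > seen[dev]:
            seen[dev] = t
    return seen


def silent_devices(expected: Iterable[str], seen: Dict[str, datetime],
                   now: datetime,
                   window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Devices in the inventory with no event inside `window` before `now`,
    each with a reason; sorted so the alert output is stable run to run."""
    out: List[Tuple[str, str]] = []
    for dev in sorted(expected):
        t = seen.get(dev)
        if t is None:
            out.append((dev, "never reported"))
        elif now - t > window:
            out.append((dev, "last event " + t.isoformat(timespec="minutes")))
    return out


def check(now_iso: str) -> List[Tuple[str, str]]:
    """Run the scheduled check at a given wall-clock time over the sample feed."""
    return silent_devices(EXPECTED_DEVICES, last_seen(SAMPLE_EVENTS),
                          datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for dev, why in check("2024-05-01T10:50:00"):
        print("no logs from", dev + ":", why)
```

Run at 10:50 the check reports 10.0.0.12 (last event at 09:40, outside the one-hour window) and 10.0.0.14 (in the inventory, never seen); at 10:30 only 10.0.0.14 is reported. The same structure maps onto ESM: a rule that touches the list entry's timestamp on every event from a device, and a scheduled rule that alerts on entries older than the window. The connector being up tells you nothing here, which is exactly the case the earlier thread describes.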
  • Attribute "ManagerID" must be declared for element type "Resource"

    I am getting the following error while creating a Rule (Standard Rule) in ESM which has an action "Add to Active List" on every event: com.arcsight.server.rules.resource.a: com.arcsight.rulesengine.opsj.OPSJRulesBuilderException: com.arcsight.tools.query…
  • Why is my rule only working in test (Verified Rules)?

    I made a rule, and when I click Test, I can create an active channel that is very limited (read-only fields) and based on a replay. The correlation events are being shown, but when I create a regular active channel with condition Generator ID: [ruleGeneratorId…