• Global variables in ArcSight

    Hello. Perhaps a slightly incorrect question, but nevertheless. Can I use global variables in ArcSight - is this a best practice? Thank you in advance Bohdan
  • Match event to two Active List columns

    I wanted to know if anyone has ever been successful matching two active list fields (one key and one non-key) to one event field for a report. In a nutshell, if I have an active list showing domain location and domain name(mapping to attacker or target…
  • Out of hours login variable logic

    Hello Community, I am hoping someone could assist with a logic problem I am having. Overview I would like to create a rule that alerts me if a user has logged in outside of the hours of 06:00-18:00 and if they login on at any time during Saturday and Sunday…
  • Use Local Variables On Set Event Field Within A Join Rule

    Hello, I have a rule question about using variables from two events. Overview I wish to create one event which has the information of several other events contained within it. With the help of other Protect724 users I have achieved this to some degree…
  • Personal Active Channel Using Variables

    Hi, I would like to create Active Channels for L1 and L2 Analysts based on Event Stages. The following conditions work great: ( Event Annotation Stage User Name = myusername AND Event Annotation Stage = (" Level 1 Investigating ") ) However, instead creating…
  • Is it possible to display a variable in a custom column?

    I am creating Custom Columns for an Active Channel. I don't want to display msec. I have created a variable that converts to minutes.seconds. Is it possible to display my variable in a custom column? It wasn't available for selecting (no variable appear…
  • Maximum number of variables in Rules

    Hi all, does anyone know the maximum number of variables in Rules? Thanks
  • Trying to convert a list intersection result into a string?

    Using ArcSight Console Version 6.8.0.2108.2 Problem: I am using a rule to populate an active list. Using local variables I am trying to find the intersection between two lists and display that in the active list after converting it to a string. Example…
  • Accessing the $CurrentUser variable

    Hi there, Has anyone figured out how to resolve the $CurrentUser variable anywhere other than in a Query AND anything other than the one time you hit 'apply'. The variable exists but it's not usable like other variables in channels etc. I have attempted…
  • Using local variable If statement to populate field

    Maybe I'm going about this the wrong way. I have syslog that is coming in but it isn't parsing well. When a user has a failed login this event ends with Failure. Since these aren't parsing well, my categoryOutcome field doesn't populate Failure. So…
  • Field Breaking into parts question

    Hi, I need some help in breaking one field data into several, to be able later to enter this data to active list. In exchange mail tracking log I have Destination User Name where I get recipients emails in the following format: user1@hotmail.com ; t.user2…
  • global variable selector problem

    Hi, I created a query that matches a filter I created. But I want to add a global variable (TotalBytes) to this query. When I select the variable and add to fields it adds; however, when I click the apply button in query it disappears. Tried several times…
  • Is it Possible to Extract a Substring using Evaluate Velocity Template Variable

    Hi All, I am looking forward to extract an "IP Address" from the field named "File name" using Evaluate Velocity Template variable. The event in the field looks like "UseCase - 1.1.1.1 xxxxxx" where "xxxxx" may be any random string which may/may not be…
  • Can a global variable be incorporated in an email body message?

    Hello guys, Can a variable be incorporated in the body of an email message? Instead of populating event fields (deviceCustom fields for example) with the variable value. Alternatively, is it possible to change the display name of the arcsight event fields…
  • Auto-assign arcsight user to a case

    So I've got a use case where it would be beneficial to have the ability to automatically assign cases to whoever is on call for the day rather than doing it the manual way. Has anyone ever looked into doing something like this using a variable, active…
  • How can I use the count value from an AL in a variable

    I'm trying to get the count value from an Active List, to calculate the Average value of a field. Active List has 3 fields: Destination Address; Total Traffic (numeric); Average Traffic; The math I'd like to do, using variables, is: Total Traffic/COUNT…
  • How to convert day number to date

    How can I convert day number to date on flexConnector level or using Global Variable?
  • Manipulate $CurrentUser and $Now in a Global Variable

    Does anyone know if there is a way to manipulate $CurrentUser and $Now in global variables? I tried to access them in String->EvaluateVelocityTemplate but I get an error saying they aren't defined. Related to this, is it possible to extract any of the…
  • Adding Variables to Active Lists via Lightweight rules

    Anybody know if this is possible? Cheers
  • Function GetHour gives incorrect Time Zone

    In a query, we are using a local variable GetHour and GetDayofYear functions. When we run the report, it is getting the hour and day of year based on GMT vs local time. Our local time zone is HST. Timestamp: End Time I have tried all the time zone options…
  • Expression for local variables in ESM rules

    Hi, would anyone know where I can find what functions and operands are available in expression for local variables in ESM rules. Is it simply REGEX? Thanks. Johnny
  • Trouble with function get active list value

    I'm having trouble with function GetActiveListValue, I have a List with 3 fields one Number(Long), and 2 Strings, but when I use this function and I want to use the values that are on the list I apply this function I don't get the values and I get an empty…
  • ArcSight Variables And Operators HOWTO

    Hi guys, Another in the series of HOWTO's this time talking about ArcSight Variables and Operators. In this series we look at: EvaluateVelocityTemplate JavaMathematicalExpression Like Operator Matches Operator As always, please feel free to provide any…
  • Referencing "get_activelist_value" variable

    I have to be doing something silly, so I'm hoping that folks out there can help me figure this one out. I'm trying to use the values retrieved from a get_activelist_value variable within some variable assignments for a rule I am building, but I can't…
  • Using $CurrentUser

    All, I am trying to create a central dashboard for my team. I would like this dashboard to load cases that are owned by the individual logged in and accessing that dashboard by dynamically populating their user account in the "Owner=" field condition…