  • Comparison of a specific random event field with the active list

    Hi. Maybe someone has had to face a similar problem. I need help describing a rule that will compare a specific event field with a specific column in the active list. The first question: is it possible to implement? I've looked at ArcSight's built-in…
  • Use the active list to detect suspicious IP addresses in any event and change the criticality level to maximum

    Hi. Help me implement the mechanics of detecting suspicious addresses in arbitrary events using an active list. Now I'm trying to describe a rule that will compare the Indicator Value list column and the Device Address field of the event and if there…
  • The rule for adding events to the active list in real time stops working after the first run

    Hi. I have a connector that sends events in CEF format to ArcSight. I created an active list and described a rule that listens for events with the fields Device Vendor = AlienVault and Device Product = OTX and adds them to the active list. Everything…
  • Rule to add events to active list

    Hi. I have events in CEF format that the flex connector sends to ArcSight (I checked through the active channel: everything arrives exactly as it was intended). I want to add these events to the active list and for this I created a lege rule that receives…
  • search using list

    Hello, ArcSighters. I have a file that has ~1000 IPs. I want to add it to an active list and search it as the destination IP. Please provide me the steps needed to perform such an action. Much appreciation.
  • High Rate of ActiveList entry added in ArcSight

    Hi. I have been working on adding new rules in Command Center and associating many rules with active lists, and some of them with creating cases for me. Recently I noticed this alert is created in my active list and it seems there is a problem in my active list…
  • Problem with manually deleting entries in an Active List

    Hello, I have a couple of Active Lists running, and I already have, for the second time, a problem with an Active List: I cannot delete an entry manually; the entry I deleted keeps standing in the AL. It looks like it is stuck or busy... I don't know…
  • How to Export Active List entries to the notification destination email automatically?

    Hi All, I have an Active List of many IP addresses. In this case, I want to send the entries of this active list to a destination notification group automatically by a scheduled job. How can I do this task? Best Regards, Amir
  • How compare IP with multiple subnets

    Hello! I need help. I need to compare an IP with several subnets and put the comparison result in a separate field of the report. For example: there is IP 1.1.1.1; it should be compared with 1.1.1.0/24 - servers, 2.2.2.0/24 - workstations, 3.3.3.0 / 24-network…
  • Feeding active lists with key fields through ESM REST API (addEntries)

    Dear all, I'm trying to feed active lists in ESM 6.11 through the REST API. It works if the active list has been defined without key fields, but not if it has any key field. The problem is that I need to use a key field, because the active list is a…
  • Active list Strings Entries Conditions

    Hi, I'm new to ArcSight. I created an Active List. The entries of this Active List are words (strings). I want to exclude events with conditions (filter or rule) if the event fields contain the words (strings) that are present in the Active…
  • Rules and active lists: direct mapping via alias

    Hi all, I've faced an interesting challenge. I wrote a script to notify a group of users via email, but it is not usable to write the same parameter string with emails in every rule. The best way to solve this trouble is adding to an active list and mapping…
  • Rule condition for checking only 1 field in the active list which contain 2 fields

    Hi, I am currently using ESM 6.9.1. I need to create an active list which contains 2 fields, say TEXT1 and TEXT2. And I need to create 2 rules, say rule1 and rule2. Rule 1 will be searching for both the fields TEXT1 and TEXT2 in the active list, whereas Rule2…
  • Variable to get the unique Event ID from an Active List

    I'm populating an active list from a rule with the unique Event ID (set up as a key field) from ArcSight. When I create a filter to map the event ID, it is not listed as a choice. Is there a way to get this value with a local or global variable, or will…
  • Active List manipulation based on one key value if multiple key is defined

    Sometimes we want to find/delete rows in an Active List based only on one specific column value, but the Active List is created with multiple keys. Is it possible to cover this feature? How?
  • Move rows between Active Lists with same columns

    When we use a few Active Lists for one Use Case (for example device monitoring), we want to move a few rows from one Active List (Critical monitored devices) to a second Active List (Not monitored devices, for example); both Active Lists use the same columns. Is…
  • Having an Active Channel of IOCs

    I am trying to create an Active Channel which checks against a list of IP addresses in an Active List and shows an event when a match is found. I cannot add Active Lists to the Active Channel without getting an error. What would be the best way to go…
  • Maximum size ActiveLists?

    Is there a known or official max size of an Active List? For example, if you would want to populate larger datasets from feeds, would there be a max? If so, would it be faster to cut them down into a few smaller lists? Or would that not give any benefit…
  • How to add a constant value each time a new line enters the List?

    Hi all, I want to add a constant value each time a new line enters the list. For example, add the number 100 to the "score" column automatically when entering a new line. Thanks
  • I have a filter on a rule that has an "inActiveList" condition. That active list has 3 fields on it but I only want to check the first one so that is the only condition I filled in. When I come back to that rule later, it sometimes will fill in t

    I have a filter on a rule that has an "inActiveList" condition. That active list has 3 fields on it but I only want to check the first one so that is the only condition I filled in. When I come back to that rule later, it sometimes will fill in the other…
  • What does "Ad-hoc (in-memory) global variables" mean?

    Hi, I created the Active List. I will set the Active List in the "Filter" field as conditions on a Global Variable. However, I found the description on page 448 of "User's Guide ArcSight Console ESM5.5". >Global variables depend on a pre-defined schema, >so…
  • Active list doesn't display two fields I need

    Hi, I have an Active List populated by a standard rule. Two things I would like to collect are: Destination Geo Region Code, Destination Geo Postal Code. Destination Geo Region Code and Postal Code are not in italics. None of these three items are being…
  • Rule doesn't populate active list

    I have a rule which works fine when, after setting conditions, I test it using the tab in the Rule Creation interface. I have used the "Add to activelist" action in this rule; however, after saving the rule, when I go and press "show entries" in the active list it doesn…
  • Scheduled Rule doesn't add to list

    I've tried light and standard rules, but neither will add events to a list when scheduled. When they are enabled to just run, they add fine. I've tried with Event-based and Field-based lists too. The schedule runs; I see the internal ArcSight event showing…
  • Track large time windows

    Say I want to alert on 25 failed logins over 1 minute for a single user; that's easy. Make a rule to find 25 in 1 minute. What if I want to find 25 failed logins over 1 hour? I don't think I want to have a rule with an hour time window. I thought about…