• Data Enrichment in ArcSight ThreatHub

    Hi, how does ThreatHub Feed enrich the IOCs data? Does it take IOCs from ingested events from ESM and then store the enriched data for those IOCs in Active Lists, or does it store generic data for all suspicious IOCs? I appreciate any insights you…
  • Creating Dashboards in ArcSight ESM Using Active List Data

    Hi, I need to create custom dashboards in ArcSight ESM using Active Lists that contain IOC-related details. How can I create custom dashboards using data from Active Lists? For reference, in ArcSight ThreatHub, enriched IOCs data is stored in Active…
  • Active lists and correlation rules

    Hi, there is a Python script that receives data from an external resource, processes this data and saves it in the appropriate files. From these files, the flex connector regex file receives processed information in CEF format and sends it to ArcSight…
  • How to create a rule for accounts with no activity for more than 60 days?

    Hello people, I'm trying to create a rule for accounts that have not been active for more than 60 days. I tried to make a join rule, but due to resource limitations I can't keep the rule open for 60 days. The second attempt was to create a session list that…
  • Can't add entry to active lists

    Kindly, I faced this error while manually adding an entry to the active list.
  • Comparing Two Active Lists

    Dear all, I am stuck with two active lists of hosts and addresses. One of the lists is a subset of the other. It means List A contains all hosts and IP addresses. List B contains some of the hosts and IP addresses from List A. I would like to…
  • Search using list

    Hello ArcSighters, I have a file that has ~1000 IPs. I want to add it to an active list and search it as the destination IP. Please provide me the steps needed to perform such an action. Much appreciated
  • How does the function GetSizeOfList work?

    I want to get a count of the number of entries in an AL. I read before that the function GetSizeOfList is a good one to use, but I cannot select an active list in the arguments... How does this work? Greetings, Robin
  • ArcSight Rules, Dashboards & Correlation

    We need your support to learn about the following grey areas: Reading incident logs & event categorization; Complex queries & active channel creation; Rules & reporting; Correlation & correlation rule developing; Ad hoc rules; Developing use cases; Creating…
  • Local Variable that gives total number of items in an Active List.

    Can I configure a local variable that gives me the total number of items in an Active List?
  • What does "Ad-hoc (in-memory) global variables" mean?

    Hi, I created the Active List. I will set the Active List on the "Filter" field as conditions on a Global Variable. However, I found the description on page 448 of "User's Guide ArcSight Console ESM5.5": > Global variables depend on a pre-defined schema, > so…
  • Multi-mappings Active List Entry Expiration Event

    Hello All, I have a more complex scenario, which in the end I was able to bring down to the point where I need to monitor a Multi-mappings Event-Based Active List. Simplified, I have the following situation: -> Active List with only one Key Field (say…
  • Add to Active List default list options

    Hey all, when you right-click an event > Active List > Add To, it displays two default active lists. Does anyone know of a way to add more ALs to this "Default" selection screen? I was looking to add some ALs there to prevent the extra clicking of other…
  • Maximum events per AL comparison?

    I'm going to try and ask this question in general, then give the specifics. I have a filter that gives me about 235k events over two hours. (for comparison purposes, I get about 26k events over 15 minutes) I have been trying to compare those events to…
  • Trouble matching events in ActiveList when changing to all lowercase

    I'm having a weird problem matching events to an active list. I have a list of Windows executables that I want to monitor in lowercase in an active list called "Suspicious processes" (examples: psexec.exe, route.exe, net.exe). I then have a filter to…
  • Matching to an ActiveList with 3 key fields

    I have a Query or a Rule that I need to match an event to an ActiveList. This particular ActiveList has 3 key fields, but the event I need to match only has 1 of those fields. Is this possible, or does the match attempt always fail? For example, I have…
  • Difference between Active list and session list?

    Hi all, what are the major differences between active lists and session lists? Can operations done in session lists also be done in active lists? Regards, SHINEJ
  • Rule to browse through an Active List

    Hi guys, I'm trying to use a rule to browse an Active List for relevant information. In my case this is useful (if it works as I am expecting) because the rule doesn't need to hold aggregation information for the 24 hours it's supposed to be looking for…
  • Importing active list Last Modified Time values using archive command

    Hi, I'm working on a script to export and import active list values using the archive command. This might be a duplicate question of this thread https://protect724.hp.com/message/46959 Is there a way to force the import of "Last Modified Time" during…
  • All day old entries on active list

    OK, I have an active list that will feed a dashboard table where I need to display all entries from that list less than a day old. I thought I would simply create a query something like creation time > $now - 1d but ESM tells me '$now - 1d' is invalid…
  • Make entries in Active List case-insensitive

    Hello all, currently the active lists that we have defined in ArcSight are case sensitive. Is there a way that the entries can be made case-insensitive? The problem is that when I refer to the active list in a rule, the entries are matched in different cases…
  • Active Lists broken on .arb import

    Hi, I was wondering if anyone ever found a fix or workaround for this issue? This issue dates back at least 3-4 years and is easily repeatable in a lab environment. Export .arb from lab/DEV/staging instance, import into production instance, all active…
  • Active list export from command line

    Is there a way to export/import active lists using the command line?
  • 6.5c Active List and Sessions List Over Capacity Limit?

    Is anyone else seeing their active list and session list going over the specified capacity? For example, I have an active list that is supposed to have a 10,000-entry limit but it is actually 47,000 in size. A session list with a limit of 10,000 but its…
  • Active Lists/session lists correlation with delayed events

    Hi, I have the following scenario: a RADIUS server that generates START and STOP events, with the IP of the user and some additional info. For all the firewall events for that particular IP, I have to generate a correlated event that contains: the attacker…