• Creating Custom E-mails Using Velocity Templates

    Hi, I have a rule that triggers when a certain event is found and sends information about the found event by mail. I used the ESM Administrator's Guide, section Appendix C: Creating Custom E-mails Using Velocity Templates In <ARCSIGHT_HOME>/Manager…
  • Rule notification via email with attached report

    Is there a possibility when an alert is triggered, in addition to sending an email with the fields, also sending an attached report? It would be like running a query as soon as the alert is triggered and the query result goes to the attached alert itself…
  • Rule action to create case

    Hi Guys, need some help if you have similar setup. We have modified the case types and other fields within the cases. Now we have different "Ticket types" in the case, and whenever a rule is fired the rule action is configured to open a case but with…
  • Using Regex in 'Set Event Field Actions' of a Rule

    event Message: Name : ERRPT: Core file was generated in /home/cores/coreE_xx##xxx#_string.1544326 from the process string . I'm trying to capture "xx##xxx#_string" and have it in dcs4 Set Event Field Actions > deviceCustomString4 = $message.replaceAll…
  • cannot retain the empty value of the field from the base event to correlated event

    Hi, I saw so many posts on retaining the actual value from the base event to the correlated event. My requirement is a little bit different: I need to retain the actual value from the base event to the correlated event even if the field is empty. The field…
  • Aggregating multiple correlated events(identical) into single Case?

    Hi All, This seems like a really simple question and probably I am missing something real simple. But still I would like to ask you this: How to aggregate multiple correlated events into just one case if they are identical in nature. When I tried…
  • Check if active list entry matches with event

    Dear Community, I want to know if it is possible to create a rule, which checks if an active list entry matches with incoming filtered events. Currently, I have active list of all monitored, log sending devices. And I want to make a rule which checks…
  • Rule Action To Run PSEXEC not working

    Hey! I have a rule that I want to run some batch script which uses PsExec at the end to run a command on a remote computer. The script is running fine, but the psexec failed. The connector's log says: java.io.IOException: Cannot run program "c:\windows\system32…
  • Execute Connector Command - Dynamically choose Connector

    Hello, I'm creating some rules that use the "Execute Connector Command" Action. I do not want to choose a specific connector in the "Connector" field: instead, I want to pick it dynamically, depending on the event that triggered the rule. Is there any way…
  • Insider Threat Content Assistance

    Does anybody have some rules or content they can share for insider threat? Is there any reference documentation that would help me to build some correlation rules for Insider Threat that I could reference? I am trying to keep Arcsight here in this network…
  • Mail notifications based on outcome's result

    Hi, I would like to create a rule that fires every time a specific event is generated, e.g. "Access denied by access control list". Furthermore, I have to check if the attacker address that generated that event is present in one or more active lists on the…
  • Rule to identify any new devices

    Hi, We provide services to multiple customers. I need to create a rule to identify if any new device is integrated to send logs to ESM. I have an active list which contains a list of all the devices that are authorized for monitoring. Now I wish to create…
  • Automate rule creation for checkpoint from Arcsight when event trigger

    Hi, has anyone come across automating rule creation for a Checkpoint firewall from ArcSight when an event is triggered? I would appreciate it if you could share the function to call the variable and a sample script for that. Thank you. Regards, Chris
  • Correlation rule creation.

    The field "message" contains an IP address. How do I get the address from the field "message" and then use it to compare with the destination address field of another event? Second embodiment: I have an active list that contains the corresponding domain…
  • Event field contained in activelist

    Hi guys, I'm trying to run a query based on a filter. My filter is supposed to grab all events with a specific name field AND, in addition to that, I want to filter the events that have a destination user name equal to one of the entries of (contained…
  • 30 Second Timeout for Rule Action - Execute Command

    Perhaps someone has run into this before and/or can help me with this: I've noticed that, when executing a command as a rule action, any scripts that take longer than 30 seconds will not finish executing and the ESM will report the results with the event…