How to prevent your SIEM from being blind

How to prevent your SIEM from being blind Getting logs from multiple systems also requires correct permissions, network settings, proper resources, and perfect KeepAlive alerts. But what happens if something goes wrong? Apparently, the logs will not arrive. We will focus on a problem that can cause peripheral blindness with minimal effort: Disable SIEM service […]

Rules based on aggregate SUM

Rules based on aggregate SUM

How to create a data monitor which will collect the information from the last X time, and sum the quantity and create a rule that use the audit events of the Data Monitor to check if the value is more than a specific threshold.

Contain from Active List

Contain from Active List

Have you ever wanted to create a rule that has the ‘Contain From Active List’ condition in ArcSight?