Contain from Active List

Have you ever wanted to create a rule that has the ‘Contain From Active List’ condition in ArcSight?

Before starting, consider the following:

  • Be aware of the resource cost: every variable in the chain is evaluated for each event the rule examines, and the Active List lookup adds to that.
  • Plan how to adapt the variables (column names, key value, event field) to your needs.

Use case example:

We want to check whether at least one of the file types stored in the Active List appears in an event field (fileType in this example) that contains many file types.

Part A – Define the Active List content:

Step 1 – Create an Active List with 2 columns:

  1. Flag (the key field) – the same value for every string that needs to be checked, so that one lookup on this key returns all of them.
  2. StringToCheck – the value to look for.

Note: tick the Allow multi-mapping checkbox; without it the key Flag could only map to a single StringToCheck value.

Step 2 – Add the file types you want to find to the Active List (the Flag value must be the same for every entry):

Step 3 – Define the rule’s variables:

Define the variables as follows (each one builds on the previous):

a) Flag – the constant key value you gave to every Active List entry.

b) AL – the Active List lookup: all StringToCheck values that map to Flag (this is why multi-mapping is needed).

c) ALList2String – the AL list rendered as a single comma-separated string of quoted values.

d) StripApostrophe – removes the double quotes from that string:

$ALList2String.replaceAll("\"","")

e) ReplaceComma – turns the commas into a regular-expression alternation (for example exe|dll|ps1):

$StripApostrophe.replaceAll(",","|")

f) ReplaceFound – replaces every list value found in the event’s fileType with "*":

$fileType.replaceAll($ReplaceComma,"*")

Note: as in Java, the first argument of replaceAll is a regular expression, not a literal. A list value such as tar.gz therefore also matches tarXgz, a value such as exe also matches inside exec, and an empty Active List produces an empty pattern that matches at every position. If that matters for your use case, escape the values and anchor them (for example with word boundaries) before they reach this step.

g) YESorNO – the final check: if ReplaceFound differs from the original fileType, at least one listed file type was found (YES); otherwise NO.
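The variable chain above, emulated in Python as an added example (this is not ArcSight code and not from the original post; ArcSight has no offline interpreter, so the script mirrors what each variable computes). The Active List rows, the Flag value FILETYPES, the quoted comma-separated rendering assumed for ALList2String and the YESorNO rule (YES when at least one replacement took place) are assumptions made for the example; the function names mirror the variable names. It goes beyond the post in two places: it refuses to run the regex when the list is empty, and an anchored mode shows how escaping and anchoring the list values removes the substring and metacharacter matches described in the note.

```python
import re

# Constructed sample of the Active List from Part A: key column Flag, value column StringToCheck.
# Every entry carries the same Flag value so that one lookup returns all of them (multi-mapping).
ACTIVE_LIST = [
    {"Flag": "FILETYPES", "StringToCheck": "exe"},
    {"Flag": "FILETYPES", "StringToCheck": "dll"},
    {"Flag": "FILETYPES", "StringToCheck": "ps1"},
    {"Flag": "FILETYPES", "StringToCheck": "tar.gz"},  # carries a regex metacharacter on purpose
]

FLAG = "FILETYPES"  # variable a) Flag: the constant lookup key (assumed value)


def al(rows, flag=FLAG):
    """Variable b) AL: the StringToCheck values mapped to the key Flag."""
    return [r["StringToCheck"] for r in rows if r["Flag"] == flag]


def al_list_to_string(values):
    """Variable c) ALList2String. Assumption: the list renders as quoted, comma-separated values."""
    return ",".join(f'"{v}"' for v in values)


def strip_apostrophe(s):
    """Variable d) StripApostrophe: $ALList2String.replaceAll("\"","")."""
    return re.sub(r'"', "", s)


def replace_comma(s):
    """Variable e) ReplaceComma: $StripApostrophe.replaceAll(",","|")."""
    return re.sub(",", "|", s)


def replace_found(file_type, pattern):
    """Variable f) ReplaceFound: $fileType.replaceAll($ReplaceComma,"*").
    Like Java's String.replaceAll, the first argument is a regular expression."""
    return re.sub(pattern, "*", file_type)


def yes_or_no(file_type, replaced):
    """Variable g) YESorNO. Assumption: YES when at least one value was replaced."""
    return "YES" if replaced != file_type else "NO"


def contains_listed_type(file_type, rows=ACTIVE_LIST, flag=FLAG, anchored=False):
    """Runs the whole chain on one event's fileType string.

    anchored=False reproduces the post's variables exactly.
    anchored=True is an added hardening (not in the post): each list value is regex-escaped
    and must be a whole token, so "exe" no longer matches inside "exec" and "tar.gz" no
    longer matches "tarXgz".
    """
    values = al(rows, flag)
    if not values:
        # Added guard: an empty list would give an empty regex, which matches at every
        # position and would turn every event into a YES.
        return "NO"
    if anchored:
        pattern = (r"(?<![A-Za-z0-9])(?:" + "|".join(re.escape(v) for v in values)
                   + r")(?![A-Za-z0-9])")
    else:
        pattern = replace_comma(strip_apostrophe(al_list_to_string(values)))
    replaced = replace_found(file_type, pattern)
    return yes_or_no(file_type, replaced)


def trace(file_type, rows=ACTIVE_LIST, flag=FLAG):
    """Returns the intermediate value of every variable, the way the post shows them step by step."""
    steps = {"Flag": flag, "AL": al(rows, flag)}
    steps["ALList2String"] = al_list_to_string(steps["AL"])
    steps["StripApostrophe"] = strip_apostrophe(steps["ALList2String"])
    steps["ReplaceComma"] = replace_comma(steps["StripApostrophe"])
    steps["ReplaceFound"] = replace_found(file_type, steps["ReplaceComma"])
    steps["YESorNO"] = yes_or_no(file_type, steps["ReplaceFound"])
    return steps


if __name__ == "__main__":
    for name, value in trace("pdf,exe,docx").items():
        print(f"{name:16} {value}")
    for sample in ("exec,dllhost", "tarXgz"):
        print(sample, "naive:", contains_listed_type(sample),
              "anchored:", contains_listed_type(sample, anchored=True))
```

Running the script prints the same step-by-step values the post shows in its screenshots (ReplaceComma becomes exe|dll|ps1|tar.gz and ReplaceFound becomes pdf,*,docx), and then shows that the unanchored chain reports YES for exec,dllhost and tarXgz while the anchored variant does not. In ArcSight the anchoring would have to be applied when the Active List is populated (store escaped, anchored values) because the variable chain has no escaping step of its own.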

View the result after each variable is processed:

Wow! You made it!


You may challenge me with complex ArcSight scenarios, and I will post them on this blog.

ArcSight can do everything for you!

For specific requirements and customized solutions – please contact me: eli@cybersiem.com
