Have you ever wanted to create a rule that has the ‘Contain From Active List’ condition in ArcSight?
Before starting – consider the following:
- Be aware of the cost in resources.
- Plan how to adapt the variables to your needs.

Use case Example:
We want to check whether at least one of the file types in the Active List is found in a string that contains many file types.
Part A – Define the Active List content:
Step 1 – Create an Active List with 2 columns:
- Flag (as a key field) – Should be the same value for all the strings that need to be checked.
- StringToCheck
Note: Check the Allow multi-mapping checkbox.
Step 2 – Add to the Active List the file types you want to find (Flag value has to be the same):
Step 3 – Define the rule’s variables:
Define the variables as follows:
a) Flag
b) AL
c) ALList2String
d) StripApostrophe
$ALList2String.replaceAll("\"","")
e) ReplaceComma
$StripApostrophe.replaceAll(",","|")
f) ReplaceFound
$fileType.replaceAll($ReplaceComma,"*")
g) YESorNO
View the results after each variable’s processing:
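The variable chain traced on constructed values, as an added example that is not part of the original post. Python's re.sub stands in for the regex replaceAll the variables call; the quoted, comma-separated form of ALList2String, the sample fileType strings and the YES/NO test (YES when the result contains *) are assumptions, since the page does not show them.

```python
import re

# Constructed sample: the text ALList2String is assumed to hold for an
# Active List with the entries exe, pdf, doc (the page does not show it).
AL_LIST_STRING = '"exe","pdf","doc"'

# Characters that have a special meaning inside a regular expression.
REGEX_META = set('\\.^$*+?()[]{}|')

def build_pattern(al_list_string):
    """StripApostrophe then ReplaceComma: drop the quotes, turn ',' into '|'."""
    return al_list_string.replace('"', '').replace(',', '|')

def replace_found(file_type, pattern):
    """ReplaceFound: each match of the alternation becomes '*'.
    re.sub stands in for the replaceAll call used in the variable."""
    return re.sub(pattern, '*', file_type)

def yes_or_no(file_type, al_list_string=AL_LIST_STRING):
    """YESorNO, assumed here to be: YES when ReplaceFound contains '*'."""
    found = replace_found(file_type, build_pattern(al_list_string))
    return 'YES' if '*' in found else 'NO'

def risky_entries(entries):
    """Entries that would change the regex instead of matching literally:
    empty strings (match everywhere) or ones with regex metacharacters."""
    return [e for e in entries if e == '' or REGEX_META & set(e)]

if __name__ == '__main__':
    pattern = build_pattern(AL_LIST_STRING)
    # Constructed fileType values: one with a listed type, one without.
    for sample in ('txt,exe,jpg', 'txt,jpg,png'):
        print(sample, '->', replace_found(sample, pattern), yes_or_no(sample))
    # An empty entry makes the alternation match the empty string, so every
    # event is flagged regardless of its file types.
    print(yes_or_no('txt', '"exe","","pdf"'))
    # Check candidate entries before adding them to the Active List.
    print(risky_entries(['exe', '', 'tar.gz', 'pdf']))
```

Because ReplaceComma is used as a regular expression, each Active List entry becomes part of the pattern, so an empty entry or one containing characters such as `.` or `+` changes what the rule matches.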
Wow! You made it!
You may challenge me with complex ArcSight scenarios, and I will post them on this blog.
ArcSight can do everything for you!
For specific requirements and customized solutions – please contact me: [email protected]