Working with Rules
You can create and delete rules in the ArcSight Platform. You can create rules in your personal folder (My Rules) and also create real-time rules. You can apply conditions to rules.
Creating rules involves defining the events the rule evaluates and thresholds for triggering the rule. Conditions define which events trigger the rule and thresholds determine when a condition is met and a correlation event is generated.
When defining rules, begin by determining:
- Which event occurrences do I want to be aware of? This determines what events this rule needs to monitor and the conditions to be tested.
- How many times do I want the event or events to occur and within what time frame? This determines the rule's threshold.
Be specific when determining which events you want to monitor. For example, monitoring all events from a Cisco Router would not be as useful as monitoring all denied events from that Cisco Router. In addition, the more conditions you add to a rule, the more specific the rule becomes. Use the data fields to guide you in selecting and specifying conditions.
For more information about data fields:
- If you are not using ArcSight SaaS, in the ArcSight Console User's Guide for ESM, go to Reference Guide > Data Fields.
- If you are using ArcSight SaaS, in the User's Guide for Real-time Threat Detection ArcSight Console, go to Reference Guide > Data Fields.
Note: Rules that you create in My Rules are not available to other users until you deploy them. When you deploy a rule in My Rules it becomes a real-time rule.
The dashboard provides only a subset of the functionality that is available in the ArcSight Console. Rule authoring with advanced conditions such as matches Filter, InActivelist, and In Asset is not supported. Basic rule conditions with simple queries are supported. For example:
( Name endswith Failed or ( bytesIn >= 100 and bytesOut >= 1 and priority > 5 ) )
Agent Address = '10.0.0.1' and Application Protocol = UDP
To create a rule:
- (Conditional) If you are not using ArcSight SaaS, select and then select Rules.
- (Conditional) If you are using ArcSight SaaS, select and then select Rules.
- On the Real Time Rules page or the My Rules page, click the plus (+) icon.
- Provide the following information:
  - Provide a name for the rule. The name can contain up to 25 characters.
  - Select one of the following trigger options, which determine when the rule fires:
    - On First Event - trigger the rule the first time rule conditions are met.
    - On Subsequent Events - trigger the rule the second and subsequent times rule conditions are met, not the first.
    - On Every Event - trigger the rule every time rule conditions are met.
    - On First Threshold - for a number of matches greater than 1, trigger the rule the first time rule conditions and threshold settings are met.
    - On Subsequent Thresholds - for a number of matches greater than 1, trigger the rule the second and subsequent times rule conditions and threshold settings are met, not the first.
    - On Every Threshold - trigger the rule every time rule conditions and threshold settings are met.
- Select the conditions that you want to apply to the rule, and then save the rule.
- If you created a rule on the My Rules page and want to add it to the real-time rules, select the rule in the grid and then click the Deploy icon.
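The six trigger options and the sample condition shown earlier on this page can be seen working together in a small simulation. The following Python block is an added example written for this page, not ArcSight product code: it evaluates the sample condition `( Name endswith Failed or ( bytesIn >= 100 and bytesOut >= 1 and priority > 5 ) )` over a constructed stream of events and reports when a rule would fire under each trigger option. The Event class, the sample events, and the threshold model (a threshold of N is met when N matching events fall inside a sliding window of T seconds, and the window is cleared once the threshold fires) are assumptions of this example; the real ESM aggregation settings offer more options than this model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Constructed event record for the simulation. The field names mirror the
# data fields used in the page's sample condition (Name, bytesIn, bytesOut,
# priority); the class itself is an assumption of this example.
@dataclass(frozen=True)
class Event:
    ts: float            # event time in seconds
    name: str
    bytes_in: int = 0
    bytes_out: int = 0
    priority: int = 0


def example_condition(e: Event) -> bool:
    """The page's sample condition, evaluated in Python:
    ( Name endswith Failed or ( bytesIn >= 100 and bytesOut >= 1 and priority > 5 ) )
    """
    return e.name.endswith("Failed") or (
        e.bytes_in >= 100 and e.bytes_out >= 1 and e.priority > 5
    )


EVENT_TRIGGERS = ("On First Event", "On Subsequent Events", "On Every Event")
THRESHOLD_TRIGGERS = ("On First Threshold", "On Subsequent Thresholds", "On Every Threshold")


def fire_times(events: Iterable[Event], condition: Callable[[Event], bool],
               trigger: str, threshold: int = 1, window_s: float = 60.0) -> List[float]:
    """Return the timestamps at which a rule with the given trigger fires.

    Assumed, simplified model: a threshold of N is met when N matching events
    fall within a sliding window of window_s seconds, and the window is
    cleared once the threshold fires.
    """
    if trigger not in EVENT_TRIGGERS + THRESHOLD_TRIGGERS:
        raise ValueError(f"unknown trigger: {trigger!r}")
    if trigger in THRESHOLD_TRIGGERS and threshold < 2:
        # The page defines threshold triggers for a number of matches greater than 1.
        raise ValueError("threshold triggers need a threshold of 2 or more")

    fired: List[float] = []
    match_count = 0           # matches seen so far (event-level triggers)
    threshold_count = 0       # times the threshold has been met (threshold triggers)
    window: List[float] = []  # timestamps of matches still inside the sliding window

    for e in sorted(events, key=lambda ev: ev.ts):
        if not condition(e):
            continue  # only events that satisfy the condition count as matches
        match_count += 1

        # Event-level triggers look only at how many matches have occurred.
        if trigger == "On First Event" and match_count == 1:
            fired.append(e.ts)
        elif trigger == "On Subsequent Events" and match_count >= 2:
            fired.append(e.ts)
        elif trigger == "On Every Event":
            fired.append(e.ts)

        # Threshold bookkeeping: drop matches that have aged out of the window.
        window = [t for t in window if e.ts - t <= window_s] + [e.ts]
        if len(window) >= threshold:
            threshold_count += 1
            window = []  # assumption: the window resets after the threshold fires
            if trigger == "On First Threshold" and threshold_count == 1:
                fired.append(e.ts)
            elif trigger == "On Subsequent Thresholds" and threshold_count >= 2:
                fired.append(e.ts)
            elif trigger == "On Every Threshold":
                fired.append(e.ts)
    return fired


def compare_triggers(events: Iterable[Event], condition: Callable[[Event], bool],
                     threshold: int = 2, window_s: float = 60.0) -> Dict[str, List[float]]:
    """Run every trigger option over the same event stream for side-by-side comparison."""
    events = list(events)
    result = {t: fire_times(events, condition, t) for t in EVENT_TRIGGERS}
    result.update({t: fire_times(events, condition, t, threshold, window_s)
                   for t in THRESHOLD_TRIGGERS})
    return result


# Constructed sample stream: five events match the condition, two do not.
SAMPLE_EVENTS = [
    Event(0.0, "Login Success", bytes_in=10),                          # no match
    Event(5.0, "Login Failed"),                                        # match (Name endswith Failed)
    Event(10.0, "Transfer", bytes_in=500, bytes_out=20, priority=7),   # match (byte/priority clause)
    Event(20.0, "Login Failed"),                                       # match
    Event(100.0, "Login Failed"),                                      # match, outside the earlier window
    Event(105.0, "Login Failed"),                                      # match
    Event(110.0, "Scan", bytes_in=1000, bytes_out=0, priority=9),      # no match: bytesOut < 1
]

if __name__ == "__main__":
    for trig, times in compare_triggers(SAMPLE_EVENTS, example_condition).items():
        print(f"{trig:26s} fires at {times}")
```

With a threshold of 2 matches in 60 seconds, the threshold is met at t=10 (matches at 5 and 10) and again at t=105 (matches at 100 and 105); the match at t=20 never pairs up because the window was cleared at t=10 and the next match arrives 80 seconds later. Raising the threshold to 3 shifts the only firing to t=20.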
To deactivate a rule without deleting it, select the rule and then click the Undeploy icon.
To permanently remove a rule, select the rule and then click the trash can icon.