Active Lists in ArcSight, Automatic Clearing. Part 2

[post-views]
November 16, 2017 · 3 min read
Active Lists in ArcSight, Automatic Clearing. Part 2

A very common task for all ArcSight content developers is cleaning active lists on a scheduled basis or on-demand automatically.
In the previous post I have described how to clear Active Lists on scheduled basis using trends: https://socprime.com/en/blog/active-lists-in-arcsight-automatic-clearing-part-1/

Today I will show you another two ways how this can be achieved.

Automatic clearing of Active Lists based on command line commands on the ESM

The main idea is that at first, we will uninstall the content package and after that reinstall it from the command line.

First, we need to create the content package with ‘export’ format and add to this package all Active Lists that you want to be cleared on schedule or on demand and also other resources that interact with these Active Lists. After that we need to create a simple bash script on the ESM with following commands:

  1. The first command will uninstall package. ‘echo “1” |’ at the beginning of the line will automatically choose option ‘1: Create new archive for package’ in case if package content has changed.
    echo “1” | /opt/arcsight/manager/bin/arcsight package -action uninstall -package “/All Packages/Personal/admin’s Packages/Clear Active Lists” -u adminuser -p password -m esm-hostname
  2. The second command will reinstall package:
    /opt/arcsight/manager/bin/arcsight package -action install -package “/All Packages/Personal/admin’s Packages/Clear Active Lists” -u adminuser -p password -m esm-hostname

Please note that this method is not suitable if you are using trends in the use case since after reinstalling content package all your trend data will be querying from the very beginning from the Trend’s schedule time range parameter ‘Start’ and this can make performance impact.

When the script is ready, test it at first to make sure it is working as expected and after that schedule it or add as an action ‘Execute Command’ in rule trigger.

Automatic clearing based on rules

If you need for example to reset counters in the Active List for the specific line or simply delete this line in a new day, you need to add to the Active List fields ‘Last Event Time’ and ‘Event Count’. In ‘Last Event Time’ field insert ‘End Time’ from the event, in ‘Event Count’ insert ‘Aggregated Event Count’. Add to rule variables to compare ‘End Time’ (current event time) and ‘Last Event Time’ from the Active List with the help of a variable ‘GetDayOfYear’. In case if ‘GetDayOfYear(End Time)’ is greater than ‘GetDayOfYear(Last Event Time)’ then you need to reset event counters or delete the entry in Active List depending on requirements. Don’t forget to add check whether the new year has come or not.

I believe that there are other possible ways of Active Lists automatic clearing and I hope these posts will get you the basic understanding of possible ways and will open new opportunities for building new excellent use cases.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts