The ArcSight Activate Workflow Metrics Method

Part of the Software Development Life Cycle for Activate content depends on tracking how your security team is handling their workload.



Indicators and Warnings

This is the link for the Indicators and Warnings Worksheet.

Correlation Events

Whenever you need to have a rule for an I&W, this worksheet tells you how to set the fields in the rule's Set Event Fields action. All Activate rules should be properly categorized by following this process. See the Rules Best Practices page for more details.

Working with Events

The Real Time Workflow Method provides information about the stages. As analysts work through the Triage events, tracking how many correlation events are still in the Triage stage after hours could be a good way to gain insight into how well your team is able to keep up with the workload. There is, however, a minor issue.

Some rules can consume the correlation events from other rules. These correlation events become correlated and are encapsulated by the correlation events further up the rule chain. Additionally, the Main Channel is filtered to not show correlation events that have been correlated.

When you are building metrics content based on the Triage stage, be sure to use /All Filters/ArcSight System/Event Types/Non-Categorized Events to exclude the correlation events that were consumed by a higher-order rule. These correlation events are effectively being processed along with the higher-order correlation events.

-- PrenticeHayes - 24 May 2017
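
The double counting described above, as an added example that is not part of the original page or of the Activate content: a Python sketch over a constructed event list. The record layout (`id`, `rule`, `stage`, `base_ids`), the rule names and the `Closed` stage value are assumptions for illustration, not ArcSight's schema.

```python
from collections import Counter

# Constructed sample of correlation events (not real ArcSight output).
# Assumed fields: "id", "rule", "stage", and "base_ids" (the IDs of the
# events that this correlation event was built from).
EVENTS = [
    {"id": 1, "rule": "Failed Login Burst", "stage": "Triage", "base_ids": [101, 102]},
    {"id": 2, "rule": "Failed Login Burst", "stage": "Triage", "base_ids": [103, 104]},
    # Higher-order rule that consumed correlation events 1 and 2.
    {"id": 3, "rule": "Brute Force Then Success", "stage": "Triage", "base_ids": [1, 2, 105]},
    {"id": 4, "rule": "Malware Beacon", "stage": "Triage", "base_ids": [106]},
    {"id": 5, "rule": "Malware Beacon", "stage": "Closed", "base_ids": [107]},
]


def consumed_ids(events):
    """IDs of correlation events that a higher-order rule used as input."""
    correlation_ids = {e["id"] for e in events}
    return {b for e in events for b in e["base_ids"] if b in correlation_ids}


def triage_backlog(events, exclude_consumed=True):
    """Count Triage-stage correlation events per rule.

    With exclude_consumed=True, events already encapsulated by a
    higher-order correlation event are left out, since analysts handle
    them as part of that higher-order event.
    """
    skip = consumed_ids(events) if exclude_consumed else set()
    return Counter(
        e["rule"]
        for e in events
        if e["stage"] == "Triage" and e["id"] not in skip
    )


def overcount(events):
    """How many Triage events a naive metric counts twice."""
    naive = sum(triage_backlog(events, exclude_consumed=False).values())
    adjusted = sum(triage_backlog(events).values())
    return naive - adjusted


if __name__ == "__main__":
    print("naive:   ", dict(triage_backlog(EVENTS, exclude_consumed=False)))
    print("adjusted:", dict(triage_backlog(EVENTS)))
    print("overcount:", overcount(EVENTS))
```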
