Effective HP ArcSight Rules

Summary:

This document outlines strategies for enhancing Event Stream Processing (ESP) using ArcSight, focusing on creating effective rules tailored for lightweight and pre-persistence types. Key points include optimizing rule event processing through condition ordering, variable function efficiency, and utilizing the "consume after match" feature to streamline data handling within systems. The document also emphasizes best practices such as evaluating conditions from cheapest to most expensive based on type and leveraging global variables for efficient resource sharing across rules.

Details:

This document outlines tips for creating effective Event Stream Processing (ESP) rules using ArcSight with specific considerations for lightweight and pre-persistence rule types, rule event processing, condition ordering, variable processing, and the "consume after match" feature. Key points include: 1. **Lightweight Rules**: Designed for maintaining data lists without correlation or audit events, these rules are stateless and can handle a large number of events. They are processed before standard rules to allow separation of data maintenance from risk analysis logic. 2. **Pre-persistence Rules (ESM 5.5)**: These rules enrich event fields prior to persistence, using the action 'SetEventField', which processes conditions before the event is stored in a database. Enriched field values are available to subsequent rules evaluated post-persistence. 3. **Rule Event Processing**: For every received event, all deployed rules' conditions are evaluated against the event. Conditions within an AND/OR node are evaluated in order of appearance based on their cost, with cheaper conditions evaluated first. Variable functions can range from simple (e.g., string and arithmetic operations) to complex (e.g., chains involving expensive variable types). 4. **Variable Processing**: The efficiency of function execution varies; simpler functions like ToUpperCase or Add are fast, while more complex ones such as GetGroupsOfAsset or GetListValue can be expensive. Global variables (GV) are evaluated only once per event regardless of rule usage, which is efficient. 5. **Condition Evaluation and Cost**: Conditions within a node are evaluated in order until a result is determined, with conditions ordered from cheapest to most expensive based on their type (e.g., integer comparison vs. string contains). Inside AND nodes, conditions are ordered from most to least restrictive; inside OR nodes, they are ordered from least to most restrictive. 6. **Global Variables**: Utilize global variables for sharable resources that can be reused across multiple rules. Local variables are scoped to a rule and not shared with others. 7. **Consume After Match**: This feature allows an event to stay in working memory after matching a rule alias, potentially reducing the need for additional joins by consuming the matched event once it has been used to fire the rule. By following these guidelines, users can optimize their ESP rules for better performance and accuracy in data processing within ArcSight systems. This text appears to be related to event correlation in a monitoring or logging system, possibly within an IT environment. Here's a summary of the key points: 1. **Event Types**: There are two types of events - Alias A and Alias B. Both Aliases can either consume (consume = true) or not consume (consume = false) events. The text does not specify what "not consuming" an event means, but it is implied that when an event is consumed, it might be correlated or processed further. 2. **Time Window**: There is a specified time window of 2 minutes during which events are considered for correlation. This implies that within this 2-minute period, any events related to Alias A and Alias B will be looked at together. 3. **Event Examples**:

• Example where Alias A (consume = true) and Alias B (consume = false): Events A1, B1 are recorded at time T0. No correlation is performed because B's consumption status is false. At T0 + 2 minutes, events A2, B2 are recorded. Since B does not consume, no correlation occurs between A2 and B2, nor with previous or subsequent events.

• Example where both Alias A (consume = true) and Alias B (consume = true): Events A1, B1 are recorded at time T0. Correlation is performed between these two aliases using the specified time window. Additional events A3, B1 might also be recorded during this period, but they do not necessarily correlate with each other based on the provided information.

4. **Event Recording**: Events are recorded with timestamps (T0 and T0 + 2m), indicating when they were initially logged in the system. 5. **Purpose of the Text**: The text is likely part of a technical document or guide explaining how events should be correlated within a software system, specifically focusing on Alias A and Alias B under different conditions. 6. **Copyright Information**: Throughout the text, there are multiple copyright notices from Hewlett-Packard Development Company, L.P., indicating that this information is protected and subject to change without notice, which might imply that the details provided are for internal use or specific scenarios within the company's products or services. Overall, this summary assumes a role in explaining event correlation processes within an IT environment, possibly within a monitoring tool or logging system used by Hewlett-Packard Development Company, L.P., and provides examples of how events should be handled based on their aliases and consumption statuses.