Rule Activations
|
Device Event Class ID |
Audit Event Description |
|---|---|
rule:700 |
Rule has been deactivated. |
rule:701 |
Rule has been deactivated because it is unsafe. There was excessive recursion or event matching. |
rule:702 |
Rule has been activated. |
rule:703 |
Unsafe rule activation. |
Target User Name or Target User ID in the Audit Event Affected by Who Triggers Activation or Deactivation
Whether a rule was disabled or enabled by a:
- User (compact mode and distributed mode)
- System (compact mode and distributed mode)
- Correlator or aggregator (distributed mode only)
affects the target user name or target user ID shown in the resulting audit event, as shown in this table:
| Who enables or disables the rule?
|
Compact Mode | Distributed Mode | ||
|---|---|---|---|---|
| Target User Name |
Target User ID | Target User Name | Target User ID | |
|
User |
login user name |
Target User ID data |
login user name |
Target User ID data |
|
System |
Empty | Empty |
Empty |
Empty |
| Correlator or aggregator | Not applicable for compact mode. | Not applicable for compact mode. | arcsightclusteruser | Target User ID data |