
Showing posts from June, 2014

ArcSight Tips - Rule Actions Order

[Image: the rule actions in the right order]
Have you ever wondered why ArcSight put those little ordering buttons in rule actions? They are not accidental; they have a subtle purpose, and only a real-time example can show why they are needed and how much they matter.

Let's say events are coming into the ESM at a high rate, and we have a use case that needs two rules and two active lists to get what we want.

R1 evaluates base events and, if the entry is NotInAL2, its action adds an entry to AL1.

R2 evaluates the conditions DeviceEventClassID=activelist:103 & DCN1>=10 and, if they match, its actions remove the entry from the first list and add it to the second one.

This is where the order counts. The picture above displays the right order. Think for a second about what the implications would be if it were the other way around. If we were to first add to AL2 and then remove from AL1, what happens, in a matter of milliseconds in the Correlation Engine, is that although it may seem the entry was added to AL2 and that won't