Post on 25-Jun-2020
© Copyright 2015 Hewlett-Packard – HP Enterprise Security University – Course presentation (Institute of Information Security-India)
Building Active Rules in ESM
HP ESP University
Course title: Building Active Rules in ESM
Description: Upon successful completion of this lab, you will be able to:
• Describe the different rule types
• Configure rules using Conditions, Aggregation and Actions
• Create and test rules aggregating base events
Course Length: Two days, instructor led
Table of contents
Day 1
• Rules
• Active Lists
Day 2
• Reports
• Queries
Rules
Rules (a.k.a. correlation rules or alerts) are used to detect specific events or situations and take appropriate actions.
Creating rules involves defining the events the rule evaluates, the thresholds, and the actions the rule triggers. Conditions define which events trigger the rule, thresholds determine when a condition is met and a correlation event is generated, and actions state what responses are taken when a rule is fired.
HP ArcSight ESM Rules
• Sometimes referred to as “Alerts” or “Correlation Rules”
• Real-time operations
• 3 rule types:
  • Standard: includes all features for rule creation
  • Lightweight: small set of features for faster and simpler rule processing
  • Pre-persistence: enables basic event analysis before the events themselves are persisted in the CORR-Engine
ArcSight Correlation 1/3: Basic Rules or Simple Correlation, a.k.a. Events Aggregation
Correlation of a unique event or of multiple events (same base event)
• Most basic correlation
• Single event type or category
• Basic conditions
• De-duplicates events (many-to-one)
• Catches and accumulates events in memory
• Single source, single target
ArcSight Correlation 2/3: Advanced Correlation, a.k.a. Joining Events
Correlation of a unique event or of multiple events (multiple events, multiple sources, multiple targets)
• Inter-relates (joins) diverse events (from different devices) with any combination of common field values: e.g. source IP, target IP, port, protocol, username, domain, location, zone, etc.
• Compares any event fields using flexible Boolean logic (AND, OR, NOT)
• Good for cross-event matching of complete end-to-end sessions
• E.g. correlating when an attacker is detected by a NIDS, crossing the firewall, compromising a host, creating a back connection to steal confidential data
ArcSight Correlation 3/3: Complex Scenarios Engineering, a.k.a. Chaining Rules
Diagram (rule chain):
Rule1: Sequence 1 events combination → unique correlated event → Action: write in Active List “Suspect”
Rule2: Sequence 2 events combination → Action: write in Active List “Hostile”
Rule3: Sequence 3 events combination → Action: ALERT
1. Inter-relates events across sessions using Active Lists (or memory tables)
2. Any field or combination of event fields may be persisted from base events
3. Long- and short-term state machines
4. Good for tracking logical sequences of events
Scenario:
1. Attacker is probing a network
2. Minutes, days or even weeks after that, the same attacker starts login challenge sessions (unauthorized accesses) onto a system and fails
3. Eventually the attacker has successfully accessed a system: compromised resource
Creating Rules
Creating rules is a 3-step process:
1. Define the “Conditions”
   Which event occurrences do I want to be aware of?
   Filtering matching events to be evaluated
2. Define “Aggregation”
   How many times do I want the event or events to occur, and within what time frame?
   The number of times an event or events (threshold) need to occur before the rule triggers
3. Define “Actions”
   What actions should automatically occur when an event is generated?
   When should those actions occur?
   What steps will be taken as a response when a rule is fired
Rule Editor
ATTRIBUTES TAB typically contains the Rule Name and defines the Rule type
CONDITIONS TAB is where the filters for matching events to be evaluated are defined
AGGREGATION TAB is where event aggregation and the number of matches (thresholds) are defined
ACTIONS TAB is where the appropriate actions taken after a rule is fired are defined
LOCAL VARIABLES TAB is where variables (functions) can be used to increase data processing
Conditions Tab: Filters
• Allow for re-use of content
• Best practice
• Greater consistency
• Reduce errors and save time
Conditions Tab: Assets
• Increase rule accuracy
• Best practice
Conditions Tab: Vulnerabilities
Conditions Tab: Active Lists
• InActiveList Condition
Conditions Tab: Active Lists (continued)
Conditions Tab: Joining different events from different sources
- Event 1 label « DATA CENTER FIREWALL EVENT »
- Event 2 label « DATA CENTER APPLICATION EVENT »
Action Sets
Actions are triggered upon rule firing
• Actions run automatically
• Actions trigger only once or many times
• Actions can be:
  − Setting event fields in the correlated event display
  − Sending the triggered rule's associated events to HP OpenView
  − Sending notifications to ArcSight User Groups
  − Executing a command locally / at connector level
  − Exporting a case/data to an external system (using XML)
  − Managing a case (open a new one, add to an existing case, …)
  − Adding/removing information to/from Active/Session Lists
  − Modifying Asset Categories
Use Case Example
Simple Correlation, a.k.a. Events Aggregation
• Example #1: multiple login attempts (failures) on the same user account
• How do we do it?
  • The rule detects repeated login failures within a given time frame (minutes), then triggers an alarm
• What content do we need?
  Conditions will search (filter) for authentication failure events
  We can use categorization: categoryBehavior and categoryOutcome will do the job
  The aggregation mechanism accumulates aggregated events until a threshold is crossed
  Aggregation operates on recurrent fields: source IP, destination IP and login username make sense here
  The corresponding CEF fields used for aggregation are:
    sourceAddress or attackerAddress
    destinationAddress or targetAddress
    destinationUserName or targetUserName
Creating Rules
• Select “Rules” from the Navigator Panel
Creating Rules
• Right Click on “<admin>’s Rules”
• Select “New Rule”
• Standard Rule
By selecting ‘Standard Rule’ we have all features available for building a rule
Creating Rules: Attributes
Provide a Rule Name
o This will be the name you see in any Alerts or Correlation Events
o It is possible to change this with Action Sets (we will see this later)
o Select the Conditions Tab
Creating Rules: Conditions
First we need to filter login failure events
Here we use the ArcSight CEF categories
• Right-click “Event1” in the Conditions Edit panel
• Choose ‘New Condition’
• Select ‘Category’ then ‘Category Behavior’
Creating Rules: Conditions
Here we go with a first condition in the filter
• Select /Authentication/Verify as the filter term from the drop-down list; the logical operator is equal (=)
• Click OK in the Edit tab
Now we add a second condition to the filter
• Right-click “Event1”
• Choose New Condition
• Select “Category” then “Category Outcome”
• Select /Failure as the filter term; the logical operator is equal (=)
• Click OK in the Edit tab
• Click Apply in the Rule Editor (lower right corner)
We have now built the needed filter
Creating Rules: Aggregation
A threshold as trigger is necessary now
• Select the Aggregation tab
  Select # of Match and type 3 (number of occurrences)
  Select Time Frame and type 2 minutes
  *By the way, note how long a time frame can be!
We define the fields to aggregate on
• Select “Add” in the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)
• A window opens
• Add the following CEF fields: AttackerAddress, TargetAddress and TargetUserName
• Click OK, then click Apply
Creating Rules: Aggregation
You will be prompted to add some extra fields
• In more complex environments this is important; in this case, it does not matter
• Select either
Creating Rules: Actions
Now we define the actions that follow the rule firing
• Select the “Actions” tab
• By default the rule will always be set to “On First Event”
• We need to change this*:
  Right-click On First Event and select De-Activate Trigger
  Right-click On First Threshold and select Activate Trigger
*It is important in this case to de-activate ‘On First Event’; ‘On First Threshold’ should be used instead. Otherwise an action would take place for every event (which is not what we want). Remember we are expecting 3 events before any action.
Creating Rules: Actions (continued)
• Right-click on “On First Threshold”
• Select “Add”
• Select “Set Event Field”
• A window opens
This is where we can define the CEF fields to display for the correlated event. Here we define the text for the event name.
• Select Event | Name
• Type “Repeated Login Failure on same user account” (the same user account is being accessed multiple times)
• Click OK and Apply
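The three tabs above (Conditions, Aggregation, Actions) map onto a small piece of logic that is worth seeing end to end. The following Python model is an added example, not ArcSight code and not part of the course material: it evaluates condition lines (including the ignore-case and NOT options described in the Tips slides later on), aggregates matching events on the chosen fields within a time frame, and runs a "Set Event Field" action either On First Event or On First Threshold. The event dictionaries, timestamps, addresses and user names are constructed sample data; the field names follow the CEF names used on the slides.

```python
# Added example (not ArcSight/HP code): a small model of an ESM standard rule
# with Conditions, Aggregation and Actions, run over constructed CEF-style events.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Condition:
    """One line of the Conditions tab: <CEF field> <operator> <value>."""
    cef_field: str
    value: str
    operator: str = "="        # "=" or "StartsWith", as used on the slides
    ignore_case: bool = False  # the A-a box from the Tips slides
    negate: bool = False       # the NOT box from the Tips slides

    def matches(self, event: dict) -> bool:
        actual, expected = str(event.get(self.cef_field, "")), self.value
        if self.ignore_case:
            actual, expected = actual.lower(), expected.lower()
        if self.operator == "=":
            hit = actual == expected
        elif self.operator == "StartsWith":
            hit = actual.startswith(expected)
        else:
            raise ValueError("unsupported operator: " + self.operator)
        return hit != self.negate  # NOT flips the outcome of the line


@dataclass
class Rule:
    """Conditions + Aggregation (# of matches within a time frame) + Actions."""
    name: str
    conditions: List[Condition]
    aggregate_fields: Tuple[str, ...]     # "Aggregate only if these fields are identical"
    threshold: int                        # # of Match
    window_seconds: int                   # Time Frame
    trigger: str = "on_first_threshold"   # or "on_first_event"
    actions: List[Callable[[dict], None]] = field(default_factory=list)
    buckets: Dict[tuple, List[dict]] = field(default_factory=lambda: defaultdict(list))

    def process(self, event: dict) -> Optional[dict]:
        """Evaluate one base event; return the correlated event when the rule fires."""
        if not all(c.matches(event) for c in self.conditions):
            return None
        key = tuple(event.get(f) for f in self.aggregate_fields)
        bucket = self.buckets[key]
        # keep only the base events still inside the aggregation time frame
        bucket[:] = [e for e in bucket if event["t"] - e["t"] < self.window_seconds]
        bucket.append(event)
        if self.trigger == "on_first_event":
            fired = len(bucket) == 1  # acts on the first matching event, before any threshold
        else:
            fired = len(bucket) >= self.threshold
        if not fired:
            return None
        correlated = {"t": event["t"], "rule": self.name, "baseEvents": list(bucket)}
        correlated.update(zip(self.aggregate_fields, key))
        if self.trigger == "on_first_threshold":
            bucket.clear()  # counting starts over once the threshold has fired
        for action in self.actions:
            action(correlated)
        return correlated


def set_event_field(field_name: str, text: str) -> Callable[[dict], None]:
    """The 'Set Event Field' action from the Actions tab."""
    def action(correlated: dict) -> None:
        correlated[field_name] = text
    return action


def login_failure_rule(trigger: str = "on_first_threshold") -> Rule:
    """The slides' use case: 3 authentication failures within 2 minutes,
    aggregated on attacker address, target address and target user name."""
    return Rule(
        name="Repeated Login Failure",
        conditions=[Condition("categoryBehavior", "/Authentication/Verify"),
                    Condition("categoryOutcome", "/Failure")],
        aggregate_fields=("attackerAddress", "targetAddress", "targetUserName"),
        threshold=3, window_seconds=120, trigger=trigger,
        actions=[set_event_field("name", "Repeated Login Failure on same user account")])


def auth_event(t, user, outcome, attacker="203.0.113.5", target="10.0.0.10"):
    """Constructed authentication event (t = seconds since the start of the feed)."""
    return {"t": t, "categoryBehavior": "/Authentication/Verify", "categoryOutcome": outcome,
            "attackerAddress": attacker, "targetAddress": target, "targetUserName": user}


SAMPLE_EVENTS = [                           # constructed sample base events
    auth_event(0, "philippe", "/Failure"),
    auth_event(30, "philippe", "/Failure"),
    auth_event(45, "philippe", "/Success"),  # filtered out by the conditions
    auth_event(60, "philippe", "/Failure"),  # third failure inside 2 minutes: threshold
    auth_event(90, "philippe", "/Failure"),  # the count restarts after the rule fired
    auth_event(100, "bob", "/Failure"),      # different aggregation key
]


def run_sample(trigger: str = "on_first_threshold") -> List[dict]:
    rule = login_failure_rule(trigger)
    fired = []
    for event in SAMPLE_EVENTS:
        correlated = rule.process(event)
        if correlated:
            fired.append(correlated)
    return fired


if __name__ == "__main__":
    for c in run_sample():
        print(c["t"], c["name"], c["targetUserName"], len(c["baseEvents"]), "base events")
```

Running the sample with the default trigger produces exactly one correlated event, at the third failure, carrying all three base events; switching the trigger to "on_first_event" fires at the very first failure of each aggregation key instead, which is the behaviour the Actions slide tells you to de-activate for this use case.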
Setting Rule in Motion
• Rule is now complete
• It must be activated
• Select the new rule
• Left Click and Hold
• Drag it to “Real-Time Rules” Folder
• You can choose to Copy, Link or Move the Rule
• Select “Link”
• This is a best practice
Did the Rule Fire? ….Yes
Did We Cross The Threshold Successfully ?
• In viewer Right click the correlated event
• Select Correlation Options
• Select Detail Chain
• A new Window Opens
Yes! Threshold @3 fired the rule
Diagram: EVENT 1, EVENT 2, EVENT 3 → Fired Rule
The action has correctly set the Name field of the correlated event to the expected text
Tips for Creating Rules
Some conditions will need to ignore case, simply because one doesn't know how the evaluated field is written (e.g. a username starting with either an upper-case or a lower-case letter).
Will Philippe or philippe or PHILIPPE work in this condition evaluation?
Ignoring case in condition evaluation is a two-step process. First, select the condition line by either:
• Left-clicking the condition line you’re interested in, in the editor, or
• Typing the corresponding CEF field in the ‘Search for’ box at the bottom of the window.
The line will highlight in the lower panel of the Inspect/Edit panel.
Then …
Tips for Creating Rules (continued)
Then, secondly:
• Uncheck the A-a box to activate ignore case
• Ignoring case makes the condition work whatever the case, upper or lower, in the event field being evaluated
Philippe or philippe or PHILIPPE will work now!
Tips for Creating Rules: Adding a NOT operator in a condition line
Some conditions will need a NOT preceding the logical operator (e.g. an IP address is NOT part of a subnet).
• Select the condition line you’re interested in by left-clicking on it
• The line will show up in the lower panel of the Inspect/Edit panel
• Tick the [Not] check box corresponding to that line
• A NOT has been added before the logical operator
Tips: Sometimes it’s not that easy to see whether a rule has fired correctly among a large number of events in an Active Channel. The ‘Inline Filter’ feature makes it easier.
To see only correlated events:
• In the Active Channel in the viewer panel, double-click ‘Inline Filter’, or
• Click the pen icon
To see only correlated events (continued):
• In the Active Channel in the viewer panel, double-click ‘Inline Filter’
• The ‘Inline Filter’ window opens
• Tick the check box
• Click ‘Apply’ at the right end of the ‘Inline Filter’
Lab 1: Create and Test a Simple Rule Aggregating Events
Use Case: Detect login failures with Root as user account
What is expected? A rule is fired after 5 login failures with the Root user account, the failures taking place within a 3-minute time frame.
What content do we need here?
• Conditions: at least 3 conditions are required for this rule to fire
  • We need 2 categories (1 filters Authentications + 1 filters Failures), and we should select only Root as target user
• Aggregation:
  • A threshold is necessary to get the rule fired (set after 5 matches within 3 minutes)
  • Aggregate identical fields: attackerAddress, targetAddress, targetUserName
Open an Active Channel and check if your rule has fired (wait a few minutes)
• It might be good to use the ‘Inline Filter’ to do so
Cross Devices Correlation
Cross Device Correlation illustrated
Use Case: detect external login onto an IP camera behind a Firewall
Diagram: DSL uplink → Firewall → L2 Switch → IP camera
1st event: FIREWALL EVENT at T0; 2nd event: DEVICE EVENT at T1, inside the time window (T0 to T0+2 min, the maximum time window)
Threshold is crossed, therefore the rule is fired!
Advanced Correlation
• Example #1: FTP session is opened from the Internet
1. A firewall is configured to allow incoming passive FTP connections
2. Behind this firewall is a NAS with the FTP service turned on (credentials required to open sessions)
Cross Device Correlation Scenario
Diagram: DSL uplink → Firewall → L2 Switch → FTP server
The use case is to detect FTP passive sessions opened from any external IP address
Advanced Correlation
• Rule example #2: FTP session is opened from the Internet
1. A firewall is configured to allow incoming passive FTP connections
2. Behind this firewall is a NAS with the FTP service turned on (credentials required to open sessions)
• How do we do it?
  • The rule fires when 2 different (joined) events occur AND a threshold matches within a time frame
• What content do we need?
  Event 1 {Firewall} has the following conditions:
    Accepted connections on port 21 and also in the range 55536-56559 from “outside” (not from the LAN)
    Event coming from a device that is a ‘firewall’ (a known address would be nice to have)
    Category Behavior is ‘Access Successful’
  Event 2 {NAS} has the following conditions:
    FTP login from “outside” (not from the LAN) onto a NAS server
    Event from a device that is a NAS server (a known address is nice to have)
• Joined condition:
    Source IP is the same in Event 1 and Event 2 AND the time of Event 1 is before the time of Event 2
• Aggregation: number of matches is 1 within 2 minutes
Creating an Advanced Rule
We give the rule a name
• Then click on “Conditions”
Conditions with Joined Events
FIREWALL EVENT CONDITIONS FILTER
• Successful network access
• Device type is Firewall
• Internal target address is the NAS server address
• Destination port is 21 or in the port range 55536-56559
• Attacker (source IP) is not in our LAN; it’s outside
NAS SERVER FILTER CONDITIONS
• Successful user authentication
• We could add the device address to make sure
• Attacker (source IP) is not in the LAN; it’s outside
JOIN FILTER CONDITION
• Attacker (source IP) is the same in the Firewall and NAS events
• Firewall event precedes NAS server event
Advanced Rule: Aggregation
We need to fire the rule with a threshold
• Unusual aggregation, as we just need 1 occurrence
• Select the Aggregation tab
  Select # of Match and type 1
  Select Time Frame and type 2 minutes
• Click Apply
Actions
What are we doing here?
• We set some fields in the correlation event; this is what will be displayed in the console viewer
• We send a notification to the CERT team with internal messages (within the ArcSight workflow) and also with e-mails
• We define a category for Assets
• We add and hold the source IP address in an Active List
• We add and hold the username being used in the FTP session in a Session List
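To make the join logic of this rule concrete, here is an added Python model that is not ArcSight code and not part of the course: it keeps the Firewall events (Event 1) that pass their filter, and when a NAS authentication event (Event 2) arrives it applies the join condition (same attacker address, firewall event earlier than the NAS event) within the 2-minute time frame, then sets the correlated event's name and records a CERT notification. The LAN range, the NAS address, the device field names and the sample events are constructed assumptions for the example; the port numbers are the ones stated on the slides.

```python
# Added example (not ArcSight/HP code): a model of a rule with two joined
# events (Firewall event + NAS event), run over constructed CEF-style events.
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = ip_network("192.168.1.0/24")         # assumed internal network (placeholder)
NAS_ADDRESS = "192.168.1.50"               # assumed NAS server address (placeholder)
FTP_CONTROL_PORT = 21
FTP_PASSIVE_PORTS = range(55536, 56560)    # 55536-56559, as on the slide
JOIN_WINDOW_SECONDS = 120                  # Aggregation: 1 match within 2 minutes


def is_outside(address: str) -> bool:
    """The 'Attacker (source IP) is not in our LAN' condition."""
    return ip_address(address) not in LAN


def firewall_event_matches(e: dict) -> bool:
    """Event 1 {Firewall}: successful network access, device type Firewall,
    target is the NAS, port 21 or the passive range, source outside the LAN."""
    return (e.get("deviceType") == "Firewall"
            and e.get("categoryBehavior") == "/Access"
            and e.get("categoryOutcome") == "/Success"
            and e.get("targetAddress") == NAS_ADDRESS
            and (e.get("targetPort") == FTP_CONTROL_PORT
                 or e.get("targetPort") in FTP_PASSIVE_PORTS)
            and is_outside(e["attackerAddress"]))


def nas_event_matches(e: dict) -> bool:
    """Event 2 {NAS}: successful user authentication on the NAS from outside."""
    return (e.get("deviceAddress") == NAS_ADDRESS
            and e.get("categoryBehavior") == "/Authentication/Verify"
            and e.get("categoryOutcome") == "/Success"
            and is_outside(e["attackerAddress"]))


class JoinRule:
    """Firewall events are held until a matching NAS event arrives.
    Join condition: same attacker address AND firewall event before NAS event."""

    def __init__(self) -> None:
        self.pending_firewall: List[dict] = []
        self.notifications: List[str] = []   # stands in for the CERT notification action

    def process(self, event: dict) -> Optional[dict]:
        if firewall_event_matches(event):
            self.pending_firewall.append(event)
            return None
        if not nas_event_matches(event):
            return None
        # drop firewall events that fell out of the 2-minute time frame
        self.pending_firewall = [fw for fw in self.pending_firewall
                                 if event["t"] - fw["t"] < JOIN_WINDOW_SECONDS]
        for fw in self.pending_firewall:
            if fw["attackerAddress"] == event["attackerAddress"] and fw["t"] < event["t"]:
                self.pending_firewall.remove(fw)
                correlated = {
                    "t": event["t"],
                    "name": "FTP session opened from the Internet",  # Set Event Field action
                    "attackerAddress": event["attackerAddress"],
                    "targetUserName": event.get("targetUserName"),
                    "baseEvents": [fw, event],
                }
                self.notifications.append("CERT: %s from %s" % (correlated["name"],
                                                                event["attackerAddress"]))
                return correlated
        return None


def firewall_event(t, src, port):
    """Constructed firewall 'connection accepted' event."""
    return {"t": t, "deviceType": "Firewall", "categoryBehavior": "/Access",
            "categoryOutcome": "/Success", "attackerAddress": src,
            "targetAddress": NAS_ADDRESS, "targetPort": port}


def nas_event(t, src, user="ftpuser"):
    """Constructed NAS 'login successful' event."""
    return {"t": t, "deviceAddress": NAS_ADDRESS, "categoryBehavior": "/Authentication/Verify",
            "categoryOutcome": "/Success", "attackerAddress": src, "targetUserName": user}


SAMPLE_EVENTS = [                                # constructed sample base events
    firewall_event(10, "198.51.100.7", 21),      # external client accepted on the control port
    nas_event(25, "198.51.100.7"),               # same client logs in 15 s later: rule fires
    firewall_event(30, "192.168.1.20", 21),      # internal client: the "outside" condition fails
    nas_event(40, "198.51.100.9"),               # login with no preceding firewall event
    firewall_event(50, "198.51.100.11", 55600),  # passive data port accepted ...
    nas_event(200, "198.51.100.11"),             # ... but the login is 150 s later: outside the window
]


def run_sample() -> List[dict]:
    rule = JoinRule()
    return [c for c in (rule.process(e) for e in SAMPLE_EVENTS) if c]


if __name__ == "__main__":
    for c in run_sample():
        print(c["t"], c["name"], c["attackerAddress"], c["targetUserName"])
```

Only the first pair of events satisfies every condition at once; the internal client, the login without a firewall event and the login that arrives after the time frame all stay silent, which is the point of a join over a time window rather than two independent rules.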
Did the Rule Fire? ….Yes
Yes! Threshold @1 fired the rule
Diagram: EVENT 1, EVENT 2 → Fired Rule
The text was correctly set in the "Name" field
Thank You Questions ?
Active Lists
Active lists are data stores that can hold information derived from events or from other sources.
The main uses of active lists are to maintain information, and to check for the existence of particular information in lists using the InActiveList condition in rules.
For example, active lists are very useful for tracking suspicious or hostile IP addresses, as well as targets of attacks that may be compromised.
Active Lists
• Data source for resources (Rules, Reports, Query Viewers, …)
• ‘Memory tables’ with fields that can be dynamically added, removed or updated by rules
• Can also be populated manually or by importing CSV files
• Information in a list has a lifetime (lists are configured with a TTL: Time To Live)
Example: a “Worm Infected Systems” Active List tracks the zones and IP addresses of systems exhibiting worm-like behavior, along with the port that the worm is attempting to target
Creating Active Lists
• Select “Lists” from the Navigator Panel
Creating Active Lists
• Select ”Active Lists” tab in Navigator Panel
Anatomy of Active Lists
Item: Description
NAME: Specifies the name of the Active List
OPTIMIZE DATA: Reduces the memory consumed by the Active List by using hashes
CAPACITY: Number of entries in the Active List
TTL: Dictates how long an entry remains in the Active List
ALLOW MULTI-MAPPING: Allows multiple instances of key pairings
DATA: Events or fields included in the Active List
KEY FIELD: Allows rules to look up value fields
ArcSight creates audit events for all aspects of Active List statistics
Creating Active Lists
• When configured, click APPLY
CAUTION: Once saved, Active List parameters cannot be modified
Populating Active Lists
Importing CSV files
• Select « Active Lists » in the Navigator
• Right-click the desired Active List
• Select Import CSV Files
• Choose the file and click OK
Manually
• Select « Active Lists » in the Navigator
• Right-click the desired Active List
• Select « Edit Active List »
• Click « Add Entry » in the Inspect/Edit panel
• Add the entry and click
Use Case Examples
Populating Active Lists with Rules
• Example #1: a firewall-blocked IP address is added to a list and maintained for 2 hours
• How do we do it?
  • The rule detects firewall events with a blocked IP address (inbound connections)
  • An action in the rule adds the blocked IP address to a previously created Active List
  • The IP address is held in that list for 2 hours (if not updated, the entry in the list will be deleted)
• What content do we need?
  A field-based Active List holding blocked IP addresses for 2 hours
  A rule with the following:
    Conditions filtering access failures from the firewall's point of view
    Aggregation is necessary to get the rule fired (even though we just need 1 occurrence of such an event)
    An action adding Attacker Address, Device Address, Device Product and Device Vendor as 1 entry in the list
Creating Active List
• Select “Lists” from the Navigator Panel
Creating Active Lists
• Right Click on “admin’s Active Lists”
• Select “New Active List”
Creating Active Lists
• Provide a name for the list (e.g. External Firewall Blocked IP address)
• Select a Time To Live (TTL) period
  This is the time during which data will be held in the list
  0 means the data will not expire
  Here we hold each entry for 2 hours
Creating Active Lists
We will create a Field based Active List
• Select the “Fields Based” Radio button
Creating Active Lists
• Check the “Key Fields”
Creating Active Lists
• Define the fields* that each entry in the list will be comprised of
• Here we define/create 4 fields/columns*:
  Source IP address
  Firewall IP address
  FW Product Name
  FW Vendor
• Define the field type
• Check the “Key Fields” box for “Source IP” and “Firewall IP”
• Click “Apply” to save the changes
The Active List is now created and ready for use
*Think of the fields defined in an Active List as columns, like in a table
Populating Active Lists with Rules
• Select “Rules” from the Navigator Panel
Populating Active Lists with Rules
• Right Click on “<admin>’s Rules”
• Select “New Rule”
• Standard Rule
Populating Active Lists with Rules
• Provide a Name
• Select the Conditions Tab
Populating Active Lists with Rules
• Left-click on the “Filters” button
• Select the “Firewall filter” we created previously
Using filters is best practice:
  It creates consistency
  If you have previously tested the filter, you know it will work
  You can enter the conditions directly if preferred
Populating Active Lists with Rules
We need to add something to filter blocked accesses
• Right-click “Event1”
• Select “Category” then “CategoryBehavior”
• Select “StartsWith” as the logical operator
• Select “/Access” as the filter term
• Click OK
• Add the second line with categoryOutcome = « /Failure »
• Click Apply
The filter is now ready
• Click the « Aggregation » tab
Populating Active Lists with Rules
• Select “Add” in the “Aggregate only if these fields are identical” section (in the lower half of the Inspect/Edit panel)
• We select:
  Attacker Address: blocked IP address
  Device Address: firewall IP address
  Device Product: firewall model
  Device Vendor: firewall brand name
In this example we are looking for one event, but aggregation is still needed
• Apply the changes you have made
• Select either Yes or No when prompted for any extra fields
Populating Active Lists with Rules
• Select the “Actions” tab
• By default the rule will always be set to “On First Event”
• Meaning (with an aggregation of 1) this rule will always fire when an event is seen
The online help explains the other options in detail...
Populating Active Lists with Rules
• Right click on “On First Event”
• Select “Add”
• Select “Active List”
• Select “Add To Active List”
Populating Active Lists with Rules
• Right Click on “On First Event”
• Select to add to an Active List
• Select the created Active List “External Firewall Blocked
Addresses”
Populating Active Lists with Rules
We map Event Fields to the Active List Fields
• In the pop-up box we map the fields we aggregated on to the fields defined in the Active List
• Click OK
Populating Active Lists with Rules
• Click “OK” to save the rule
Populating Active Lists with Rules
• Rule is now complete
• It must be activated
• Select the new rule
• Left Click and Hold
• Drag it to “Real-Time Rules” Folder
Populating Active Lists with Rules
• You can choose to Copy, Link or Move the Rule
• Select “Link”
• This is a best practice
• The rule stays under its project folder but is active on the system
• Forgetting to deploy the rule to “Real-Time Rules” is the most common reason for rules not triggering!
Populating Active Lists with Rules
• You will see the new rule listed in both Folders
Did the Rule Fire? ….Yes
What happened to the Active List
• Go to the “Lists” -> “Active Lists” Resource under the
Navigator Panel
• Right Click on the Active List created
• Select “Show Entries”
What happened to the Active List?
• The Active List now has data in it
• Refresh is not automatic
• To refresh click the recycle icon
Chaining Rules using Active Lists
Example #1: Compromised user accounts detection
We want to detect Login Failures followed by Successful logins with the same user account
• How do we do it?
• By creating 1 Active List and 2 Rules
• Rule #1 detects Repeated Login Failures, then adds IP + Username to the Active List
• Rule #2 detects successful logins AND checks if IP + Username is already in the Active List
• What content do we need?
Create a Field-based Active List with the needed fields (Source IP + User Account Name)
Create rule #1
“Conditions” will filter login failures, then add to the Active List after 3 failures
Create rule #2
Conditions will filter successful logins, then check with InActiveList
Complex Scenarios Detection - Chaining Rules
Diagram (recovered from the slide): Sequence 1 (events combination) → Rule1 → Action: write in Active List “Suspect”; Sequence 2 (events combination) → Rule2 → Action: write in Active List “Hostile”; Sequence 3 (events combination) → Rule3 → Action: ALERT (unique correlated event)
1. Inter-relates events across sessions using Active Lists (or memory tables)
2. Any field or combination of event fields may be persisted from base events
3. Long- and short-term state machines
4. Good for tracking logical sequences of events
E.g. reconnaissance, attack formation, progression & conclusion, low-level signals follow-up
Chaining Rules
1. Attacker is probing a network
2. Minutes, days or even weeks after that, the same attacker starts login challenge sessions (unauthorized accesses) onto a system and fails
3. Eventually the attacker has successfully accessed a system: compromised resource
Chaining Rules using Active Lists
Rule #1
• We can use the Rule from Lab 7-1
Remove any reference to the Root user account
Click Apply
Then click the Aggregation tab
Chaining Rules using Active Lists
Rule #1: to make sure the rule is fired in this demo we define a low threshold level
• Select Aggregate Tab
Select # of Match and type 3 (number of occurrences)
Select Time Frame and type 2 minutes
Select “Add” for the “Aggregate only if these fields are identical” section (lower half of Inspect/Edit panel)
Add the following CEF Fields:
AttackerAddress, TargetAddress and TargetUserName
Click OK then Click Apply
Chaining Rules using Active Lists
Now we define the actions that follow when the rule fires
• Select “Actions” tab
• By default the rule will always be set to “On First Event”
• We need to change this:
Right click On First Event and select De-Activate Trigger
Right click On First Threshold and select Activate Trigger
Chaining Rules using Active Lists
• Right click on “On First Threshold”
• Select “Add”
• Select “Active List” then Select “Add to Active List”
We select the Active List “Repeated Login Failures” we just created.
• Map the required Fields
• “Username” maps event field “Target User Name”
• “Target Host” maps event field “Target Address”
• “Source IP” maps event field “Attacker Address”
Click OK and Apply
RULE #1 is ready now
Chaining Rules using Active Lists
Rule #2
• What it will do:
• Detect Successful Logins
• Check if the username is in the Active List “Repeated Login Failures”
• If so, fire an alarm
• 3 conditions needed here:
1. categoryBehavior=/Authentication/Verify
2. categoryOutcome=/Success
3. “InActiveList”
Chaining Rules using Active Lists
Rule #2
• Select the “Repeated Login Failures” Active List we just created from the drop down list
• Map the Event Fields to the Active List’s defined Fields
• Click OK
• Click APPLY in the “InActiveList” window
• Click APPLY in the lower right corner
Chaining Rules using Active Lists
Rule #2: we need aggregation to fire the rule
• Select Aggregate Tab
Select # of Match and type 1
Select Time Frame and type 2 minutes
Select “Add” for the “Aggregate only if these fields are identical” section (lower half of Inspect/Edit panel)
Add the following CEF Fields:
AttackerAddress, TargetAddress and TargetUserName
Click OK then Click Apply
Chaining Rules using Active Lists
Action will Set Name Field to:
• “Compromised User Account ?”
• Rule is complete now and must be copied to the
Real Time Rules directory
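The two chained rules built in the slides above (Rule #1 adding repeated login failures to the “Repeated Login Failures” Active List, Rule #2 firing on a successful login that is found InActiveList), replayed over a handful of events so the chaining can be seen end to end. This is an added Python simulation written for this page, not ArcSight code or course material: event field names follow CEF/ESM naming, the threshold and time-frame handling is a simplification of ESM aggregation, the Active List entry lifetime is an assumption, and the sample events are constructed.

```python
"""Simulation of two chained ESM-style rules backed by a field-based Active List.

Added example, not ArcSight code. Rule #1: three login failures within two
minutes for identical attacker / target / user fields -> Add To Active List.
Rule #2: a successful login whose fields are already in that list -> correlation
event named "Compromised User Account ?".
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                      # "# of Match" on the Aggregation tab
TIME_FRAME = timedelta(minutes=2)  # "Time Frame" on the Aggregation tab
LIST_TTL = timedelta(hours=1)      # Active List entry lifetime (assumed value)


def _ts(event):
    return datetime.strptime(event["endTime"], "%Y-%m-%d %H:%M:%S")


def agg_key(event):
    """'Aggregate only if these fields are identical' for both rules."""
    return (event["attackerAddress"], event["targetAddress"], event["targetUserName"])


class ActiveList:
    """Field-based Active List: (Source IP, Target Host, Username) -> time added."""

    def __init__(self, ttl=LIST_TTL):
        self.ttl = ttl
        self.entries = {}

    def add(self, key, when):
        self.entries[key] = when

    def in_list(self, key, now):
        added = self.entries.get(key)
        return added is not None and now - added <= self.ttl


def is_login(event, outcome):
    return (event["categoryBehavior"] == "/Authentication/Verify"
            and event["categoryOutcome"] == outcome)


def rule1_repeated_failures(event, windows, active_list):
    """Rule #1: fires On First Threshold, action Add To Active List."""
    if not is_login(event, "/Failure"):
        return False
    key, now = agg_key(event), _ts(event)
    # Keep only failures inside the time frame (simplified sliding window).
    window = [t for t in windows[key] if now - t <= TIME_FRAME] + [now]
    if len(window) >= THRESHOLD:
        active_list.add(key, now)   # Username / Target Host / Source IP mapping
        windows[key] = []           # aggregation bucket flushed after the threshold
        return True
    windows[key] = window
    return False


def rule2_success_in_list(event, active_list):
    """Rule #2: /Success AND InActiveList -> correlation event with Name set."""
    if is_login(event, "/Success") and active_list.in_list(agg_key(event), _ts(event)):
        return {"name": "Compromised User Account ?", **event}
    return None


def run(events):
    """Replay events in time order; return (correlation events, active list keys)."""
    windows, active_list, fired = defaultdict(list), ActiveList(), []
    for event in sorted(events, key=_ts):
        rule1_repeated_failures(event, windows, active_list)
        hit = rule2_success_in_list(event, active_list)
        if hit:
            fired.append(hit)
    return fired, set(active_list.entries)


def _ev(t, outcome, user, src="10.0.0.5", dst="10.0.1.20"):
    return {"endTime": t, "categoryBehavior": "/Authentication/Verify",
            "categoryOutcome": outcome, "attackerAddress": src,
            "targetAddress": dst, "targetUserName": user}


# Constructed sample events (not captured from a real ESM).
SAMPLE_EVENTS = [
    _ev("2015-06-01 10:00:00", "/Failure", "administrator"),
    _ev("2015-06-01 10:00:30", "/Failure", "administrator"),
    _ev("2015-06-01 10:01:00", "/Failure", "administrator"),  # threshold reached
    _ev("2015-06-01 10:01:30", "/Success", "administrator"),  # Rule #2 fires
    _ev("2015-06-01 10:05:00", "/Failure", "bob", src="10.0.0.7"),
    _ev("2015-06-01 10:05:20", "/Failure", "bob", src="10.0.0.7"),
    _ev("2015-06-01 10:05:40", "/Success", "bob", src="10.0.0.7"),  # only 2 failures
    _ev("2015-06-01 10:10:00", "/Failure", "carol", src="10.0.0.9"),
    _ev("2015-06-01 10:11:00", "/Failure", "carol", src="10.0.0.9"),
    _ev("2015-06-01 10:13:30", "/Failure", "carol", src="10.0.0.9"),  # outside the frame
    _ev("2015-06-01 10:14:00", "/Success", "carol", src="10.0.0.9"),  # must not fire
]

if __name__ == "__main__":
    fired_events, listed = run(SAMPLE_EVENTS)
    for hit in fired_events:
        print(hit["name"], hit["targetUserName"], hit["attackerAddress"])
```

Run stand-alone it prints the single correlation event for the administrator account; bob never reaches the threshold and carol's third failure falls outside the two-minute frame, so neither reaches the Active List. The same shape (aggregation key, list, lookup) fits the firewall blocked-address list of the earlier slides and Lab 3, with the key changed to the attacker and device fields.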
Did the Rule Fire? ….Yes
Lab 2: Create and Test a Chaining Rule Aggregating Events
Use Case: Detect a successful login immediately after multiple failed logins for the ‘administrator’ account
What is expected? A rule is fired if multiple failed logins are observed for the ‘administrator’ account, and immediately after that a successful login event is observed.
What Content do we need here?
• Conditions: At least 2 Conditions & 1 Active List are required for this rule to be fired
Open an Active Channel and check if your rule has fired (wait a few minutes)
• It might be good to use the ‘InLine’ Filter to do so
Lab 3: Chain 2 rules with an Active List
Use Case: Detect an already-denied address that is later seen inside the network. A network firewall denied access to an IP address; that same IP address is seen later on another part of the network, indicating that a breach has occurred (an improbable scenario apparently, but let’s do it)
• What Content do we need here?
• 1 Active List, field-based (attacker IP, Firewall IP, Firewall Type and Vendor)
• 2 Rules
• Rule 1: Detects IP addresses denied by the Firewall, then adds the IP to an Active List
• Rule 2: Detects IP addresses permitted by the firewall and searches whether the IP is in the Active List
• Action: Set Event Field to “Potential Breach !!!”
Thank You. Questions?
Reports
Reports are captured views or summaries of data that can be printed or viewed in the ArcSight Console or ArcSight Command Center viewer in a variety of formats. A report binds one or more queries with a report template.
Reports
• Can be viewed with:
• ESM Console or ArcSight Command Center
• 3rd party utilities: PDF, Excel and CSV
• Report overall workflow:
1. Gather Report data (Active Lists, Session Lists, Notifications, Cases, Assets, Events, Trends)
2. Develop Report in Report templates
3. Run as Scheduled Report or On Demand
• Data can be collected by:
• Running Queries on the ESM Database
• Using Trends
Creating Reports - Templates
• Basic report templates are provided as standard
• For testing and basic reporting they are effective!
• Custom report templates can be created
• Very flexible
• Meet most report design requirements
• Require extended knowledge of the template editor
Creating Reports
• Minimum 2 Steps Required
• Recommend 3 Steps
1. Minor edit of template to apply customer logo
2. Create a Query that will supply data to the report engine
Resource-based SQL logic intended to gather information from data sources
3. Associate the Query with a Report
The following example will illustrate how to build a report showing the top 10 firewall events
Creating Reports
• Use the Navigator panel to Open the REPORTS resource
Creating Reports - Templates
• The Reports resource has 5 tabs
• Let us customize the template
• Select the “Templates” tab
Creating Reports - Templates
• Browse the resources tree
• Select “ArcSight System” → “1 Chart” → “With Table” → “Chart and Table Portrait”
• Left Click and Drag to Admin’s report templates
Creating Reports - Templates
• Select “Copy”
Creating Reports - Templates
• Copy to “Admin’s Templates”
• Right Click, select “Edit Template”
Creating Reports - Templates
• Select “Open in Designer” from the “Inspect/Edit” panel
Creating Reports - Templates
• Report Designer opens as a separate (embedded) application
Creating Reports - Templates
• Select the “ArcSight” Logo
• Right Click
• Select Properties
Creating Reports - Templates
• In the dialogue box
• Uncheck “None”
• This allows you to select another Logo
• Select “Browse”
Creating Reports - Templates
• Select an appropriate logo
• PNG format is recommended
• Smaller images work best
Creating Reports - Templates
• Check the “Embed” option
• Click OK
Creating Reports - Templates
• Exit the Report Designer
You will be prompted to save the edit!
Creating Reports - Templates
• Select “Yes” to save the template
• When back in the Console Inspect/Edit panel select “Apply”
Changes are not saved until you Apply the changes
Creating Reports - Queries
• STOP!
• Before building reports
• Know what you want to report on!
• It may sound obvious, but think about the data you are going to report on
• How much will there be?
• 1000 page reports do not look sexy
• Consider the Fields you will use
Creating Reports - Queries
• We have a template, now let us build the Query to be run on the ESM database
• Under “Reports” in the Navigator Panel
• Select the “Queries” Tab
• Right Click and select “New Query”
Creating Reports - Queries
• Provide a query Name
• Select Query on Events
• Select Start and End Time
• Select the Fields tab
Creating Reports - Queries
• Queries are based on SQL logic:
• Select
• Group by
• Order by
• Functions available for grouping and sorting:
• Count
• Max
• Min
• Average
• Sum
• Time (grouping by time frame)
• Left Click on “Add ‘SELECT’ columns”
Creating Reports - Queries
• Select from the Fields that you want included in the report
• This can (and should) be multiple selections
Use as many fields as required but not too many.
4 or 5 fields will look best in A4 Portrait
Creating Reports - Queries
• Event ID will be used for aggregation
• Double Click it
Creating Reports - Queries
• Select the drop down
• Select “Count”
• Click the Green icon
Creating Reports - Queries
• Left click on “Add ‘ORDER BY’ columns”
• Choose the field to order the report by
• Event ID in the example
Creating Reports - Queries
• Apply the same aggregation as for the Select component
• Select for the report to Ascend (ASC) or Descend (DESC)
Creating Reports - Queries
• Now we need a filter to select the event data to report on
• Select the “Conditions” Tab
Creating Reports - Queries
• We could add a new condition
• It’s better here to use (or reuse) a Filter
• Select from Admin’s Filters
• Firewall Events
• Click OK
Creating Reports - Queries
• Apply the changes
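The Query just built (SELECT columns with a COUNT on Event ID, ORDER BY that count descending, the reused “Firewall Events” filter as the condition, and a row limit of 10 as set later under Parameters) has the shape of an ordinary SQL aggregation. Below is an added example, not output of the ESM query editor or part of the course: the same report query written out in SQL and run with Python over an in-memory SQLite table of constructed events. The table and column names, the use of Device Product as the “Firewall Events” filter, and the sample rows are all assumptions made for the example.

```python
"""Report query for "Top 10 firewall events by destination address".

Added example, not the ESM query editor's own SQL. The table layout, the
column names and the filter expression are assumptions; the rows are
constructed so the result can be checked by hand.
"""
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2015, 6, 1, 12, 0, 0)   # constructed "report run" time ($Now)

# SELECT / GROUP BY / ORDER BY with COUNT on Event ID; the device_product test
# stands in for the reused "Firewall Events" filter (assumed filter logic).
TOP_N_SQL = """
SELECT destination_address, COUNT(event_id) AS event_count
FROM events
WHERE end_time >= ? AND end_time < ?
  AND device_product = 'Firewall-1'
GROUP BY destination_address
ORDER BY event_count DESC
LIMIT ?
"""


def build_sample_db():
    """In-memory table with constructed firewall and non-firewall events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        event_id INTEGER PRIMARY KEY, end_time TEXT, device_vendor TEXT,
        device_product TEXT, destination_address TEXT, category_outcome TEXT)""")
    rows, eid = [], 1
    # 12 destinations: destination i receives 13 - i firewall events, all inside the last hour
    for i in range(1, 13):
        for _ in range(13 - i):
            when = (NOW - timedelta(minutes=1 + eid % 50)).isoformat(" ")
            rows.append((eid, when, "CheckPoint", "Firewall-1", f"10.0.0.{i}", "/Success"))
            eid += 1
    # Noise that the filter and the time window must exclude
    rows.append((eid, (NOW - timedelta(minutes=5)).isoformat(" "),
                 "Microsoft", "Windows", "10.0.0.1", "/Success"))
    eid += 1
    for _ in range(20):   # three-hour-old events for an otherwise quiet destination
        rows.append((eid, (NOW - timedelta(hours=3)).isoformat(" "),
                     "CheckPoint", "Firewall-1", "10.0.0.12", "/Success"))
        eid += 1
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def top_firewall_events(conn, start=None, end=None, row_limit=10):
    """Run the report query; start/end default to "$Now - 1h" and "$Now"."""
    start = start or NOW - timedelta(hours=1)
    end = end or NOW
    return conn.execute(TOP_N_SQL, (start.isoformat(" "), end.isoformat(" "),
                                    row_limit)).fetchall()


if __name__ == "__main__":
    for dst, count in top_firewall_events(build_sample_db()):
        print(f"{dst:<12} {count}")
```

Timestamps are stored as ISO strings so the window comparison is a plain string comparison; with the constructed rows the result is ten destinations with counts 12 down to 3, the Windows event and the old events never counting. Keeping the time window short, as the slides advise for Preview, is what keeps such a GROUP BY cheap on a real event store.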
Creating Reports
• We now have:
• a customized template
• a Query
• Now we need to associate our template and our Query
• This will actually create the report
• In the Navigator Panel under Reports
• Select “Reports”
Creating Reports
• Right Click and Select “New Report”
Creating Reports
• Provide a Name for the report
This will appear in the report title
Creating Reports
• Select the “Template” tab
• Select the Template that you created earlier
Creating Reports
• Select the “Data” tab
• Select the Query that you created
Creating Reports
• Select the “Chart” tab
• Select the Query that you created
The same Query in this example, but it can be different
Creating Reports
• Select a “Chart Type” from the drop down box
Creating Reports
• Move the appropriate field(s) for the X-Axis
Creating Reports
• Move the appropriate field(s) for the Y-Axis
Creating Reports
• Select the “Parameters” tab
Creating Reports
• Unselect the “Use Default” option for “Row Limit” for both Table and Chart
• Edit the “Row Limit” to show “10”
Creating Reports
• “Apply” the changes to the report
• Select “Preview”
Creating Reports
• Change the “Start Time” to “$Now – 1h”
• Make sure that data matching the report is in this time window!
• Try to keep the time window short so you are not kept waiting for the result
Creating Reports
• Confirm the report presents the data you expected in the format you wanted
• Make appropriate changes and retest
Lab 1 Create a report showing Top 10 Firewall Events
• Include a Chart and Table
• Run the report for all data today
• Group the data by Destination Address or Hostname
• Schedule the report to run every day
• What time should reports run at?
• What factors need to be considered?
Thank You. Questions?