Building Active Rules in ESM - Micro Focus Community

© Copyright 2015 Hewlett-Packard – HP Enterprise Security University – Course presentation (Institute of Information Security-India) Building Active Rules in ESM


Page 1

Building Active Rules in ESM

Page 2

HP ESP University

Course title: Building Active Rules in ESM

Description: Upon successful completion of this lab, you will be able to:

• Describe the different rule types

• Configure rules using Conditions, Aggregation and Actions

• Create and test rules aggregating base events

Course Length: Two days, Instructor Led

Page 3

Table of contents

Day 1

• Rules

• Active Lists

Day 2

• Reports

• Queries

Page 4

Rules

Rules (a.k.a. correlation rules or alerts) are used to detect specific events or situations and take appropriate actions.

Creating rules involves defining the events the rule evaluates, the thresholds, and the actions the rule triggers. Conditions define which events the rule considers, thresholds determine when a condition is met and a correlation event is generated, and actions state what responses are taken when the rule fires.

Page 5

HP ArcSight ESM Rules

• Sometimes referred to as “Alerts” or “Correlation Rules”

• Real-time operations

• 3 rule types:

• Standard: includes all features for rule creation

• Lightweight: small set of features for faster and simpler rule processing (no aggregation or joins; actions are limited to updating active and session lists, and no correlation event is generated)

• Pre-persistence: enables basic event analysis before the events themselves are persisted in the CORR-Engine (actions are limited to setting fields on the event before it is stored)

Page 6

ArcSight Correlation 1/3: Basic Rules or Simple Correlation – a.k.a. Events Aggregation

(Diagram: correlation of a unique event, or of multi-events sharing the same base event)

• Most basic correlation

• Single event type or category

• Basic conditions

• De-duplicates events (many-to-one)

• Catches and accumulates events in memory

• Single source, single target

Page 7

ArcSight Correlation 2/3: Advanced Correlation – a.k.a. Joining Events

(Diagram: correlation of a unique event, or of multi-events: multiple events, multiple sources and targets)

• Inter-relates (joins) diverse events (from different devices) with any combination of common field values: e.g. source IP, target IP, port, protocol, username, domain, location, zone, etc.

• Compares any event fields using flexible Boolean logic (AND, OR, NOT)

• Good for cross-event matching of complete end-to-end sessions

• E.g.: correlating when an attacker is detected by a NIDS, crossing the firewall, compromising a host, creating a back connection to steal confidential data

Page 8

ArcSight Correlation 3/3: Complex Scenarios Engineering – a.k.a. Chaining Rules

(Diagram: Rule1 – sequence 1, events combination – action: write to Active List “Suspect”. Rule2 – sequence 2, events combination – action: write to Active List “Hostile”. Rule3 – sequence 3, events combination – action: ALERT. The result is a unique correlated event.)

1. Inter-relates events across sessions using Active Lists (or memory tables)

2. Any field or combination of event fields may be persisted from base events

3. Long- and short-term state machines

4. Good for tracking logical sequences of events

Scenario:

1- An attacker is probing a network

2- Minutes, days or even weeks after that, the same attacker starts login challenge sessions (unauthorized access attempts) onto a system and fails

3- Eventually the attacker has successfully accessed a system: compromised resource

Page 9

Creating Rules

Creating rules is a 3-step process

1. Define the “Conditions”

Which event occurrences do I want to be aware of?

Filtering matching events to be evaluated

2. Define “Aggregation”

How many times do I want the event or events to occur and within what time frame?

The number of times an event or events (threshold) need to occur before the rule triggers

3. Define “Actions”

What actions should automatically occur when an event is generated?

When should those actions occur?

What steps will be taken as a response when a rule is fired

Page 10

Rule Editor

ATTRIBUTES TAB typically contains the rule name and defines the rule type

CONDITIONS TAB is where filters are defined for matching the events to be evaluated

AGGREGATION TAB is where event aggregation and the number of matches (thresholds) are defined

ACTIONS TAB is where the actions taken after a rule fires are defined

LOCAL VARIABLES TAB is where variables (functions) can be defined to enrich data processing

Page 11

Conditions Tab: Filters

• Allow for re-use of content

• Best practice

• Greater consistency

• Reduce errors and save time

Page 12

Conditions Tab: Assets

• Increase rule accuracy

• Best practice

Page 13

Conditions Tab: Vulnerabilities

Page 14

Conditions Tab: Active Lists

• InActiveList condition

Page 15

Conditions Tab: Active Lists (continued)

Page 16

Conditions Tab: Joining different events from different sources

- Event 1 label « DATA CENTER FIREWALL EVENT »

- Event 2 label « DATA CENTER APPLICATION EVENT »

Page 17

Action Sets

Actions are triggered upon rule firing

• Actions run automatically

• Actions trigger only once or many times, depending on the trigger they are attached to (e.g. On First Event, On First Threshold)

• Actions can be:

− Setting event fields in the correlated event

− Sending the triggered rule's associated events to HP OpenView

− Sending notifications to ArcSight user groups

− Executing a command locally / at connector level

− Exporting a case/data to an external system (using XML)

− Managing a case (open a new one, add to an existing case, …)

− Adding/removing information to/from Active/Session Lists

− Modifying asset categories

Page 18

Use Case Example

Page 19

Simple Correlation a.k.a. Events Aggregation

• Example #1: multiple login attempts (failures) on the same user account

• How do we do it?

• The rule detects repeated login failures within a given time frame (minutes), then triggers an alarm

• What content do we need?

Conditions will search (filter) for authentication failure events

We can use categorization: categoryBehavior and categoryOutcome will do the job

The aggregation mechanism will accumulate matching events until a threshold is crossed

Aggregation operates on recurring fields: source IP, destination IP and login username make sense here

The corresponding CEF fields to aggregate on are:

sourceAddress or attackerAddress

destinationAddress or targetAddress

destinationUserName or targetUserName

Page 20

Creating Rules

• Select “Rules” from the Navigator Panel

Page 21

Creating Rules

• Right Click on “<admin>’s Rules”

• Select “New Rule”

• Standard Rule

By selecting ‘Standard Rule’ we have all features

available for building a rule

Page 22

Creating Rules: Attributes

Provide a Rule Name

o This will be the name you see in any Alerts or Correlation Events

o It is possible to change this with Actions Sets (will see later)

o Select the Conditions Tab

Page 23

Creating Rules: Conditions

First we need to filter login failure events

We use here the ArcSight event categorization fields

• Right click “Event1” in the Conditions Edit panel

• Choose ‘New Condition’

• Select ‘Category’ then ‘Category Behavior’

Page 24

Creating Rules: Conditions

Here we go with the first condition in the filter

• Select /Authentication/Verify as the filter term from the drop-down list; the logical operator is equal (=)

• Click OK in the Edit tab

Now we add a second condition to the filter

• Right click “Event1”

• Choose New Condition

• Select “Category” then “Category Outcome”

• Select /Failure as the filter term; the logical operator is equal (=)

• Click OK in the Edit tab

• Click Apply in the Rule Editor (lower right corner)

We have now built the needed filter

Page 25

Creating Rules: Aggregation

A threshold as trigger is necessary now

• Select the Aggregation tab

Select # of Matches and type 3 (number of occurrences)

Select Time Frame and type 2 minutes

*By the way, note how long a time frame can be!

We define the fields to aggregate on

• Select “Add” in the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)

• A window opens

• Add the following CEF fields: AttackerAddress, TargetAddress and TargetUserName

Click OK then click Apply

Page 26

Creating Rules: Aggregation

You will be prompted to add some extra fields

• In more complex environments this is important; in this case it does not matter

• Select either

Page 27

Creating Rules: Actions

Now we define the actions that follow the rule firing

• Select the “Actions” tab

• By default the rule will always be set to “On First Event”

• We need to change this*:

Right click On First Event and select De-Activate Trigger

Right click On First Threshold and select Activate Trigger

*It’s important in this case to de-activate ‘On First Event’; ‘On First Threshold’ should be used instead. Otherwise the action would take place as soon as the first matching event arrives, before the threshold is reached (which is not what we want). Remember we are expecting 3 events before any action.

Page 28

Creating Rules

• Right click on “On First Threshold”

• Select “Add”

• Select “Set Event Field”

• A window opens

This is where we can define the CEF fields to display for the correlated event. Here we define the text for the event name.

• Select Event | Name

• Type “Repeated Login Failure on same user account” (the same user account is being accessed multiple times)

• Click OK and Apply

Page 29

Setting Rule in Motion

• Rule is now complete

• It must be activated

• Select the new rule

• Left Click and Hold

• Drag it to “Real-Time Rules” Folder

• You can choose to Copy, Link or Move the Rule

• Select “Link”

• This is a best practice: a linked rule stays a single object, so later edits made in your own folder are what runs under Real-Time Rules, whereas a copy would diverge

Page 30

Did the Rule Fire? ….Yes

Page 31

Did We Cross The Threshold Successfully ?

• In viewer Right click the correlated event

• Select Correlation Options

• Select Detail Chain

• A new Window Opens

Page 32

Yes! Threshold @3 fired the rule

(Screenshot: Detail Chain showing EVENT 1, EVENT 2 and EVENT 3 under the fired rule; the action has correctly set the Name field of the correlated event to the expected text)

Page 33

Tips for Creating Rules

Some conditions will need to ignore case, simply because one doesn’t know how the evaluated field is written (e.g. a username starting either with an upper-case or a lower-case letter).

! Will Philippe or philippe or PHILIPPE work in this condition evaluation?

Ignoring case in condition evaluation is a two-step process. First, select the condition line by either:

• Left clicking the condition line you’re interested in, in the editor

or

• Typing the corresponding CEF field in the ‘Search for’ box at the bottom of the window.

The line will highlight in the lower panel of the Inspect/Edit panel.

Then ….

Page 34

Then, secondly:

• Uncheck the A-a box to activate ignore case

• Ignoring case will make the condition work whatever the case (upper or lower) of the event field being evaluated

! Philippe or philippe or PHILIPPE will work now!

Page 35

Tips for Creating Rules

Some conditions will need a NOT preceding the logical operator (e.g. an IP address is NOT part of a subnet).

Adding a NOT operator in a condition line:

• Select the condition line you’re interested in by left clicking on it

• The line will show up in the lower panel of the Inspect/Edit panel

• Tick the [Not] box corresponding to that line

• A NOT has been added before the logical operator

Page 36

Tips

Sometimes it’s not that easy to see if a rule has fired correctly among the large number of events in an Active Channel. The ‘Inline Filter’ feature makes it easier.

To see only correlated events:

• In the Active Channel in the viewer panel, double click ‘Inline Filter’

or

• Click the pen icon

Page 37

To see only correlated events (continued):

• In the Active Channel in the viewer panel, double click ‘Inline Filter’

• The ‘Inline Filter’ window will open

• Tick the check box

• Click ‘Apply’ at the right end of the ‘Inline Filter’

Page 38

Lab 1: Create and Test a Simple Rule Aggregating Events

Use Case: Detect Login Failures with Root as User Account

What is expected? A rule is fired after 5 login failures with the root user account, the failures taking place within a 3-minute time frame

What content do we need here?

• Conditions: at least 3 conditions are required for this rule to be fired

• We need 2 categories (1 will filter Authentications + 1 will filter Failures) and we should select only root as target user

• Aggregation: a threshold is necessary to get the rule fired (set after 5 matches within 3 minutes)

• Aggregate identical fields: attackerAddress, targetAddress, targetUserName

Open an Active Channel and check if your rule has fired (wait a few minutes)

• It might be good to use the ‘Inline Filter’ to do so
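The rule built on pages 20 to 28, re-implemented in Python as an added example (this is not code from the course slides or from ArcSight): the conditions keep authentication failures, aggregation groups matching events on identical attackerAddress, targetAddress and targetUserName, the rule fires on the first threshold (3 matches within 2 minutes) and the action sets the correlated event's name. It goes beyond the slides in taking the threshold, the time frame and an optional target-user filter as parameters, so the same code also expresses the Lab 1 rule above (5 root failures within 3 minutes). The event dictionaries, their timestamps and the helper names (ts, auth_event, aggregate, lab1_rule) are constructed for the example and only mimic ESM field names; nothing here talks to a real ESM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Aggregate only if these fields are identical" (Aggregation tab)
AGGREGATE_FIELDS = ("attackerAddress", "targetAddress", "targetUserName")


def matches_conditions(event, target_user=None):
    """Conditions tab: categoryBehavior = /Authentication/Verify AND
    categoryOutcome = /Failure. target_user is the extra condition Lab 1 asks
    for (only 'root'), compared case-insensitively as on the 'ignore case' tip."""
    if event.get("categoryBehavior") != "/Authentication/Verify":
        return False
    if event.get("categoryOutcome") != "/Failure":
        return False
    if target_user is not None:
        user = event.get("targetUserName") or ""
        if user.lower() != target_user.lower():
            return False
    return True


def aggregate(events, threshold=3, time_frame=timedelta(minutes=2), target_user=None):
    """Aggregation + Actions tabs. Events must arrive in time order, as the
    real-time engine sees them. Returns the correlated events the rule emits.
    The time frame is counted from the first matching event of a group; if the
    threshold is not reached before it elapses, the partial group is discarded."""
    groups = defaultdict(deque)   # aggregation key -> endTimes of matching base events
    correlated = []
    for event in events:
        if not matches_conditions(event, target_user):
            continue                       # filtered out by the conditions
        key = tuple(event.get(f) for f in AGGREGATE_FIELDS)
        window = groups[key]
        if window and event["endTime"] - window[0] > time_frame:
            window.clear()                 # time frame expired without a threshold hit
        window.append(event["endTime"])
        if len(window) >= threshold:
            # Trigger 'On First Threshold' -> action 'Set Event Field' (Event | Name)
            correlated.append({
                "name": "Repeated Login Failure on same user account",
                "attackerAddress": key[0],
                "targetAddress": key[1],
                "targetUserName": key[2],
                "baseEventCount": len(window),
                "endTime": event["endTime"],
            })
            window.clear()                 # the group starts over after firing
    return correlated


def lab1_rule(events):
    """Lab 1 variant: 5 failures on the root account within 3 minutes."""
    return aggregate(events, threshold=5, time_frame=timedelta(minutes=3), target_user="root")


def ts(hhmmss):
    """Constructed timestamp on a fixed day (keeps the samples readable)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2015, 6, 1, h, m, s)


def auth_event(hhmmss, attacker, user, outcome="/Failure", target="10.0.0.5"):
    """Constructed event using ESM-like field names (not a real ArcSight event)."""
    return {"endTime": ts(hhmmss), "categoryBehavior": "/Authentication/Verify",
            "categoryOutcome": outcome, "attackerAddress": attacker,
            "targetAddress": target, "targetUserName": user}


SAMPLE_EVENTS = [  # constructed, in time order
    auth_event("09:00:00", "192.0.2.10", "philippe"),
    auth_event("09:00:20", "192.0.2.10", "philippe"),
    auth_event("09:00:30", "192.0.2.10", "philippe", outcome="/Success"),  # ignored
    auth_event("09:00:40", "198.51.100.7", "philippe"),  # other attacker: separate group
    auth_event("09:00:50", "192.0.2.10", "philippe"),    # 3rd failure in 50 s -> fires
    auth_event("09:05:00", "192.0.2.10", "philippe"),
    auth_event("09:05:30", "192.0.2.10", "philippe"),
    auth_event("09:08:00", "192.0.2.10", "philippe"),    # 3 min after the 1st: frame expired
    auth_event("09:10:00", "203.0.113.9", "root"),
    auth_event("09:10:30", "203.0.113.9", "root"),
    auth_event("09:11:00", "203.0.113.9", "root"),       # default rule fires here
    auth_event("09:11:30", "203.0.113.9", "root"),
    auth_event("09:12:00", "203.0.113.9", "root"),       # Lab 1 rule (5 in 3 min) fires here
]

if __name__ == "__main__":
    for c in aggregate(SAMPLE_EVENTS):
        print(c["endTime"].time(), c["name"], c["attackerAddress"], c["targetUserName"])
    for c in lab1_rule(SAMPLE_EVENTS):
        print(c["endTime"].time(), "Lab 1:", c["targetUserName"], c["baseEventCount"])
```

The window is cleared after every firing, which is what 'On First Threshold' with a deactivated 'On First Event' amounts to for one group; the default rule therefore fires twice on the sample (philippe at 09:00:50, root at 09:11:00) and the Lab 1 variant once, on the fifth root failure.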

Page 39

Cross Device Correlation

Page 40

Cross Device Correlation (Advanced Correlation – a.k.a. Joining Events, as on page 7)

Page 41

Cross Device Correlation illustrated

Use Case: detect external login onto an IP camera behind a Firewall

(Diagram: Internet @ → DSL → Firewall → L2 Switch → IP camera. 1st event: FIREWALL EVENT at T0; 2nd event: DEVICE EVENT at T1, inside the T0 + 2 min time window (max time window). Threshold is crossed, therefore the rule is fired!)

Page 42

Advanced Correlation

• Example #1: FTP session is opened from the Internet

1. A firewall is configured to allow incoming passive FTP connections

2. Behind this firewall is a NAS with the FTP service turned on (credentials required to open sessions)

Page 43

Cross Device Correlation Scenario

(Diagram: Internet @ → DSL → Firewall → L2 Switch → FTP server)

Use case is to detect FTP passive sessions opened from any external IP address

Page 44

Advanced Correlation

• Example #1 (continued): FTP session is opened from the Internet

1. A firewall is configured to allow incoming passive FTP connections

2. Behind this firewall is a NAS with the FTP service turned on (credentials required to open sessions)

• How do we do it?

• The rule fires when 2 different events (joined) occur AND a threshold is matched within a time frame

• What content do we need?

Event 1 {Firewall} has the following conditions:

Accepted connections on port 21 and also in the range 55536-56559 from “outside” (not from the LAN)

Event coming from a device that is a ‘firewall’ (with a known address would be nice to have)

Category Behavior is ‘Access’ with Category Outcome ‘Success’

Event 2 {NAS} has the following conditions:

FTP login from “outside” (not from the LAN) onto the NAS server

Event from a device that is the NAS server (with a known address is nice to have)

• Joined condition:

Source IP is the same in Event 1 and Event 2 AND the time of Event 1 is before the time of Event 2

Aggregation: number of matches is 1 within 2 minutes

Page 45

Creating the Advanced Rule

We give the rule a name

• Then click on “Conditions”

Page 46

Conditions with Joined Events

FIREWALL EVENT CONDITIONS FILTER

• Successful network access

• Device type is Firewall

• Internal target address is the NAS server address

• Destination port is 21 or in the port range 55536-56559

• Attacker (source IP) is not in our LAN – it’s outside

NAS SERVER FILTER CONDITIONS

• Successful user authentication

• We could add the device address to make sure

• Attacker (source IP) is not in the LAN – it’s outside

JOIN FILTER CONDITION

• Attacker (source IP) is the same in the Firewall and NAS events

• Firewall event precedes NAS server event

Page 47

Advanced Rule: Aggregation

We need to fire the rule with a threshold

• Unusual aggregation, as we just need 1 occurrence

• Select the Aggregation tab

Select # of Matches and type 1

Select Time Frame and type 2 minutes

• Click Apply

Page 48

Actions

What are we doing here?

We set some fields in the correlation event; this is what will be displayed in the console viewer

We send a notification to the CERT team with internal messages (within the ArcSight workflow) and also with e-mails

We define a category for the assets

We add and hold the source IP address in an Active List

We add and hold the username used in the FTP session in a Session List

Page 49

Did the rule fire? Yes

Page 50

Yes! A threshold of 1 fired the rule

[Screenshot: Event 1 and Event 2, the fired rule, and the text correctly set in the “Name” field]

Page 51

Thank you. Questions?

Page 52

Active Lists

Active lists are data stores that can hold information derived from events or other sources.

The main uses of active lists are to maintain information, and check for the existence of particular information in lists using the InActiveList condition in rules.

For example, active lists are very useful for tracking suspicious or hostile IP addresses as well as targets of attacks that may be compromised.

Page 53

Active Lists

• Data source for resources (Rules, Reports, Query Viewers, …)

• ‘Memory tables’ with fields that can be dynamically added, removed or updated by rules

• Can also be populated manually or by importing CSV files

• Information in a list has a lifetime (lists are configured with a TTL: Time to Live)

Example: the “Worm Infected Systems” Active List tracks zones and IP addresses of systems exhibiting worm-like behavior, along with the port that the worm is attempting to target

Page 54

Creating Active Lists

• Select “Lists” from the Navigator Panel

Page 55

Creating Active Lists

• Select the “Active Lists” tab in the Navigator Panel

Page 56

Anatomy of Active Lists

Item: Description

NAME: Specifies the name of the Active List

OPTIMIZE DATA: Reduces the memory consumed by the Active List by using hashes

CAPACITY: Number of entries in the Active List

TTL: Dictates how long an entry remains in the Active List

ALLOW MULTI-MAPPING: Allows multiple instances of key pairings

DATA: Events or fields included in the Active List

KEY FIELD: Allows rules to look up value fields

ArcSight creates audit events for all aspects of Active List statistics


Page 58

Creating Active Lists

• When configured, click APPLY

CAUTION! Once saved, Active List parameters cannot be modified

Page 59

Populating Active Lists

Importing CSV Files

• Select “Active Lists” in the Navigator

• Right click the desired Active List

• Select “Import CSV Files”

• Choose the file and click OK

Manually

• Select “Active Lists” in the Navigator

• Right click the desired Active List

• Select “Edit Active List”

• Click “Add Entry” in the Inspect/Edit panel

• Add the entry and click

Page 60

Use Case Examples

Page 61

Populating Active Lists with Rules

• Example #1: Firewall blocked IP address added to a list and maintained for 2 hours

• How do we do it?

• A rule detects firewall events with a blocked IP address (inbound connections)

• An action in the rule adds the blocked IP address to a previously created Active List

• The IP address is held in that list for 2 hours (if not updated, the entry in the list will be deleted)

• What content do we need?

A field-based Active List holding the blocked IP address for 2 hours

A rule with the following:

Conditions filtering access failures from the firewall's point of view

Aggregation is necessary to get the rule fired (even though we just need 1 occurrence of such an event)

An action that adds Attacker Address, Device Address, Device Product and Device Vendor as 1 entry in the list

Page 62

Creating Active List

• Select “Lists” from the Navigator Panel

Page 63

Creating Active Lists

• Right Click on “admin’s Active Lists”

• Select “New Active List”

Page 64

Creating Active Lists

• Provide a name for the list (e.g. External Firewall Blocked IP address)

• Select a Time To Live (TTL) period: the time during which data will be held in the list

0 means the data will not expire

Here we hold each entry for 2 hours

Page 65

Creating Active Lists

We will create a field-based Active List

• Select the “Fields Based” Radio button

Page 66

Creating Active Lists

• Check the “Key Fields”

Page 67

Creating Active Lists

• Define the fields* that each entry in the list will be comprised of

• Here we define/create 4 fields/columns*:

Source IP address

Firewall IP address

FW Product Name

FW Vendor

• Define the field type

• Check the “Key Fields” for “Source IP” and “Firewall IP”

• Click “Apply” to save the changes

The Active List is now created and ready for use

*Think of the fields defined in an Active List as columns in a table

Page 68

Populating Active Lists with Rules

• Select “Rules” from the Navigator Panel

Page 69

Populating Active Lists with Rules

• Right Click on “<admin>’s Rules”

• Select “New Rule”

• Standard Rule

Page 70

Populating Active Lists with Rules

• Provide a Name

• Select the Conditions Tab

Page 71

Populating Active Lists with Rules

• Left click on the “Filters” button

• Select the “Firewall filter” we created previously

Using filters is best practice: it creates consistency, and if you have previously tested the filter you know it will work

You can enter the conditions directly if preferred

Page 72

Populating Active Lists with Rules

We need to add something to filter blocked accesses

• Right click “Event1”

• Select “Category” then “CategoryBehavior”

• Select “StartsWith” as the logical operator

• Select “/Access” as the filter term

• Click OK

• Add the second line with categoryOutcome=“/Failure”

• Click Apply

The filter is now ready

• Click the “Aggregation” tab

Page 73

Populating Active Lists with Rules

• Select “Add” for the “Aggregate only if these fields are identical” section (in the lower half of the Inspect/Edit panel)

• We select:

Attacker Address ......... blocked IP address

Device Address ........... firewall IP address

Device Product ........... firewall model

Device Vendor ............ firewall brand name

In this example we are looking for one event but aggregation is still needed

• Apply the changes you have made

• Select either Yes or No when prompted for any extra fields

Page 74

Populating Active Lists with Rules

• Select the “Actions” Tab

• By default the rule will always be set to “On First Event”

• Meaning (with an aggregation of 1) this rule will always fire when an event is seen

The online help explains the other options in detail...

Page 75

Populating Active Lists with Rules

• Right click on “On First Event”

• Select “Add”

• Select “Active List”

• Select “Add To Active List”

Page 76

Populating Active Lists with Rules

• Right Click on “On First Event”

• Select to add to an Active List

• Select the created Active List “External Firewall Blocked Addresses”

Page 77

Populating Active Lists with Rules

We map event fields to the Active List fields

• In the pop-up box we map the fields we aggregated on to the fields defined in the Active List

• Click OK

Page 78

Populating Active Lists with Rules

• Click “OK” to save the rule

Page 79

Populating Active Lists with Rules

• Rule is now complete

• It must be activated

• Select the new rule

• Left Click and Hold

• Drag it to “Real-Time Rules” Folder

Page 80

Populating Active Lists with Rules

• You can choose to Copy, Link or Move the rule

• Select “Link”

• This is a best practice

• The rule is created under a project folder but is active on the system

• Forgetting to link the rule into the Real-Time Rules folder is the most common reason for rules not triggering!

Page 81

Populating Active Lists with Rules

• You will see the new rule listed in both Folders

Page 82

Did the rule fire? Yes

Page 83

What happened to the Active List?

• Go to the “Lists” -> “Active Lists” resource under the Navigator Panel

• Right Click on the Active List created

• Select “Show Entries”

Page 84

What happened to the Active List?

• The Active List now has data in it

• Refresh is not automatic

• To refresh click the recycle icon

Page 85

Chaining Rules using Active Lists

Example #1: Compromised user account detection

We want to detect login failures followed by successful logins with the same user account

• How do we do it?

• By creating 1 Active List and 2 rules

• Rule #1 detects repeated login failures, then adds IP + username to the Active List

• Rule #2 detects successful logins AND checks if IP + username is already in the Active List

• What content do we need?

Create a field-based Active List with the needed fields (Source IP + User Account Name)

Create rule #1

“Conditions” will filter login failures, then add to the Active List after 3 failures

Create rule #2

Conditions will filter successful logins, then check with InActiveList

Page 86

Complex Scenarios Detection - Chaining Rules

[Diagram: Sequence 1 (events combination) -> Action: write to Active List “Suspect” -> Sequence 2 (events combination) -> Action: write to Active List “Hostile” -> Sequence 3 (events combination) -> Action: ALERT, a unique correlated event]

1. Inter-relates events across sessions using Active Lists (or memory tables)

2. Any field or combination of event fields may be persisted from base events

3. Long- and short-term state machines

4. Good for tracking logical sequences of events

E.g. reconnaissance, attack formation, progression and conclusion, low-level signal follow-up

Chaining Rules

1 - Attacker is probing a network (Rule 1)

2 - Minutes, days or even weeks after that, the same attacker starts login challenge sessions (unauthorized accesses) onto a system and fails (Rule 2)

3 - Eventually the attacker has successfully accessed a system: compromised resource (Rule 3)

Page 87

Chaining Rules using Active Lists

Rule #1

• We can use the rule from Lab 7-1

Remove any reference to the Root user account

Click Apply

Then we click on the Aggregation tab

Page 88

Chaining Rules using Active Lists

Rule #1: To make sure the rule is fired in this demo we define a low threshold level

• Select the Aggregate tab

Select #of Match and type 3 (number of occurrences)

Select Time Frame and type 2 minutes

Select “Add” for the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)

Add the following CEF fields:

AttackerAddress, TargetAddress and TargetUserName

Click OK then click Apply

Page 89

Chaining Rules using Active Lists

Now we define the actions that follow when the rule fires

• Select the “Actions” tab

• By default the rule will always be set to “On First Event”

• We need to change this:

Right click On First Event and select De-Activate Trigger

Right click On First Threshold and select Activate Trigger

Page 90

Chaining Rules using Active Lists

• Right click on “On First Threshold”

• Select “Add”

• Select “Active List” then select “Add to Active List”

We select the Active List “Repeated Login Failures” we just created.

• Map the required fields

• “Username” maps to the event field “Target User Name”

• “Target Host” maps to the event field “Target Address”

• “Source IP” maps to the event field “Attacker Address”

Click OK and Apply

RULE #1 is ready now

Page 91

Chaining Rules using Active Lists

Rule #2

• Will do:

• Detect successful logins

• Check if the username is in the Active List “Repeated Login Failures”

• If so, it will fire an alarm

• 3 conditions are needed here:

1. categoryBehavior=/Authentication/Verify

2. categoryOutcome=/Success

3. InActiveList

Page 92

Chaining Rules using Active Lists

Rule #2

• Select the “Repeated Login Failures” list we just created from the drop-down list

• Map the event fields to the fields defined in the Active List

• Click OK

• Click APPLY in the “InActiveList” window

• Click APPLY in the lower right corner

Page 93

Chaining Rules using Active Lists

Rule #2: We need aggregation to fire the rule

• Select the Aggregate tab

Select #of Match and type 1

Select Time Frame and type 2 minutes

Select “Add” for the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)

Add the following CEF fields:

AttackerAddress, TargetAddress and TargetUserName

Click OK then click Apply

Page 94

Chaining Rules using Active Lists

The action will set the Name field to:

• “Compromised User Account ?”

• The rule is complete now and must be copied to the Real Time Rules directory
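The chained rules of the slides above, together with the Active List properties from the “Anatomy of Active Lists” slide, as an added Python model that is not ArcSight code: the list keeps key fields, a TTL and a capacity; Rule #1 aggregates three login failures in two minutes on identical attacker, target and user name and adds an entry On First Threshold; Rule #2 applies the InActiveList check to successful logins and names the correlation event “Compromised User Account ?”. The 10-minute TTL, the constructed sample events and the CEF-like field names are assumptions; the same list model also fits the firewall blocked-address list from Example #1.

```python
"""Added example, not ArcSight code: a model of a field-based Active List (key fields,
TTL, capacity) and the two chained rules described above. The 10-minute list TTL,
the sample events and the CEF-like event field names are assumptions."""
from collections import defaultdict


class ActiveList:
    """Entries are keyed on the key fields and expire ttl seconds after their last update (0 = never)."""
    def __init__(self, name, key_fields, ttl=0, capacity=1000):
        self.name, self.key_fields, self.ttl, self.capacity = name, key_fields, ttl, capacity
        self.entries = {}                      # key tuple -> (field values, last update time)

    def _key(self, values):
        return tuple(values[k] for k in self.key_fields)

    def expire(self, now):
        """Drop entries whose TTL has run out (ESM does this automatically)."""
        if self.ttl:
            for key in [k for k, (_, t) in self.entries.items() if now - t >= self.ttl]:
                del self.entries[key]

    def add(self, values, now):
        """Add To Active List: a new key is inserted, an existing key gets its TTL refreshed."""
        self.expire(now)
        key = self._key(values)
        if key not in self.entries and len(self.entries) >= self.capacity:
            return False                       # list full; ESM reports this in an audit event
        self.entries[key] = (dict(values), now)
        return True

    def contains(self, values, now):
        """The InActiveList condition: the lookup is on the key fields only."""
        self.expire(now)
        return self._key(values) in self.entries


# Active List field -> event field, as mapped in the "Add To Active List" pop-up.
FIELD_MAP = {"Username": "targetUserName", "Target Host": "targetAddress", "Source IP": "attackerAddress"}


def list_values(event):
    return {lf: event[ef] for lf, ef in FIELD_MAP.items()}


class Rule1:
    """3 login failures in 2 minutes with identical attacker, target and user -> add to the list."""
    THRESHOLD, TIME_FRAME = 3, 120

    def __init__(self, active_list):
        self.active_list = active_list
        self.windows = defaultdict(list)       # identical-fields key -> event times in the window

    def process(self, e):
        if not (e["categoryBehavior"].startswith("/Authentication/Verify")
                and e["categoryOutcome"] == "/Failure"):
            return False
        key = (e["attackerAddress"], e["targetAddress"], e["targetUserName"])
        times = [t for t in self.windows[key] if e["time"] - t < self.TIME_FRAME] + [e["time"]]
        if len(times) < self.THRESHOLD:
            self.windows[key] = times
            return False
        self.windows[key] = []                 # "On First Threshold": fire and start a new window
        return self.active_list.add(list_values(e), e["time"])


def rule2(e, active_list):
    """Successful login AND InActiveList -> the correlation event name, else None."""
    if (e["categoryBehavior"] == "/Authentication/Verify" and e["categoryOutcome"] == "/Success"
            and active_list.contains(list_values(e), e["time"])):
        return "Compromised User Account ?"
    return None


def run(events):
    """Feed events through both rules in time order; return (name, user, time) for each firing."""
    active_list = ActiveList("Repeated Login Failures", tuple(FIELD_MAP), ttl=600)
    rule1, fired = Rule1(active_list), []
    for e in sorted(events, key=lambda x: x["time"]):
        if rule1.process(e):
            fired.append(("Added to Repeated Login Failures", e["targetUserName"], e["time"]))
        name = rule2(e, active_list)
        if name:
            fired.append((name, e["targetUserName"], e["time"]))
    return fired


def login(time, outcome, user, attacker="203.0.113.5", target="10.0.0.20"):
    """Constructed sample authentication event (CEF-like field names assumed)."""
    return {"time": time, "categoryBehavior": "/Authentication/Verify", "categoryOutcome": outcome,
            "attackerAddress": attacker, "targetAddress": target, "targetUserName": user}


SAMPLE_EVENTS = [
    login(0, "/Failure", "alice"), login(30, "/Failure", "alice"), login(60, "/Failure", "alice"),
    login(90, "/Success", "alice"),                          # alice is in the list: Rule #2 fires
    login(100, "/Success", "bob", attacker="198.51.100.9"),  # no prior failures: nothing fires
    login(120, "/Failure", "carol"), login(400, "/Failure", "carol"), login(410, "/Failure", "carol"),
    login(420, "/Success", "carol"),                         # never 3 failures inside 2 minutes
    login(900, "/Success", "alice"),                         # alice's entry expired (added at 60, TTL 600)
]
```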

Page 95

Did the rule fire? Yes

Page 96

Lab 2: Create and Test a Chaining Rule Aggregating Events

Use Case: Detect a successful login immediately after multiple failed logins for the ‘administrator’ account

What is expected? A rule is fired if multiple login failures are observed for the ‘administrator’ account and, immediately after that, a successful login event is observed.

What content do we need here?

• Conditions: at least 2 conditions and 1 Active List are required for this rule to be fired

Open an Active Channel and check if your rule has fired (wait some minutes)

• It might be good to use the ‘InLine’ filter to do so

Page 97

Lab 3: Chain 2 rules with an Active List

Use Case: Detect an already denied address that is seen on the network. The firewall denied access to an IP address; that same IP address is seen later on another part of the network, indicating that a breach has occurred (an improbable scenario apparently, but let’s do it)

• What content do we need here?

• 1 Active List, field-based (attacker IP, firewall IP, firewall type and vendor)

• 2 Rules

• Rule 1: Detects IP addresses denied by the firewall, then adds the IP to an Active List

• Rule 2: Detects IP addresses permitted by the firewall and checks whether the IP is in the Active List

• Action: Set an event field to “Potential Breach !!!”

Page 98

Thank you. Questions?

Page 99

Reports

Reports are captured views or summaries of data that can be printed or viewed in the ArcSight Console or ArcSight Command Center viewer in a variety of formats. A report binds one or more queries with a report template.

Page 100

Reports

• Can be viewed with:

• ESM Console or ArcSight Command Center

• 3rd party utilities: PDF, Excel and CSV

• Report overall workflow:

1. Gather report data (Active Lists, Session Lists, Notifications, Cases, Assets, Events, Trends)

2. Develop the report in report templates

3. Run as a scheduled report or on demand

• Data can be collected by:

• Running queries on the ESM database

• Using Trends

Page 101

Creating Reports - Templates

• Basic report templates are provided as standard

• For testing and basic reporting they are effective!

• Custom report templates can be created

• Very flexible

• Meet most report design requirements

• Require extended knowledge of the template editor

Page 102

Creating Reports

• Minimum 2 Steps Required

• Recommend 3 Steps

1. Minor edit of template to apply customer logo

2. Create Query that will supply data to the report engine

Resource-based SQL logic intended to gather information from data sources

3. Associate the Query with a Report

The following example will illustrate how to build a report showing the Top 10 Firewall Events

Page 103

Creating Reports

• Use the Navigator panel to open the Reports resource

Page 104

Creating Reports - Templates

• Reports resource has 5 tabs

• Let us customize the template

• Select “Templates tab”

Page 105

Creating Reports - Templates

• Browse the resources tree

• Select “ArcSight System” > “1 Chart” > “With Table” > “Chart and Table Portrait”

• Left Click and Drag to Admin’s report templates

Page 106

Creating Reports - Templates

• Select to “Copy”

Page 107

Creating Reports - Templates

• Copy to “Admin’s Templates”

• Right Click, select “Edit Template”

Page 108

Creating Reports - Templates

• Select “Open in Designer” from the “Inspect/Edit” panel

Page 109

Creating Reports - Templates

• Report Designer opens as a separate (embedded) application

Page 110

Creating Reports - Templates

• Select the “ArcSight” Logo

• Right Click

• Select Properties

Page 111

Creating Reports - Templates

• In the dialogue box

• Uncheck “None”

• This allows another logo to be selected

• Select “Browse”

Page 112

Creating Reports - Templates

• Select an appropriate logo

• PNG format is recommended

• Smaller images work best

Page 113

Creating Reports - Templates

• Check the “Embed” option

• Click OK

Page 114

Creating Reports - Templates

• Exit the Report Designer

You will be prompted to save the edit!

Page 115

Creating Reports - Templates

• Select “Yes” to save the template

• When back in the Console Inspect/Edit panel select “Apply”

Changes are not saved until you Apply the changes

Page 116

Creating Reports - Queries

• STOP!

• Before building reports

• Know what you want to report on!

• It may sound obvious, but think about the data you are going to report on

• How much will there be?

• 1000-page reports do not look sexy

• Consider the fields you will use

Page 117

Creating Reports - Queries

• We have a template; now let us build the Query to be run on the ESM Database

• Under “Reports” in the Navigator Panel

• Select the “Queries” Tab

• Right Click and select “New Query”

Page 118

Creating Reports - Queries

• Provide a query Name

• Select Query on Events

• Select Start and End Time

• Select the Fields tab

Page 119

Creating Reports - Queries

• Queries are based on SQL logic:

• Select

• Group by

• Order by

• Functions available for grouping and sorting:

• Count

• Max

• Min

• Average

• Sum

• Time (grouping by time frame)

• Left Click on “Add ‘SELECT’ columns”

Page 120

Creating Reports - Queries

• Select from the Fields that you want included in the report

• This can (and should) be multiple selections

Use as many fields as required but not too many.

4 or 5 fields will look best in A4 Portrait

Page 121

Creating Reports - Queries

• Event ID will be used for aggregation

• Double Click it

Page 122

Creating Reports - Queries

• Select the drop-down

• Select “Count”

• Click the green icon

Page 123

Creating Reports - Queries

• Left click on “Add ‘ORDER BY’ columns”

• Choose the field to order the report by

• Event ID in the example

Page 124

Creating Reports - Queries

• Apply the same aggregation (Count) as for the Select component

• Select whether the report should sort ascending (ASC) or descending (DESC)

Page 125

Creating Reports - Queries

• Now we need a filter to select the event data to report on

• Select the “Conditions” Tab

Page 126

Creating Reports - Queries

• We could add a new condition

• It’s better here to use (or reuse) a Filter

• Select from Admin’s Filters

• Firewall Events

• Click OK

Page 127

Creating Reports - Queries

• Apply the changes

Page 128

Creating Reports

• We now have:

• a customized template

• a Query

• Now we need to associate our template and our Query

• This will actually create the report

• In the Navigator Panel under Reports

• Select “Reports”

Page 129

Creating Reports

• Right Click and Select “New Report”

Page 130

Creating Reports

• Provide a Name for the report

This will appear in the report title

Page 131

Creating Reports

• Select the “Template” tab

• Select the Template that you created earlier

Page 132

Creating Reports

• Select the “Data” tab

• Select the Query that you created

Page 133

Creating Reports

• Select the “Chart” tab

• Select the Query that you created

The same Query in this example, but it can be a different one

Page 134

Creating Reports

• Select a “Chart Type” from the drop down box

Page 135

Creating Reports

• Move the appropriate field(s) for the X-Axis

Page 136

Creating Reports

• Move the appropriate field(s) for the Y-Axis

Page 137

Creating Reports

• Select the “Parameters” tab

Page 138

Creating Reports

• Unselect the “Use Default” option for “Row Limit” for both Table and Chart

• Edit the “Row Limit” to show “10”

Page 139

Creating Reports

• “Apply” the changes to the report

• Select “Preview”

Page 140

Creating Reports

• Change the “Start Time” to “$Now - 1h”

• Make sure that data matching the report is in this time window!

• Try to keep the time window short so you are not kept waiting for the result

Page 141

Creating Reports

• Confirm the report presents the data you expected in the format you wanted

• Make appropriate changes and retest

Page 142

Lab 1 Create a report showing Top 10 Firewall Events

• Include a Chart and Table

• Run the report for all data today

• Group the data by Destination Address or Hostname

• Schedule the report to run every day

• What time should reports run at?

• What factors need to be considered?
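The query the walkthrough and this lab build through the Console (Select the grouping field and Count of Event ID, condition on the Firewall Events filter, Start Time $Now - 1h, ORDER BY the count DESC, Row Limit 10), written out as the SQL logic it stands for and run against an in-memory SQLite table. This is an added example, not part of the course material; the `events` table, its column names and the `device_product = 'Firewall'` condition are constructed stand-ins for ESM's event schema and the Admin's Firewall Events filter, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic; in the Console $Now is the
# wall-clock time at which the report is run.
NOW = datetime(2015, 6, 1, 12, 0, 0)

# Assumed stand-in for ESM's event table (column names modelled on ArcSight
# event field names; this is not ESM's real schema).
SCHEMA = """
CREATE TABLE events (
    event_id            INTEGER PRIMARY KEY,
    end_time            TEXT NOT NULL,
    device_product      TEXT NOT NULL,
    destination_address TEXT NOT NULL
)
"""

# The query the Console builds from the walkthrough: SELECT the grouping field
# and COUNT(Event ID), restrict to the Firewall Events filter and the
# $Now - 1h window, GROUP BY the field, ORDER BY the count DESC, Row Limit 10.
TOP_FIREWALL_EVENTS = """
SELECT destination_address,
       COUNT(event_id) AS event_count
FROM events
WHERE device_product = 'Firewall'      -- stands in for the Firewall Events filter
  AND end_time >= :start_time          -- Start Time = $Now - 1h
  AND end_time <  :end_time            -- End Time   = $Now
GROUP BY destination_address
ORDER BY event_count DESC
LIMIT :row_limit
"""


def build_sample_db(now=NOW):
    """Create an in-memory database filled with constructed sample events."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    rows = []
    # Twelve destinations with 12, 11, ..., 1 firewall events each inside the
    # window, so a Top 10 must drop the two least-hit destinations.
    for n in range(1, 13):
        ts = (now - timedelta(minutes=n)).isoformat()
        rows += [(ts, "Firewall", f"10.0.0.{n}")] * n
    # Noise the query must exclude: IDS events inside the window, and
    # firewall events older than the one-hour window.
    rows += [((now - timedelta(minutes=5)).isoformat(), "IDS", "10.0.0.1")] * 50
    rows += [((now - timedelta(hours=3)).isoformat(), "Firewall", "10.0.0.99")] * 50
    con.executemany(
        "INSERT INTO events (end_time, device_product, destination_address) "
        "VALUES (?, ?, ?)",
        rows,
    )
    con.commit()
    return con


def top_firewall_events(con, now=NOW, window=timedelta(hours=1), row_limit=10):
    """Return (destination_address, event_count) rows, most events first."""
    params = {
        "start_time": (now - window).isoformat(),
        "end_time": now.isoformat(),
        "row_limit": row_limit,
    }
    return con.execute(TOP_FIREWALL_EVENTS, params).fetchall()


if __name__ == "__main__":
    for address, count in top_firewall_events(build_sample_db()):
        print(f"{address:<12} {count:>5}")
```

Widening `window` to cover "all data today" as the lab asks is a single parameter change; the grouping field is swapped by editing the SELECT and GROUP BY columns together, exactly as the Console requires the same aggregation in both places.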

Page 143

Thank You. Questions?