How do case & stage work?

Previously, I used 4.0, in which the Express predefined rules provide certain notifications to the user group.

Do the ArcSight Activate rules provide case creation and stage modification for a specific user group?
How do the case and the stage work?

Is there any reference document for schemes that can be used for the case and the stage?

Thanks,

Fakhri

Parents
  • Verified Answer

    Hey ​,

    Since you asked about Activate, I would like to add to ​'s excellent response to your query.

    In Activate, we use the SOC stages based on work from our ArcSight Professional Services SIOC Team (contact ​ for more SIOC info):

    These SOC stages are for use in /All Active Channels/ArcSight Activate/Workflow/Main Channel, aka "The Triage Channel," and can be used in cases if you make the proper modifications to the manager and console properties files (we're hoping to improve that process in a future release, but I'm invoking every disclaimer I've ever seen about that comment! ).

    Generally, in the Activate Workflow, which is fairly loosely defined compared to the Official SIOC Workflow, stages are assigned to events, and when changing the stage of an event, it is often required to assign that event to a user. Almost all of the Activate rules will set the Event Annotation Stage of their correlation events to one of the stages in the /All Stages/SOC Stages/System group. If the rule is using the information for establishing or maintaining a baseline, it will use the System Monitored stage. If the rule is actionable, that is, important enough to warrant a security analyst's time to remediate or investigate, it will use the Triage stage. I'm betting you can guess the use of the Testing stage. Note, the Testing stage is only for use when there is no test and staging environment, so all content development must be done on the production environment (this is not a good idea, but budget constraints can cause all sorts of issues). We are planning to expand our documentation on the Activate Workflow in the Activate Methods section of the wiki, but unfortunately, no one has had time to do this yet.

    I have developed a methodology for automatic creation of cases and for sending notifications for a few customers, but I haven't yet generalized it enough to make it easily accessible to the Activate community. That is also on my "To Do" list. The obvious, simple solution is to just add that functionality to the rule, but the problem with that is that if you do it, you'll need to re-do it whenever you install an update for those rules. The methodology I have tested with those few customers has worked, and eliminates the update problem, but now it is just a matter of time and not needing to put out other fires to complete and publish them.

    Hope this helps,

    --

    Prentice Hayes
    ArcSight Security Team Architect & Principal Consultant

    ArcSight R&D | Federal Services

    HPE Security Products


Children
  • Hi,

    Regarding Activate Rules, some rules have 2 actions:
    On First Event: set annotation stage -> Triage
    On Subsequent Events: set annotation stage -> Triage

    I think there is a misconfiguration here. As far as I understand, we should annotate the first event as Triage and subsequent events as "System Monitored". This way, we can establish a rule throttling mechanism, can't we?
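The following is an added example (not ArcSight code, nor anything posted in this thread) that models the "On First Event" / "On Subsequent Events" actions the comment above refers to, so the two configurations can be compared side by side. The stage names come from the /All Stages/SOC Stages/System group named in the answer; the aggregation key (event name plus source address) and the time window are assumptions made for this example, as is the sample burst of events.

```python
"""Toy model of a rule with separate first-event and subsequent-event actions.
Added example, not ArcSight code. Stage names follow the thread; the
aggregation key, the window and the events are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Stage names as given in the answer above (the /All Stages/SOC Stages/System group).
TRIAGE = "/All Stages/SOC Stages/System/Triage"
SYSTEM_MONITORED = "/All Stages/SOC Stages/System/System Monitored"


@dataclass
class Event:
    """A correlation event (constructed for this example)."""
    name: str
    source: str
    time: int  # seconds since an arbitrary epoch


@dataclass
class StageRule:
    """Rule with an 'On First Event' stage and an 'On Subsequent Events' stage.
    Aggregation key (name, source) and window length are assumptions."""
    first_event_stage: str
    subsequent_event_stage: str
    window_seconds: int
    _window_start: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def annotate(self, ev: Event) -> str:
        key = (ev.name, ev.source)
        start = self._window_start.get(key)
        if start is None or ev.time - start > self.window_seconds:
            # First event of a new aggregation window: fire the first-event action.
            self._window_start[key] = ev.time
            return self.first_event_stage
        # Still inside the window: fire the subsequent-event action.
        return self.subsequent_event_stage


def annotate_all(rule: StageRule, events: List[Event]) -> List[str]:
    """Annotate a stream of events in order and return the assigned stages."""
    return [rule.annotate(e) for e in events]


def analyst_queue_size(stages: List[str]) -> int:
    """Number of events that would land in the Triage channel for an analyst."""
    return sum(1 for s in stages if s == TRIAGE)


# Constructed sample: a burst of five identical events from one host inside a
# single window, followed by one event from a second host.
SAMPLE_EVENTS = [
    Event("Brute Force Login Attempt", "10.0.0.5", t) for t in (0, 10, 20, 30, 40)
] + [Event("Brute Force Login Attempt", "10.0.0.9", 50)]


def compare(events: List[Event] = SAMPLE_EVENTS, window: int = 300) -> Dict[str, int]:
    """Compare the two configurations discussed in the thread on the same events."""
    both_triage = StageRule(TRIAGE, TRIAGE, window)
    throttled = StageRule(TRIAGE, SYSTEM_MONITORED, window)
    return {
        "triage_on_both_actions": analyst_queue_size(annotate_all(both_triage, events)),
        "triage_first_then_monitored": analyst_queue_size(annotate_all(throttled, events)),
    }


if __name__ == "__main__":
    print(compare())  # {'triage_on_both_actions': 6, 'triage_first_then_monitored': 2}
```

With both actions set to Triage every event in the burst reaches the analyst; with the subsequent-event action set to System Monitored only the first event per key per window does, while the rest are still annotated and remain available for baselining. Whether a given Activate rule should behave one way or the other is the question the thread leaves open; the model only makes the difference between the two settings visible.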