Correlated alert - get data from base event

Hi all,

I want to get data from two base events into a correlated alert.

e.g. Base event will have a field - country_name

Base Event 1  - country_name - United States

Base Event 2 - country_name - Nigeria

Is it possible to get these two country details into correlated events? Since the country_name field is not identical, many have told me this is not possible in ArcSight.

But this is a very common scenario. Has anyone found any workaround? Any pointers appreciated.

  • Dear Vishal S,

    You may use Join Rules to do this.

    Using variables and aggregation, you may create a correlated event with information present in both base events when this Join Rule has triggered.

    Check on the ArcSight User Console Guide for JOIN Rules documentation.

    I hope this will help you.

    Thanks

    Kind Regards

    Michael

  • Dear Michael,

    Thanks for the suggestion, I have actually tried this... Sorry, I should have mentioned this in the first note.

    The problem with using variables in Join Rules is that the base events need to be monitored over a three-hour window and at least 400-500 events are triggered per day. If we use variables, it is overwhelming the resources and has a drastic effect on the performance.

    Regards,

    Vishal

  • Dear Vishal S,

    The last solution would be to use an Active List with a lightweight rule or to use a Trend.

    But I need more information about the use case (what you want to detect, what information is in the base events, etc.) to describe the technical part.

    Thx

    Michael

  • Dear Michael,

    OK. Here is the scenario:

    We have a public facing website where user login activity is monitored.

    Whenever a user logs in we get the IP address and the geo location of the IP address. If the user has logged in from two different countries in a three-hour window, an alert should be raised.

    So base event contains username and country field. This is being used in the correlated alert condition.

    In a three-hour window, if (BaseEvent1.username = BaseEvent2.username and BaseEvent1.Country != BaseEvent2.Country) an alert is raised.

    E.g.

    BaseEvent1.username = alice1

    BaseEvent1.Country = United States

    BaseEvent2.username = alice1

    BaseEvent2.Country = Russia

    Now, one field in the correlated event can be mapped to the username field in the BaseEvent, i.e. we can get "alice1" in the correlated alert. But since country has unique values, United States and Russia, this is not being captured.

    So essentially, the correlated event should have a field Country = United States, Russia

    If you need anything else like exact rule condition, please let me know

    Regards,

    Vishal

  • Verified Answer

    Dear Vishal S,

    If you have worked a lot with Active Lists, you will understand how to do this properly.

    You generate a rule (lightweight is better, depending on the use case) that sends the username as key and the country as value to an active list, like this:

    Username     Country
    user1        UK
    user2        USA

    If you see an event with user1 and a country different from UK, you update the active list like this, using a special char other than pipe "|", for example colon ':'. You can do that with the get_activelist_value function and the concatenateThree String function. You do this in your first correlation rule using a variable. Keep each added country in the variable so you do not add the first one again in following events. (NOT THIS: country1:country2:country1)

    user1        UK:DE

    Then, using another rule based on the active list audit event activelist:103 (An entry was changed in an active list), you will detect the event for the active list you created above where the deviceCustomString4 field contains the special char, the colon in the example above.

    This means that there is one user with a minimum of 2 different countries.

    2 colons mean 3 countries.

    You will detect directly in real time that there is more than 1 country.

    If I have correctly understood your use case, I think I have succeeded in building it. It is a bit tricky but it should work; I have used it for another purpose.

    If you have questions, do not hesitate to contact me.

    I hope this explanation was clear enough.

    Regards

    Michael
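The active-list workaround in the verified answer, replayed offline as an added example (this is illustrative code written for this thread, not ArcSight's own rule engine or the author's content): a lightweight-rule equivalent writes username -> colon-separated countries, skips duplicates, and the audit-rule equivalent alerts when an updated value contains the separator. The three-hour window is modelled as a per-entry TTL from first sight, which is an assumption; the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # use case: logins within a three-hour window
SEPARATOR = ":"               # a char other than pipe "|", as the answer advises

def update_active_list(active_list, username, country, seen_at):
    """Equivalent of the lightweight rule feeding the active list.

    active_list maps username -> (countries string, first_seen). Returns the
    new value when the entry changed, or None when it was created or the
    country was already present (avoids country1:country2:country1).
    """
    entry = active_list.get(username)
    if entry is None or seen_at - entry[1] > WINDOW:
        # Assumption: entry expiry modelled as a TTL from first sight.
        active_list[username] = (country, seen_at)
        return None                      # creation, not an "entry changed" audit
    countries, first_seen = entry
    if country in countries.split(SEPARATOR):
        return None                      # same country again: do not append
    new_value = countries + SEPARATOR + country   # concatenate equivalent
    active_list[username] = (new_value, first_seen)
    return new_value

def audit_alerts(events):
    """Equivalent of the rule on the 'entry changed' audit event.

    Returns (username, countries) for every change whose value contains
    the separator, i.e. at least two distinct countries for that user.
    """
    active_list = {}
    alerts = []
    for seen_at, username, country in sorted(events):
        changed = update_active_list(active_list, username, country, seen_at)
        if changed is not None and SEPARATOR in changed:
            alerts.append((username, changed))
    return alerts

# Constructed sample events: (timestamp, username, geo country name)
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 9, 0), "alice1", "United States"),
    (datetime(2024, 1, 1, 9, 5), "alice1", "United States"),   # duplicate: no change
    (datetime(2024, 1, 1, 10, 0), "alice1", "Russia"),         # second country: alert
    (datetime(2024, 1, 1, 10, 30), "bob", "UK"),
    (datetime(2024, 1, 1, 11, 0), "alice1", "Nigeria"),        # third country: 2 colons
    (datetime(2024, 1, 1, 14, 0), "bob", "DE"),                # > 3h later: fresh entry
]

if __name__ == "__main__":
    for alert in audit_alerts(SAMPLE_EVENTS):
        print(alert)
```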

  • Dear Michael,

    Yes, I got what you are trying to say. Many thanks for the detailed explanation.

    I will give this a try and let you know if it works.

    Regards,

    Vishal

  • Hi Vishal,

    I have configured the same scenario in our environment using local variables.

    I have attached screenshot for your reference. This is the easiest way to do field merging from two different base events and capture both the country names in the correlation events.

    I have not noticed any significant performance issues with this rule.

    Rule Condition:

    I have created two event conditions with the same query and then a join condition to achieve our requirement, i.e. login from two different countries.

    Rule Condition.png

    Variables:

    Created two variables to capture the value from the Attacker Geo Country Name field.

    variables.png

    Aggregation:

    Add the variables in the "aggregate only if these fields are identical" section as below.

    Aggregation.png

    Actions:

    You can map the values of these variables using the Set Event Field action item.

    I have mapped it to the deviceCustomString6 field.

    actions.png

    That's it. It works as expected.

    Regards,

    Gowrishankar

  • Dear Gowrishankar,

    I advise you to use a lightweight rule to send to the active list without any correlated event.

    And then use a normal rule to detect the Active List audit event, as explained in my answer.

    No Performance issue. It works well.

    Thanks

    Regards

    Michael