ArcSight Pro Tip #1 - type field

Welcome to the first of 100 best-practice posts. They range from newbie to advanced level and consist of tips, tricks and best practices for ArcSight.

Filter Criteria: type

When using the "event.type" CEF field in a filter or rule you have the following options:

Action, Base, Aggregated, Correlation

This is likely a field you want to leverage in ALL content! Why?

It specifies whether your correlation event should fire on base (non-correlation) events, or instead be based on another correlation event. You can have rules that trigger other rules, and so on, but be warned!

Rules that do not specify:

type != Correlation

can easily end up in an infinite loop.

Therefore this ArcSight Pro Tip is to begin all rule content with this filter entry, unless you specifically want to match on rule-generated events (non-base events):

type != Correlation

Reminder: != means "not equal to".
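To make the loop concrete, here is a small Python model of a correlation engine that feeds the events its rules generate back into the same stream, which is what lets a rule without the type filter re-trigger on its own output. This is an added example for this post, not ArcSight code or the author's; the rule, the event fields and the MAX_EVENTS cap are constructed.

```python
"""Toy model of an ArcSight-style correlation engine (constructed example)."""
from collections import deque

MAX_EVENTS = 10_000  # safety cap so the unfiltered (looping) case stops here

def make_rule(name, require_non_correlation):
    """Build a rule. `require_non_correlation` adds the tip's `type != Correlation` check."""
    def condition(evt):
        if require_non_correlation and evt["type"] == "Correlation":
            return False  # type != Correlation: never match rule-generated events
        return evt["severity"] == "High"  # the rule's real matching logic
    return {"name": name, "condition": condition}

def run_engine(rules, base_events, max_events=MAX_EVENTS):
    """Process a stream; every rule firing emits a correlation event back into it."""
    queue = deque(base_events)
    processed = 0
    fired = {r["name"]: 0 for r in rules}
    while queue and processed < max_events:
        evt = queue.popleft()
        processed += 1
        for rule in rules:
            if rule["condition"](evt):
                fired[rule["name"]] += 1
                # Correlation events carry fields over from the event that matched,
                # so a rule keyed on those fields can match its own output.
                queue.append({
                    "type": "Correlation",
                    "name": f"Rule: {rule['name']}",
                    "severity": evt["severity"],
                    "src": evt["src"],
                })
    # If events remain after the cap, the engine never drained the stream: a loop.
    return {"processed": processed, "fired": fired, "looped": bool(queue)}

BASE_EVENTS = [  # constructed sample input
    {"type": "Base", "name": "Failed login", "severity": "High", "src": "10.0.0.5"},
    {"type": "Base", "name": "Failed login", "severity": "Low", "src": "10.0.0.6"},
]

def demo(use_type_filter):
    """Run one rule over the sample events, with or without `type != Correlation`."""
    rule = make_rule("High severity auth failure", use_type_filter)
    return run_engine([rule], BASE_EVENTS)

if __name__ == "__main__":
    print("without filter:", demo(False))
    print("with filter:   ", demo(True))
```

Without the filter the single High-severity base event keeps the engine busy until the cap; with it, the rule fires once and the stream drains after three events.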


Happy hacking!


Greg

@threatstream

http://www.threatstream.com

  • I know we're getting off topic from the original point, and I may be incorrect that it will show up on the dashboard (was just looking for a playful way to explain the impact), but having a condition at the top of the rule that matches on nearly everything DOES have a huge impact on performance. If suddenly all your rules have to move on to an additional condition before eliminating the event as a match, the correlation engine will begin to struggle (and potentially choke). Bad condition ordering alone can cause ESM to fail to handle incoming traffic and lead to connectors caching. I strongly disagree with saying there can be no negative impact to performance if this tip isn't utilized correctly... it's an extremely important tip, but it does come with a caveat.
