This is the official forum for discussing the ArcSight Activate L1-Malware Monitoring - Indicators and Warnings package, as described in the Activate Wiki
We have been looking into some issues with the correlated events in the L1-Malware package and have noticed some odd inconsistencies in the aggregation. Can anyone provide any insight into these choices or are some of these things that need to be corrected? Here are just a couple of examples:
I've included a spreadsheet with the information that I pulled for analysis. As an aside, I think this information would be extremely valuable in the Wiki documentation as an indicator of what fields should be tested when implementing the rules.
I noticed that the correlation events produced by the malware package have parameters in the name field with information like the virus name and the address of the infected host. Normally I recommend leaving parameters out of the name field because they make reporting on different event types difficult. This is in keeping with the advice from the CEF guide which says:
Name is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields. For example: “Port scan from 10.0.0.1 targeting 126.96.36.199” is not a good event name. It should be: “Port scan”. The other information is redundant and can be picked up from the other fields.
The message field is the better place for plain-text descriptions of what happened. Did the best practice change on this?