This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L1-Malware Monitoring Indicators and Warnings

This is the official forum for discussing the ArcSight Activate L1-Malware Monitoring - Indicators and Warnings package, as described in the Activate Wiki

Parents
  • 0

    I noticed that the correlation events produced by the malware package have parameters in the name field with information like the virus name and the address of the infected host. Normally I recommend leaving parameters out of the name field because they make reporting on different event types difficult. This is in keeping with the advice from the CEF guide which says:

    Name is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields. For example: “Port scan from 10.0.0.1 targeting 20.1.1.1” is not a good event name. It should be: “Port scan”. The other information is redundant and can be picked up from the other fields.

    The message field is the better place for plain-text descriptions of what happened. Did the best practice change on this?

Reply
  • 0

    I noticed that the correlation events produced by the malware package have parameters in the name field with information like the virus name and the address of the infected host. Normally I recommend leaving parameters out of the name field because they make reporting on different event types difficult. This is in keeping with the advice from the CEF guide which says:

    Name is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields. For example: “Port scan from 10.0.0.1 targeting 20.1.1.1” is not a good event name. It should be: “Port scan”. The other information is redundant and can be picked up from the other fields.

    The message field is the better place for plain-text descriptions of what happened. Did the best practice change on this?

Children
No Data