This is the official forum for discussing the ArcSight Activate L1-Malware Monitoring - Indicators and Warnings package, as described in the Activate Wiki
I noticed that the correlation events produced by the malware package have parameters in the name field with information like the virus name and the address of the infected host. Normally I recommend leaving parameters out of the name field because they make reporting on different event types difficult. This is in keeping with the advice from the CEF guide which says:
Name is a string representing a human-readable and understandable description of the event. The event name should not contain information that is specifically mentioned in other fields. For example: “Port scan from 10.0.0.1 targeting 20.1.1.1” is not a good event name. It should be: “Port scan”. The other information is redundant and can be picked up from the other fields.
The message field is the better place for plain-text descriptions of what happened. Did the best practice change on this?
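To make the naming point concrete from a detection-engineering side, here is a small CEF parser and a lint check that flags Name header values which repeat data already carried in extension fields (source address, virus name and so on), alongside a builder that emits events with a stable Name and the human-readable detail in msg. This is an added example, not code from the Activate package or from ArcSight; the vendor and product names, the signature IDs and the sample event lines are all constructed for illustration, and the escaping handles the common CEF cases (\|, \=, \\, \n, \r) rather than every corner of the spec.

```python
"""Lint CEF Name fields for redundant parameters (constructed example)."""
import re
from typing import Dict, List

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
_ESC = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}
_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_KEY_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")   # whitespace that starts a new key=
_FIRST_EQ = re.compile(r"(?<!\\)=")                  # first unescaped '='


def _unescape(s: str) -> str:
    """Resolve CEF backslash escapes; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(0)), s)


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into the 7 header fields plus an 'ext' dict.

    Header fields are separated by unescaped '|'; everything after the
    seventh separator is the space-delimited key=value extension.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < len(HEADER):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):     # keep escape pair for _unescape
            cur.append(line[i:i + 2]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != len(HEADER):
        raise ValueError("malformed CEF header: %r" % line)
    event: Dict[str, object] = {k: _unescape(v) for k, v in zip(HEADER, fields)}
    ext: Dict[str, str] = {}
    for token in _KEY_SPLIT.split(line[i:].strip()):
        parts = _FIRST_EQ.split(token, 1)
        if len(parts) == 2:
            ext[parts[0]] = _unescape(parts[1])
    event["ext"] = ext
    return event


def lint_name(event: Dict[str, object]) -> List[str]:
    """Report where the Name header repeats data that belongs in other fields."""
    name = str(event["name"])
    ext: Dict[str, str] = event["ext"]  # type: ignore[assignment]
    findings = []
    for key, val in ext.items():
        # msg is the intended home for free text, so it is allowed to overlap
        if key != "msg" and len(val) >= 3 and val in name:
            findings.append(f"name repeats {key}={val}")
    for ip in _IP.findall(name):
        # an address in Name with no extension field carrying it is still a smell
        if not any(f"={ip}" in f for f in findings):
            findings.append(f"name embeds address {ip} with no matching extension field")
    return findings


def build_cef(vendor, product, version, sig_id, name, severity, **ext) -> str:
    """Emit a CEF line with a stable Name; details go into extension fields."""
    def hdr(v):
        return str(v).replace("\\", "\\\\").replace("|", "\\|")

    def val(v):
        return (str(v).replace("\\", "\\\\").replace("=", "\\=")
                .replace("\n", "\\n").replace("\r", "\\r"))

    head = "|".join(["CEF:0", hdr(vendor), hdr(product), hdr(version),
                     hdr(sig_id), hdr(name), hdr(severity)])
    return head + "|" + " ".join(f"{k}={val(v)}" for k, v in ext.items())


# Constructed samples: the first two put parameters in Name, the third keeps Name stable.
SAMPLES = [
    "CEF:0|ExampleVendor|ExampleAV|1.0|100|Port scan from 10.0.0.1 targeting 20.1.1.1|5|"
    "src=10.0.0.1 dst=20.1.1.1",
    "CEF:0|ExampleVendor|ExampleAV|1.0|101|Malware ExampleWorm.A found on 10.0.0.7|8|"
    "src=10.0.0.7 cs1=ExampleWorm.A cs1Label=virusName",
    "CEF:0|ExampleVendor|ExampleAV|1.0|100|Port scan|5|"
    "src=10.0.0.1 dst=20.1.1.1 msg=Port scan from 10.0.0.1 targeting 20.1.1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_cef(line)
        print(repr(ev["name"]), "->", lint_name(ev) or "ok")
```

Run over a day of correlation events, the lint output gives a quick count of how many distinct Name values collapse to one event type once the embedded parameters are ignored, which is the reporting problem the post describes.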