
L1-Malware Monitoring Indicators and Warnings

This is the official forum for discussing the ArcSight Activate L1-Malware Monitoring - Indicators and Warnings package, as described in the Activate Wiki

  • We have been looking into some issues with the correlated events in the L1-Malware package and have noticed some odd inconsistencies in the aggregation. Can anyone provide any insight into these choices or are some of these things that need to be corrected? Here are just a couple of examples:

    • Multiple Unsuccessful Scans have been Detected in Host aggregates only on destinationAddress and not destinationHostName, like all of the other rules in the package
    • Multiple Unsuccessful Scans have been Detected in Host is also the only one that does not include deviceVersion, deviceAction, and deviceEventClassId
    • Use of deviceSeverity, destinationUserName, and deviceHostName is limited to half the rules (in different combinations)
    • Unresolved Malware includes a number of the source fields, whereas Resolved does not.

    I've included a spreadsheet with the information that I pulled for analysis. As an aside, I think this information would be extremely valuable in the Wiki documentation as an indicator of what fields should be tested when implementing the rules. 

    Jeff


    L1 Malware Aggregation.xlsx.zip
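The kind of cross-rule comparison behind the spreadsheet above can be scripted so it is repeatable after every package update. The block below is an added example, not code from the post or from the Activate package: the rule-to-field table is constructed from the field names Jeff lists and is not an export of the actual L1-Malware rules, and the function names (`field_usage`, `aggregation_gaps`, `field_matrix`) are this example's own. It builds the same rule × field presence matrix as the spreadsheet, then flags, per rule, the fields most other rules aggregate on but this one omits, and the fields no other rule uses.

```python
"""Audit aggregation-field consistency across a set of correlation rules.

Added example. RULES is a constructed sample modelled on the forum post
(rule names and field names only); it is NOT an export of the ArcSight
Activate L1-Malware package. Function names are this example's own.
"""
from collections import Counter

# Constructed sample: rule name -> set of aggregation fields.
RULES = {
    "Multiple Unsuccessful Scans have been Detected in Host": {
        "destinationAddress", "deviceVendor", "deviceProduct",
    },
    "Unresolved Malware": {
        "destinationAddress", "destinationHostName", "deviceVendor",
        "deviceProduct", "deviceVersion", "deviceAction",
        "deviceEventClassId", "sourceAddress", "sourceHostName",
        "sourceUserName", "destinationUserName", "deviceSeverity",
    },
    "Resolved Malware": {
        "destinationAddress", "destinationHostName", "deviceVendor",
        "deviceProduct", "deviceVersion", "deviceAction",
        "deviceEventClassId", "deviceHostName",
    },
}


def field_usage(rules):
    """Count in how many rules each aggregation field appears."""
    counts = Counter()
    for fields in rules.values():
        counts.update(fields)
    return counts


def aggregation_gaps(rules, min_ratio=0.5):
    """Per rule: fields used by more than min_ratio of all rules but absent
    here (likely unintended omissions), and fields used by no other rule
    (candidates to justify or drop). Rules with neither are not reported."""
    counts = field_usage(rules)
    n = len(rules)
    common = {f for f, c in counts.items() if c / n > min_ratio}
    report = {}
    for name, fields in rules.items():
        missing = sorted(common - fields)
        unique = sorted(f for f in fields if counts[f] == 1)
        if missing or unique:
            report[name] = {"missing_common": missing, "unique": unique}
    return report


def field_matrix(rules):
    """Rule x field presence table, the shape of the spreadsheet in the post.
    Returns (sorted field names, [(rule name, ['x' or '' per field]), ...])."""
    fields = sorted(field_usage(rules))
    rows = [(name, ["x" if f in used else "" for f in fields])
            for name, used in rules.items()]
    return fields, rows


if __name__ == "__main__":
    fields, rows = field_matrix(RULES)
    width = max(len(name) for name, _ in rows)
    print("rule".ljust(width), " ".join(f[:14].ljust(14) for f in fields))
    for name, marks in rows:
        print(name.ljust(width), " ".join(m.ljust(14) for m in marks))
    for name, gaps in aggregation_gaps(RULES).items():
        print(f"\n{name}")
        print(f"  missing common fields: {gaps['missing_common']}")
        print(f"  unique to this rule:   {gaps['unique']}")
```

To run this against a real package, replace `RULES` with the aggregation fields read out of the exported rule definitions. The operational reason the inconsistency matters: two rules that see the same burst of events but aggregate on different field sets will emit different numbers of correlated events, and a rule that keys on a field the feed leaves empty groups every such event into one null bucket, so the set of fields should be checked against what the connectors actually populate before the thresholds are tuned.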