This discussion has been locked.

L1-Network Monitoring - Indicators and Warnings

This is the official forum for the discussion of the L1-Network Monitoring - Indicators and Warnings package.


The installation/update package will be available from the ArcSight Marketplace. All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight?tab=categories).


The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1NetworkMonitoring.

--
Prentice S. Hayes
Principal Product Manager | Security Operations
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

  • Hi, I have installed the package Activate Base 2.5.2, but when I install this package all the filters have the expression false, like the picture false1.png.


    For what reason does this happen?

  • We recently have implemented the L1-Network Monitoring package and have come across what I think is a minor bug. The "Very High Severity IDS Event" correlated event is set with a Medium severity. It should be set to "Very High". The "High Severity IDS Event" is being set correctly.

  • You're correct, it is a bug. We are currently testing the update package that has this corrected.


    Thanks!

    --
    Prentice S. Hayes
    Principal Product Manager | Security Operations
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/

  • I believe I have found another bug in this package, which is resulting in the message being incorrectly set for High Severity IDS Events. The message is supposed to be set to the event name along with the Rule ID, which is in Device Event Class ID. This is working for Very-High events, but not High ones. I believe the reason is that the aggregation criteria are different between the two rules. In addition to the fields aggregated on for High events, Very-High also has event1.Device Event Class ID and event1.Request Url as two additional fields.


  • In reply to jdc07301:

    I can confirm that adding the Device Event Class ID resolves the issue with the message field.

  • The installation file for L1-Network Monitoring 0.2.0.0 displays the following when starting:

    "This is the L2-Network Monitoring - Situational Awareness..."

    Confusing but other than that it ran fine.

    Jeff


  • In reply to jdc07301:

    The Linux installer does not work due to Windows-style carriage returns in the script.

  • In reply to Beirne:

    The Linux installer fails on Step 5 when it exports the customizations package. The line:

    $CONSDIR/bin/arcsight package -q -action export -package "$customizationsPackage" -f "$customBundle" -m $manager -port $port -u $user -p "$pwvar"

    should be:

    $CONSDIR/bin/arcsight package -q -action export -package "$customizationsPackage" -f "$customBundlePackage" -m $manager -port $port -u $user -p "$pwvar"
    checkError "Step 5: Export $customizationsPackage to $customBundlePackage"
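The two installer defects reported in the last two posts (Windows-style carriage returns in the Linux script, and a `$customBundle` expansion that is never assigned where `$customBundlePackage` was meant) are both things you can catch before running the installer. The following lint is an added example, not code from the thread, from OpenText or from the Activate package. It writes a constructed sample installer that reproduces both problems (the sample's paths, package names and `checkError` helper are invented for the illustration; the real installer is not reproduced here), counts carriage returns, reports variables that are expanded but never assigned, and strips the CRs the way `dos2unix` would. Names that the real installer obtains interactively (`manager`, `port`, `user`, `pwvar`) are assumed to be supplied at run time and are passed in as a known-good list.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Activate package: a lint for a
# Bourne-shell installer that flags CRLF line endings and "$variable" expansions
# that the script never assigns. The installer text in write_sample() is
# CONSTRUCTED to reproduce both defects; the real installer is not reproduced.

# Count carriage-return bytes in a file. Any non-zero count is a problem: a
# "#!/bin/sh\r" shebang names a non-existent interpreter, and every quoted
# argument on a CRLF line silently gains a trailing CR.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Remove carriage returns in place (what dos2unix does), keeping a backup.
fix_crlf() {
    cp "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# Print, one per line, the names the script expands ($name or ${name}) but never
# assigns (name=...). Names in $2 (space separated) are assumed to come from the
# environment or from an interactive "read" and are not reported.
undefined_vars() {
    refs=$(grep -oE '\$[{]?[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '${' | sort -u)
    defs=$( { grep -oE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" | tr -d ' \t='
              printf '%s\n' $2; } | sort -u )
    for v in $refs; do
        printf '%s\n' "$defs" | grep -qxF "$v" || echo "$v"
    done
}

# Constructed sample: a CRLF-terminated script whose "Step 5" line references
# $customBundle although only $customBundlePackage is ever assigned. The
# checkError helper here is a stand-in, not the installer's own.
write_sample() {
    printf '%s\r\n' \
        '#!/bin/sh' \
        'CONSDIR=/opt/arcsight/console/current' \
        'customizationsPackage=L1NetworkMonitoring_Custom' \
        'customBundlePackage=/tmp/L1NM_custom.arb' \
        'checkError() { [ "$?" -eq 0 ] || { echo "FAILED: $1" >&2; exit 1; }; }' \
        '$CONSDIR/bin/arcsight package -q -action export -package "$customizationsPackage" -f "$customBundle" -m $manager -port $port -u $user -p "$pwvar"' \
        'checkError "Step 5: Export $customizationsPackage to $customBundlePackage"' \
        > "$1"
}

# Demonstration on the constructed sample.
sample="${TMPDIR:-/tmp}/l1nm_installer_sample.$$"
write_sample "$sample"
echo "carriage returns: $(count_cr "$sample")"
echo "undefined variables: $(undefined_vars "$sample" 'manager port user pwvar')"
fix_crlf "$sample"
echo "carriage returns after fix: $(count_cr "$sample")"
rm -f "$sample" "$sample.bak"
```

Run it against the real installer with `undefined_vars ./install.sh 'manager port user pwvar'` (adjusting the known-name list to whatever the script reads interactively) before executing it; a reported name such as `customBundle` is the typo the post above describes. Running the installer under `sh -u` would also abort at the first unset expansion, but only after the earlier steps have already modified the Manager, so the static check is the safer first pass.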