StevenvandeBraak Outstanding Contributor.

Activate Network L1 - non functional

How many people actually use this framework and packages??


I thought, let's give it a try 3 years after this "project" started, and the very first package I install (network monitoring L1) is totally useless. It contains just a list of empty filters... Some other packages I took a look at, sigh... not designed for multi-customer, incomplete/non-working content, unreadable complex nestings, spam floods of notifications... I cannot believe there is someone really using this stuff in production.

tkachouba Trusted Contributor.

Re: Activate Network L1 - non functional

It sounds like you have not installed and configured the applicable Product Packages in your environment to support the L1 Network Monitoring Package... L1 Network Monitoring will not just "work" on its own.

Aleks Super Contributor.

Re: Activate Network L1 - non functional

We use content from ucl.socprime.com for network monitoring. Nice and light. It has real-time and historical traffic analysis with notification on deviations from baselines.

[screenshot: Clip2net_170117183401.png]

StevenvandeBraak Outstanding Contributor.

Re: Activate Network L1 - non functional

No, the package only has a set of filters that are all empty. There are no rules or anything else in there. I just wanted to see what's in there, and apparently nothing functional. I know about the SOC Prime packages, but it's kind of strange HP is making such a fuss about the framework while it isn't really useful after so much time of development...

prentice@hpe.co Honored Contributor.

Re: Activate Network L1 - non functional

Hey,

Apologies for the issues you are running into. In the ArcSight ESM Console, under the Packages tab, under /All Packages/ArcSight Activate, you should see the L1-Network Monitoring package. It should look something like this:

[screenshot: L1-Network-Package-Rules.png]

As mentioned, you will need to install and configure the appropriate product packages that hook into the L1-Network Monitoring - Indicators and Warnings package. The currently available product packages are available on the ArcSight Marketplace in the Activate Product Packages category. Included with the marketplace's description of the product packages is a link to the product package's documentation in the Activate Wiki.

The Activate Framework is more than just content, it is an end-to-end framework addressing everything from making sure the reporting devices are actually logging what should be logged, that the connectors are getting the data and forwarding the events to ESM, that the content covers as much as it can (networks are changing, threats are changing, the content cannot be stagnant), and that there is at least a foundation for a monitoring and response workflow.

Hope this helps,

--

Prentice

ubaidhayee1 Absent Member.

Re: Activate Network L1 - non functional

Steven,

For Activate setup, first of all the "Activate Base" package should have been installed. The packages like "Network Monitoring" or "Perimeter Monitoring" are more conceptual monitoring packages. Each of these packages has 2 further levels:

L1 - Indicators and Warnings

L2 - Situational Awareness

If you want to see what the goal of the "Network Monitoring" package is, you should be looking into "L2 - Situational Awareness". "L1 - Indicators and Warnings" is feeding into "L2 - Situational Awareness".

Further, just like L1 is feeding into L2, there are Product Packages that feed into L1. So the sequence of installation should be:

1- Install "Activate Base" Package

2- Install "Product Packages" (For the products required for your Conceptual Packages like Network Monitoring)

3- Install Network Monitoring "L1 - Indicators and Warnings" Package

4- Configure "Product Package" to feed into "L1 Indicators and Warnings"

5- Install Network Monitoring "L2 - Situational Awareness" (L2 should not require any configuration; it is designed to get feeds from L1).

The link below can also be helpful for understanding (the link below was for the old package where "Perimeter and Network Monitoring" were combined; now Network Monitoring is a separate package and Perimeter Monitoring is separate):

https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/ActivatePerimeterMonitoring

Regards

Ubaid
