Activate and the new builtin content for ESM
With the new ESM content, which came with 7.2, I am curious how that works together with the Activate packages? Also, what is the outlook on Activate? Will that be merged into the new builtin content?
Both packages currently seem to be two separate entities, with alerts generated from Activate seen in the Main Channel and alerts from the builtin content seen in its own active channel. Also, the structure of the Activate filters seems to be better; the builtin content seems to be more a touch of the old days instead of the Activate approach with nested filters and such.
Hello Simon and t_Kachouba,
I would be glad to answer this question, and it is a fair question to ask. If you only want the short answer soundbite, it is: "Activate is not the go-forward content solution for ArcSight. Therefore, what you know as the Activate Framework will not be advanced as the Activate Framework." There, I hope that was direct and straightforward enough so that there is clarity in the answer.
Now, if you have another couple of minutes, here is the longer and more comprehensive answer.
SOME BACKSTORY: In ArcSight's recent history, under HPE, the product team was generally not interested in content, where content was defined as correlation rules, dashboards, reports, etc. In this era, the general ArcSight mantra was: "If you want or need content, and you are not capable of doing it yourself, then let us introduce you to our PS organization." This poor thinking is what drove many customers away from ArcSight to competitor solutions. ArcSight attempted to respond with the ArcSight Marketplace; however, this was never really advanced as much as some other vendors' solutions.
ENTER ACTIVATE FRAMEWORK: The ArcSight Professional Services organization had started identifying a need for generalized content, and they had, after all, been on the front lines and were seeing consistent themes. At the time, there were no solid and established industry frameworks. So the ArcSight PS organization took the content (as I understand it, as I was not part of ArcSight at the time) and organized a framework of content based on a hierarchical ESM deployment model. E.g., the ESMs on the front lines would get the L1 Activate content; if it was a middle-tier correlator then you had L2; and if it was a top-tier correlator and the MOM of alerts then it would get the L3 content. Thus was born the L1 - L3 content. I'm not 100% sure where the name ACTIVATE came from. In the end, the "Activate Framework" was born, and it was kept and maintained by ArcSight Professional Services.
THEN CAME MICRO FOCUS MANAGEMENT: In May of 2018, the management that had been running ArcSight in the last couple of years of HPE had all left, and in the early part of 2018 Micro Focus installed a leadership team that did not come from the HPE heritage but rather the Micro Focus heritage. This management team, which included a new Dir. of Product Management, had a very different view on content. So beginning in 2018, content was brought into the Product Group, and engineering resources were assigned to it. Also by this time, those within PS who had created the Activate Framework had also left Micro Focus, and the net result was that Activate was now in limbo. No longer being maintained by PS, and not really being what Micro Focus Product Management had in mind for content, a change was required.
BORN DEFAULT CONTENT AND MITRE: In 2019 the decision was made that we would restore default content in the product so that the customer would get value in hours or at most days. We no longer wanted customers deploying ArcSight and it being a giant data center heater doing nothing useful until either the customer bought enough PS to make it useful, or learned to create content themselves. But the question now remained, "What should the content be?" The answer was given to us in the fact that in late 2018 and into 2019 the MITRE ATT&CK Framework was coming into the mainstream. So the decision was made that all the new (default) content would be aligned to the MITRE Framework. Now customers had an industry-recognized framework, so having a vendor standard was no longer needed. Also, because Activate was aligned more to a deployment strategy than a threat offense / defense strategy, it was further not appropriate to go forward with. So at this point, the decision was made that we WOULD NOT continue to develop and advance the Activate Framework.
HOW RE-PURPOSING CONTENT MADE SENSE: What we discovered when moving to align with MITRE is that a lot of the content could be mapped to specific Tactics for detection. So the newly empowered engineering-led Content team took the Activate content and began mapping it to the MITRE framework. Key items they completely repurposed into new "default" content, and other content they left on the Marketplace. Bit by bit they have effectively remodeled the Activate content where appropriate and augmented it, so that the "Default Content" is highly optimized content that has very strict performance impact requirements. Therefore, a customer may deploy the default content with assured confidence that it will not crash the solution or consume all of its resources. The content team and the various component teams work together to cross-check one another and ensure that these performance standards are maintained. If the content does not achieve those standards, then it is still made available in the Marketplace, but it is not included in the default content.
My hope is that you found this answer helpful and that you are finding value in the new default content. Of course, your feedback is more than welcome, either good or bad.
Thank you for the detailed explanation, much appreciated. I do however have some additional questions with regards to this.
Activate also brought with it a way to do things in ESM. One of those was nested filters, which made it much easier to tweak the content to your specific environment, and the other was false positive removal through suppression lists. Both were documented, with an explanation of how to do them with the Activate Framework.
Next are the product filters, which ease the pain of configuring use cases, where the specific event types were defined so that configuration was much easier for us, the partner, or the customer. That meant you did not have to "hunt" for how the event looks in order to use it.
Also, with the Activate main channel you had the option of viewing all correlated alerts in one place; I can't seem to find this with the default content.
I hope you can salvage some parts of Activate 🙂 and bring them into the default content.
Thank you again,
Thank you for the great feedback, and for what you really valued from the Activate Framework. I will absolutely make certain that this feedback makes it to the content team, and we'll see how we can get these benefits integrated into the content.