baauji1

Can I aggregate on a field in Join rule?

Hi,

I need to create a join rule which checks for signatures in the IDS and connections in the firewall and triggers if the connections in the firewall cross a threshold. I have two event definitions in the Conditions tab and have applied a Matching Condition between them. Will aggregating on the firewall logs based on identical source address work?

Also, I want the IDS signature to appear in the alert triggered. Is it possible? I read about a method by creating a velocity template variable. Can someone tell me how to do this, as I am a bit new to ArcSight?

SCipriano

Re: Can I aggregate on a field in Join rule?

Let's assume you call them IdsEvent and FwEvent.

Yes, you may aggregate by IdsEvent.sourceAddress and FwEvent.sourceAddress.

If you want to "save" some fields to be populated on the triggered alert, then you should aggregate by that field and use the action "Set Event Field Actions".

For instance, you want to save the name of the IDS event. If so, aggregate by it and add an action that sets the field with $IdsEvent.name.

Was that it?

baauji1

Re: Can I aggregate on a field in Join rule?

I am not sure if it would work.

Consider that I want a join rule to trigger in which I have an IDS event and a firewall event. Now, the rule should trigger if there are events in the IDS and 500 events from the same source IP in the firewall. Only when the threshold is crossed do I want the rule to be triggered. The problem I am facing here is that when I set the threshold to 500, it will aggregate on the firewall source address. If I add the IDS name in the aggregation, then it will wait for 500 events in the IDS as well, which is not what I am looking for. Correct me if I am wrong anywhere!

baauji1

Re: Can I aggregate on a field in Join rule?

I am attaching the screenshots of my rule and Aggregation tab. That might give you more clarity on what I need in the rule!

Attachments: pic1.JPG, pic2.JPG

SCipriano

Re: Can I aggregate on a field in Join rule?

Ok, I see what you mean.

Since you want >=500 events from the FW and >=1 event from the IDS, you have to split the rule.

I see several ways to meet your need, but they all have different approaches and will produce different outcomes. Nevertheless, I'll introduce the way I would implement it or, at least, the way I would use for the first configuration set.

I would say that you should:

1) Create a rule that triggers when >=500 FW events are detected within a specific timeframe, aggregated on attacker address. You may copy the filter that you have from the "firewall_Logs" in the image.

2) Create a second rule that triggers when rule (1) fires and an IDS event appears as well from the same attacker address. Aggregate on attacker address for all the rules (this is a must; otherwise it won't recognize the match, since the values would be null). This second rule may have a different timeframe, and I would suggest one a little bit longer than (1).

Does it make sense to you?

baauji1
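To make the two-rule design above concrete, here is an added Python simulation of it (not code from the thread or from ArcSight itself): rule 1 counts firewall events per attacker address inside a window and emits one correlation event when the threshold is reached, and rule 2 joins that correlation event with an IDS event from the same address inside a longer window, carrying the IDS signature into the alert. All events, addresses, signature names, thresholds and window lengths are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events (invented for this example, not from the thread).
# Firewall events: (timestamp_seconds, attacker_address).
FW_EVENTS = [(i % 50, "10.0.0.5") for i in range(500)]   # 500 hits within 50 s
FW_EVENTS += [(i, "10.0.0.9") for i in range(20)]        # stays below threshold
# IDS events: (timestamp_seconds, attacker_address, signature_name).
IDS_EVENTS = [
    (30, "10.0.0.5", "IDS-SIG-EXAMPLE-1"),
    (10, "10.0.0.9", "IDS-SIG-EXAMPLE-2"),   # no FW burst, so never correlated
]


def rule1_fw_threshold(fw_events, threshold=500, window=60):
    """Rule 1: aggregate firewall events on attacker address and emit one
    correlation event per address once >= threshold events fall in `window`."""
    correlation_events = []
    recent = defaultdict(deque)               # attacker address -> timestamps
    for ts, attacker in sorted(fw_events):
        q = recent[attacker]
        q.append(ts)
        while q and q[0] < ts - window:       # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            correlation_events.append((ts, attacker))
            q.clear()                         # one burst -> one correlation event
    return correlation_events


def rule2_join_with_ids(correlation_events, ids_events, window=300):
    """Rule 2: join rule-1 correlation events with IDS events on attacker address
    inside a longer window; only one IDS event is needed, not 500."""
    alerts = []
    for fw_ts, attacker in correlation_events:
        for ids_ts, ids_attacker, signature in ids_events:
            if ids_attacker == attacker and abs(fw_ts - ids_ts) <= window:
                alerts.append({"attacker": attacker,
                               "ids_signature": signature,   # field the asker wants shown
                               "fw_threshold_at": fw_ts})
                break
    return alerts


def run_pipeline(fw_events=FW_EVENTS, ids_events=IDS_EVENTS):
    """Chain the rules: rule 1's correlation events are rule 2's input."""
    return rule2_join_with_ids(rule1_fw_threshold(fw_events), ids_events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Because the threshold is applied only in rule 1, a single matching IDS event is enough for rule 2 to fire, which is the behaviour the single join rule could not express.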

Re: Can I aggregate on a field in Join rule?

I knew this method before as well, but I thought my approach would be wrong. I had forgotten about the correlation log which is generated when a rule is triggered. So I am going to try this method now. Let's see. I will confirm if it works!
