arcsight.analys1

Correlated alert - get data from base event


Hi all,

I want to get data from two base events into a correlated alert.

e.g. the base event will have a field, country_name:

Base Event 1 - country_name - United States

Base Event 2 - country_name - Nigeria

Is it possible to get these two country values into the correlated event? Since the country_name field is not identical, many have told me this is not possible in ArcSight.

But this is a very common scenario. Has anyone found any workaround? Any pointers appreciated.

Accepted Solutions
mschleich

Re: Correlated alert - get data from base event


Dear Vishal S,

If you have worked a lot with active lists, you will understand how to do this properly.

You create a rule (a lightweight rule is better, depending on the use case) that writes to an active list with the username as the key and the country as the value, like this:

Username     Country

user1               UK

user2               USA

If you see an event with user1 and a country different from UK, you update the active list entry using a special character other than pipe "|", for example colon ':'. You can do that with the get_activelist_value function and the concatenateThree String function. You do this in your first correlation rule using variables. Keep each added country in the variable so that the first one is not added again in the following events (NOT this: country1:country2:country1).

user1               UK:DE

Then, using another rule based on the active list audit event activelist:103 (An entry was changed in an active list), you detect events for the active list you created above where the deviceCustomString4 field contains the special character (the colon in the example above).

This means that there is one user with at least 2 different countries.

2 colons mean 3 countries.

You will detect in real time that there is more than 1 country.

If I have correctly understood your use case, I think I have succeeded in building it. It is a bit tricky but it should work; I have used it for another purpose.

If you have questions, do not hesitate to contact me.

I hope this explanation was clear enough.

Regards

Michael

mschleich

Re: Correlated alert - get data from base event


Dear Vishal S,

You may use join rules to do this.

Using variables and aggregation, you can create a correlated event with information present in both base events when the join rule has triggered.

Check the ArcSight User Console Guide for the join rules documentation.

I hope this will help you.

Thanks

Kind Regards

Michael

arcsight.analys1

Re: Correlated alert - get data from base event


Dear Michael,

Thanks for the suggestion. I have actually tried this... sorry, I should have mentioned it in the first note.

The problem with using variables in join rules is that the base events need to be monitored over a three-hour window and at least 400-500 events are triggered per day. If we use variables, it overwhelms the resources and has a drastic effect on performance.

Regards,

Vishal

mschleich

Re: Correlated alert - get data from base event


Dear Vishal S,

The last solution would be to use an active list with a lightweight rule, or to use a trend.

But I need more information about the use case (what you want to detect, what information is in the base events, etc.) to describe the technical part.

Thx

Michael

arcsight.analys1

Re: Correlated alert - get data from base event


Dear Michael,

OK. Here is the scenario.

We have a public-facing website where user login activity is monitored.

Whenever a user logs in we get the IP address and the geolocation of the IP address. If the user has logged in from two different countries in a three-hour window, an alert should be raised.

So the base event contains username and country fields. These are used in the correlated alert condition.

In a three-hour window, if (BaseEvent1.username = BaseEvent2.username and BaseEvent1.Country != BaseEvent2.Country) an alert is raised.

E.g.

BaseEvent1.username = alice1

BaseEvent1.Country = United States

BaseEvent2.username = alice1

BaseEvent2.Country = Russia

Now, one field in the correlated event can be mapped to the username field in the base event, i.e. we can get "alice1" in the correlated alert. But since country has unique values, United States and Russia, this is not being captured.

So essentially, the correlated event should have a field Country = United States, Russia

If you need anything else, like the exact rule condition, please let me know.

Regards,

Vishal

Yamini_B

Re: Correlated alert - get data from base event


Hi Michael,

Kindly help with the queries below.

(1) How do I add the data into an AL separated by a colon?

(2) I need to know which three strings to concatenate, based on your points below:

"You can do that with get_activelist_value function and concatenateThree String function. You do this in you first correlation rule in using variable."

Regards,

Yamini.B

arcsight.analys1

Re: Correlated alert - get data from base event


Dear Michael,

Yes, I got what you are trying to say. Many thanks for the detailed explanation.

I will give this a try and let you know if it works.

Regards,

Vishal

shakthi243

Re: Correlated alert - get data from base event


Hi Vishal,

I have configured the same scenario in our environment using local variables.

I have attached screenshots for your reference. This is the easiest way to do field merging from two different base events and capture both country names in the correlation events.

I have not noticed any significant performance issues with this rule.

Rule condition:

I have created two event conditions with the same query and then a join condition to achieve our requirement, i.e. login from two different countries.

(screenshot: Rule Condition.png)

Variables:

Created two variables to capture the value from the Attacker Geo Country Name field.

(screenshot: variables.png)

Aggregation:

Add the variables in the "aggregate only if these fields are identical" section as below.

(screenshot: Aggregation.png)

Actions:

You can map the values of these variables using the Set Event Field action item.

I have mapped them to the deviceCustomString6 field.

(screenshot: actions.png)

That's it. It works as expected.

Regards,

Gowrishankar

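As an added illustration (not part of the thread, and not ArcSight's own code), the following Python emulates both approaches discussed above on constructed login events: Michael's accepted solution (a lightweight rule keeps one active-list entry per user with the countries seen, colon-separated and each recorded once, and a second rule fires on the "entry was changed" audit when the value contains the separator) and Gowrishankar's join rule (pair each login with an earlier login by the same user from a different country inside the window, the correlated event carrying both countries). The ActiveList class, the event and alert field names, and the assumption that an entry expires three hours after its last write are simplifications for the example, not ArcSight semantics.

```python
"""Emulation of the active-list and join-rule approaches from the thread (example code)."""
from collections import namedtuple
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)  # the three-hour window from the use case
SEP = ":"                     # separator for the active-list value; pipe "|" is avoided, as in the thread

LoginEvent = namedtuple("LoginEvent", "ts username country")
Alert = namedtuple("Alert", "ts username countries")


class ActiveList:
    """Toy stand-in for an active list keyed by username (assumption: an entry expires
    WINDOW after its last write; real active-list TTL behaviour is not modelled)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # username -> (value, last_write)

    def get(self, username, now):
        entry = self.entries.get(username)
        if entry is None:
            return None
        value, last_write = entry
        if now - last_write > self.ttl:  # expired: behave as if the entry were gone
            del self.entries[username]
            return None
        return value

    def put(self, username, value, now):
        """Write the entry; return True only when an existing value changed, which is
        when the 'entry was changed' audit event described in the thread would fire."""
        old = self.get(username, now)
        self.entries[username] = (value, now)
        return old is not None and old != value


def lightweight_rule(alist, event):
    """Step 1: one entry per user holding every country seen in the window, joined
    with SEP, each country recorded once (never country1:country2:country1)."""
    current = alist.get(event.username, event.ts)
    if current is None:
        new_value = event.country
    elif event.country in current.split(SEP):
        new_value = current                        # already present, do not append again
    else:
        new_value = current + SEP + event.country  # concatenate(current, SEP, country)
    changed = alist.put(event.username, new_value, event.ts)
    return changed, new_value


def detection_rule(changed, event, value):
    """Step 2: the rule on the audit event fires when the stored value contains SEP,
    i.e. the user has now been seen from at least two countries (n separators = n+1 countries)."""
    if changed and SEP in value:
        return Alert(event.ts, event.username, value.split(SEP))
    return None


def run_active_list_approach(events, window=WINDOW):
    alist = ActiveList(window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        changed, value = lightweight_rule(alist, ev)
        alert = detection_rule(changed, ev, value)
        if alert is not None:
            alerts.append(alert)
    return alerts


def run_join_rule_approach(events, window=WINDOW):
    """Join-rule style: every (earlier login, later login) pair for the same user from
    different countries inside the window yields one correlated event carrying both
    countries. Without aggregation one user can produce many such events."""
    correlated, earlier_events = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        for earlier in earlier_events:
            if (earlier.username == ev.username and earlier.country != ev.country
                    and ev.ts - earlier.ts <= window):
                correlated.append((ev.ts, ev.username, earlier.country + ", " + ev.country))
        earlier_events.append(ev)
    return correlated


# Constructed sample login events (not real data)
T0 = datetime(2020, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    LoginEvent(T0, "alice1", "United States"),
    LoginEvent(T0 + timedelta(minutes=40), "alice1", "United States"),    # same country: no change
    LoginEvent(T0 + timedelta(minutes=50), "alice1", "Russia"),            # alert, 2 countries
    LoginEvent(T0 + timedelta(minutes=55), "bob", "UK"),
    LoginEvent(T0 + timedelta(hours=1, minutes=10), "alice1", "Nigeria"),  # alert, 3 countries (2 colons)
    LoginEvent(T0 + timedelta(hours=5), "bob", "DE"),                      # bob's UK entry expired: no alert
]

if __name__ == "__main__":
    for a in run_active_list_approach(SAMPLE_EVENTS):
        print(f"active list {a.ts:%H:%M} {a.username}: {', '.join(a.countries)}")
    for ts, user, countries in run_join_rule_approach(SAMPLE_EVENTS):
        print(f"join rule   {ts:%H:%M} {user}: {countries}")
```

On the sample input the active-list path raises two alerts for alice1 (the second one listing all three countries), while the unaggregated join path emits five correlated events for the same logins, which is the volume effect Vishal describes above; in ArcSight the aggregation settings on the join rule are what keep that number down.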
mschleich

Re: Correlated alert - get data from base event


Dear Gowrishankar,

I advise you to use a lightweight rule to write to the active list without any correlated event.

And then use a normal rule to detect the active list audit event, as explained in my answer.

No performance issue. It works well.

Thanks

Regards

Michael

arcsight.analys1

Re: Correlated alert - get data from base event


Dear Michael and Gowrishankar,

Thanks a lot for the responses. We were able to implement both of these solutions, with some tweaks, in separate use cases.

Have you tried doing this using the REST API, i.e. can I get details of the base events if I populate a query viewer window with correlated events?

Regards,

Vishal
