ravpatil

Create a rule to check malicious traffic


I have an active channel which populates a list of malicious IPs and it keeps updating itself.

My requirement is to have a rule populated every time an internal IP interacts with one of the IPs in the list.

Wanted to know how I do it.

My thoughts are:

1. Have the list of the IPs from the active channel populated to a dynamic active list.

2. Have a rule to check the network traffic against the list present in the active list.

Will this work?

Or would there be an easier way of achieving this?

Thanks,

Ravi.

Accepted Solutions
reswob4

Re: Create a rule to check malicious traffic


In our case, ours is a bit more static than what Ravinder is doing. We receive a CSV list from an internal org and I upload it into an active list on a regular basis.

However, there are several methods to create and maintain a list of bad IPs/domains.

1. Subscribe to a Threat Intel Feed (an excellent free one is https://intel.criticalstack.com/. Even though it's built for a different product, the results can be parsed into a CSV and sent to ArcSight where a rule can put the IPs and domains into active lists. For a different system, I'm using a simple Python script to parse the results into a format I can use.)

2. Roll your own script to download from publicly available lists (i.e. Suspicious Domains - SANS Internet Storm Center). Then parse and send to ArcSight where a rule can put the IPs and domains into different active lists.

3. Manually create/maintain lists.

Hope that helps.
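Added example, not code from this thread or from ArcSight: the two halves of what is being discussed, in plain Python. `parse_feed` does the feed-to-list step Craig describes (raw indicator lines split into deduplicated IP and domain sets, ready for two separate active lists), and `match_traffic` is the condition Ravi's rule needs, an internal source address talking to a destination that is in the list. The feed text and flow events are constructed; the CSV header name and "internal means RFC 1918" are assumptions to adjust for your own list and network.

```python
import csv
import io
import ipaddress
import re
# Constructed sample feed: one indicator per line, '#' comments, the shape most
# public block lists use. Values are documentation ranges, not real indicators.
FEED_TEXT = """# constructed sample feed
203.0.113.10
198.51.100.7
bad-domain.example
203.0.113.10
not an indicator
"""
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# "Internal" taken to mean RFC 1918 space (assumption; adjust to your network)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_feed(text):
    """Split raw feed lines into deduplicated IP and domain sets; junk is dropped."""
    ips, domains = set(), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))  # also normalises IPv6 forms
        except ValueError:
            if DOMAIN_RE.match(line):
                domains.add(line.lower())
    return ips, domains

def to_active_list_csv(values, column):
    """Single-column CSV; header assumed to match the target active list field."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([column])
    for value in sorted(values):
        writer.writerow([value])
    return buf.getvalue()

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def match_traffic(events, bad_ips):
    """The rule condition: internal source address and destination in the list."""
    return [ev for ev in events if ev["dst"] in bad_ips and is_internal(ev["src"])]
EVENTS = [  # constructed flow events standing in for the traffic the rule inspects
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dpt": 443},  # internal -> listed: fire
    {"src": "10.1.2.4", "dst": "93.184.216.34", "dpt": 80},  # destination not listed
    {"src": "8.8.8.8", "dst": "198.51.100.7", "dpt": 53},    # listed, but external source
]
```

Lines the parser cannot classify are dropped on purpose, so a malformed feed line never ends up as a list entry that can never match.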

reswob4

Re: Create a rule to check malicious traffic


You could do this with an active list or a session list. I'm using active lists to check for activity to undesirable IPs and domains.

cbroncano

Re: Create a rule to check malicious traffic


Hi Craig,

Where do you get your list from?

ravpatil

Re: Create a rule to check malicious traffic


Hello Craig,

Thanks for the reply.

My concern here is I do not have an Active List and the only source is the Active Channel which contains the IPs.

How do I pull the IPs from the channel to the Active List?

rkent1

Re: Create a rule to check malicious traffic


Hi, you can make a rule that looks for the events (the ones you are looking at in your active channel) and use a rule action to populate a list.

Can you clarify what type of active channel it is? What sort of events are they? A screenshot would certainly help here.

ravpatil

Re: Create a rule to check malicious traffic


Thanks Richard.

That seems to be the right approach. The active channel is not currently receiving events and is scheduled to receive events after a few hours. That was the reason there was no result populated on the active list that I had created.

Hope that'll work. Will wait for the next batch of events to appear in the channel.

Fingers crossed.
