Has anyone worked with Activate Base Suppression Lists successfully?
I am trying to work with the suppression lists, but the documentation is somewhat incomplete. There is no mention of how a list comes into play with any of the rules. Don't the rules need to query the active list during condition check? The only described method for adding to these is manually, via the Console, but that would be prohibitive to do. I'm getting hundreds of thousands of hits per hour on some rules, and am trying to keep the generation of correlated events from inundating my DB, and stacking up millions of partial matches.
I tried adding the condition check and the event-based Name and Attacked based Suppression AL update on one rule (Multiple Denies from Same Source) and it caused the correlated event's name to vary between rule name and triggering event name, and did not suppress any of the fires.
Any assistance would be appreciated. I'm getting nowhere fast.
Hey R Michael,
It's been forever since I've talked to you! 🙂 Hope all is well.
Okay, first, yes, the rule conditions should include /All Filters/ArcSight Activate/Core/Suppression List Filters/All Network Based Suppression Lists (i.e., the base/aggregated events should not have entries in any of the lists). This is not complete, yet, for all the published packages. Also, this filter is being updated for Activate Base 188.8.131.52, which is currently in test and should be released soon.
An L2-Perimeter Monitoring package update is also now in test (thanks to @henk-jan.van.es), with some additional updates, that include adding the suppression list filter to all the packages rules, making sure that the "problem" rules find the active lists that were moved to Activate Base, and updating the Category Custom Format field to use the updated ArcSight Attack Life Cycle (see https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/HowActivateCategorization#Category_Custom_Format for details).
Second, regarding the documentation, have you seen these two (recently created) pages?
The section you're probably most interested in is https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/SuppressionSystem#Using_the_Suppression_Lists_in_the_Real_45Time_Workflow.
I haven't had time to complete it (it will be next week before I can get back to it...), but if you go through it, assuming you haven't already, and still have questions, please let me know and I'll try to answer your questions and get the answers into the document.
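A toy model of the point above, added here and not code from ArcSight or the Activate packages: when the "not in any suppression list" filter is evaluated in the rule condition, suppressed base events never become partial matches, which is what keeps the aggregation window and the correlated-event volume down. The list name, field names, threshold and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed stand-in for an attacker-keyed suppression active list
# (hypothetical name; real Activate list names and fields differ).
SUPPRESSION_LISTS = {
    "Network Based Suppression - Attacker": {"10.0.0.5", "10.0.0.9"},
}

def is_suppressed(event, lists=SUPPRESSION_LISTS):
    """Condition-stage check: True if the base event's attacker sits in any list."""
    return any(event["attackerAddress"] in entries for entries in lists.values())

def multiple_denies(events, threshold=3, check_suppression=True):
    """Toy 'Multiple Denies from Same Source': count denies per attacker and
    fire once the count reaches the threshold. Returns (fires, partial_matches)."""
    partials = defaultdict(int)
    fires = []
    for ev in events:
        if ev["deviceAction"] != "deny":
            continue
        if check_suppression and is_suppressed(ev):
            continue  # dropped at condition time: no partial match is stored
        partials[ev["attackerAddress"]] += 1
        if partials[ev["attackerAddress"]] == threshold:
            fires.append(ev["attackerAddress"])
    return fires, dict(partials)

def _ev(attacker, action):
    return {"attackerAddress": attacker, "deviceAction": action}

# Constructed sample event stream (two of the four sources are suppressed).
SAMPLE_EVENTS = [
    _ev("10.0.0.5", "deny"), _ev("10.0.0.7", "deny"), _ev("10.0.0.5", "deny"),
    _ev("10.0.0.9", "deny"), _ev("10.0.0.7", "deny"), _ev("10.0.0.5", "deny"),
    _ev("10.0.0.8", "accept"), _ev("10.0.0.7", "deny"), _ev("10.0.0.9", "deny"),
    _ev("10.0.0.5", "deny"), _ev("10.0.0.8", "deny"),
]

if __name__ == "__main__":
    for flag in (False, True):
        fires, partials = multiple_denies(SAMPLE_EVENTS, check_suppression=flag)
        print(f"suppression in condition={flag}: fires={fires} partials={partials}")
```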
I haven't had enough time to play with/test the new ACTIVATE packages until now. I just checked them, and I can say I don't see big progress with suppression lists or support for them in the latest L1/L2 packages.
Because I have no more time to wait until it is implemented, I would like to ask you for a suggestion on how to approach this. I need to add/use suppression lists in the L1/L2 packages, mainly ENTITY monitoring, and I would like to do it "your way".
Can you please suggest the way you prefer? Where to place them, and how to hook them to packages/rules?
My first idea was to add it to the main hooking filters (entity example: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/*)... On the one hand, it will solve the false positives with the L1/L2 packages. But if there are false positives in PRODUCT rules it will not help me... So maybe there is a better place, some kind of product filter "all events of product"? Or is the best way the combination of both?
Solution Security Architect