marksadler

Having an Active Channel of IOCs

I am trying to create an Active Channel which checks against a list of IP addresses in an Active List and shows an event when a match is found. I cannot add Active Lists to the Active Channel without getting an error. What would be the best way to go about this?

Currently the Active List of IOCs has around 100 IP addresses in it.

Thanks.

varunraaj

Re: Having an Active Channel of IOCs

Hi Mark,

My approach would be to create a rule which checks the events against the Active List and makes them trigger an alert if the address is in the list. In the active channel I would be monitoring the alert.

Regards,

Varun P G

Obiora_NG

Re: Having an Active Channel of IOCs

Please can you assist me in creating such a rule?
You could share a snapshot of the rule you have.

Thanks.
marksadler

Re: Having an Active Channel of IOCs

Hi Varun, thanks for your response.

I created a rule and am now able to see events firing when they match an IP in my Active List. However, my Active Channel filter is simply Name = "Rule Name". It works but probably isn't the best way to go about this. Also I've noticed that if I amend my Active List in any way, add/remove addresses, the Active Channel does not reflect these changes. The new addresses do not fire in the AC, although if I search for them manually I can see traffic to these addresses. Is there a way I need to refresh the AL or Rule, or is this some kind of bug within ArcSight?

varunraaj

Re: Having an Active Channel of IOCs

Hi Mark,

To check: are the query for the search and the rule the same?

Regards,

Varun P G

tkachouba

Re: Having an Active Channel of IOCs

Create your alerts based on event Stages.  In the rule action tab use the Set Event Field action to set the Event Annotation Stage field to the specific Stage resource you want, for example "Triage".  Now you can pull up an active channel with the condition Event Annotation Stage Name = Triage.  All alerts with that Stage will be listed in the Active Channel.

When you add addresses to the list the rule will fire on any future matches and create a new correlation event. When addresses are removed the rule will not fire at all, respectively.

You can use the Verify Rule(s) with Events option to regression test the rule against past events to see if it would have fired at some point in time.

douglas.baker@h1

Re: Having an Active Channel of IOCs

While the responses relating to using a Rule w/ an Active List are clearly an alternative, your question was for an Active Channel.

With 'many' Conditions in an Active Channel possible, as in your example of 100 or more IPs, I would in general suggest that the best practice for this would be to use a Filter in the Active Channel as a Condition. The reason for this is (at least) two-fold, with one being that the list of IPs might be of interest elsewhere (such as in a Rule as a Condition), and two, it might be argued that editing the Filter is more appropriate than trying to do the same in the Active Channel Conditions (noting that if it IS being used multiple times, a change in one place benefits all usages).

With a Filter reference in your Active Channel its Conditions become 'clean' (at least visually) and, I suggest, it makes it easier to adjust your Active Channel for a potential variety of Conditions. As an example you may wish to have an Active Channel which is used to watch for a variety of potentially unrelated 'things' (Conditions) that you might want to 'put up on a monitor where everyone can see it somewhere', but it would not be your principal risk investigation Resource, e.g. all your Rules that are driving some 'Watch Officer Main Channel' that drives (very near) real time risk mitigation. In this case your 'focus channel of some things that are interesting' (remember it might be off there on a side monitor up on the wall where everyone can see it) would be driven by potentially many unrelated Condition examples that would best each be developed as Content within separate Filters, such that things can be added, removed and tweaked easily without potentially 'destroying' the Channel.

It is also suggestable that a best practice for such Filter sets is that, because each is a specific focus, naming can be more meaningful and descriptive. You then also make decisions about such Content placement, e.g. maybe a new Filter 'in development' comes out of Public (always try to stay away from per-user private Resource tree dependencies) while those Filters that have been through a little extra 'vetting' get promoted into a 'company specific' Resource Tree structure where there are Access Control details in place that require specific Users w/ appropriate Access Control privileges granted to maintain, i.e. vet and deploy....

Content development that is worth doing is worth learning and practicing and worth doing well.

So, an attempt to answer the actual Active Channel question, acknowledge the Rule responses, and suggest some best practice.

Thank you,

Doug

ianfitz

Re: Having an Active Channel of IOCs

Hi folks,

Lots of good tips have already been provided, I'm just adding this for completeness as I didn't see (unless I missed something) a comment about this in the trail above...

Note that it is possible to lookup Active Lists in an Active Channel.

Within the Active Channel create a local variable that looks up the list of interest based on the field you need to use as a key. Then the Active Channel filter criteria would be to filter for where mylocalvariable.listkey IS not null.

Just FYI.

Cheers,

Ian.

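Added example (not part of any post in this thread and not ArcSight code): a small Python model of the two approaches discussed above, a Rule that matches each incoming event against the Active List once at ingest, versus the channel local-variable lookup Ian describes, which is re-evaluated against the current list when the channel is refreshed. It shows why editing the list changes one result but not the other; the field names and the refresh-time behaviour of the channel lookup are assumptions.

```python
"""Model of a Rule evaluated once per new event versus a channel lookup
re-evaluated against the current Active List at view time. Added example,
not ArcSight code; lookup semantics on refresh are an assumption."""
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    source_address: str
    destination_address: str

# Constructed Active List of IOC addresses (RFC 5737 documentation ranges).
IOC_LIST = {"198.51.100.7", "203.0.113.44"}
# Constructed events already in the database; 192.0.2.77 is not yet an IOC.
EVENTS = [
    Event("Firewall permit", "10.0.0.5", "198.51.100.7"),
    Event("DNS query", "10.0.0.9", "192.0.2.10"),
    Event("Firewall permit", "10.0.0.5", "192.0.2.77"),
]

def rule_condition(event, active_list):
    """Rule condition: either endpoint is in the Active List."""
    return (event.source_address in active_list
            or event.destination_address in active_list)

def ingest(new_events, active_list, correlation_events):
    """Rules see each event once, as it arrives (new events only); the
    correlation event they create is a snapshot that is never re-run."""
    for ev in new_events:
        if rule_condition(ev, active_list):
            correlation_events.append(
                Event(f"IOC match: {ev.name}", ev.source_address, ev.destination_address))
    return correlation_events

def channel_lookup(events, active_list):
    """Channel local variable (assumed): look up the destination in the list
    at view time; the filter 'listkey IS NOT NULL' is modelled as membership."""
    return [ev for ev in events if ev.destination_address in active_list]

def run_scenario():
    """Replay the thread: rule deployed, then an IOC is added to the list."""
    fired = ingest(EVENTS, set(IOC_LIST), [])
    fired_before = len(fired)                            # 1: the 198.51.100.7 hit
    updated = set(IOC_LIST) | {"192.0.2.77"}             # analyst extends the list
    fired_after_edit = len(fired)                        # still 1: history not re-run
    lookup_hits = len(channel_lookup(EVENTS, updated))   # 2: lookup sees the new IOC
    later = Event("Firewall permit", "10.0.0.7", "192.0.2.77")  # fresh traffic
    fired_new = len(ingest([later], updated, fired))     # 2: rule fires on new events
    return fired_before, fired_after_edit, lookup_hits, fired_new
```

Run `run_scenario()` to reproduce the observation in the thread: adding an address does not create correlation events for traffic already in the database, while a lookup-based channel shows those past events on the next refresh.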
nayland.oneal

Re: Having an Active Channel of IOCs

Lots of good tips in here. Like Ian, I would just add that in your rule you can pass the "name" through on the aggregate on the rule if you want the name of the event to persist. This may be useful to the analysts in identifying the nature of the activity beyond the fact that it matched an active list of "bad". You could also modify the name to include both the original name and a pre/post addition.

Nayland

Knowledge Partner

Re: Having an Active Channel of IOCs

I think it is a bug, because rules normally work against all events in the ESM database.

ahh no sorry wrong product.

No, this is not a bug; rules work only against NEW events, not against historic events.

Cheers

Andreas
