AarushJ, Super Contributor

Hi Techies, can anyone provide insights for advanced correlation rules

Hi Techies,

Can anyone help provide me insights on
1) Advanced correlation rules
2) Cross-device correlation rules
For a newly set up SOC infrastructure; the devices in the architecture are Windows, AV, Unix, DLP, Symantec, WAF, Firewall (ASA and Checkpoint), IPS, routers and switches.
If someone can provide the list with aggregation and conditions it will be good.

Regards and thanks in advance,
AJ

Accepted Solution

Micro Focus Expert

Re: Hi Techies, can anyone provide insights for advanced correlation rules

I would recommend looking here first, as there is much premade content you can reuse if you are just starting with ArcSight: https://marketplace.microfocus.com/arcsight?tab=categories

Then for different types of articles, things like these:

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf

https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528

http://h41382.www4.hpe.com/gfs-shared/downloads-231.pdf


-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
AarushJ, Super Contributor

Re: Hi Techies, can anyone provide insights for advanced correlation rules

Micro Focus Expert

Re: Hi Techies, can anyone provide insights for advanced correlation rules

Hey @AarushJ

I am a bit unsure what you mean by advanced and cross-device correlations here?

Are you looking for documentation references etc.?

Normally it is wise to find the use cases and correlation before you decide on the log sources (though even I don't always have the possibility to do that).

If you want to make your use cases above device types and vendors, you will need to look at category-based use cases; this is also best practice I feel, as you don't create use cases per type of device.

There are several different categories that we use; let's say we want to monitor user authentication across devices, we would look at

Category Behaviour = /Authentication/Verify

CategoryOutcome = /Failure or /Success, depending on your use case.

Or maybe you want to look for resources being modified across devices, like new firewall rules being added, new Windows files being created etc.; then we would use category again, though it would be

CategoryBehaviour = Modify/* or /Create

So what you need to do is first have your logs gathered in one place, then decide on what you want to create, then look at the logs from each vendor to either find a common category field or map them in manually.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
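The category-based approach Marius describes, written out as a runnable rule; this is an added example and is not code from the thread or from ArcSight. It keys only on the normalised category fields, so Windows, ASA and Unix events are treated identically, and fires when one source address accumulates three authentication failures across at least two device vendors inside a five-minute window. The field names (cat_behavior, cat_outcome, vendor, src, user), the thresholds and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Only the normalised category
# fields drive the rule, so the vendor of each device does not matter.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "vendor": "Microsoft", "src": "10.0.0.5", "user": "alice",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Failure"},
    {"ts": "2024-01-01T10:01:00", "vendor": "Microsoft", "src": "10.0.0.5", "user": "alice",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Failure"},
    {"ts": "2024-01-01T10:01:30", "vendor": "Cisco", "src": "10.0.0.9", "user": "bob",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Failure"},
    {"ts": "2024-01-01T10:02:00", "vendor": "Cisco", "src": "10.0.0.5", "user": "admin",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Failure"},
    {"ts": "2024-01-01T10:03:00", "vendor": "Unix", "src": "10.0.0.5", "user": "alice",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Success"},
    {"ts": "2024-01-01T10:20:00", "vendor": "Unix", "src": "10.0.0.5", "user": "root",
     "cat_behavior": "/Authentication/Verify", "cat_outcome": "/Failure"},
]

def failed_auth_rule(events, threshold=3, window=timedelta(minutes=5), min_vendors=2):
    """Cross-device failed-authentication rule (hypothetical helper).

    Fires when one source address produces `threshold` failed authentication
    events from at least `min_vendors` distinct vendors within a sliding
    `window`. Events are assumed to arrive sorted by timestamp."""
    per_src = defaultdict(deque)   # source address -> recent failures
    alerts = []
    for ev in events:
        if (ev["cat_behavior"] != "/Authentication/Verify"
                or ev["cat_outcome"] != "/Failure"):
            continue               # successes and other behaviours are ignored
        ts = datetime.fromisoformat(ev["ts"])
        recent = per_src[ev["src"]]
        recent.append((ts, ev["vendor"], ev["user"]))
        while ts - recent[0][0] > window:   # drop failures outside the window
            recent.popleft()
        vendors = {v for _, v, _ in recent}
        if len(recent) >= threshold and len(vendors) >= min_vendors:
            alerts.append({"src": ev["src"], "count": len(recent),
                           "vendors": sorted(vendors),
                           "users": sorted({u for _, _, u in recent})})
            recent.clear()         # one alert per burst, not one per event
    return alerts

if __name__ == "__main__":
    for alert in failed_auth_rule(EVENTS):
        print(alert)
```

On the sample data the rule raises a single alert for 10.0.0.5 after the third failure (two Windows, one ASA); the later success and the isolated Unix failure twenty minutes on do not count.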
AarushJ, Super Contributor

Re: Hi Techies, can anyone provide insights for advanced correlation rules

Hi @Marius2,

Good day!
Thanks for replying. Yes, I am looking for any good documentation that can tell generally what kind of correlation rules an enterprise SIEM must have and what are all the possible cross-device advanced correlation rules we can design.
I work for a client having all kinds of devices in the network and in the infra.

So looking for what are all the ideal correlation rules we can make!
Information on category behaviour and outcome is helpful, thanks!

AJ
Knowledge Partner

Re: Hi Techies, can anyone provide insights for advanced correlation rules

Also read into the MITRE ATT&CK Framework, CIS and the SANS mapping to the different frameworks as well as the SIEM use case whitepapers from Anton Chuvakin
