Acclaimed Contributor.

How to create a rule


Hi All,

How do we write a standard rule for one source, many destinations, 5 events within 5 minutes? Or is there another way?

Cheers

Gayan

Mr
6 Replies
Super Contributor.

Conditions:

sourceAddress = 10.0.0.1 and destinationAddress Is NOT NULL

# I would also recommend adding your technology/products to further reduce the load on the rules engine.

... and (deviceProduct = ASA or deviceProduct = FWSM)

Aggregation:

# of Matches: 5

Time Frame: 5 Minutes

Set your actions:

On First Threshold

or

On Every Threshold

or

On Time Window Expiration

I would first check to see how chatty your single source is before implementing the rule.

If there are more than 10,000 destinations within one minute the rule will go into DOS protection mode and disable itself.

-Chris

Acclaimed Contributor.

Hi Chris,

Appreciate your reply.

In the condition, in the first place I do filtering for the specific traffic that I want to use, let's say "Checkpoint-FW-events". But how does the rule look?

Since I consider one src and many dst, it's very much like a vertical scan, but the only difference is I don't consider the port. Aggregation and threshold can be fine-tuned.

Is there a way to configure a rule like below?

sourceAddress = Unique and destinationAddress Is NOT NULL

?

Cheers

Gayan

Mr
Super Contributor.

Tracking scanning activity can be brutal on ESM's rules engine unless you can finely tune out the normal noise.

If you're unsure of what the normal noise levels are that will likely also match your rule trigger thresholds then running some queries can shed some light on how much tuning will be needed to make a real-time rule work without triggering hundreds or thousands of times.

Try running a query against your Checkpoint product and filter out any events lacking addresses and dstport to start.

Conditions:

deviceProduct = Checkpoint-FW-events and sourceAddress Is NOT NULL and destinationAddress Is NOT NULL and destinationPort Is NOT NULL

# verify your device product

Fields:

Select

Sum(Aggregated Event Count) SUM

Minute # or Hour: These variables should be in your Global Variables under: ArcSight Foundation > Variables Library > Timestamp Formats >

Source Address

Destination Address

Destination Port

Category Device Group

Category Behavior

Category Outcome

Device Product

Group By

Minute # or Hour

Source Address

Destination Address

Destination Port

Category Device Group

Category Behavior

Category Outcome

Device Product

Set the time frame to 1h or 24h (if 24 hours use the hour variable instead of the minute).

Increase your row limit to 100k.

Create a query viewer or report and attach this query and run it in csv format.

You can massage the data around in excel to filter out anything less than a five count and further group them in pivot tables.

This should shed some light on your noise levels.

When you feel confident that these will not be incredibly noisy then here are a couple sample ways on how to identify scans:

Vertical Scan

Conditions:

Your tuned filter.

Aggregation:

# of Matches: 5

Time Frame: 5 Minutes

Aggregate only if these fields are unique:

destinationPort

Aggregate only if these fields are identical:

sourceAddress

destinationAddress

deviceProduct

categoryOutcome

Set your actions:

On Time Window Expiration [ Active ] Cumulative Rule Chain is On

Horizontal Scan

Conditions:

Your tuned filter.

Aggregation:

# of Matches: 5

Time Frame: 5 Minutes

Aggregate only if these fields are unique:

destinationAddress

Aggregate only if these fields are identical:

sourceAddress

destinationPort

deviceProduct

categoryOutcome

Set your actions:

On Time Window Expiration [ Active ] Cumulative Rule Chain is On

Alternative Generalized Method / Box Scanning

Conditions:

categoryDeviceGroup startswith /Firewall and categoryBehavior = /Access and categoryOutcome = /Failure and sourceAddress Is NOT NULL and destinationAddress Is NOT NULL and destinationPort Is NOT NULL and type != Correlation

Aggregation:

# of Matches: 5

Time Frame: 5 Minutes

Aggregate only if these fields are unique:

#Leave empty

Aggregate only if these fields are identical:

sourceAddress

deviceProduct

Set your actions:

On Time Window Expiration [ Active ] Cumulative Rule Chain is On

Keep an eye on your Rules Status dashboard when turning these high resource intensive rules on:

/All Dashboards/ArcSight Administration/ESM/System Health/Resources/Rules/Rules Status

Acclaimed Contributor. (Accepted Solution)
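To make the aggregation settings discussed above concrete, here is a small simulation of how "# of Matches", "Time Frame", "identical" fields and "unique" fields combine. It is an added example written for this thread, not ArcSight code, and runs over constructed firewall events; the horizontal-scan settings are the one-source-many-destinations design the question asks for, the vertical-scan settings are the port-based variant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 12, 0, 0)  # constructed base timestamp


def aggregate(events, identical, unique, matches=5, window=timedelta(minutes=5)):
    """Return the groups that reach the threshold.

    identical: fields whose values must be equal across aggregated events
    unique:    fields whose values must all differ within the window
    A group fires when `matches` qualifying events fall inside `window`,
    then resets (roughly "On Every Threshold").
    """
    buckets = defaultdict(list)
    fired = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if any(ev.get(f) is None for f in identical + unique):
            continue  # same effect as the "Is NOT NULL" conditions
        key = tuple(ev[f] for f in identical)
        bucket = buckets[key]
        # drop events that fell out of the sliding time frame
        bucket[:] = [e for e in bucket if ev["time"] - e["time"] <= window]
        seen = {tuple(e[f] for f in unique) for e in bucket}
        if unique and tuple(ev[f] for f in unique) in seen:
            continue  # repeat of an already-counted value: not unique
        bucket.append(ev)
        if len(bucket) == matches:
            fired.append((dict(zip(identical, key)), list(bucket)))
            bucket.clear()
    return fired


# Constructed sample: 10.0.0.1 probes six hosts on port 445 within two
# minutes; 10.0.0.9 talks to one server eight times (chatty, one
# destination); one event has no destination address (noise).
EVENTS = (
    [{"time": T0 + timedelta(seconds=20 * i), "sourceAddress": "10.0.0.1",
      "destinationAddress": f"10.0.1.{i}", "destinationPort": 445}
     for i in range(1, 7)]
    + [{"time": T0 + timedelta(seconds=30 * i), "sourceAddress": "10.0.0.9",
        "destinationAddress": "10.0.2.2", "destinationPort": 443}
       for i in range(8)]
    + [{"time": T0, "sourceAddress": "10.0.0.1",
        "destinationAddress": None, "destinationPort": 22}]
)


def horizontal_scan(events):
    # one source, many distinct destinations (the accepted design)
    return aggregate(events, ["sourceAddress"], ["destinationAddress"])


def vertical_scan(events):
    # one source and destination, many distinct ports
    return aggregate(events, ["sourceAddress", "destinationAddress"],
                     ["destinationPort"])
```

The chatty server never fires because repeated destinations do not count as unique, which is the property that keeps this rule quieter than a plain count of events per source.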

That sounds pretty good, but this should be real time. This is my design for a trigger event.

Aggregation:

# of Matches: 5

Time Frame: 5 Minutes

Aggregate only if these fields are unique:

Destination Address

Aggregate only if these fields are identical:

Source Address

On every threshold, it sets the field value.

So doesn't this rule trigger once a src IP tries to access many dst IPs (more than 5 events within 5 min)? (Let's assume all noise is filtered out, like blank src or dst IP.)

Mr

Super Contributor.

For the criteria that you are looking for, that will trigger.

Unique source to multiple destinations.

The initial query was a suggestion so that you could avoid a hyper active rule that could cause your rule engine problems.

Under those conditions your public and internal facing services will probably be 99% of the rule fires.

Acclaimed Contributor.

Yes, it is correct. In my scenario actually, I'm looking for IPS traffic only. So I can filter out all noisy traffic. Thanks for your help and really appreciate it.

Mr