vatsalyay11 Absent Member.

How to apply At-least condition in a rule?

Like the "at least" condition we have in QRadar. How can we make a similar type of rule in ArcSight, i.e.

If there are 30 drops in 10 minutes.
According to the organisation, 10 drops in 10 minutes are considered an attack.

So rather than having 3 rules for 10 drops in 10 minutes, I want 1 rule with 30 drops in 10 minutes.
Still cannot figure a way out.
Any guidance is welcome and I apologise in advance for the naive nature of my question.

tkachouba Trusted Contributor.

Re: How to apply At-least condition in a rule?

This is pretty simple to do with ESM. 

1. Create a rule

2. Define your specific drop conditions and/or use the categorization applied in ESM for the dropped firewall events

Category Significance : /Informational/Warning

Category Behavior : /Access

Category Device Group : /Firewall

Category Device Type : Firewall

Category Outcome : /Failure

3. In the aggregation tab, set the # of matches to 30 and set the time frame to 10 minutes. Select the fields for aggregation as needed.

4. In the actions tab, activate the "on every threshold" action

5. Deploy in Real Time Rules

A couple of things to consider:

1) Regression test the rule first before deploying it into Real Time Rules

2) Depending on the volume of firewall traffic you'll want to watch this rule carefully for partial matches.  The time threshold is somewhat large and this rule will be evaluating against a high volume event source.

3) Depending on the volume, this rule has the potential to get noisy without building out any suppression.
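An added example, not from this thread or from ArcSight ESM itself: a Python simulation of the rule described in steps 2 to 4 (match the categorization fields, count 30 matches per source address inside a 10-minute window, fire on every threshold) run over constructed sample events, including the partial matches that point 2) says to watch. The event field names, the sliding-window behaviour and the reset of the count after each firing are assumptions made for the simulation.

```python
from collections import deque
from datetime import datetime, timedelta

# Categorization fields from step 2 of the answer; values are copied from the post.
DROP_FILTER = {
    "categorySignificance": "/Informational/Warning",
    "categoryBehavior": "/Access",
    "categoryDeviceGroup": "/Firewall",
    "categoryDeviceType": "Firewall",
    "categoryOutcome": "/Failure",
}

def is_drop(event):
    """Step 2: an event matches when every categorization field equals the filter value."""
    return all(event.get(k) == v for k, v in DROP_FILTER.items())

class ThresholdRule:
    """Steps 3 and 4 (assumed semantics): fire each time `matches` events for one key fall in `window`."""
    def __init__(self, matches=30, window=timedelta(minutes=10), key_field="sourceAddress"):
        self.matches, self.window, self.key_field = matches, window, key_field
        self.partial = {}   # key -> timestamps of matches still inside the window
        self.alerts = []    # (key, time of firing, matches counted)

    def feed(self, event):
        if not is_drop(event):
            return None
        bucket = self.partial.setdefault(event.get(self.key_field), deque())
        bucket.append(event["time"])
        while bucket and event["time"] - bucket[0] > self.window:
            bucket.popleft()        # partial match aged out of the 10-minute window
        if len(bucket) >= self.matches:
            self.alerts.append((event.get(self.key_field), event["time"], len(bucket)))
            bucket.clear()          # "on every threshold": the next 30 start from zero
            return self.alerts[-1]

    def partial_matches(self):
        """Open buckets below the threshold: what point 2) says to watch on busy firewalls."""
        return {k: len(b) for k, b in self.partial.items() if b}

def make_drop(src, t, **overrides):
    """Constructed sample event, not a real firewall log."""
    return dict(DROP_FILTER, sourceAddress=src, time=t, **overrides)

def run_demo():
    rule, t0 = ThresholdRule(), datetime(2024, 1, 1, 12, 0, 0)
    events = [make_drop("10.0.0.5", t0 + timedelta(seconds=12 * i)) for i in range(35)]   # 35 drops in 7 min
    events += [make_drop("10.0.0.9", t0 + timedelta(seconds=100 * i)) for i in range(12)]  # 12 drops over 18 min
    events += [make_drop("10.0.0.7", t0, categoryOutcome="/Success")]                      # allowed, not a drop
    for ev in sorted(events, key=lambda e: e["time"]):
        rule.feed(ev)
    return rule
```

Only 10.0.0.5 reaches 30 matches inside the window and fires once; 10.0.0.9 never exceeds 7 matches in any 10-minute span, and the 5 drops after the firing remain as a partial match.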
