How to apply At-least condition in a rule?
Like we have an at-least condition in QRadar. How can we make a similar type of rule in ArcSight, i.e.
If there are 30 drops in 10 minutes.
According to the organisation, 10 drops in 10 minutes are considered an attack.
So rather than having 3 rules for 10 drops in 10 minutes I want 1 rule with 30 drops in 10 minutes.
Still cannot figure a way out.
Any guidance is welcome and I apologise in advance for the naive nature of my question.
Re: How to apply At-least condition in a rule?
This is pretty simple to do with ESM.
1. Create a rule
2. Define your specific drop conditions and/or use the categorization applied in ESM for the dropped firewall events:
   Category Significance : /Informational/Warning
   Category Behavior : /Access
   Category Device Group : /Firewall
   Category Device Type : Firewall
   Category Outcome : /Failure
3. In the aggregation tab set the # of matches to 30 and set the time frame 10 minutes. Select the fields for aggregation as needed.
4. In the actions tab, activate the "on every threshold" action
5. Deploy in Real Time Rules
A couple of things to consider:
1) Regression test the rule first before deploying it into Real Time Rules
2) Depending on the volume of firewall traffic you'll want to watch this rule carefully for partial matches. The time threshold is somewhat large and this rule will be evaluating against a high volume event source.
3) Depending on the volume, this rule has the potential to get noisy without building out any suppression.
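To make the aggregation logic in steps 2 to 4 concrete, here is a small Python model of the rule, added as an illustration for this thread and not taken from ArcSight ESM or from the answer above. It assumes events are dicts carrying the category fields listed in step 2 plus `sourceAddress` and `endTime` (hypothetical field names chosen to resemble ESM's), aggregates on source address, and treats "on every threshold" as: fire when 30 matching events fall within a sliding 10-minute window, then reset that source's counter so the next 30 fire again. The `regression_test()` function does what point 1) recommends: it replays constructed traffic (one host bursting 30 drops, one host dripping 12 drops over 20 minutes, one host producing 65 drops) and returns the alerts the rule would raise.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event-level condition from step 2 (values copied from the answer above).
DROP_CONDITIONS = {
    "categorySignificance": "/Informational/Warning",
    "categoryBehavior": "/Access",
    "categoryDeviceGroup": "/Firewall",
    "categoryDeviceType": "Firewall",
    "categoryOutcome": "/Failure",
}


def is_firewall_drop(event):
    """Step 2: does the event match every categorization field of a firewall drop?"""
    return all(event.get(k) == v for k, v in DROP_CONDITIONS.items())


class ThresholdRule:
    """Simplified model (an assumption, not ESM's implementation) of a rule with
    aggregation (step 3) and an 'on every threshold' action (step 4)."""

    def __init__(self, matches, window, key_fields):
        self.matches = matches          # "# of matches", e.g. 30
        self.window = window            # time frame, e.g. 10 minutes
        self.key_fields = key_fields    # aggregation fields, e.g. ("sourceAddress",)
        self.buckets = defaultdict(deque)  # partial matches: timestamps per key
        self.alerts = []

    def feed(self, event):
        """Process one event in time order; return an alert dict if the rule fires."""
        if not is_firewall_drop(event):
            return None
        key = tuple(event[f] for f in self.key_fields)
        bucket = self.buckets[key]
        bucket.append(event["endTime"])
        # Drop partial matches that have aged out of the window.
        while bucket and event["endTime"] - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) >= self.matches:
            alert = {"key": key, "firedAt": event["endTime"], "count": len(bucket)}
            self.alerts.append(alert)
            bucket.clear()  # reset so a further 30 matches fire again
            return alert
        return None


def make_drops(src, start, count, spacing):
    """Constructed sample data: `count` drop events from `src`, `spacing` apart."""
    return [dict(DROP_CONDITIONS, sourceAddress=src, endTime=start + i * spacing)
            for i in range(count)]


def regression_test():
    """Replay constructed traffic through the rule and return the alerts raised."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = (
        make_drops("10.0.0.5", t0, 30, timedelta(seconds=10))   # 30 drops in 5 min: fires once
        + make_drops("10.0.0.9", t0, 12, timedelta(seconds=100))  # 12 drops over 20 min: never fires
        + make_drops("10.0.0.7", t0, 65, timedelta(seconds=5))   # 65 drops in ~5.5 min: fires twice
    )
    # An allowed connection from the bursting host must not count as a drop.
    events.append(dict(DROP_CONDITIONS, categoryOutcome="/Success",
                       sourceAddress="10.0.0.5", endTime=t0))
    events.sort(key=lambda e: e["endTime"])

    rule = ThresholdRule(matches=30, window=timedelta(minutes=10),
                         key_fields=("sourceAddress",))
    for e in events:
        rule.feed(e)
    return rule.alerts


if __name__ == "__main__":
    for a in regression_test():
        print(f"{a['firedAt']:%H:%M:%S} threshold hit for {a['key'][0]} ({a['count']} drops)")
```

The `buckets` dictionary is the in-memory state that point 2) above is warning about: on a busy firewall every distinct source address that has dropped even once holds a partial match until its timestamps age out of the 10-minute window, so the number of keys you aggregate on directly drives memory use. The constructed 10.0.0.9 host shows the flip side noted in point 3): a slow, steady drip of drops never reaches 30 in any window, so whatever you pick as the threshold also defines what the rule will silently ignore.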