Trusted Contributor.

How to retrieve endTime and managerReceiptTime from base event into correlation event?


I have the following use cases where I have to deal with endTime and managerReceiptTime:

  1. Future event: end time is higher than manager receipt time, which is impossible if time is correct.
  2. Delayed event: end time is lower than manager receipt time by more than 1 hour.

Consider that the manager time is always correct; the issue lies with the device.

 

I have to keep the original endTime and managerReceiptTime from the base event in the correlated event, and the rule must fire once every 24h. I'm not able to accomplish that, because for me to keep those 2 fields in the correlated event I need to add them in the aggregation tab, but if I do that the rule fires for each and every event.

 

For example, deviceAddress 10.10.10.1 is 1 hour in the future due to a wrong daylight savings configuration and deviceAddress 10.10.10.2 is 5 seconds in the future due to a missing NTP configuration. The active list should contain only the first hit for each deviceAddress and not add it again for 24h. The list should look like this:

endTime              managerTime          deviceAddress
2019-01-28 03:50:51  2019-01-28 02:50:51  10.10.10.1
2019-01-28 07:45:10  2019-01-28 07:45:05  10.10.10.2
2019-01-29 12:10:00  2019-01-29 11:10:00  10.10.10.1
2019-01-29 19:00:00  2019-01-29 18:59:55  10.10.10.2

 

Considering both devices have more than 100 EPS and every event is getting into the ESM with the wrong time, I do NOT want this list to be flooded with every event, just the first one. If I add endTime and/or managerReceiptTime to the aggregation tab, I'm flooded by all events.

I already tried using a separate list with a TTL of 24h that gets populated by the rule itself with only the deviceAddress, and adding a "not in list" condition to the rule, but that didn't work; the flood continued.

 

Hope you guys got the idea and can enlighten me.


Accepted Solutions
Honored Contributor.

Re: How to retrieve endTime and managerReceiptTime from base event into correlation event?


Hi,

Do you need those times in the correlation event or just in the active list?

You can create two local variables of type "Alias" in the rule, one for each time field, aggregate those variables and assign them to the active list fields.

If you need those times in the correlated event, you can assign the variables to other date fields, like deviceCustomDate1 and 2.

Regards

4 Replies
Honored Contributor.

Re: How to retrieve endTime and managerReceiptTime from base event into correlation event?


... maybe your event flood is started by the correlation events that are generated by the rule itself. I would add the condition Type != Correlation to the conditions tab to prevent the rule from triggering on correlated events. However, this does not mean that your rule triggers only once per 24h. The rule triggers on every event with the corresponding time difference between EndTime and ManagerReceiptTime. To let the rule trigger only once per 24h I would use active lists with a TTL of 1 day (as you explained in your request). Be careful with case-sensitivity and keys on active lists. This should work. Do some testing.

Acclaimed Contributor.

Re: How to retrieve endTime and managerReceiptTime from base event into correlation event?


Hi JChris,

 

I confirm that if you want to be sure that the rule triggers every 24h, the best solution, and for me the only working solution, is using the AL with a TTL of 24h.

How did you do this part?

Because, based on experience, it is possible that sometimes the Timer in the AL is removed, you have to verify that the list is not NULL once the 24h have expired.

This is how I have done it:

AL 1Day Timer (Field based AL with 1 Key)

Key: TimerKey
Value: OK
TTL: 1 day

If necessary, you could use the activelist:104 ArcSight audit events, which will be generated every 24h after you have added the key/value to that list.

As soon as it has expired, you have to re-add the key/value.
You don't trigger if getActiveListValue(TimerKey) = OK or IS NOT NULL.
You add a condition to your rule: if the timer is still there, do not trigger, because the 24h have not expired. When they have, you will receive the audit events and your list will be empty, so getActiveListValue(TimerKey) will be NULL and your rule can trigger. Do not forget to add the Timer again in the Action once the rule has triggered.

For building the key, you can concatenate 2 strings (Timer, Key); the same for the value (OK, ) with the second string null.

This AL is completely independent of your other data, it is just to have a kind of countdown for 24h.

If you want to keep the endTime, the best solution would be for your correlation rule to save it into another list, because if you aggregate on endTime the issue would be with an ActiveChannel sorted by endTime: you couldn't see your correlated alert in the ActiveChannel, which could be annoying. It depends on your needs.

Sincerely, if your time problems are due to a mistake or misconfiguration (and not to delays caused by different time zones), I would ask to have those problems solved, as ArcSight is a real-time SIEM: it correlates based on managerReceiptTime because that is the time at which the events are received by the SIEM, but they need to be correct. If not, the correlation makes no sense!

If my explanation is not clear enough or if you have any question, do not hesitate to contact me.

Thanks
Regards

Michael

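The rule logic discussed in the question and in the replies above, as an added Python simulation that is not part of the original thread and is not ArcSight code: it classifies each base event as future or delayed against managerReceiptTime, ignores correlation events (Type != Correlation), and suppresses repeats with a TTL active list keyed either per deviceAddress (the question's list) or on a single TimerKey (the "1Day Timer" list described in the reply above). The field names follow the thread; the list semantics, the per_device/global_timer key functions, the summary helper and all event data are assumptions constructed for this example.

```python
"""Added example (not ArcSight's code): simulation of the thread's rule logic.
Field names (endTime, managerReceiptTime, deviceAddress, Type, deviceCustomDate1/2)
follow the thread; list behaviour, key functions and event data are constructed."""
from datetime import datetime, timedelta

DELAY_THRESHOLD = timedelta(hours=1)   # "delayed": more than 1h behind the manager clock
SUPPRESS_TTL = timedelta(hours=24)     # TTL of the de-duplication active list


def classify(end_time, manager_receipt_time):
    """'future', 'delayed' or None for one base event (manager clock assumed correct)."""
    if end_time > manager_receipt_time:
        return "future"
    if manager_receipt_time - end_time > DELAY_THRESHOLD:
        return "delayed"
    return None


class TtlActiveList:
    """Stand-in for a key-only active list whose entries vanish TTL after insertion.
    Assumption: the TTL is not refreshed; the rule relies on that anyway because the
    'not in list' condition prevents re-adding a key that is still present."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._expiry = {}                  # key -> moment the entry disappears

    def contains(self, key, now):          # ~ getActiveListValue(key) IS NOT NULL
        expiry = self._expiry.get(key)
        if expiry is not None and now < expiry:
            return True
        self._expiry.pop(key, None)        # absent, or expired: forget it
        return False

    def add(self, key, now):
        self._expiry[key] = now + self.ttl


# Two keying strategies from the thread: first hit per deviceAddress per 24h (the
# question), or one global timer key so the rule fires at most once per 24h overall.
per_device = lambda ev: ev["deviceAddress"]   # keys are case-sensitive; IPs need no normalising
global_timer = lambda ev: "TimerKey"


def run_rule(events, key_fn=per_device):
    """Feed events through the rule in arrival order; return the correlation events emitted."""
    seen = TtlActiveList(SUPPRESS_TTL)
    out = []
    for ev in sorted(events, key=lambda e: e["managerReceiptTime"]):
        if ev["Type"] == "Correlation":    # condition Type != Correlation: ignore own output
            continue
        verdict = classify(ev["endTime"], ev["managerReceiptTime"])
        if verdict is None:
            continue
        key, now = key_fn(ev), ev["managerReceiptTime"]
        if seen.contains(key, now):        # still inside the 24h window: suppressed
            continue
        seen.add(key, now)                 # action: (re)add the key so the countdown restarts
        out.append({"Type": "Correlation", "deviceAddress": ev["deviceAddress"], "verdict": verdict,
                    "deviceCustomDate1": ev["endTime"],            # aliased base-event times
                    "deviceCustomDate2": ev["managerReceiptTime"]})
    return out


def summary(events, key_fn=per_device):
    """(deviceAddress, verdict, endTime, managerReceiptTime) per emitted correlation event."""
    return [(c["deviceAddress"], c["verdict"], c["deviceCustomDate1"].isoformat(),
             c["deviceCustomDate2"].isoformat()) for c in run_rule(events, key_fn)]


def make_events():
    """Constructed traffic: ~100 EPS bursts from two skewed devices, a repeat inside 24h,
    a delayed device, a borderline device and a looped-back correlation event."""
    events = []

    def base(addr, end, mrt, kind="Base"):
        events.append({"Type": kind, "deviceAddress": addr, "endTime": end, "managerReceiptTime": mrt})

    def burst(addr, first_receipt, skew, count=200):
        for i in range(count):
            mrt = first_receipt + timedelta(milliseconds=10 * i)
            base(addr, mrt + skew, mrt)

    dst, no_ntp = timedelta(hours=1), timedelta(seconds=5)         # wrong DST; missing NTP
    burst("10.10.10.1", datetime(2019, 1, 28, 2, 50, 51), dst)
    burst("10.10.10.2", datetime(2019, 1, 28, 7, 45, 5), no_ntp)
    burst("10.10.10.1", datetime(2019, 1, 28, 20, 0, 0), dst)      # < 24h later: suppressed
    burst("10.10.10.1", datetime(2019, 1, 29, 11, 10, 0), dst)     # > 24h later: fires again
    burst("10.10.10.2", datetime(2019, 1, 29, 18, 59, 55), no_ntp)
    base("10.10.10.3", datetime(2019, 1, 28, 1, 0, 0), datetime(2019, 1, 28, 3, 0, 0))  # 2h late
    base("10.10.10.4", datetime(2019, 1, 28, 4, 0, 0), datetime(2019, 1, 28, 5, 0, 0))  # exactly 1h: not delayed
    base("10.10.10.9", datetime(2019, 1, 28, 4, 0, 0), datetime(2019, 1, 28, 3, 0, 1), "Correlation")
    return events


if __name__ == "__main__":
    for row in summary(make_events()):
        print(*row)
```

Run stand-alone, the per-device list yields five rows: the four rows of the question's table plus one "delayed" row for 10.10.10.3, while the 1003 incoming events (including the repeat burst inside the 24h window and the looped-back correlation event) produce nothing else. Switching to global_timer on the same traffic yields only two rows, both for 10.10.10.1, because a single key throttles every device together; that is the difference between the two list designs discussed above.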
Trusted Contributor.

Re: How to retrieve endTime and managerReceiptTime from base event into correlation event?


I'm OP, just to give an update to the community:

I don't remember what I was doing wrong, but I deleted everything and started from zero and it's now working. I'm using a 24h active list to handle the duplicates.
