mohammad-kh Contributor.

Join rule creation (from interview point)


Hi all,

Old to ArcSight but new to rule creation.

Please take a simple and complete example and tell me how to create a join rule from the beginning.

I have tried hard but am unable to join, or to create an event 2, in the rule tab.

regards,

Mohammad


Accepted Solutions
zargaran Honored Contributor.

Re: Join rule creation (from interview point)


Dear mohammad

For example, you can create a rule for a successful brute force.

In this case you must join two rules:

1- a rule that fires on frequent login failures

2- a rule that fires on a single login success with the same sourceAddress.


Join rule : rule1:rule2

sourceAddress(rule1)=sourceAddress(rule2)

endTime(rule1)<endTime(rule2)


rule1:

AND

deviceVendor != "ArcSight"

categoryBehavior = "/Authentication/Verify"

categoryOutcome = "/Failure"

sourceAddress is not null


rule2:

AND

deviceVendor!="ArcSight"

categoryBehavior ="/Authentication/Verify"

categoryOutcome ="/Success"

sourceAddress is not null

BR

Amir
rejinmk Respected Contributor.

Re: Join rule creation (from interview point)


Hi Mohammad,

This is very simple. For instance, consider that you have a firewall after an IPS, and you want to detect whether traffic that the IPS detected as suspicious, but allowed, was then passed through the firewall.

------------------

Matching Event

Firewallevent.sourceAddress = IPSevent.sourceAddress

Firewallevent.endTime > IPSevent.endTime

IPSevent

deviceVendor = IPS

name = suspiciousSignature

FirewallEvent

deviceVendor = Firewall

deviceAction != denied

------------------

Regards,

Rejin

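Both join rules in this thread (Amir's failed-logins-then-success join in the accepted solution, and Rejin's IPS-then-firewall join in the reply above) share one shape: an event 1 filter, an event 2 filter, and a join on sourceAddress with endTime(event 1) < endTime(event 2). The Python below is an added example that works both of them through over constructed sample events; it is not ArcSight's rule engine and not code from either poster. The aggregation count (5 failures within 2 minutes), the 10-minute join window, the deviceVendor strings "Microsoft", "IPS" and "Firewall", the signature name, and every address and timestamp are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _end_time(event):  # endTime is an ISO-8601 string in the constructed samples
    return datetime.fromisoformat(event["endTime"])


class JoinRule:
    """Two-event join keyed on sourceAddress and ordered by endTime.

    event1_filter/event2_filter stand in for the two event tabs of an ArcSight
    join rule; agg_count/agg_window mimic event 1's aggregation settings (it
    fires once agg_count matches from one sourceAddress fall inside agg_window);
    join_window bounds how long a fired event 1 waits for its event 2.
    """

    def __init__(self, name, event1_filter, event2_filter, agg_count=1,
                 agg_window=timedelta(minutes=2), join_window=timedelta(minutes=10)):
        self.name = name
        self.event1_filter = event1_filter
        self.event2_filter = event2_filter
        self.agg_count = agg_count
        self.agg_window = agg_window
        self.join_window = join_window
        self._event1_times = defaultdict(deque)  # sourceAddress -> recent endTimes
        self._pending = {}                        # sourceAddress -> endTime event 1 fired

    def feed(self, event):
        """Process one event; return a correlation event (dict) or None."""
        src = event.get("sourceAddress")
        if src is None:  # both event tabs require "sourceAddress is not null"
            return None
        now = _end_time(event)
        if self.event1_filter(event):
            times = self._event1_times[src]
            times.append(now)
            while now - times[0] > self.agg_window:  # drop events outside the window
                times.popleft()
            if len(times) >= self.agg_count:
                self._pending[src] = now  # event 1 fires, carrying this endTime
                times.clear()
            return None
        if self.event2_filter(event) and src in self._pending:
            fired = self._pending[src]
            # join condition: endTime(rule1) < endTime(rule2), and not too long after
            if fired < now <= fired + self.join_window:
                del self._pending[src]
                return {"rule": self.name, "sourceAddress": src,
                        "event1_endTime": fired.isoformat(),
                        "event2_endTime": now.isoformat()}
        return None


def brute_force_rule():
    """Amir's example: frequent auth failures, then a success from the same source."""
    def is_auth(e, outcome):
        return (e.get("deviceVendor") != "ArcSight"
                and e.get("categoryBehavior") == "/Authentication/Verify"
                and e.get("categoryOutcome") == outcome)
    return JoinRule("Successful brute force", lambda e: is_auth(e, "/Failure"),
                    lambda e: is_auth(e, "/Success"),
                    agg_count=5)  # assumed aggregation count: 5 failures in 2 minutes


def ips_firewall_rule():
    """Rejin's example: IPS flags the source, firewall then lets it through."""
    return JoinRule("Suspicious traffic allowed by firewall",
                    lambda e: e.get("deviceVendor") == "IPS" and e.get("name") == "suspiciousSignature",
                    lambda e: e.get("deviceVendor") == "Firewall" and e.get("deviceAction") != "denied")


def run_rule(rule, events):
    """Feed events in endTime order; return the correlation events raised."""
    return [hit for hit in (rule.feed(e) for e in sorted(events, key=_end_time)) if hit]


def _auth(ts, src, outcome):  # constructed sample event, not real log data
    return {"endTime": ts, "sourceAddress": src, "deviceVendor": "Microsoft",
            "categoryBehavior": "/Authentication/Verify", "categoryOutcome": outcome}


SAMPLE_AUTH_EVENTS = (
    [_auth(f"2024-01-01T12:00:{10 * i:02d}", "10.0.0.5", "/Failure") for i in range(5)]
    + [_auth(f"2024-01-01T12:00:{30 + i:02d}", "10.0.0.7", "/Failure") for i in range(3)]
    + [_auth("2024-01-01T12:01:00", "10.0.0.7", "/Success"),  # only 3 failures: no fire
       _auth("2024-01-01T12:01:05", "10.0.0.9", "/Success"),  # no failures at all
       _auth("2024-01-01T12:01:10", "10.0.0.5", "/Success")]  # completes the join
)

SAMPLE_NET_EVENTS = [  # constructed; "IPS"/"Firewall" are placeholders as in the post
    {"endTime": "2024-01-01T12:05:00", "sourceAddress": "192.0.2.10", "deviceVendor": "IPS", "name": "suspiciousSignature"},
    {"endTime": "2024-01-01T12:05:01", "sourceAddress": "192.0.2.10", "deviceVendor": "Firewall", "deviceAction": "accept"},
    {"endTime": "2024-01-01T12:05:02", "sourceAddress": "192.0.2.11", "deviceVendor": "IPS", "name": "suspiciousSignature"},
    {"endTime": "2024-01-01T12:05:03", "sourceAddress": "192.0.2.11", "deviceVendor": "Firewall", "deviceAction": "denied"},
]

if __name__ == "__main__":
    print(run_rule(brute_force_rule(), SAMPLE_AUTH_EVENTS))
    print(run_rule(ips_firewall_rule(), SAMPLE_NET_EVENTS))
```

Run as a script and it prints one correlation event per rule: 10.0.0.5 for the brute force (five failures, then a success 30 seconds after the fifth) and 192.0.2.10 for the IPS/firewall pair; the three-failure source, the source with no failures, and the source the firewall denied all stay silent. The `agg_count` argument is the knob that plays the part of the aggregation count on the first event: 5 for the brute-force rule, left at 1 for the IPS rule because a single IPS hit is enough there. Note that a fired event 1 is consumed by the first matching event 2, so one burst of failures raises one alert rather than one per later success.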
mohammad-kh Contributor.

Re: Join rule creation (from interview point)


Thanks Rejin for your prompt response.

rkent1 Acclaimed Contributor.

Re: Join rule creation (from interview point)


These presentations were some of my favourites for learning rule creation:

Jabeer New Member.

Re: Join rule creation (from interview point)


Dear Amir,

What should the aggregation count and action be set to for this rule?
