john.robinson21 (Honored Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

Circling back to this topic. I downloaded and installed the package with no problems. However, when reading the wiki and viewing the filters associated with the rules in the package, it seems that all rules are based on one filter called "No Events"? How can multiple rules be based on one filter? Especially a filter that only has "false" in the common conditions?

MaryCordova (Frequent Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

Ok, so I haven't looked at this package, but based on my knowledge of the Activate framework, you need to install the product package pertinent to your environment, for example McAfee ePO, then replace the filter/false with the appropriate filter from McAfee.

So a rule might be "Unquarantined" in the malware package and the filter might be "Unquarantined" in the McAfee package, and you just link those 2 up. This makes it easy to link products and rules no matter if you are using McAfee or Symantec or fill_in_the_blank_malware_service.

This is where it becomes important for customers to develop the specific product packages, like if you are using MalwareBytes in your environment, while ArcSight maintains the abstract "Malware" solution packages.

Does that sound correct?

mike_of_many (Trusted Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

That's correct. The malware package used the higher-level language choices:

  • Quarantined
  • Resolved
  • Unresolved
  • Unscanned

These in McAfee are pretty straightforward, as ePO AV and AM events use the same language; TrendMicro events are (if I recall) going to read:

  • Isolated
  • Removed
  • Marked
  • Untouched or unable to scan...

This also extends to IOCs and sandboxing, aka Detonation Engines...

aizuevo (Trusted Contributor)
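The two replies above describe one pattern: the abstract malware package evaluates rules against named filter slots, every slot ships bound to the always-false "No Events" placeholder, and a vendor package supplies the concrete filter that gets linked into each slot. The following is an added illustration of that pattern in plain Python, written for this thread; it is not ArcSight code or its API. The rule names, the CEF-style event fields (deviceVendor, deviceAction) and the vendor vocabularies are assumptions drawn from the McAfee and TrendMicro terms listed above.

```python
"""Model of the 'abstract rules + pluggable vendor filters' pattern.

Constructed illustration, not ArcSight's own resources or API. Slot names
follow the four higher-level terms given in the thread; rule names and
event field names are assumed.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]
Filter = Callable[[Event], bool]


def no_events(_event: Event) -> bool:
    """The 'No Events' placeholder: a filter whose only condition is 'false'."""
    return False


# Abstract L1 filter slots. Every slot starts on the placeholder, which is why
# a freshly installed package appears to base all of its rules on "No Events".
ABSTRACT_FILTERS: Dict[str, Filter] = {
    "Quarantined": no_events,
    "Resolved": no_events,
    "Unresolved": no_events,
    "Unscanned": no_events,
}

# Abstract rules reference the slot(s) they evaluate (constructed rule names).
ABSTRACT_RULES: Dict[str, List[str]] = {
    "Resolved Malware Detected": ["Resolved"],
    "Unresolved Malware Detected": ["Unresolved"],
    "Endpoint Not Scanned": ["Unscanned"],
}


def vendor_package(vendor: str, terms: Dict[str, str]) -> Dict[str, Filter]:
    """Build a product package: one concrete filter per abstract slot that
    matches this vendor's own wording in the event's deviceAction field."""
    def make(expected: str) -> Filter:
        return lambda e: e.get("deviceVendor") == vendor and e.get("deviceAction") == expected
    return {slot: make(term) for slot, term in terms.items()}


# Vendor vocabularies, following the terms quoted in the thread (assumed mapping).
MCAFEE = vendor_package("McAfee", {
    "Quarantined": "Quarantined", "Resolved": "Resolved",
    "Unresolved": "Unresolved", "Unscanned": "Unscanned"})
TRENDMICRO = vendor_package("TrendMicro", {
    "Quarantined": "Isolated", "Resolved": "Removed",
    "Unresolved": "Marked", "Unscanned": "Untouched"})


def _either(a: Filter, b: Filter) -> Filter:
    return lambda e: a(e) or b(e)


def hook(abstract: Dict[str, Filter], vendor: Dict[str, Filter]) -> Dict[str, Filter]:
    """Link a vendor package into the abstract slots (the manual step described
    above). A slot still on the placeholder is replaced; a slot that already has
    a vendor filter is OR-ed with the new one, so several products can coexist."""
    linked = dict(abstract)
    for slot, f in vendor.items():
        if slot not in linked:
            raise KeyError(f"vendor package targets unknown slot {slot!r}")
        linked[slot] = f if linked[slot] is no_events else _either(linked[slot], f)
    return linked


def invalid_reasons(rules: Dict[str, List[str]], filters: Dict[str, Filter]) -> Dict[str, str]:
    """Analogue of 'show invalid reason': report rules whose filters are missing
    or still bound to the placeholder, since those rules can never fire."""
    reasons: Dict[str, str] = {}
    for rule, slots in rules.items():
        for slot in slots:
            if slot not in filters:
                reasons[rule] = f"filter {slot!r} not found"
            elif filters[slot] is no_events:
                reasons[rule] = f"filter {slot!r} still bound to 'No Events'"
    return reasons


def fire(rules: Dict[str, List[str]], filters: Dict[str, Filter], event: Event) -> List[str]:
    """Return the names of the rules whose linked filters all match the event."""
    return [r for r, slots in rules.items() if all(filters[s](event) for s in slots)]


if __name__ == "__main__":
    print(invalid_reasons(ABSTRACT_RULES, ABSTRACT_FILTERS))   # every rule on the placeholder
    linked = hook(hook(ABSTRACT_FILTERS, MCAFEE), TRENDMICRO)
    print(invalid_reasons(ABSTRACT_RULES, linked))             # {}
    print(fire(ABSTRACT_RULES, linked, {"deviceVendor": "TrendMicro", "deviceAction": "Removed"}))
```

Running the check before any vendor package is hooked reproduces what the first post saw: every rule is valid syntactically but bound to a filter that is always false. After linking, the same abstract rule fires on "Resolved" from McAfee and on "Removed" from TrendMicro without the rule itself changing.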

Re: L1-Malware Monitoring - Indicators and Warnings

Hi,

I got broken rules in L1 Malware;

some conditions have "unknown field" and "invalid variables".

How do I resolve this issue?

(attached screenshots: 1 1.png, 1 2.png)

oswaldo.dimas@h (Regular Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

Hi Aizuevo,

I took a look at your screenshots, and if the package successfully installed, you should not have had these broken resources.

The first image shows invalid local variables, which is odd if they are local and the parent resource is there. Those variables query L1-Malware Monitoring active lists; they might not be there.

Did you install the package through the command line using the batch file? Did you see any errors in the bat file execution?

Here is the wiki page for the package, where you can find details on it:

https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1MalwareMonitoring

Another possible reason: if you installed a product package, hooked its filters into the L1 Malware Monitoring filters, and then removed the package without first unhooking the filters, the L1 filters will be broken because of the dependency, and hence so will the rules that depend on them.

The "Resolved Malware Detected" rule is a simple rule with no variables and only 2 filters within it. So for the rule to be broken, a possible explanation would be that those filters are not there.

If you double-click the rules, a window will appear with some options (buttons); if you click "show invalid reason" it will tell you the reason why the rule is broken.

If you have any further questions, don't hesitate to write on the blog and we will gladly help you.

Regards

Os

aizuevo (Trusted Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

Hi Oswaldo,

"You installed the package through the command line using the batch file? Did you see any errors in the bat file execution?"

I installed it using the command line.

I just saw that the Customizations package failed to install on the command line:

Installing the following packages:

    /All Packages/ArcSight Activate/L1-Malware Monitoring - Indicators and Warnings - Customizations

---------------------------------------------------------------------------

---------------------------------------------------------------------------

Install complete. Elapsed Time:10 secs 780 ms

Exiting...

Could Not Find C:\arcsight\Console\current\L1-Malware_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

"If you double click the rules, a window will appear with some options ( buttons ), if you click "show invalid reason" it will tell you the reason why the rule is broken."

The invalid reason is that some local variables were not found.

(attached screenshots: l1 malware error.png, field unavailable.png)

aizuevo (Trusted Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

I will try updating Activate Base.

aizuevo (Trusted Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

I've updated Activate Base to 2.5.1.0 and the problem is resolved.

L1 Malware 1.1.0.0 minimum requirement: Activate Base 2.5.0.0

oswaldo.dimas@h (Regular Contributor)

Re: L1-Malware Monitoring - Indicators and Warnings

Awesome!!!

If you have any comments or questions, please let us know!

Regards

Os
