prentice@hpe.co (Honored Contributor)

L2-Perimeter Monitoring - Situational Awareness

This is the official forum for the discussion of the L2-Perimeter Monitoring - Situational Awareness package.


This content is coming soon!


The installation/update package will be available from the ArcSight Marketplace. All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight).


The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L2PerimeterMonitoring .

jdc07301 (Trusted Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

The package currently on Marketplace (0.1.0.0) has two rules that will not validate due to a missing Active List:

/All Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region

/All Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region

Both depend on the resource

/All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries

which cannot be found.

Jeff

prentice@hpe.co (Honored Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

Are you using the latest version of Activate Base?

jdc07301 (Trusted Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

I am running 2.4.0.0 on ESM 6.9.1.

I just dug into this a little more. The Active List is present, but it is located at /All Active Lists/ArcSight/Core/Common. The rules in the package are looking for it under /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness. Looks like the rules just need updating.

prentice@hpe.co (Honored Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

You are correct, which is why I asked which version. It's weird, because I was creating Activate Base 2.4.0.0 when I was splitting up the Perimeter and Network Monitoring packages into the respective Network Monitoring and Perimeter Monitoring packages. Must be a minor bug in the package framework, where it was looking for the old location (apologies, I thought I had fixed that... I'll try again). Glad you figured it out.

tkachouba (Trusted Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

Hi,

After installing the L2-Perimeter Monitoring - Situational Awareness package, I noticed 2 broken resources: the rules "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region".

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

and

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found


On a side note, I also installed the L2-Network Monitoring - Situational Awareness package and noticed a broken resource. The rule "Web Proxy Identified Exploit Traffic" depends on an Active List that does not exist.

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found.


I used the latest packages available from the HP Marketplace and installed them in the order below.  Older versions of the packages which require migration were never installed.

ArcSight Activate Base 2.4.0.0

L1-Perimeter Monitoring - Indicators and Warnings

L2-Perimeter Monitoring - Situational Awareness

L1-Network Monitoring - Indicators and Warnings

L2-Network Monitoring - Situational Awareness

Has anyone else experienced this? What's the best way to resolve this issue with the broken resources? From the post above, I can confirm the list is available at the location /All Active Lists/ArcSight Activate/Core/Common. Is it advisable to update the rules and keep the list in its current location? Or update the rules and move the list to the proper location?

prentice@hpe.co (Honored Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

We are working on fixing this. In the meantime, the lists belong in Activate Base, so the preferred "fix" is to update the rules and leave the lists where they are.

Pushpendra_Rathi (Outstanding Contributor)
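The resolution suggested above (repoint the rules, leave the lists in Activate Base) is the kind of check that is worth scripting before installing a package, since ESM only reports the dangling reference, not where the same-named list actually lives. The following is an added example, not code from the Activate packages or from anyone in this thread. It works over plain resource URIs copied from the validation messages above; the installed inventory is constructed for the example and assumes the ITAR/OFAC list is under /All Active Lists/ArcSight Activate/Core/Common (the location reported two posts up). The "Example Allow List" entry is filler to show that unrelated installed lists are ignored.

```python
"""Dependency check for ArcSight-style resource URIs.

Added example (not code from the Activate packages or the forum thread):
given the Active List URIs a set of rules reference and the Active List
URIs actually installed, report dangling references and, when a list with
the same name exists at another location, suggest repointing the rule.
Rule and list URIs are taken from the thread's validation messages; the
installed inventory below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inventory of installed Active Lists (assumption: the ITAR/OFAC
# list ships with Activate Base under Core/Common, as reported in the thread).
INSTALLED_ACTIVE_LISTS = [
    "/All Active Lists/ArcSight Activate/Core/Common/Suspicious Region - ITAR_OFAC Countries",
    "/All Active Lists/ArcSight Activate/Core/Common/Example Allow List",  # constructed filler
]

# Rule URI -> Active List URI the rule references (from the thread's error messages).
RULES_BASE = "/All Rules/Real-time Rules/ArcSight Activate/Solutions"
OLD_LISTS = ("/All Active Lists/ArcSight Activate/Solutions"
             "/Perimeter and Network Monitoring/Situational Awareness")
RULE_DEPENDENCIES = {
    f"{RULES_BASE}/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region":
        f"{OLD_LISTS}/Suspicious Region - ITAR_OFAC Countries",
    f"{RULES_BASE}/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region":
        f"{OLD_LISTS}/Suspicious Region - ITAR_OFAC Countries",
    f"{RULES_BASE}/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic":
        f"{OLD_LISTS}/Proxy Identified Exploit Kit Queries",
}


@dataclass
class Finding:
    rule: str
    missing: str
    candidates: List[str] = field(default_factory=list)  # same-named lists elsewhere

    def advice(self) -> str:
        """Human-readable next step for this dangling reference."""
        if len(self.candidates) == 1:
            return f"repoint rule to {self.candidates[0]}"
        if self.candidates:
            return "ambiguous, same-named lists at: " + ", ".join(self.candidates)
        return "no list with that name is installed; it must be supplied by a package"


def resource_name(uri: str) -> str:
    """Last path component of a resource URI, i.e. the resource's display name."""
    return uri.rstrip("/").rsplit("/", 1)[-1]


def check_dependencies(rule_deps: Dict[str, str], installed: List[str]) -> List[Finding]:
    """Return one Finding per rule whose referenced Active List URI is not installed.

    A dependency that resolves exactly produces no finding. For a dangling one,
    candidates are installed lists whose display name matches the missing URI's.
    """
    installed_set = set(installed)
    by_name: Dict[str, List[str]] = {}
    for uri in installed:
        by_name.setdefault(resource_name(uri), []).append(uri)

    findings: List[Finding] = []
    for rule, dep in rule_deps.items():
        if dep in installed_set:
            continue  # reference resolves; nothing to report
        findings.append(Finding(rule, dep, sorted(by_name.get(resource_name(dep), []))))
    return findings


if __name__ == "__main__":
    for f in check_dependencies(RULE_DEPENDENCIES, INSTALLED_ACTIVE_LISTS):
        print(f"{resource_name(f.rule)}: missing {f.missing}")
        print(f"  -> {f.advice()}")
```

Run against the constructed inventory, the two Perimeter Monitoring rules get a single unambiguous candidate under Core/Common, while the Network Monitoring rule gets none, matching the two different situations reported in this thread: a list that moved versus a list that is absent altogether.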

Re: L2-Perimeter Monitoring - Situational Awareness

Is this problem fixed yet or not?

Pushpendra_Rathi (Outstanding Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

Hi,

Fresh installed ESM 6.11 with latest Activate base package 2.5.1.0 but faced the same issue.

After installing the L2-Perimeter Monitoring - Situational Awareness package, I noticed 2 broken resources: the rules "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region". But I found and used the respective active list from the Activate Base package, so both rules were fixed.

However, I am not able to fix this rule, as there is no such active list available. So my question is: from where should I get this active list, and why is it not part of this package or the base package?

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found

prentice@hpe.co (Honored Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

Hey,

I'm glad you got the two Perimeter Monitoring rules fixed, but the screenshot for the Web Proxy Identified Exploits rule is part of Network Monitoring...

Pushpendra_Rathi (Outstanding Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

Also wondering: if the Perimeter & Network Monitoring package is split into the following 4 different packages, then why do I still see a folder\group "Perimeter and Network Monitoring" (see the selected group in the screenshot)?

L1-Perimeter Monitoring - Indicators and Warnings

L2-Perimeter Monitoring - Situational Awareness

L1-Network Monitoring - Indicators and Warnings

L2-Network Monitoring - Situational Awareness

prentice@hpe.co (Honored Contributor)

Re: L2-Perimeter Monitoring - Situational Awareness

If you upgraded from the L<1|2>-Perimeter and Network Monitoring packages, then it is possible that some of the groups didn't get cleaned up when you (or the update scripts) uninstalled them. If you had them installed and uninstalled them, then installed the new versions, they probably weren't cleaned up.

There are several reasons why they might not have been cleaned up with their parent package uninstallation. The most common being that some of the resources in the group were modified or were somehow linked to resources outside of the package. Worst-case, there was something not quite properly cleaned up in the DB. You should be able to delete the offending groups. They're not in the new packages.
