Make Aggregation more than 999 in Rules.
This is my first blog regarding Arcsight Content Development ,
As per the trend analysis of denied events from external on my customer environment.I need to create a rule with threshold as 4600 hits within 10 minutes.But using Arcsight Express 4.0 , I can give the Threshold maximum as 999.To resolve this scenario , I have created 4 Rules and 1 Active List.Please find below in detail.
- R1 - Lightweight Rule - To Feed the Active List.
- R2- Standard Rule - To Trigger the Alert and To Convert String to IP Address Type.
- R3 - Standard Rule - To Convert String to IP Address Type.
- R4 - Lightweight Rule - To Remove the Entry from Active List.
- A1 - Active List - To make an list of Active Attacking IP's.
Step 1: Create One Active List. (A1)Create one field based active list with TTL 10 minutes and below fields .
- Source Address (Key Field ,Type - Address ,Sub-Type - IP Address)
- Source Host name (Key Field ,Type - String)
- Destination Address (Key Field ,Type - Address ,Sub-Type - IP Address)
- Destination Host Name (Key Field ,Type - String)
- Device Address (Key Field ,Type - Address ,Sub-Type - IP Address)
- Device Host Name (Key Field ,Type - String)
- Aggregation Count (Type - Integer ,Sub-Type - SUM) - To make the sum of each event Aggregation Count.
Step 2 : Create Light Weight Rule (R1)Create one light weight rule , which will satisfy the condition of deny events from external.and In Actions On Every Event ADD the entries to the Active List (A1). So now for example Event1 reached to manager and matches to R1 and the data is entered to the A1 and count as 1 with creation time and modification time as same.
Step 3 : Create One Standard Rule (R2) - Real Rule to MonitorWhenever R1 triggers, one manager internal event will trigger with Device Event Class ID : activelist:103 . This particular event is representing for "An entry was changed in an active list".In deviceCustomString4 of this particular event contains all the data which is updated to Active List , For example
- Source Address : 10.10.10.10
- Source Host name : AAA
- Destination Address : 22.214.171.124
- Destination Host Name : BBB
- Device Address : 126.96.36.199
- Device Host Name : <Blank>
- Aggregation Count : 10
In deviceCustomString4 it will be update as 10.10.10.10|AAA|188.8.131.52|BBB|184.108.40.206|null|10.In Event Annotation Modification Time contains the Last Modification time of Active list Entry.In Device Custom Date1 contains the Creation time of Active List Entry.In this rule we need to create 7 Global Variables and 8 Local Variables.
7 Evaluate Velocity Template Global Variables -- Using regex and replaceAll operator segregate all data's from deviceCustomString4
1 Time Difference In Minutes Local Variable
1 Convert String To Integer Local Variable
6 Custom Conditional Evaluation Local Variables
- 7 Evaluate Velocity Template Global Variables
This Function will return a string Type
- Source Address - $deviceCustomString4.replaceAll('([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)','$1'). This particular function will segregate all 7 datas from deviceCustomString4 and assign first token value to "Source Address" Global variable.Now Source Address contains 10.10.10.10 data and its having String Type. (Same way I created below 6 more Global Variables)
- Source_Host_Name contains AAA
- Destination_Address contains 220.127.116.11
- Destination_Host_Name contains BBB
- Device_Address contains 18.104.22.168
- Device_Host_Name contains null
- Aggregation_Count contains 10
- 1 Convert String To Integer Local Variable
"Aggregation_Integer" -- Since my "Aggregation_Count" variable is in String Type .Using "ConvertStringToInteger" Function,@ changing the Type to Integer (To compare the data with Integer values)
- 1 Time Difference In Minutes Local Variable
"Time_Difference" -- using "TimeDifferenceInMinutes" Function calculate the Time difference between Creation Time and Modification Time in minutes and saved to "Time_Difference" variable.
- 6 Custom Conditional Evaluation Local Variables
- "Source_Address_new" -- Using "CustomConditionalEvaluation" ,If the "Source Address" variable contains "null" value as a string , then return the value as <blank> otherwise return the value as "Source Address" itself.(In the same way create below 5 more local variables)
- In Actions Tab : One Every Event : Set the all the 8 local variables to fields of the rule event.
- In Aggregation Tab : Call all 8 local variables in identical Tab.
- Condition should be like , Events from Manager internal agent , as Device Event class ID : activelist:103 , from the particular Active List and Time_Difference <= 10.0 and Aggregation_Integer > 4600
Step 4 : Create One Standard Rule (R3) - Rule need to White-list from Monitoring
Create exact same as R2 but in Conditions ,need to modify as "Time_Difference > 10.0" and no need to mention Aggregation_Integer. (Exclude Aggregation related local variables as well).
Step 5 : Create One LightWeight Rule (R4)
When ever R2 or R3 trigger's , one manager internal event will trigger with device event class ID as rule:101.So the condition should be like , When ever these rules triggers using this manger internal event , need to remove from the Entry from Active List(A1).