manojs (Super Contributor)

Rule to identify any new devices

Hi,

We provide services to multiple customers. I need to create a rule to identify if any new device is integrated to send logs to ESM. I have an active list which contains a list of all the devices that are authorized for monitoring. Now I wish to create a rule so that if a customer adds/integrates any new device on their network and configures it to send logs to ESM (say Syslog), my monitoring team gets an alert, so we can filter out logs from that device and add that device to another active list for reporting purposes.

Below is the rule I have created (ref. screenshots) to match the device with the devices in the active list (approved devices) and to add devices that are not in the approved devices list to another active list (unknown devices).

The rule works fine, but the problem is that it adds a few devices (not all) to the new active list (unknown devices) that are already in the approved devices active list. TTL for the active list is 100 and the ESM version is 5.0.2.

Any suggestions please?

[Screenshots: Rule_Condition.PNG, Filter.PNG, Action.PNG, Aggregation.PNG]

Manoj S.
balahasan.v1 (Acclaimed Contributor)

Re: Rule to identify any new devices

Hi Manoj,

Which field are you using to compare the entries, and what is the key field you are using in the AL? Also keep in mind that the device details are captured in Device Address or Device Hostname too.

manojs (Super Contributor)

Re: Rule to identify any new devices

Hi Bala,

Thanks for your response. I am comparing Device Address, Device Product, Device Version and Device Vendor in the active list. The key field I am using is Device Address.

Hope this helps

Regards

Manoj S.
nils.guenther@t (Honored Contributor)

Re: Rule to identify any new devices

>> We provide services to multiple customers

Could it be that the devices only look like duplicates? As you provide services to multiple customers, you surely have multiple zones and probably even multiple networks that include overlapping address ranges. So, as already suggested by Bala, you should at least include the hostname in your checks.

In the long term you should consider using the asset model for this use case. Especially in a multiple-customer/multiple-network scenario this should work a lot better than active lists with plain IP addresses.

manojs (Super Contributor)

Re: Rule to identify any new devices

Hi Nils,

I am just testing it in our test environment (POC) for a single customer. Even using the hostname in the active list is not giving the desired results. The rule is adding a device to the active list which is already there in the matching active list.

Manoj S.
balahasan.v1 (Acclaimed Contributor) [Accepted solution]

Re: Rule to identify any new devices

Hi Manoj,

Type=Base is not accurate. Instead use Type!=Correlation, because your connector with Aggregation enabled generates the aggregated events as well.

I tried the below condition and it works fine for me.

[Screenshot: dell.JPG]

Your condition problem is this: don't compare all fields in the condition. Most of the Device Version string fields are either empty or numerical. So compare only Device Address.

[Screenshot: dellll.JPG]

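The following is an added example, not code from the thread or from ArcSight: a small simulation of the rule discussed here (Type != Correlation, Device Vendor != ArcSight, NOT InActiveList against the approved-devices list) that shows why comparing every field against the approved list produces false "unknown device" entries while comparing only the key field (Device Address) does not, and why keying the target list on Device Address avoids duplicate entries. Field names mirror the ArcSight fields named in the thread; all events and list entries are constructed sample data.

```python
# Approved-devices active list, keyed on Device Address (constructed sample data).
APPROVED_DEVICES = [
    {"deviceAddress": "10.1.1.10", "deviceVendor": "Cisco", "deviceProduct": "ASA", "deviceVersion": "9.8"},
    {"deviceAddress": "10.1.1.20", "deviceVendor": "Microsoft", "deviceProduct": "IIS", "deviceVersion": "8.5"},
]

# Constructed events. The IIS event carries an empty Device Version (the case Bala
# describes), the ArcSight-vendor event is the manager's own, and the PAN-OS events
# are an aggregated and a base event from a device that is not on the approved list.
EVENTS = [
    {"type": "Base", "deviceVendor": "Cisco", "deviceProduct": "ASA", "deviceVersion": "9.8", "deviceAddress": "10.1.1.10"},
    {"type": "Base", "deviceVendor": "Microsoft", "deviceProduct": "IIS", "deviceVersion": "", "deviceAddress": "10.1.1.20"},
    {"type": "Base", "deviceVendor": "ArcSight", "deviceProduct": "ArcSight", "deviceVersion": "5.0.2", "deviceAddress": "10.1.1.5"},
    {"type": "Aggregated", "deviceVendor": "Palo Alto Networks", "deviceProduct": "PAN-OS", "deviceVersion": "9.1", "deviceAddress": "10.1.1.30"},
    {"type": "Base", "deviceVendor": "Palo Alto Networks", "deviceProduct": "PAN-OS", "deviceVersion": "9.1", "deviceAddress": "10.1.1.30"},
]

ALL_FIELDS = ("deviceAddress", "deviceVendor", "deviceProduct", "deviceVersion")


def passes_base_filter(event):
    """Rule conditions from the thread: Type != Correlation (so aggregated events
    still count), Device Vendor != ArcSight, Device Address IS NOT NULL."""
    return (event["type"] != "Correlation"
            and event["deviceVendor"] != "ArcSight"
            and bool(event.get("deviceAddress")))


def in_active_list(event, entries, fields):
    """InActiveList(): an event matches an entry when every compared field is equal."""
    return any(all(entry[f] == event[f] for f in fields) for entry in entries)


def find_unknown_devices(events, approved, compare_fields):
    """Evaluate the rule over a batch of events and return the resulting
    "unknown devices" active list. Keying the result on Device Address means
    repeated events from one device produce a single entry, not duplicates."""
    unknown = {}
    for ev in events:
        if passes_base_filter(ev) and not in_active_list(ev, approved, compare_fields):
            unknown.setdefault(ev["deviceAddress"], {f: ev[f] for f in ALL_FIELDS})
    return unknown


if __name__ == "__main__":
    # Comparing all four fields wrongly flags the approved IIS host (empty version).
    print(sorted(find_unknown_devices(EVENTS, APPROVED_DEVICES, ALL_FIELDS)))
    # Comparing only the key field reports just the genuinely new device.
    print(sorted(find_unknown_devices(EVENTS, APPROVED_DEVICES, ("deviceAddress",))))
```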
manojs (Super Contributor)

Re: Rule to identify any new devices

Thanks a ton Bala, it worked now!!!

Manoj S.
pganguly1 (Absent Member)

Re: Rule to identify any new devices

Hi Bala,

In this rule I notice that for my IIS connector I am not getting the device address and device hostname, and also I get many device IP addresses which are showing my manager hostname as their device hostname; the device addresses are different but they have a common hostname, i.e. my manager hostname. Please suggest.

balahasan.v1 (Acclaimed Contributor)

Re: Rule to identify any new devices

Hi Pradeep,

Have you included Vendor != ArcSight and Type != Correlation?

Sometimes the unparsed events won't have the device vendor and product. You need a map file to do that.

Or there are some cases, if you are using an active list and a rule to fill the above information where Device Address and Hostname is the key: by default ArcSight will fill its own IP and hostname into empty columns as well.

You only need to worry if the base event logs are missing that information.

nick (Trusted Contributor)

Re: Rule to identify any new devices

Hi,

I have a similar scenario as described in the original post, but instead of devices I have to check for new networks (like DMZ, Core etc.). I have created a master list of all the networks. I need help with the filter condition.

Thanks in Advance.

NSN
sumsama1 (Respected Contributor)

Re: Rule to identify any new devices

Hi Manoj, can I have a screenshot of the complete set of rules you are using for this?

manojs (Super Contributor)

Re: Rule to identify any new devices

Sorry, I have switched company and I don't have this available with me now. But if you go through the screenshots and the description in the post, with the suggestions put in by Bala, you may be able to create the rule without any issues. Try it, and if you come across any issues, let me know.

Manoj S.
sumsama1 (Respected Contributor)

Re: Rule to identify any new devices

I have created the below rule for New Device Added:

    AND
        Device Product != Arcsight
        Type != Correlation
        Device Vendor != Arcsight
        Event ID IS NOT NULL
        Device Address IS NOT NULL
        NOT InActiveList (All Active List/Arcsight Administration/Devices/Approved Device List)

and under Action I am adding those to another AL called "New Device Added". But it's giving a high partial match and it is adding duplicate values to the New Device Added AL. Any suggestion?

manojs (Super Contributor)

Re: Rule to identify any new devices

What fields are you matching in the AL within this condition?

Let me know all the fields you have in the AL.

Manoj S.
sumsama1 (Respected Contributor)

Re: Rule to identify any new devices

This is what I am using.

[Screenshot: RULE.PNG]

[Screenshot: Approved Device List.PNG]

Action:

[Screenshot: Actions.PNG]
