3.1 Beta Testing - New Features
Hi! I am taking part in the ArcSight 3.1 beta testing. I would like to know if anyone else tried it and I would welcome any input on the new features available.

Has anybody tried using the new session reconciliation data monitor? We thought it could be useful for VPN logs correlation with IDS events. However, it doesn't appear to be customizable enough for our needs. We receive both login and logout messages, but it doesn't seem to be possible to have the data monitor start and end the session with those 2 unique events. All I managed to do was to start the session with the login message and end it after a fixed amount of time. The logout message becomes worthless.

LDAP authentication is also not yet possible; we have found a minor bug that prevents us from using empty Active Directory allowed user group names. I think this is already fixed on their side, so hopefully the fix will be available when the official release is out.

The slideshow mode is interesting, although a few improvements are necessary. For example, it should be possible to remove the menu bar from the slideshow, which would prevent a plasma display from burning after a few days.

The last thing I wanted to mention concerns the zones mapping. We used to have a defaultzones.csv on each agent. The 3.1 beta allows for management of zones through the console, in a resource section called Asset Networks. We haven't tried it yet, but were told that a script should be provided to allow migration from the csv to the new resource.

Does anybody else have stories on this? Are there any new things you were able to do that were not possible with 3.0sp2? Do you plan on using any of the new features?
RE: 3.1 Beta Testing - New Features
For the session reconciliation DM, you should be able to specify a filter for the ending event and add your logout event there. What's not working on that part?

Other cool things in 3.1?
- multiple editors open at a time and copying conditions between them
- search of resources
- strip charts? basically multiple moving averages combined into one chart
- de-escalation of last state DM, matrix view for DM

I guess these are some of my favorites. But I am biased ;)
RE: 3.1 Beta Testing - New Features
not to mention:
* networks, this makes custom zone configuration so easy, no more defaultzones.csv
* arcsight variables - now I can see the business role (or any asset category) of attacked systems in my active channel, in a report, or even a datamonitor
* de-escalation of nodes on the last state datamonitors
* and of course all the new content...

colby
I agree that the multiple editors opened at the same time for resources of the same type can be very useful. Also, I didn't mention it in my previous post, but the sharing of network tools between users or between consoles can save a lot of time.

Concerning the Session Reconciliation data monitor, there might be something I did wrong. I don't see where the session end filter can be specified. There are only 2 filters in the configuration options, one for "Restrict by Filter" and one for "Point Event Filter". The goal being the correlation of a VPN username/IP with IDS events in a dynamic IP environment, I would assume that one is used for specifying an IDS event, and the other one is used for specifying the "session". But then again, I'm probably wrong. Do you have any docs on this? Right now, I am mostly using the good old trial-and-error method.

I think it is possible that what I want to do requires a combination of a session reconciliation data monitor to create "sessions" and then a rule to correlate "sessions" with IDS events.

Rule Example:
Join on Session IP = IDS Event IP AND Session Start Time < IDS Event Start Time AND Session End Time > IDS Event End Time
IDS Event is ---various filter conditions---
Session is ---filter for the Session Reconciliation data monitor events---

That would mean I would use the 2 filters in the data monitor configuration, one for the start session event (user login or IP assigned) and one for the stop session event (user logout). Does it make sense, and if so, which filter is which?

OR... Maybe I need to first have a rule that correlates the start event with the stop event and use the meta-event created in my session filter. This assumes that the session reconciliation data monitor would automatically take care of the starttime-endtime (using the meta-event starttime-endtime). I think this is more likely, but if so, then it means we still need a rule that will have thousands of partial matches (because there are thousands of opened sessions).

Anyway, I might be on the wrong track. I would appreciate any input!
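An added illustration of the session-to-IDS join sketched in this thread; this is not ArcSight code or anything from the poster. Sessions open on the VPN login event and close on the matching logout (the fixed idle timeout is only the fallback, and a new login on a reused IP closes the previous session), then IDS alerts are joined on IP plus time window. All event data below is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): VPN login/logout per user and IP,
# and IDS alerts keyed by the address the VPN concentrator handed out.
VPN_LOG = [
    ("2004-05-01T08:00:00", "login",  "alice", "10.8.0.5"),
    ("2004-05-01T08:30:00", "logout", "alice", "10.8.0.5"),
    ("2004-05-01T09:00:00", "login",  "bob",   "10.8.0.5"),  # same IP reused
    ("2004-05-01T10:00:00", "login",  "carol", "10.8.0.9"),  # never logs out
]
IDS_LOG = [
    ("2004-05-01T08:10:00", "10.8.0.5", "portscan"),    # inside alice's session
    ("2004-05-01T09:20:00", "10.8.0.5", "exploit"),     # inside bob's session
    ("2004-05-01T08:45:00", "10.8.0.5", "worm"),        # gap: no user on that IP
    ("2004-05-01T13:00:00", "10.8.0.9", "bruteforce"),  # after carol's idle timeout
]

def ts(s):
    return datetime.fromisoformat(s)

def reconcile_sessions(vpn_log, idle_timeout=timedelta(hours=2)):
    """Return (ip, user, start, end) tuples. A logout closes the session; a new
    login on an IP that still has an open session closes the old one first
    (dynamic IP reuse); a session that never sees a logout is capped at
    idle_timeout, the fixed-duration fallback described in the thread."""
    open_by_ip, sessions = {}, []
    for when, kind, user, ip in sorted(vpn_log):  # ISO timestamps sort correctly
        t = ts(when)
        if ip in open_by_ip:
            prev_user, start = open_by_ip.pop(ip)
            if kind == "logout" and prev_user == user:
                end = t                                   # clean logout
            else:
                end = min(t, start + idle_timeout)        # reuse or missing logout
            sessions.append((ip, prev_user, start, end))
        if kind == "login":
            open_by_ip[ip] = (user, t)
    for ip, (user, start) in open_by_ip.items():           # still open at end of log
        sessions.append((ip, user, start, start + idle_timeout))
    return sessions

def correlate(sessions, ids_log):
    """Join each IDS alert to the session with the same IP whose window covers
    the alert time; user is None when no session explains the traffic."""
    hits = []
    for when, ip, sig in ids_log:
        t = ts(when)
        user = next((u for sip, u, s, e in sessions if sip == ip and s <= t <= e), None)
        hits.append((when, ip, sig, user))
    return hits
```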