rck Absent Member.

Autodetect Machines that don't Match Naming Conventions

I tried to search these forums for this before I posted a question, but I could not find an answer. Our enterprise uses a standard naming convention that looks like this: sitename_number. So when people plug in their personal machines with names like JohnDoes's-PC, it's very easy to recognize a rogue machine. I heard an ArcSight engineer mention how there was a way to set up a rule (or some kind of other alert) to detect machines that do not follow the sitename_number scheme.

Anybody have any ideas on how to do this?

MarkR1 Absent Member.

Re: Autodetect Machines that don't Match Naming Conventions

My initial thought is it comes down to if you see those hostnames or not in ArcSight itself and how IPs are provisioned in your environment. An event would then need to be created by something you are pulling into AS (e.g., Active Directory, DHCP logs, etc.). Then it becomes a matter of doing something like sourceHostName matches <regex>, or sourceHostName not like %_%, or doing something crazy like putting all of your site codes into an Active List and then creating a series of variables to pull out everything between 0 and the "_" and match it to items in the active list (that is a bit more complex, obviously, though you might be able to leverage that active list for other things down the road).

Edit: Then you could shoot off an email alert or some other action as part of the rule condition. It depends on how real time you want the notification or just a report you look at each morning type of thing.

Anyone else?

Till
New Member.

Re: Autodetect Machines that don't Match Naming Conventions

Depending on how complex the naming policy is, a simple "matches" rule with a regex for the naming convention and a condition to match hostnames from the DHCP server could do most of it. You wouldn't need to store things in ALs.

-Till

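The two approaches discussed in this thread (a regex on the hostname, optionally backed by a list of valid site codes) can be prototyped outside ArcSight before building the rule. The following is an added example, not part of the original posts and not ArcSight content: the regex, the site codes, the CSV layout and the sample lease lines are all constructed assumptions.

```python
import csv
import io
import re

# Assumed convention: <site code>_<number>, e.g. NYC_0042. Adjust to the real policy.
NAME_RE = re.compile(r"(?P<site>[A-Za-z]{2,8})_(?P<num>\d+)")

# Stand-in for an Active List of valid site codes (constructed values).
SITE_CODES = {"NYC", "LON", "SFO"}

# Constructed sample DHCP lease events: time, ip, hostname, mac
SAMPLE_LOG = """\
09:14:02,10.1.2.30,NYC_0042.corp.example,00-11-22-33-44-55
09:15:40,10.1.2.31,JohnDoes-PC,00-11-22-33-44-66
09:16:05,10.1.2.32,lon_0007,00-11-22-33-44-77
09:17:19,10.1.2.33,XYZ_0001,00-11-22-33-44-88
09:18:51,10.1.2.34,,00-11-22-33-44-99
09:19:10,10.1.2.35,NYC_0042_old,00-11-22-33-44-AA
"""

def classify(hostname):
    """Return None if the name conforms, else a short reason string."""
    short = hostname.strip().split(".", 1)[0]  # drop any DNS suffix
    if not short:
        return "no_hostname"          # client sent no name at all
    m = NAME_RE.fullmatch(short)      # whole name must match, not a prefix
    if m is None:
        return "bad_format"
    if m.group("site").upper() not in SITE_CODES:
        return "unknown_site"         # right shape, site code not on the list
    return None

def find_rogues(log_text):
    """Return a list of (ip, mac, hostname, reason) for non-conforming leases."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 4:
            continue                  # skip malformed or blank lines
        _time, ip, host, mac = row[:4]
        reason = classify(host)
        if reason:
            findings.append((ip, mac, host, reason))
    return findings

if __name__ == "__main__":
    for ip, mac, host, reason in find_rogues(SAMPLE_LOG):
        print(f"{reason:13} {host or '-':15} {ip} {mac}")
```

Running the regex and the site-code check as separate reasons shows which leases a format-only rule would miss, such as a correctly shaped name with a site code that does not exist.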