Indicators of Compromise of Report

Hey All,

I have a large list of known bad IPs and bad domain names. Is there a way to import this list into ESM and alert if any traffic is going to these IPs, or if anything is trying to do a DNS lookup on the known bad domain names?

Thanks,

Eric

Re: Indicators of Compromise of Report

Addresses should be easy - create an active list, right-click and choose import CSV file. Then create a rule to check for FW traffic to an address in the active list.

Domains might be a bit more tricky though if you really have domains, as in arcsight.com, and not FQDNs like protect724.arcsight.com. The reason is that there is no such thing as a mongrel between InActiveList and Contains. Could be done with some local variable magic if it's really needed...

Joachim

Re: Indicators of Compromise of Report

Thanks,

I was able to import the list of IPs into an active list. Now I'm having trouble with writing the rule to check FW traffic against addresses in the active list.

Sorry I'm still new at ESM.

Thanks,

Eric

Re: Indicators of Compromise of Report

Create a rule, give it a name and choose the Conditions tab. Right-click in the Conditions tab and choose a new InActiveList condition. Choose the list you created and check the field in the list with the "bad IPs" against your destinationAddress field.

Read ESM 101 and the console user manual.

Joachim

Re: Indicators of Compromise of Report

I created a rule with the InActiveList pointing to my active list of known bad IPs and chose the destinationAddress field. I also put a good IP address in the list to ensure that it was working, and the rule doesn't seem to work. There are about 900 IPs in the list; would that cause a problem?

Eric

Re: Indicators of Compromise of Report

Is the rule under Realtime Rules? Otherwise you can only run a simulation with past events...

Joachim

Re: Indicators of Compromise of Report

I figured out my issue. The active list that I created to import all known IPs also included the Zone field, which I think was messing things up. So I created a new active list with targetAddress as the only field and imported all the known bad IPs into it. Using this new active list I was able to get the rule to work.

Thanks,

Eric

Re: Indicators of Compromise of Report

What's the local variable magic? I've been trying to figure this out for years. Literally.

When addressing an ActiveList value through a variable, you still need to do a lookup, and that lookup is "=" not "Contains." I can't do an "IndexOf" against a List, either, only a variable or string...

Re: Indicators of Compromise of Report

I'd take the FQDN from attackerHostname or targetHostname and chop off up to the first dot to get the subdomain into a local variable - rinse and repeat once or twice to get the domain.

Then do something like variable1 in activelist OR variable2 in activelist OR variable3 in activelist.

Not nice, but the only way to do it...

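The two checks discussed in this thread, written out as a small Python model so the logic can be run outside the console. This is an added example, not code from the thread or from ArcSight: the IP side mirrors the exact InActiveList lookup on destinationAddress, and the domain side mirrors Joachim's trick of stripping one label at a time from the hostname and testing each result against the list. The field names, the indicator lists and the sample events are all constructed for the example.

```python
"""Model of IoC matching against active lists of bad IPs and bad domains.

Added example, not part of the original thread or of ArcSight ESM.
Indicator values, field names and events below are constructed.
"""

import ipaddress
from typing import Dict, Iterator, List, Optional

# Constructed indicator lists standing in for the two active lists.
BAD_IPS = {"203.0.113.10", "198.51.100.77"}
BAD_DOMAINS = {"bad-example.test", "evil.example.net"}


def domain_candidates(fqdn: str) -> Iterator[str]:
    """Yield the FQDN, then each parent domain obtained by chopping off the
    leftmost label, which is what the local-variable approach computes:
    'a.b.example.test' -> 'a.b.example.test', 'b.example.test', 'example.test'.
    The bare TLD is not yielded; it would never be a useful indicator."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_domain(fqdn: str, bad_domains=BAD_DOMAINS) -> Optional[str]:
    """Return the first indicator matching the hostname or a parent domain,
    else None. Equivalent to 'var1 in list OR var2 in list OR var3 in list'.
    Walking suffixes (not substrings) avoids the false positive a plain
    Contains would give on e.g. 'bad-example.test.example.org'."""
    for cand in domain_candidates(fqdn):
        if cand in bad_domains:
            return cand
    return None


def match_ip(addr: str, bad_ips=BAD_IPS) -> Optional[str]:
    """Exact-match lookup, like the InActiveList condition on destinationAddress.
    Non-IP strings (a common import mistake) never match."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return None
    return addr if addr in bad_ips else None


# Constructed events: firewall connections and DNS requests, already normalised.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "fw", "destinationAddress": "203.0.113.10"},
    {"type": "fw", "destinationAddress": "192.0.2.5"},
    {"type": "dns", "requestHostname": "cdn.bad-example.test"},
    {"type": "dns", "requestHostname": "bad-example.test.example.org"},
    {"type": "dns", "requestHostname": "evil.example.net"},
]


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both checks over the events and return one alert per hit."""
    alerts = []
    for ev in events:
        if ev["type"] == "fw":
            hit = match_ip(ev["destinationAddress"])
            value = ev["destinationAddress"]
        else:
            hit = match_domain(ev["requestHostname"])
            value = ev["requestHostname"]
        if hit is not None:
            alerts.append({"type": ev["type"], "value": value, "indicator": hit})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running it prints three alerts: the firewall connection to 203.0.113.10, the DNS request for cdn.bad-example.test (matched via its parent bad-example.test) and the request for evil.example.net; the lookalike bad-example.test.example.org does not fire, which is the behaviour you want from the suffix walk rather than a substring match.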
Re: Indicators of Compromise of Report

Gotcha. I was going through something different, auditing CLI commands and having to separate out their arguments. Since it was a FlexConnector I just used __regexToken to put what I was looking for into another field, but using "Contains" against an active list entry would be nice, too.

Re: Indicators of Compromise of Report

If you want to scrape stuff from a string via regex inside ESM, have a look at:

https://protect724.arcsight.com/message/20958#20958
