
Tips and tricks with filters in Sentinel 7


Does anyone have any tips or tricks filtering out events that are not
needed? or even best practices? Anyone setup up any filters at the
connector? We have several collectors/connectors.

We have a 8tb server that looks like it will be filled in 90 days. We
have some data retention rules setup to dump stuff after a certain time.
Thank you for your help.


--
danvarela
------------------------------------------------------------------------
danvarela's Profile: https://forums.netiq.com/member.php?userid=231
View this thread: https://forums.netiq.com/showthread.php?t=46124


Re: Tips and tricks with filters in Sentinel 7


Typically I've felt that filtering is pretty straight-forward, and have
had customers tell me the same, so knowing more about what you're
wanting to do (just free up space, or maybe have data able to be
retained longer, or decrease licensing requirements, or avoid the need
for network storage, or...) may help. The biggest pains, in my opinion,
with event source/connector/collector filtering are the following:

1. Filtering before the collector parses does not have access to any of
the nice collector-created fields for filtering. This should be
obvious, but (myself included) it is often overlooked. The collector
does the normalization, adds fields like 'EventName', 'Initiator' stuff,
'Observer' stuff, etc. which are all great for filtering, but before the
collector parses the data none of these fields are there and you just
have one long string of stuff to parse on your own. As a result,
filtering is a little tricky at times because now you need to put into
one filter enough logic to catch all of the events you want without
catching any of the events you do not want. Doable, but not trivial.

2. Too many places to have these filters. Sentinel needs a UI that
lets you see all existing filters in one view, or at least a
modification to the ESM icons indicating which nodes have filters
present on them (for a start).

Other things to consider based on your real needs. If you filter within
Sentinel you still get all of the Raw data for filtered events so space
will not be saved there unless you modify your raw data retention
policies. Also, licensing (events per second) is all done based on the
number of events that reach Sentinel at all, before filtering is
applied. Finally, filtering takes time too, so performance gains can be
maximized elsewhere.

The right way to filter out stuff you know you will never need in any
part of Sentinel is to do it on the event source side, and I do not mean
the event source node within ESM. To avoid licensing, raw data, and all
performance impact on Sentinel be sure that
eDirectory/IDM/Linux/databases/etc. simply never send the events to
Sentinel. This is generally a great thing to do because a lot of the
things many of these devices/applications send are nonsense for security
auditing anyway. This all leads to taking a step back and looking at
the bigger picture. Do you really need a 'File Close' event from an OES
server's filesystem auditing? I hope not... and if so, have a REALLY
good reason about what that means which was not already learned from a
File Open combined with Read/Write/Modify. Sentinel is about security,
so be sure you're only sending security things.

Good luck.

Re: Tips and tricks with filters in Sentinel 7


Thank you so much. This is exactly what I was looking for.


--
danvarela

Re: Tips and tricks with filters in Sentinel 7


Here are some events for Windows 2008 that can be cut from support.
Hope this helps.
Noisy Windows Events that should be filtered:

5156: Windows Filtering Platform has allowed a connection. All 5156
events should be filtered.

4713: This filter is designed to prevent Security Event 4713, Kerberos
Policy Changed.

4728: Global Group Member Added is filtered when the member name is “-“
and target account name is “None”. When this situation is met it refers
to machine authentication and system-to-system communication from domain
controllers.

4661: A handle to an object was requested. This event should be
filtered out when the username ends with a $, e.g. “USERNAME$”. This
will filter out all machine account events.

4624: Successful Logon. This event should be filtered out when the
username is “local service”, “network service”, or “system” and the
logon type is “5”. This will filter out all machine account events.

4768: Authentication Ticket Granted. This event should be filtered out
when the username ends with a $, e.g. “USERNAME$”. This will filter out
all machine account events.

4634: User Logoff. This event should be filtered out when the username
ends with a $, e.g. “USERNAME$”. This will filter out all machine
account events.

4634: An account was logged off. This event should be filtered out when
the username equals “System”. This will filter out events related to
machine authentication and system-to-system communication.

4662: An operation was performed on an object. This event should be
filtered out when the username ends with a $, e.g. “USERNAME$”. This
will filter out all machine account events.

4662: An operation was performed on an object. This event should also
be filtered when the user name equals “System”.

4672: Special privileges assigned to new logon. This event should be
filtered when the user name equals “System”.

4769: Service Ticket Granted. This event should be filtered out when
the username ends with a $, e.g. “USERNAME$”. This will filter out all
machine account events.


We are trying to get the wildcard to work with the $. Seems Sentinel
does not like wildcards in filters. Waiting on a reply from support.


--
danvarela
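The rule list in the post above, written out as an added example (not code from the thread, and not Sentinel's own filter language): each rule becomes a predicate over a normalized event, and the trailing-$ machine-account test is a plain suffix check rather than a wildcard. Field names (event_id, user, member, target, logon_type) and the sample events are assumed/constructed.

```python
# Added example: the noisy-event rules from the post as predicates over a
# normalized Windows Security event dict. Field names are assumptions, not
# Sentinel's. Matching on user names is case-insensitive (an assumption;
# the post spells "System"/"system" both ways).
SUFFIX_DOLLAR_IDS = {4661, 4768, 4634, 4662, 4769}   # drop when user ends with "$"
SYSTEM_USER_IDS = {4634, 4662, 4672}                  # drop when user == "System"
SERVICE_ACCOUNTS = {"local service", "network service", "system"}


def is_noise(event):
    """Return True if the event matches one of the filter rules in the post."""
    eid = event.get("event_id")
    user = (event.get("user") or "").strip()
    if eid == 5156:                                   # WFP allowed a connection
        return True
    if eid == 4713:                                   # Kerberos policy changed
        return True
    if eid == 4728:                                   # global group member added
        return event.get("member") == "-" and event.get("target") == "None"
    if eid == 4624:                                   # successful logon
        return user.lower() in SERVICE_ACCOUNTS and str(event.get("logon_type")) == "5"
    if eid in SUFFIX_DOLLAR_IDS and user.endswith("$"):   # machine account
        return True
    if eid in SYSTEM_USER_IDS and user.lower() == "system":
        return True
    return False


def filter_events(events):
    """Return only the events worth keeping."""
    return [e for e in events if not is_noise(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 5156, "user": "alice"},
    {"event_id": 4624, "user": "SYSTEM", "logon_type": 5},
    {"event_id": 4624, "user": "alice", "logon_type": 10},
    {"event_id": 4768, "user": "DC01$"},
    {"event_id": 4768, "user": "alice"},
    {"event_id": 4728, "user": "-", "member": "-", "target": "None"},
    {"event_id": 4728, "user": "admin", "member": "bob", "target": "Domain Admins"},
    {"event_id": 4672, "user": "System"},
    {"event_id": 4672, "user": "bob"},
]

if __name__ == "__main__":
    for kept in filter_events(SAMPLE_EVENTS):
        print(kept)
```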