
Active Lists and Session Lists*

HP ArcSight Proof of Concept Boot Camp Training


TECHNICAL DAY-3
Philippe Jouvellier - HP ESP | Global Partner Enablement
philippe.jouvellier@hpe.com

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Objectives

Upon successful completion of this Lab, you will be able to:

• Describe Active Lists and Session Lists
• Explain the difference between Active and Session Lists
• Create and configure Lists
• Populate Lists
• View entries in Lists
• Chain Rules with Active Lists
Active Lists
Active lists are data stores that can hold information derived from events or other sources.
The main uses of active lists are to maintain information and to check for the existence of particular information in a list, using the InActiveList condition in rules.
For example, active lists are very useful for tracking suspicious or hostile IP addresses, as well as targets of attacks that may have been compromised.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted. For HP and Partner Internal Use
Active Lists
• Data source for resources (Rules, Reports, Query Viewers, …)
• ‘Memory tables’ with fields that can be dynamically added, removed or updated by rules
• Can also be populated manually or by importing CSV files
• Information in a list has a lifetime (lists are configured with a TTL: Time to Live)

! Starting with ESM 6.5c
• Up to 5 million entries per Active List / Session List on a high-end machine (e.g. a DL580)
• 1 million entries is the default maximum setting (see server.defaults.properties)

Example: the “Worm Infected Systems” Active List tracks Zones and IP Addresses of systems exhibiting worm-like behavior, along with the port that the worm is attempting to target
Active Lists
• Various ways to use Active Lists
–Chain multiple Rules together
–Rule throttling
–Malicious IP and Domain Watch Lists
–Role-based Use Cases
–Enrich events with additional information
–User Profiling
–Reports

• Active List types
–Event-based
–Fields-based
Creating Active Lists
• Select “Lists” from the Navigator Panel

Creating Active Lists
• Select the “Active Lists” tab in the Navigator Panel
Anatomy of Active Lists
Item: Description
NAME: Specifies the name of the Active List
OPTIMIZE DATA: Reduces the memory consumed by the Active List by using hashes
CAPACITY: Number of entries in the Active List
TTL: Dictates how long an entry remains in the Active List
ALLOW MULTI-MAPPING: Allow multiple instances of key pairings
DATA: Events or Fields included in the Active List
KEY FIELD: Allows rules to look up value fields

ArcSight creates audit events for all aspects of Active List statistics
Creating Active Lists
• When configured, click APPLY

! CAUTION
Once saved, Active List parameters cannot be modified
Populating Active Lists
Importing CSV Files
• Select « Active Lists » in the Navigator
• Right click the desired Active List
• Select Import CSV Files
• Choose the file and click OK
Manually
• Select « Active Lists » in the Navigator
• Right click the desired Active List
• Select « Edit Active List »
• Click « Add Entry » in the Inspect/Edit panel
• Add entry and click
Session Lists
Session Lists are similar to Active Lists, with the following major differences:
• Session Lists always have Start Time, End Time and Creation Time fields
• Entries in Session Lists are « terminated » instead of removed
• Session Lists partition data into weekly partitions because the lists can grow very large over a period of time
• Session Lists do not have to fit entirely in memory
• Session Lists are optimized for efficient time-based queries
Creating Session Lists
• Select “Lists” from the Navigator Panel

Creating Session Lists
• Select the “Session Lists” tab in the Navigator Panel
• Right click ‘admin’s Session Lists’
• Select ‘New Session List’ from the menu
Anatomy of Session Lists
Item: Description
NAME: Identifies the session list in ArcSight pick lists. Spaces and special characters are allowed.
OVERLAPPING ENTRIES: Check this box to alert the system to allow multiple instances of key pairings, which keeps the previous session with the same key field open.
IN MEMORY CAPACITY (X1000): This setting indicates the maximum number of session entries the system keeps in memory. As a best practice, be sure to set In Memory Capacity higher than the number of live sessions you anticipate.
ENTRY EXPIRATION TIME: Time after which entries are marked as terminated (if no explicit termination event is received prior to this). An entry with no expiry date/time can only be terminated explicitly (through user action on the ArcSight Console, rule actions, or archives).

ArcSight creates audit events for all aspects of Session List statistics
Use Case Examples

Populating Active Lists with Rules
• Example #1: Firewall blocked IP address added to a list and maintained for 2 hours
• How do we do it?
• A rule detects Firewall events with a blocked IP address (inbound connections)
• An action in the rule adds the blocked IP address to a previously created Active List
• The IP address is held in that list for 2 hours (if not updated, the entry in the list will be deleted)
• What content do we need?
–A Field based Active List holding the blocked IP address for 2 hours
–A rule with the following:
–Conditions filtering access failures from the Firewall point of view
–Aggregation is necessary to get the rule fired (even though we just need 1 occurrence of such an event)
–Action adds Attacker Address, Device Address, Device Product and Device Vendor as 1 entry in the list
Creating Active List
• Select “Lists” from the Navigator Panel

Creating Active Lists
• Right click on “admin’s Active Lists”
• Select “New Active List”
Creating Active Lists
• Provide a name for the List (e.g. External Firewall Blocked IP address)
• Select a Time To Live (TTL) period
–Means the time during which data will be held in the list
–0 means the data will not expire
–Here we hold each entry for 2 hours
Creating Active Lists
We will create a Field based Active List
• Select the “Fields Based” radio button

Creating Active Lists
• Check the “Key Fields”
Creating Active Lists
• Define the fields* that each entry in the List will be comprised of
• Here we define/create 4 fields/columns*:
–Source IP address
–Firewall IP address
–FW Product Name
–FW Vendor
• Define the field type
• Check the “Key Fields” for “Source IP” and “Firewall IP”
• Click “Apply” to save the changes
The Active List is now created and ready for use
*Think of the fields defined in an Active List as columns in a table
Populating Active Lists with Rules
• Select “Rules” from the Navigator Panel

Populating Active Lists with Rules
• Right click on “<admin>’s Rules”
• Select “New Rule”
• Standard Rule
Populating Active Lists with Rules
• Provide a Name
• Select the Conditions tab
Populating Active Lists with Rules
• Left click on the “Filters” button
• Select the “Firewall filter” we created previously
Using filters is best practice:
–It creates consistency
–If you have previously tested the filter, you know it will work
–You can enter the conditions directly if preferred
Populating Active Lists with Rules
We need to add something to filter blocked accesses
• Right click “Event1”
• Select “Category” then “CategoryBehavior”
• Select “StartsWith” as the logical operator
• Select “/Access” as the filter term
• Click OK
• Add a second line with categoryOutcome = « /Failure »
• Click Apply
The filter is now ready
• Click the « Aggregation » tab
Populating Active Lists with Rules
• Select “Add” for the “Aggregate only if these fields are identical” section (in the lower half of the Inspect/Edit panel)
• We aggregate on the following event fields:
–Attacker Address: blocked IP address
–Device Address: firewall IP address blocking the external IP
–Device Product: firewall model from the vendor
–Device Vendor: firewall brand name
In this example we are looking for one event, but aggregation is still needed
• Apply the changes you have made
• Select either Yes or No when prompted for any extra fields
Populating Active Lists with Rules
• Select the “Actions” tab
• By default the rule will always be set to “On First Event”
• Meaning (with an aggregation of 1) this rule will always fire when an event is seen
The online help explains the other options in detail...
Populating Active Lists with Rules
• Right click on “On First Event”
• Select “Add”
• Select “Active List”
• Select “Add To Active List”

Populating Active Lists with Rules
• Right click on “On First Event”
• Select to add to an Active List
• Select the created Active List “External Firewall Blocked Addresses”
Populating Active Lists with Rules
We map Event Fields to the Active List Fields
• In the pop-up box we map the fields we aggregated on to the fields defined in the Active List
• Click OK

Populating Active Lists with Rules
• Click “OK” to save the rule
Populating Active Lists with Rules
• The rule is now complete
• It must be activated
• Select the new rule
• Left click and hold
• Drag it to the “Real-Time Rules” folder
Populating Active Lists with Rules
• You can choose to Copy, Link or Move the Rule
• Select “Link”
• This is a best practice
• The rule is created under a project folder but active on the system
• A rule that was never linked or moved into Real-Time Rules is the most common reason for rules not triggering!
Populating Active Lists with Rules
• You will see the new rule listed in both folders

Did the Rule Fire?….Yes
What happened to the Active List?
• Go to the “Lists” -> “Active Lists” resource under the Navigator Panel
• Right click on the Active List created
• Select “Show Entries”

What happened to the Active List?
• The Active List now has data in it
• Refresh is not automatic
• To refresh, click the recycle icon
Lab 11-1 Create an Active List Populated by a Rule
Use Case: detect interactive login after a specific time
• Rule Content and Expected Behaviour
• Conditions:
–Detect Successful Logins
–Create a Local Variable evaluating time (After Hours should start at 1 am for this Lab!)
• Aggregation will trigger after:
–1 match within 2 minutes
• Action:
–Will add some of the Event Fields to a previously created Active List
–Fields added to the List will be the following:
–Username, Source IP, Destination IP, Event Time (use the “End Time” Event Field)
–TTL will be set to 5 days
Key Fields are set for Username, Source IP, Destination IP
Chaining Rules using Active Lists
Example #2: Potentially compromised user account detection
We want to detect Login Failures followed by Successful Logins with the same user account
• How do we do it?
• By creating 1 Active List and 2 Rules
• Rule #1 detects Repeated Login Failures, then adds IP + Username to the Active List
• Rule #2 detects successful logins AND checks if IP + Username is already in the Active List
• What content do we need?
–Create a Field based Active List with the needed fields (Source IP + User Account Name)
–Create rule #1
–“Conditions” will filter login failures, then add to the Active List after 3 failures
–Create rule #2
–Conditions will filter successful logins, then check with InActiveList
Chaining Rules using Active Lists
Rule #1
Chaining Rules using Active Lists
Rule #1
To make sure the rule fires in this demo we define a low threshold level
• Select the Aggregate tab
–Select # of Matches and type 3 (number of occurrences)
–Select Time Frame and type 2 minutes
–Select “Add” for the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)
–Add the following CEF Fields:
–AttackerAddress, TargetAddress and TargetUserName
–Click OK then click Apply
Chaining Rules using Active Lists
Now we define the actions that follow the rule triggering
• Select the “Actions” tab
• By default the rule will always be set to “On First Event”
• We need to change this:
–Right click On First Event and select De-Activate Trigger
–Right click On First Threshold and select Activate Trigger
Chaining Rules using Active Lists
• Right click on “On First Threshold”
• Select “Add”
• Select “Active List” then select “Add to Active List”
We select the Active List “Repeated Login Failures” we just created.
• Map the required Fields
• “Username” maps the event field “Target User Name”
• “Target Host” maps the event field “Target Address”
• “Source IP” maps the event field “Attacker Address”
Click OK and Apply

RULE #1 is ready now
Chaining Rules using Active Lists
Rule #2
• Will do:
• Detect Successful Logins
• Check if the username is in the Active List “Repeated Login Failures”
• If so, will fire an alarm
• 3 conditions needed here:
1. categoryBehavior=/Authentication/Verify
2. categoryOutcome=/Success
3. “InActiveList”
Chaining Rules using Active Lists
Rule #2
• Select the “Repeated Login Failures” list we just created from the drop down list
• Map the Event Fields to the Active List’s defined Fields
• Click OK
• Click APPLY in the “InActiveList” window
• Click APPLY in the lower right corner
Chaining Rules using Active Lists
Rule #2
We need aggregation to get the rule fired
• Select the Aggregate tab
–Select # of Matches and type 1
–Select Time Frame and type 2 minutes
–Select “Add” for the “Aggregate only if these fields are identical” section (lower half of the Inspect/Edit panel)
–Add the following CEF Fields:
–AttackerAddress, TargetAddress and TargetUserName
–Click OK then click Apply
Chaining Rules using Active Lists
The action will set the Name field to:
• “Compromised User Account ?”
• The rule is complete now and must be copied to the Real Time Rules directory

Did the Rule Fire?….Yes

Lab 11-2 Chain 2 rules with an Active List
Use Case: Detect an already denied address that is seen in a network
A Firewall denied access to an IP address.
That same IP address is seen later on another part of the network, indicating that a breach has occurred (an improbable scenario apparently, but let’s do it)

• What content do we need here?
• 1 Active List – Field based (attacker IP, Firewall IP, Firewall Type and Vendor)
• 2 Rules
• Rule 1: Detects IP addresses denied by the Firewall, then adds the IP to an Active List
• Rule 2: Detects IP addresses permitted by the firewall and searches whether the IP is in the Active List
• Action: Set Event Field to “Potential Breach !!!”
Thank You

Questions ?
