© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Objectives
Active Lists
Active lists are data stores that can hold information derived from
events or other sources.
The main uses of active lists are to maintain information and to
check for the existence of particular information in lists using
the InActiveList condition in rules.
For example, active lists are very useful for tracking suspicious or hostile IP
addresses as well as targets of attacks that may be compromised.
Active Lists
• Data source for resources (Rules, Reports, Query Viewers, …)
• ‘Memory tables’ with fields that can be dynamically added, removed or
updated by rules
• Can also be populated manually or by importing CSV files
• Information in a list has a lifetime (lists are configured with a TTL: Time to Live)
Example: a “Worm Infected Systems” Active List tracks the Zones and IP Addresses of systems exhibiting
worm-like behavior along with the port that the worm is attempting to target
Active Lists
• Various ways to use Active Lists
– Chain multiple rules together
– Rule throttling
– Malicious IP and domain watch lists
– Role-based use cases
– Enrich events with additional information
– User profiling
– Reports
Creating Active Lists
• Select “Lists” from the Navigator Panel
• Select the “Active Lists” tab in the Navigator Panel
Anatomy of Active Lists
Item: Description
NAME: Specifies the name of the Active List
ArcSight creates audit events for all aspects of Active List statistics
Creating Active Lists
• When configured, click APPLY
CAUTION: Once saved, Active List parameters cannot be modified
Populating Active Lists
Importing CSV Files
• Select « Active Lists » in Navigator
• Right click desired Active List
• Select Import CSV Files
• Choose the file and click OK
Manually
• Select « Active Lists » in Navigator
• Right click desired Active List
• Select « Edit Active List »
• Click « Add Entry » in the Inspect/Edit panel
• Add entry and click
Session Lists
Session Lists are similar to Active Lists, with the following
major differences:
• Session Lists always have Start Time, End Time and Creation Time fields
• Entries in Session Lists are « terminated » instead of removed
• Session Lists partition data into weekly partitions because the lists can
grow very large over a period of time
• Session Lists do not have to fit entirely in memory
• Session Lists are optimized for efficient time-based queries
Creating Session Lists
• Select “Lists” from the Navigator Panel
• Select the “Session Lists” tab in the Navigator Panel
• Right-click ‘admin’s Session Lists’
• Select ‘New Session Lists’ from the menu
Anatomy of Session Lists
Item: Description
NAME: Identifies the session list in ArcSight pick lists. Spaces and special characters are allowed.
OVERLAPPING ENTRIES: Check this box to alert the system to allow multiple instances of key pairings, which keeps the previous session with the same key field open.
IN MEMORY CAPACITY (X1000): This setting indicates the maximum number of session entries the system keeps in memory. As a best practice, be sure to set In Memory Capacity higher than the number of live sessions you anticipate.
ENTRY EXPIRATION TIME: Time after which entries are marked as terminated (if no explicit termination event is received previous to this). An entry with no expiry date/time can only be terminated explicitly (through user action on ArcSight Console, rule actions, or archives).
ArcSight creates audit events for all aspects of Session List statistics
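To make the session list behaviour described above concrete (entries are terminated rather than removed, overlapping entries, entry expiration, and time-based queries), here is an added Python model. It is not ArcSight code; the class, its method names, and the VPN login/logout events it replays are constructed assumptions that follow the slide's description.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SessionEntry:
    key: tuple                           # values of the key fields (e.g. user, source IP)
    start_time: datetime
    creation_time: datetime              # when the entry was written to the list
    end_time: Optional[datetime] = None  # None while the session is still open


class SessionList:
    """Toy session list: entries are terminated (end_time set), never deleted.
    Assumed simplification of the behaviour the slide describes."""

    def __init__(self, key_fields, overlapping_entries=False, entry_expiration=None):
        self.key_fields = tuple(key_fields)
        self.overlapping_entries = overlapping_entries
        self.entry_expiration = entry_expiration  # timedelta, or None = explicit termination only
        self.entries = []

    def _key(self, event):
        return tuple(event[f] for f in self.key_fields)

    def open_session(self, event, now):
        key = self._key(event)
        if not self.overlapping_entries:
            # Without overlapping entries, a new session for the same key closes the previous open one.
            for e in self.entries:
                if e.key == key and e.end_time is None:
                    e.end_time = now
        entry = SessionEntry(key=key, start_time=now, creation_time=now)
        self.entries.append(entry)
        return entry

    def terminate(self, event, now):
        """Explicit termination (e.g. a logout event); returns the number of sessions closed."""
        key = self._key(event)
        closed = 0
        for e in self.entries:
            if e.key == key and e.end_time is None:
                e.end_time = now
                closed += 1
        return closed

    def expire(self, now):
        """Mark open sessions older than the entry expiration time as terminated."""
        if self.entry_expiration is None:
            return 0
        expired = 0
        for e in self.entries:
            if e.end_time is None and now - e.start_time >= self.entry_expiration:
                e.end_time = e.start_time + self.entry_expiration
                expired += 1
        return expired

    def active_at(self, t):
        """Time-based query: sessions that were open at instant t."""
        return [e for e in self.entries
                if e.start_time <= t and (e.end_time is None or t < e.end_time)]


T0 = datetime(2014, 6, 1, 9, 0)  # constructed reference time


def run_demo(overlapping=False):
    """Replay constructed VPN events and answer 'who was logged in at time t?' queries."""
    sl = SessionList(("user", "src_ip"), overlapping_entries=overlapping,
                     entry_expiration=timedelta(hours=8))
    alice = {"user": "alice", "src_ip": "10.0.0.5"}
    bob = {"user": "bob", "src_ip": "10.0.0.7"}
    sl.open_session(alice, T0)                            # alice logs in at 09:00
    sl.open_session(bob, T0 + timedelta(minutes=30))      # bob logs in at 09:30, never logs out
    sl.open_session(alice, T0 + timedelta(minutes=40))    # alice logs in again at 09:40 (same key)
    sl.terminate(alice, T0 + timedelta(hours=1))          # alice logs out at 10:00
    sl.expire(T0 + timedelta(hours=9))                    # housekeeping at 18:00: bob's session expires
    users_at = lambda t: sorted(e.key[0] for e in sl.active_at(t))
    return {
        "total": len(sl.entries),
        "at_0935": users_at(T0 + timedelta(minutes=35)),
        "at_0945": users_at(T0 + timedelta(minutes=45)),
        "at_1030": users_at(T0 + timedelta(minutes=90)),
        "at_1800": users_at(T0 + timedelta(hours=9)),
    }


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(overlapping=True))
```

With overlapping entries disabled, alice's 09:40 login terminates her 09:00 session, so the 09:45 query shows one alice session; with overlapping entries enabled both remain open until the explicit logout closes them. Bob's session is never terminated explicitly and is only closed by the 8-hour expiration, which is why it no longer appears at 18:00 even though the entry itself stays in the list.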
Use Case Examples
Populating Active Lists with Rules
• Example #1: a firewall-blocked IP address is added to a list and maintained for 2 hours
• How do we do it?
• A rule detects firewall events with a blocked IP address (inbound connections)
• An action in the rule adds the blocked IP address to a previously created Active List
• The IP address is held in that list for 2 hours (if not updated, the entry in the list will be deleted)
• What content do we need?
A field-based Active List holding blocked IP addresses for 2 hours
A rule with the following:
Conditions filtering access failures from the firewall's point of view
Aggregation is necessary to get the rule fired (even though we just need 1 occurrence of such an event)
An action that adds Attacker Address, Device Address, Device Product and Device Vendor as 1 entry in the list
Creating Active Lists
• Define the fields* that each entry in the list will
consist of
• Here we define/create 4 fields/columns*:
Source IP address
Firewall IP address
FW Product Name
FW Vendor
• Define the field type
• Check “Key Fields” for “Source IP” and
“Firewall IP”
• Click “Apply” to save the changes
The Active List is now created and ready for use
*Think of the fields defined in an Active List as columns in a table
Populating Active Lists with Rules
• Provide a Name
• Select the Conditions Tab
Populating Active Lists with Rules
If you have previously tested the filter, you know it will work
Populating Active Lists with Rules
We need to add something to filter blocked accesses
• Right-click “Event1”
• Select “Category” then “CategoryBehavior”
• Select “StartsWith” as the logical operator
• Select “/Access” as the filter term
• Click OK
• Add the second line with categoryOutcome = « /Failure »
• Click Apply
The filter is now ready
• Click the « Aggregation » tab
Populating Active Lists with Rules
• Select “Add” in the “Aggregate only if these fields are
identical” section (in the lower half of the Inspect/Edit
panel)
• We aggregate on the following event fields:
Attacker Address: blocked IP address
Device Address: firewall IP address blocking the external IP
Device Product: firewall model from the vendor
Device Vendor: firewall brand name
Did the Rule Fire? Yes
What happened to the Active List?
Lab 11-1 Create an Active List Populated by a Rule
Use Case: detect interactive login after a specific time
• Rule Content and Expected Behaviour
• Conditions:
Detect Successful Logins
Create a Local Variable evaluating the time (After Hours should start at 1 am for this lab)
• Aggregation will trigger after:
1 match within 2 minutes
• Action:
• Will add some of the Event Fields to a previously created Active List
• Fields added in the Lists will be the following:
Username, Source IP, Destination IP, Event Time (Use “End Time” Event Field)
TTL will be set to 5 days
Key Fields are set for Username, Source IP, Destination IP
Chaining Rules using Active Lists
Example #2: detection of potentially compromised user accounts
We want to detect login failures followed by successful logins with the same user account
• How do we do it?
• By creating 1 Active List and 2 rules
• Rule #1 detects repeated login failures, then adds IP + Username to the Active List
• Rule #2 detects successful logins AND checks whether IP + Username is already in the Active List
• What content do we need?
Create a field-based Active List with the needed fields (Source IP + User Account Name)
Create rule #1
“Conditions” will filter login failures, then add to the Active List after 3 failures
Create rule #2
The condition will filter successful logins, then check with InActiveList
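As an added example (not ArcSight code), the following Python model shows both use cases on these slides: the field-based Active List with key fields and a TTL from Example #1 (the 2-hour firewall block list), and the two chained rules of Example #2, where rule #1 fires on 3 login failures within 2 minutes and adds IP + Username to the list, and rule #2 fires on a successful login only if that IP + Username is still in the list. The class and function names, the categoryBehavior value "/Authentication/Verify", and the event stream are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ActiveList:
    """Toy field-based active list: key fields identify an entry, the TTL expires it."""

    def __init__(self, fields, key_fields, ttl):
        self.fields = tuple(fields)
        self.key_fields = tuple(key_fields)
        self.ttl = ttl
        self.entries = {}  # key tuple -> (row dict, last update time)

    def _key(self, row):
        return tuple(row[f] for f in self.key_fields)

    def add(self, row, now):
        # Adding an entry whose key already exists updates it and refreshes its TTL.
        row = {f: row[f] for f in self.fields}
        self.entries[self._key(row)] = (row, now)

    def purge(self, now):
        """Delete entries not updated within the TTL; returns how many were removed."""
        expired = [k for k, (_, t) in self.entries.items() if now - t >= self.ttl]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def in_active_list(self, row, now):
        """The InActiveList condition: the key is present and has not expired."""
        hit = self.entries.get(self._key(row))
        return hit is not None and now - hit[1] < self.ttl


class ThresholdRule:
    """Aggregation: fire when `matches` matching events with identical aggregate fields
    occur within `window` (the '# of matches' / 'time frame' settings on the slides)."""

    def __init__(self, condition, aggregate_fields, matches, window):
        self.condition = condition
        self.aggregate_fields = tuple(aggregate_fields)
        self.matches = matches
        self.window = window
        self.buckets = defaultdict(deque)  # aggregate key -> timestamps of matching events

    def feed(self, event):
        if not self.condition(event):
            return False
        q = self.buckets[tuple(event[f] for f in self.aggregate_fields)]
        q.append(event["time"])
        while q and event["time"] - q[0] > self.window:
            q.popleft()  # drop matches that fell out of the time frame
        if len(q) >= self.matches:
            q.clear()    # threshold reached: fire once, then start counting again
            return True
        return False


def run_chain(events, ttl=timedelta(hours=1)):
    """Run rule #1 and rule #2 over a time-ordered event stream; returns rule #2's alerts."""
    failed = ActiveList(("src_ip", "user"), key_fields=("src_ip", "user"), ttl=ttl)
    is_auth = lambda e: e["categoryBehavior"].startswith("/Authentication/Verify")
    rule1 = ThresholdRule(lambda e: is_auth(e) and e["categoryOutcome"] == "/Failure",
                          ("src_ip", "user"), matches=3, window=timedelta(minutes=2))
    rule2 = ThresholdRule(lambda e: is_auth(e) and e["categoryOutcome"] == "/Success",
                          ("src_ip", "user"), matches=1, window=timedelta(minutes=2))
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        failed.purge(ev["time"])
        if rule1.feed(ev):
            failed.add(ev, ev["time"])            # rule #1 action: Add to Active List
        if rule2.feed(ev) and failed.in_active_list(ev, ev["time"]):
            alerts.append((ev["user"], ev["src_ip"], ev["time"]))
    return alerts


T0 = datetime(2014, 6, 1, 8, 0)  # constructed reference time


def mk(minutes, user, ip, outcome):
    """Build a constructed authentication event."""
    return {"time": T0 + timedelta(minutes=minutes), "user": user, "src_ip": ip,
            "categoryBehavior": "/Authentication/Verify", "categoryOutcome": outcome}


SAMPLE_EVENTS = [
    mk(0, "jdoe", "10.1.1.20", "/Failure"),
    mk(0.5, "jdoe", "10.1.1.20", "/Failure"),
    mk(1, "jdoe", "10.1.1.20", "/Failure"),      # 3rd failure within 2 min: rule #1 fires, entry added
    mk(5, "jdoe", "10.1.1.20", "/Success"),      # success while still in the list: alert
    mk(0, "asmith", "10.1.1.30", "/Failure"),
    mk(1, "asmith", "10.1.1.30", "/Failure"),    # only 2 failures: rule #1 never fires
    mk(3, "asmith", "10.1.1.30", "/Success"),    # not in the list: no alert
    mk(10, "bob", "10.1.1.40", "/Failure"),
    mk(10.5, "bob", "10.1.1.40", "/Failure"),
    mk(11, "bob", "10.1.1.40", "/Failure"),      # entry added at +11 min
    mk(101, "bob", "10.1.1.40", "/Success"),     # 90 min later, past the 1 h TTL: no alert
]

if __name__ == "__main__":
    for user, ip, when in run_chain(SAMPLE_EVENTS):
        print(f"possible compromised account: {user} from {ip} at {when:%H:%M}")
```

The same `ActiveList` with a 2-hour TTL and a single key field is the Example #1 list: the firewall rule's action calls `add` and the entry disappears on the next `purge` once 2 hours have passed without an update. Note that the chained detection only works if rule #1's entry is still alive when the success arrives, so the list TTL has to be chosen against the realistic gap between the failures and the later success.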
Chaining Rules using Active Lists
Rule #1
To make sure the rule is fired in this demo we define a
low threshold level
• Select the Aggregate tab
Select # of Matches and type 3 (number of occurrences)
Select Time Frame and type 2 minutes
Chaining Rules using Active Lists
• Right-click “On First Threshold”
• Select “Add”
• Select “Active List” then select “Add to Active List”
We select the Active List “Repeated Login Failures”
we just created.
• Map the required fields
• Map the list field “Username” to the event field “Target User Name”
Chaining Rules using Active Lists
Rule #2
We need aggregation to get the rule fired
• Select the Aggregate tab
Select # of Matches and type 1
Select Time Frame and type 2 minutes
Did the Rule Fire? Yes
Lab 11-2 Chain 2 rules with an Active List
Use Case: detect an already denied address that is seen in the network
A firewall denied access to an IP address.
That same IP address is seen later on another part of the network, indicating that a breach has occurred (an improbable
scenario, apparently, but let’s do it)
Thank You
Questions?