
Security and Privacy Services

ArcSight ITS Training


Lab 6 – Working with Rules
8 August 2013

This study source was downloaded by 100000805244265 from CourseHero.com on 04-20-2022 07:49:47 GMT -05:00

https://www.coursehero.com/file/38700920/Lab-6-Rulespdf/
Lab 6.1 – Working with Rules

Table of Contents

Section 1 - Lab objectives ........ 3
Section 2 – Create an event rule ........ 4

Legend

Notation or important step or note. For example, the objective for each section.

Observation for the preceding step.

Deloitte Confidential and Proprietary Page 2 of 8

Section 1 - Lab objectives


The objective of this lab is as follows:

- Create and work with Rules


Section 2 – Create an event rule

Rule 1 Lab - Guided


Create a rule such that if there is a high priority threat (priority greater than 7) and the target IP is
in the Active List /All Active Lists/_Training/Critical assets, a correlated event is created.

Aggregate the events such that the rule fires when 10 matching events occur within one minute.

1. Open the Navigator and select the "Rules" resource


2. Right click on your folder and click on "New Rule"
3. In the Name, type "<your name> Rule 1 Lab"

4. On the Conditions tab, configure the rule condition:


Note: Please also add a condition that the targeted asset is part of your own network.
This prevents the rule from firing on other students' test alerts.

5. Click on Aggregation and configure the aggregation parameters:


6. Click on the "Actions" tab, right click on "On First Event", click on "Add" and
then "Set Event Field"


7. Click on OK
8. Create a link to the rule in your Real Time folder

Verify that the rule fired.


Rule 2 Lab
Create another rule as follows:

- Locked account
- Target address in Active List /All Active Lists/_Training/Critical assets
- Attacker address: 10.123.2.2
- Target user name: <your name>
- Priority 9
- Action: Create local notification
