Difference: FrameworkResourceStructureNamingConventions (r2 vs. r1)

Resource Structure and Naming Conventions

Introduction

ArcSight Activate is a standardized approach to content development that provides guidance for developers to create familiar content. During early workshops, we ran tests where two separate groups where given the same training and documentation and then asked to create a content package from scratch. The results were as expected, the same content was created, placed in the same location, and put together in the exact same manner. The only notable difference between the two was the analysis of the event stream for certain indicators and warnings.

Content Directory Structure

The Activate directory structure described provides the appropriate foundation for content developers to create modular content. Below, you will find everything you need to know about the current structure as well as what you will need to create should you want to include additional content within certain packages or even build a new package from scratch.

DirectoryDescription
/All /ArcSight Activate This will be the root directory for all resources. This directory should not contain any content.
/All /ArcSight Activate/Core This directory will house sub-directories that are common across multiple use cases and packages. This directory will also be used for access control between teams (ie: Active Lists for suppression).
/All /ArcSight Activate/Core/Product / For every vendor/product, there will be a directory to handle particular indicators and warnings that cannot be combined within a single filter. This is considered level 1 content or "Indicators and Warnings"
/All /ArcSight Activate/Development This directory will be the main holding area for content in development. It's recommended that you store content in a logical structure beneath this directory. This will facilitate promoting the package to production.
/All /ArcSight Activate/Solutions This directory will be the main holding area for content dealing with Use cases.
/All /ArcSight Activate/Solutions/ Activate/Solutions/ Case Name> This is the top level directory for all use cases. This directory will not have any content, it will simply store the solution packages. For any customer specific content, a customer directory may be created at this level.
/All /ArcSight Activate/Product //

Under each vendor product, there will be one directory for each group of indicators and warnings. The groups are:

  • System and Service Errors
  • System and Service Changes
  • User Entity Authentication
  • User Entity Management
  • Suspicious Product Specific Events
  • Suspicious Product Specific Patterns.
/All /ArcSight Activate/Solutions/ Activate/Solutions//Indicators Name>/Indicators and Warnings Content that is used to track indicators and warning information that is shared between vendor products will be stored in this path. The usual hooks into this content will be a filter that combines the required events in an 'OR' statement. This is considered level 1 content or "Indicators and Warnings"
/All /ArcSight Activate/Solutions/ Activate/Solutions//Situational Name>/Situational Awareness Content that builds on tracking and identification correlation by adding any external situation information such as network model data or vulnerability information. This is considered level 2 content or "Situational Awareness"
All /ArcSight Activate/Workflow This directory will hold all content that drives or monitors workflow.

ResourceStructure.jpg

This directory structure is replicated for all relevant ArcSight resources. For new products, make sure to create the product directory under .../ArcSight Activate/Core/Product /. So far we've been using some variation of the device vendor and device product fields within ArcSight.

Naming Convention

When naming content, use short descriptive sentences much like a white paper title. Resource titles should give the user an idea of what the resource covers without having to analyze the supporting content.

Here are some guidelines:

  • Resource Name
    • Capitalize all major words in a resource name
    • Articles, short prepositions and coordinating conjunctions are not capitalized (short is less than 5 letters)
    • Always capitalize a word following a colon
  • Avoid using special characters such as commas, colons, semicolons.
    • If punctuation is required, use a dash with spaces on both ends
      ie: Trend - Windows Logon Events
  • Try to avoid using numbers in the title
    ie: Top 10 Attackers becomes Top Attackers
  • For non-event queries, specify the type in the name
    ie: Trend - Connector Feed Counts
    ie: AL - Default Windows Administration Accounts
    ie: SL - Active Windows RDP Sessions
  • If you need/want a resource to show up at the top of directory list, precede the title with a '_'
  • Time resolution is important but don't hard code set timelines.
    • Daily report would show hourly data points
    • Weekly reports would show daily data points
    • Monthly reports would show daily or weekly data points depending on the information being displayed.

Examples:

BAD: VPN Logins Collected Daily for the Past Week, Successful and Unsuccessful

  • Too wordy 'Collected Daily' and ambiguous

BETTER: Successful and Unsuccessful Daily VPN Logins - Past Week

  • Provides unnecessary information "Successful and Unsuccessful"

GOOD: Daily VPN Login Attemps Attempts for the Past Week

  • Time resolution is hardcoded hard-coded even though it can vary based on user

BEST: Daily VPN Logins

For reference: http://titlecase.com

Resource Description

Try to always provide a description of how the content is supposed to work or how it is used within the use case. That said, in some cases, the description is simply the title. For example, a good Filter name will most likely not require a description. Here are some guidelines for Resource Descriptions :

  • Avoid listing specifics
    ie: i.e.: field names
    ie: i.e.: related resource URI
  • Don't copy/paste from word, special chars have the potential of causing problems.

View topic | View difference side by side | History: r2 < r1 | More topic actions
 
This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback