Difference: HowActivateCategorization (r7 vs. r6)

Activate Categorization

Common Categorization

When categorizing Activate correlation rules, choose one from each column (except for the Notes column, of course).

Category Device Groups

Please note that the lists below do not map Category Device Groups to Category Device Types; a group and a type are chosen independently of each other.

Category Device Group
/Application
/Assessment Tool
/Firewall
/Honeypot
/IDS
/IDS/Host
/IDS/Host/Antivirus
/IDS/Host/File Integrity
/IDS/Network
/IDS/Network/Traffic Analysis
/Identity Management
/Identity Management/AAA
/Network Equipment
/Network Equipment/Router
/Network Equipment/Switches
/Operating System
/Proxy
/Security Information Manager
/VPN

Category Device Types

Category Device Type               Notes
-------------------------------    ------------------------------
Anti-Malware                       Anti-Virus
Application
CASB                               Cloud access security broker
Data Security
Database
DLP                                Data Loss Prevention
Encryption
Endpoint Detection and Response
File Integrity Monitor
HoneyPot
Host
IDAM                               Identity and Access Management
IDS
Integrated Security
IPS
KMS                                Key Management Service
Log Consolidator
Mainframe
Network Access Control
Network Device
Network Monitoring
Operating System
Payload Analysis
Physical Access Control
Physical Security
Policy Management
Printer
Proxy
Security Information Manager
Security Management
Ticketing System
Universal Threat Management
VPN                                Virtual Private Network
Vulnerability Management
Vulnerability Scanner
Web Application Firewall
Web Server
Wireless Security

Device Event Category

The Device Event Category (DEC) is used to inform and track a few attributes: the Multi-Sensor Data Fusion Model (DFM) level (Indicators and Warnings (I&W), Situational Awareness, etc.) and the Activate Defense Monitoring in Depth (DMiD) layer. The more information that is added to the DEC field, the more refined the Activate metrics can be (this applies to the L3-Impact and Threat Analysis and L4-Process Refinement levels).

The information in the DEC is based on the default ArcSight ESM DEC for a correlation event from a rule, and should be in this format:

/Rule/Fire/Activate/<DMiD Layer>/[/[/[/]]]

As the examples below show, the DMiD layer is followed by the DFM level, and then by up to three optional, increasingly specific sub-categories.

Examples:

Consider Entity Monitoring use cases.

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/User Authentication

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts/Failed Login to Disabled Account

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts/Failed Login to Privileged Account

Category Custom Format

The Category Custom Format field is used to indicate where the event falls in the ArcSight Attack Life Cycle. The currently recommended values are:

  • /Attack Life Cycle/Recon
  • /Attack Life Cycle/Delivery
  • /Attack Life Cycle/Exploit
  • /Attack Life Cycle/Activities NOTE: try not to use this, it isn't tracked, and probably won't ever be!
  • /Attack Life Cycle/Activities/C2
  • /Attack Life Cycle/Activities/Lateral Recon
  • /Attack Life Cycle/Activities/Expand Access
  • /Attack Life Cycle/Activities/Lateral Movement
  • /Attack Life Cycle/Activities/Establish Persistence
  • /Attack Life Cycle/Activities/Concealment
  • /Attack Life Cycle/Objectives NOTE: try not to use this, it isn't tracked, and probably won't ever be!
  • /Attack Life Cycle/Objectives/Confidentiality NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Integrity NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Availability NOTE: this is not yet tracked.

In some cases, where an event precisely fits into the Attack Life Cycle depends on factors that are unknown at detection time, such as the intent of the attack (i.e., the attacker's exact objectives).
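A small content-linting check for the two fields described above (the DEC format and the Category Custom Format values), added here as an example; it is not ArcSight or Activate code. The function and constant names are assumptions, as is reading the three nested brackets in the DEC format as at most three refinements after the DFM level.

```python
from dataclasses import dataclass

# Added example (not ArcSight/Activate code); names are assumptions, the
# rules encoded are the ones stated on this page.
DEC_PREFIX = "/Rule/Fire/Activate"
DFM_LEVELS = {"Indicators and Warnings", "Situational Awareness"}  # "etc." on page
MAX_REFINEMENTS = 3  # assumed reading of the three nested [/...] brackets

# Category Custom Format values the page recommends, split by tracking status.
CUSTOM_TRACKED = {
    "/Attack Life Cycle/Recon", "/Attack Life Cycle/Delivery",
    "/Attack Life Cycle/Exploit", "/Attack Life Cycle/Activities/C2",
    "/Attack Life Cycle/Activities/Lateral Recon",
    "/Attack Life Cycle/Activities/Expand Access",
    "/Attack Life Cycle/Activities/Lateral Movement",
    "/Attack Life Cycle/Activities/Establish Persistence",
    "/Attack Life Cycle/Activities/Concealment",
}
CUSTOM_UNTRACKED = {
    "/Attack Life Cycle/Activities", "/Attack Life Cycle/Objectives",
    "/Attack Life Cycle/Objectives/Confidentiality",
    "/Attack Life Cycle/Objectives/Integrity",
    "/Attack Life Cycle/Objectives/Availability",
}

@dataclass
class Dec:
    dmid_layer: str
    dfm_level: str
    refinements: list  # zero to MAX_REFINEMENTS increasingly specific names

def parse_dec(dec: str) -> Dec:
    """Split a DEC into DMiD layer, DFM level and refinements; raise on bad form."""
    if not dec.startswith(DEC_PREFIX + "/"):
        raise ValueError(f"DEC must start with {DEC_PREFIX}/")
    parts = dec[len(DEC_PREFIX) + 1:].split("/")
    if len(parts) < 2 or any(p.strip() == "" for p in parts):
        raise ValueError("DEC needs <DMiD Layer>/<DFM level> with no empty segment")
    if parts[1] not in DFM_LEVELS:
        raise ValueError(f"unknown DFM level: {parts[1]!r}")
    if len(parts) - 2 > MAX_REFINEMENTS:
        raise ValueError(f"at most {MAX_REFINEMENTS} refinements after the DFM level")
    return Dec(parts[0], parts[1], parts[2:])

def check_custom_format(value: str) -> str:
    """'ok' if tracked, 'untracked' if the page advises against it, else 'unknown'."""
    if value in CUSTOM_TRACKED:
        return "ok"
    return "untracked" if value in CUSTOM_UNTRACKED else "unknown"
```

Run over a rule's DEC and Category Custom Format before checking content in, so that untracked values and malformed DEC paths are caught before they skew the L3/L4 metrics.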

-- PrenticeHayes - 24 May 2017
