The ArcSight Activate Attack Progression Method

The L3-Impact and Threat Analysis packages are currently under testing and not yet released to the ArcSight Marketplace. Check the marketplace's new items category for updates.


The L3-Base - Impact and Threat Analysis package contains the supporting resources (active lists and rules) for tracking the activity of systems, user accounts, service accounts, system accounts, etc., across the ArcSight Attack Life Cycle phases for this method.


The Resources

Each phase of the ArcSight Attack Life Cycle has its own list, for attacker and target perspectives, for both entities and systems.


The rules examine the correlation events from Activate content and Activate-compliant content and add the appropriate information, if it is available, to the appropriate list.

Categorization Usage

The rules look at the Category Custom Format field, The range of values is listed below.
  • /Attack Life Cycle/Recon
  • /Attack Life Cycle/Delivery
  • /Attack Life Cycle/Exploit
  • /Attack Life Cycle/Activity/C2
  • /Attack Life Cycle/Activities/Concealment
  • /Attack Life Cycle/Activities/Establish Persistence
  • /Attack Life Cycle/Activities/Expand Access
  • /Attack Life Cycle/Activities/Lateral Movement
  • /Attack Life Cycle/Activities/Lateral Recon

List Restrictions

These lists have different TTLs (Times To Live), based on the weight of the Attack Life Cycle phase.

Impact and Threat Scoring

Although the Attack Life Cycle lists have different TTLs, longer term metrics are kept in the Impact and Threat Scoring lists.


-- PrenticeHayes - 24 May 2017
Topic revision: r1 - 24 May 2017, PrenticeHayes


Activate Wiki

This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback