The ArcSight Activate Entity and System State Tracking Method

The L3-Impact and Threat Analysis packages are currently under testing and not yet released to the ArcSight Marketplace. Check the marketplace's new items category for updates.

Introduction

The L3-Base - Impact and Threat Analysis package contains the supporting resources (active lists and rules) for tracking the states of systems, user accounts, service accounts, system accounts, etc., for this method.

[Image: EntityAndSystemStateTrackingMethod.png]

This method is loosely based on the Threat Tracking component of the ArcSight ESM Priority Formula (aka the Threat Level Formula).

[Image: PriorityFormulaLists.png]

The Resources

There are four sets of lightweight rules and active lists used to track entities and systems from both the attacker and target perspectives:
  • Attack Entity Perspective
  • Attack System Perspective
  • Target Entity Perspective
  • Target System Perspective
The rules examine the correlation events from Activate content and Activate-compliant content and add the appropriate information, if it is available, to the appropriate list. There are two sets of lists based on Attacker and Target.
  Attacker       Target
  Suspicious     Suspicious
  Hostile        Targeted
  Infiltrator    Compromised
These six lists track the state. There is a set for systems, and a separate set for entities.

This is the current set of state lists available in the L3 package:

[Image: StateLists.png]

Categorization Usage

The rules examine two specific fields, the Category Significance field and the Category Outcome field. For the attacker perspective, these are the settings that will determine which list will be affected:
  Categorization Fields                                                Attacker State List
  Category Significance = /Suspicious                                  Attacker State 1 Suspicious
  Category Significance = /Compromise, Category Outcome != /Success    Attacker State 2 Hostile
  Category Significance = /Compromise, Category Outcome = /Success     Attacker State 3 Infiltrator
Note that the Category Outcome field is not used for the Suspicious state.

For the target perspective, these are the settings that will determine which list will be affected:
  Categorization Fields                                                Target State List
  Category Significance = /Suspicious                                  Target State 1 Suspicious
  Category Significance = /Compromise, Category Outcome != /Success    Target State 2 Targeted
  Category Significance = /Compromise, Category Outcome = /Success     Target State 3 Compromised
Note that the Category Outcome field is not used for the Suspicious state.

List Restrictions

An entry can only be on one of the lists for that perspective at a time. For example, a system cannot be on both the Target System State 1 Suspicious list and the Target System State 2 Targeted list at the same time. Furthermore, an entry cannot move to a lower state. In other words, once a system is identified on Attacker System State 3 Infiltrator, it cannot be moved down to the Attacker System State 2 Hostile list.

The other restriction is that the lists have different TTLs (Times To Live): the higher the state, the longer entries are retained on that list.

Impact and Threat Scoring

Although the Entity and System State lists have different TTLs, longer term metrics are kept in the Impact and Threat Scoring lists.

[Image: ImpactAndThreatScoreLists.png]

-- PrenticeHayes - 24 May 2017
Topic revision: r2 - 14 Sep 2017, PrenticeHayes