Activate Categorization

Common Categorization

When categorizing Activate correlation rules, choose one from each column (except for the Notes column, of course).

Category Device Groups

| Category Device Group |
| /Application |
| /Assessment Tool |
| /Firewall |
| /Honeypot |
| /IDS |
| /IDS/Host |
| /IDS/Host/Antivirus |
| /IDS/Host/File Integrity |
| /IDS/Network |
| /IDS/Network/Traffic Analysis |
| /Identity Management |
| /Identity Management/AAA |
| /Network Equipment |
| /Network Equipment/Router |
| /Network Equipment/Switches |
| /Operating System |
| /Proxy |
| /Security Information Manager |
| /VPN |

Category Device Types

| Category Device Type | Notes |
| Anti-Malware | Anti-Virus |
| Application | |
| CASB | Cloud access security broker |
| Data Security | |
| Database | |
| DLP | Data Loss Prevention |
| Encryption | |
| Endpoint Detection and Response | |
| File Integrity Monitor | |
| HoneyPot | |
| Host | |
| IDAM | Identity and Access Management |
| IDS | |
| Integrated Security | |
| IPS | |
| KMS | Key Management Service |
| Log Consolidator | |
| Mainframe | |
| Network Access Control | |
| Network Device | |
| Network Monitoring | |
| Operating System | |
| Payload Analysis | |
| Physical Access Control | |
| Physical Security | |
| Policy Management | |
| Printer | |
| Proxy | |
| Security Information Manager | |
| Security Management | |
| Ticketing System | |
| Universal Threat Management | |
| VPN | Virtual Private Network |
| Vulnerability Management | |
| Vulnerability Scanner | |
| Web Application Firewall | |
| Web Server | |
| Wireless Security | |

Device Event Category

The Device Event Category (DEC) is used to record and track a few attributes of the rule: its Multi-Sensor Data Fusion Model (DFM) level, such as Indicators and Warnings (I&W) or Situational Awareness, and its Activate Defense Monitoring in Depth (DMiD) layer. The more information that is added to the DEC field, the more refined the Activate metrics can be (this matters for the L3-Impact and Threat Analysis and L4-Process Refinement levels).

The information in the DEC is based on the default ArcSight ESM DEC for a correlation event from a rule, and should be in this format:

/Rule/Fire/Activate/<DMiD Layer>/<DFM Level>[/<I&W category>[/<use case>[/<user story>]]]

Examples, using the Entity Monitoring use cases:
  • /Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings
  • /Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/User Authentication
  • /Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts
  • /Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts/Failed Login to Disabled Account
  • /Rule/Fire/Activate/Entity Monitoring/Situational Awareness
  • /Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management
  • /Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts
  • /Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts/Failed Login to Privileged Account

Category Custom Format

The Category Custom Format field is used to indicate where the event falls in the ArcSight Attack Life Cycle. The currently recommended values are:
  • /Attack Life Cycle/Recon
  • /Attack Life Cycle/Delivery
  • /Attack Life Cycle/Exploit
  • /Attack Life Cycle/Activities NOTE: try not to use this; it isn't tracked, and probably never will be.
  • /Attack Life Cycle/Activities/C2
  • /Attack Life Cycle/Activities/Lateral Recon
  • /Attack Life Cycle/Activities/Expand Access
  • /Attack Life Cycle/Activities/Lateral Movement
  • /Attack Life Cycle/Activities/Establish Persistence
  • /Attack Life Cycle/Activities/Concealment
  • /Attack Life Cycle/Objectives NOTE: try not to use this; it isn't tracked, and probably never will be.
  • /Attack Life Cycle/Objectives/Confidentiality NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Integrity NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Availability NOTE: this is not yet tracked.
In some cases, where an event fits precisely in the Attack Life Cycle depends on factors that are unknown when the rule fires, such as the intent of the attack (i.e., the attacker's exact objectives).
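The two free-text fields described above, the DEC and the Category Custom Format, are easy to get subtly wrong in a content pack (a missing /Activate prefix, a typo in "Attack Life Cycle", or one of the untracked parent values). The following is an added example, not code from this wiki or from the Activate content pack itself: a small lint that parses a DEC into its DMiD layer, DFM level and optional I&W category, use case and user story, rebuilds it, and checks a Category Custom Format value against the recommended list above, flagging the values the page marks as not tracked. The lint does not restrict the DFM level to a fixed set, because the page lists only two levels and says "etc."; the sample rule metadata at the bottom is constructed from the page's own examples.

```python
"""Lint the Activate categorization fields on a correlation rule (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Fixed prefix of every Activate correlation-event DEC (from the page).
DEC_PREFIX = ("Rule", "Fire", "Activate")

# Recommended Category Custom Format values (from the page), mapped to whether
# Activate metrics currently track the value.
CUSTOM_FORMAT_TRACKED = {
    "/Attack Life Cycle/Recon": True,
    "/Attack Life Cycle/Delivery": True,
    "/Attack Life Cycle/Exploit": True,
    "/Attack Life Cycle/Activities": False,
    "/Attack Life Cycle/Activities/C2": True,
    "/Attack Life Cycle/Activities/Lateral Recon": True,
    "/Attack Life Cycle/Activities/Expand Access": True,
    "/Attack Life Cycle/Activities/Lateral Movement": True,
    "/Attack Life Cycle/Activities/Establish Persistence": True,
    "/Attack Life Cycle/Activities/Concealment": True,
    "/Attack Life Cycle/Objectives": False,
    "/Attack Life Cycle/Objectives/Confidentiality": False,
    "/Attack Life Cycle/Objectives/Integrity": False,
    "/Attack Life Cycle/Objectives/Availability": False,
}


@dataclass(frozen=True)
class Dec:
    """The components of /Rule/Fire/Activate/<DMiD Layer>/<DFM Level>[/...]."""
    dmid_layer: str
    dfm_level: str
    iw_category: Optional[str] = None
    use_case: Optional[str] = None
    user_story: Optional[str] = None

    def to_string(self) -> str:
        """Rebuild the DEC string; optional parts nest, so stop at the first missing one."""
        parts = [*DEC_PREFIX, self.dmid_layer, self.dfm_level]
        for optional in (self.iw_category, self.use_case, self.user_story):
            if optional is None:
                break
            parts.append(optional)
        return "/" + "/".join(parts)


def parse_dec(dec: str) -> Dec:
    """Parse a DEC string, raising ValueError for anything outside the documented shape."""
    if not dec.startswith("/"):
        raise ValueError(f"DEC must start with '/': {dec!r}")
    segments = dec[1:].split("/")
    if any(not segment.strip() for segment in segments):
        raise ValueError(f"DEC has an empty or blank segment: {dec!r}")
    if tuple(segments[:3]) != DEC_PREFIX:
        raise ValueError(f"DEC must start with /Rule/Fire/Activate: {dec!r}")
    rest = segments[3:]
    if len(rest) < 2:
        raise ValueError(f"DEC needs at least a DMiD layer and a DFM level: {dec!r}")
    if len(rest) > 5:
        raise ValueError(f"DEC has more than five segments after the prefix: {dec!r}")
    # Fields are declared in DEC order, so 2..5 segments map positionally.
    return Dec(*rest)


def check_custom_format(value: str) -> str:
    """Return 'ok', 'untracked' (recommended but not counted in metrics) or 'unknown'."""
    if value not in CUSTOM_FORMAT_TRACKED:
        return "unknown"
    return "ok" if CUSTOM_FORMAT_TRACKED[value] else "untracked"


def lint_rule(dec: str, custom_format: str) -> List[str]:
    """Collect findings for one rule's categorization fields; an empty list means clean."""
    findings: List[str] = []
    try:
        parsed = parse_dec(dec)
        if parsed.iw_category is None:
            findings.append("DEC stops at the DFM level; an I&W category refines L3/L4 metrics")
    except ValueError as exc:
        findings.append(f"DEC: {exc}")
    status = check_custom_format(custom_format)
    if status == "unknown":
        findings.append(f"Category Custom Format {custom_format!r} is not a recommended value")
    elif status == "untracked":
        findings.append(f"Category Custom Format {custom_format!r} is recommended but not tracked")
    return findings


if __name__ == "__main__":
    # Constructed sample rule metadata: one clean rule, one using an untracked
    # parent value, and one with a missing /Activate segment and a typo.
    SAMPLE_RULES = [
        ("/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication"
         "/Suspicious Failed Login Attempts/Failed Login to Disabled Account",
         "/Attack Life Cycle/Exploit"),
        ("/Rule/Fire/Activate/Entity Monitoring/Situational Awareness",
         "/Attack Life Cycle/Activities"),
        ("/Rule/Fire/Entity Monitoring/Situational Awareness",
         "/Attack Lifecycle/Recon"),
    ]
    for dec_value, cf_value in SAMPLE_RULES:
        print(dec_value)
        for finding in lint_rule(dec_value, cf_value) or ["  ok"]:
            print("  " + finding.strip())
```

Running the module prints one block per constructed rule; wiring `lint_rule` over the exported rule metadata of a package gives a cheap pre-commit check that the DEC and Category Custom Format values will actually feed the Activate metrics rather than silently falling outside them.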

-- PrenticeHayes - 24 May 2017
Topic revision: r8 - 13 Apr 2018, PrenticeHayes