Activate Categorization

Common Categorization

When categorizing Activate correlation rules, choose one from each column (except for the Notes column, of course).

Category Device Groups and Types

Please note that the two lists below are independent: a Category Device Group does not map to a particular Category Device Type.

Category Device Group:
  • /IDS/Network
  • /IDS/Host
  • /IDS/Host/File Integrity
  • /IDS/Host/Antivirus
  • /Application
  • /Operating System
  • /Network Equipment
  • /Network Equipment/Router
  • /Network Equipment/Switches
  • /VPN
  • /Identity Management
  • /Identity Management/AAA
  • /Security Information Manager
  • /Assessment Tool

Category Device Type (notes in parentheses):
  • Anti-Malware (Anti-Virus)
  • Application
  • CASB (Cloud access security broker)
  • Data Security
  • Database
  • DLP (Data Loss Prevention)
  • Encryption
  • Endpoint Detection and Response
  • File Integrity Monitor
  • HoneyPot
  • Host
  • IDAM (Identity and Access Management)
  • IDS
  • Integrated Security
  • IPS
  • KMS (Key Management Service)
  • Log Consolidator
  • Mainframe
  • Network Access Control
  • Network Device
  • Network Monitoring
  • Operating System
  • Payload Analysis
  • Physical Access Control
  • Physical Security
  • Policy Management
  • Printer
  • Proxy
  • Security Information Manager
  • Security Management
  • Ticketing System
  • Universal Threat Management
  • VPN (Virtual Private Network)
  • Vulnerability Management
  • Vulnerability Scanner
  • Web Application Firewall
  • Web Server
  • Wireless Security

Device Event Category

The Device Event Category (DEC) field records a few attributes of the rule: the Multi-Sensor Data Fusion Model (DFM) level (for example Indicators and Warnings (I&W) or Situational Awareness) and the Activate Defense Monitoring in Depth (DMiD) layer. The more information that is added to the DEC field, the more refined the Activate metrics can be (this applies to the L3-Impact and Threat Analysis and L4-Process Refinement levels).

The information in the DEC is based on the default ArcSight ESM DEC for a correlation event from a rule, and should be in this format:

/Rule/Fire/Activate/<DMiD Layer>/<DFM Level>[/<I&W category>[/<use case>[/<user story>]]]

Examples:

Consider Entity Monitoring use cases.

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/User Authentication

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts

/Rule/Fire/Activate/Entity Monitoring/Indicators and Warnings/Entity Authentication/Suspicious Failed Login Attempts/Failed Login to Disabled Account

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts

/Rule/Fire/Activate/Entity Monitoring/Situational Awareness/Entity Management/Suspicious Failed Login Attempts/Failed Login to Privileged Account

Category Custom Format

The Category Custom Format field is used to indicate where the event falls in the ArcSight Attack Life Cycle. The currently recommended values are:
  • /Attack Life Cycle/Recon
  • /Attack Life Cycle/Delivery
  • /Attack Life Cycle/Exploit
  • /Attack Life Cycle/Activities NOTE: try not to use this, it isn't tracked, and probably won't ever be!
  • /Attack Life Cycle/Activities/C2
  • /Attack Life Cycle/Activities/Lateral Recon
  • /Attack Life Cycle/Activities/Expand Access
  • /Attack Life Cycle/Activities/Lateral Movement
  • /Attack Life Cycle/Activities/Establish Persistence
  • /Attack Life Cycle/Activities/Concealment
  • /Attack Life Cycle/Objectives NOTE: try not to use this, it isn't tracked, and probably won't ever be!
  • /Attack Life Cycle/Objectives/Confidentiality NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Integrity NOTE: this is not yet tracked.
  • /Attack Life Cycle/Objectives/Availability NOTE: this is not yet tracked.
In some cases, where an event precisely fits into the Attack Life Cycle can depend on factors that are not known at detection time, such as the intent of the attack (i.e., what the attacker's exact objectives are).
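The conventions above (one Category Device Group and one Category Device Type from the lists, a DEC in the /Rule/Fire/Activate/<DMiD Layer>/<DFM Level>[...] format, and a Category Custom Format from the recommended Attack Life Cycle values) are easy to get wrong by hand across a large rule set. The following linter is an added example written for this page, not ArcSight or Activate code: it takes a rule's categorization fields as a plain dictionary (the snake_case key names and the two sample rules are assumptions constructed for the example) and reports errors for values outside the conventions, plus warnings for the Attack Life Cycle values the page says are not tracked.

```python
"""Lint the categorization fields of an Activate correlation rule.

Added example (not part of the ArcSight Activate page or product). The
dictionary keys used for the rule fields and the two sample rules at the
bottom are constructed for this example.
"""

DEVICE_GROUPS = {
    "/IDS/Network", "/IDS/Host", "/IDS/Host/File Integrity", "/IDS/Host/Antivirus",
    "/Application", "/Operating System", "/Network Equipment",
    "/Network Equipment/Router", "/Network Equipment/Switches", "/VPN",
    "/Identity Management", "/Identity Management/AAA",
    "/Security Information Manager", "/Assessment Tool",
}

DEVICE_TYPES = {t.strip() for t in """
Anti-Malware, Application, CASB, Data Security, Database, DLP, Encryption,
Endpoint Detection and Response, File Integrity Monitor, HoneyPot, Host, IDAM,
IDS, Integrated Security, IPS, KMS, Log Consolidator, Mainframe,
Network Access Control, Network Device, Network Monitoring, Operating System,
Payload Analysis, Physical Access Control, Physical Security, Policy Management,
Printer, Proxy, Security Information Manager, Security Management,
Ticketing System, Universal Threat Management, VPN, Vulnerability Management,
Vulnerability Scanner, Web Application Firewall, Web Server, Wireless Security
""".split(",")}

# Attack Life Cycle values that Activate metrics track ...
TRACKED_PHASES = {
    "/Attack Life Cycle/Recon", "/Attack Life Cycle/Delivery",
    "/Attack Life Cycle/Exploit", "/Attack Life Cycle/Activities/C2",
    "/Attack Life Cycle/Activities/Lateral Recon",
    "/Attack Life Cycle/Activities/Expand Access",
    "/Attack Life Cycle/Activities/Lateral Movement",
    "/Attack Life Cycle/Activities/Establish Persistence",
    "/Attack Life Cycle/Activities/Concealment",
}
# ... and values the page lists but marks as not tracked (warn, don't fail).
UNTRACKED_PHASES = {
    "/Attack Life Cycle/Activities", "/Attack Life Cycle/Objectives",
    "/Attack Life Cycle/Objectives/Confidentiality",
    "/Attack Life Cycle/Objectives/Integrity",
    "/Attack Life Cycle/Objectives/Availability",
}

DEC_PREFIX = "/Rule/Fire/Activate"
# Positional components after the prefix: the first two are mandatory,
# the remaining three are the optional nested levels.
DEC_FIELDS = ("dmid_layer", "dfm_level", "iw_category", "use_case", "user_story")


def parse_dec(dec: str) -> dict:
    """Split a DEC string into its named components, or raise ValueError."""
    if not dec.startswith(DEC_PREFIX + "/"):
        raise ValueError(f"DEC must start with {DEC_PREFIX}/: {dec!r}")
    parts = dec[len(DEC_PREFIX) + 1:].split("/")
    if any(not p.strip() for p in parts):
        raise ValueError(f"DEC has an empty path component: {dec!r}")
    if not 2 <= len(parts) <= len(DEC_FIELDS):
        raise ValueError(
            f"DEC needs a DMiD layer and DFM level and at most "
            f"{len(DEC_FIELDS)} components: {dec!r}")
    return dict(zip(DEC_FIELDS, parts))


def lint_rule(rule: dict) -> list:
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    group = rule.get("category_device_group")
    if group not in DEVICE_GROUPS:
        findings.append(("error", f"unknown Category Device Group {group!r}"))
    dtype = rule.get("category_device_type")
    if dtype not in DEVICE_TYPES:
        findings.append(("error", f"unknown Category Device Type {dtype!r}"))
    try:
        parse_dec(rule.get("device_event_category", ""))
    except ValueError as exc:
        findings.append(("error", str(exc)))
    phase = rule.get("category_custom_format")
    if phase in UNTRACKED_PHASES:
        findings.append(("warning", f"{phase} is not tracked by Activate metrics"))
    elif phase not in TRACKED_PHASES:
        findings.append(("error", f"unknown Category Custom Format {phase!r}"))
    return findings


# Constructed sample rules (not real Activate content).
GOOD_RULE = {
    "category_device_group": "/Identity Management/AAA",
    "category_device_type": "IDAM",
    "device_event_category": "/Rule/Fire/Activate/Entity Monitoring/"
        "Indicators and Warnings/Entity Authentication/"
        "Suspicious Failed Login Attempts/Failed Login to Disabled Account",
    "category_custom_format": "/Attack Life Cycle/Exploit",
}
BAD_RULE = {
    "category_device_group": "/IDS",                       # not a listed group
    "category_device_type": "Firewall",                    # not a listed type
    "device_event_category": "/Rule/Fire/Activate/Entity Monitoring",  # no DFM level
    "category_custom_format": "/Attack Life Cycle/Objectives",         # untracked
}

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        for severity, message in lint_rule(rule) or [("ok", "categorization is clean")]:
            print(f"{name}: {severity}: {message}")
```

Running the file reports the bad rule's three errors and one warning and confirms the good rule is clean; wiring `lint_rule` into a pre-import check on exported rule content keeps badly categorized rules from silently dropping out of the Activate metrics.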

-- PrenticeHayes - 24 May 2017
Topic revision: r6 - 05 Feb 2018, PrenticeHayes