Security Philosophy

The Activate Framework was created to help ArcSight users build and use security content. It provides a vocabulary and process to talk about security problems, identify solutions and develop reusable security content.

Use case

  • Appropriate to talk about with executive and business stakeholders because they address a business purpose
  • Example: Detect suspicious external data transfer.
  • We advocate for describing use cases in terms of the behavior they try to detect, not how they detect that behavior (focus on the solutions, not the data).
  • Guide developers on how to implement use cases in a way that prescribes a path toward maturity in both breadth (detecting different behaviors) and depth.

User Stories

  • Appropriate for technical end users to understand exactly how individual content features address the overall business purposes
  • Example: Alert on data transfers above x size from an internal network address to an external network address.
  • User stories should identify indicators (data transfer), enrich them with additional information from ArcSight models (internal vs. external network addresses) and determine which individual indicator or pattern of indicators requires an alert (above x size).
  • User stories are built up incrementally from base events to allow easy reuse in future user stories.
  • Use cases contain many user stories (collectively addressing the business purpose), and a user story may belong to multiple business purposes.
  • Package user stories for use in ways that make installation and set up easy: Defense Monitoring in Depth, Activate Levels.
  • Identify relevant characteristics (device, industry verticals, keywords, etc.) to allow end users to find relevant content easily.
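The example user story above, worked through as the three steps the page describes (base events, enrichment from a network model, alert decision). This is an added illustration in Python, not ArcSight rule content or part of the Activate Framework; the network ranges, events and threshold are constructed, and the alert sums transfers per source/destination pair so that a pattern of smaller transfers is caught as well as a single large one.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the ArcSight network model: ranges treated as "internal".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed base events; the indicator is a data transfer with a byte count.
BASE_EVENTS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "bytes": 600_000_000},
    {"src": "10.1.2.3", "dst": "203.0.113.10", "bytes": 500_000_000},
    {"src": "10.1.2.9", "dst": "10.1.2.10", "bytes": 2_000_000_000},  # internal to internal
    {"src": "192.168.5.5", "dst": "198.51.100.7", "bytes": 1_000},  # small transfer
]


def is_internal(addr):
    """Model lookup: is the address inside one of the internal ranges?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def enrich(event):
    """Step 2: add the model-derived fields the story needs (internal vs. external)."""
    return {**event,
            "src_internal": is_internal(event["src"]),
            "dst_internal": is_internal(event["dst"])}


def outbound_transfers(events):
    """Reusable building block: keep only internal -> external transfers."""
    return [e for e in map(enrich, events) if e["src_internal"] and not e["dst_internal"]]


def alerts(events, threshold_bytes):
    """Step 3: total bytes per (src, dst) pair; alert when the total exceeds the threshold."""
    totals = defaultdict(int)
    for e in outbound_transfers(events):
        totals[(e["src"], e["dst"])] += e["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    for (src, dst), total in alerts(BASE_EVENTS, 1_000_000_000).items():
        print(f"ALERT external transfer {src} -> {dst}: {total} bytes")
```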

Three Tiers of Commonality

An Epic is a collection of related use cases. Currently, most Activate packages are at the Epic level, based on the Defense Monitoring in Depth (DMiD) layer and the DFM level. An example of an epic package is L1-Perimeter Monitoring - Indicators and Warnings.

A Use Case is a collection of related User Stories. An example of a use case package is L1-Data Security DLP - Indicators and Warnings.

A User Story is a problem to be solved, and is usually implemented by a collection of discrete objectives.

A Discrete Objective is a set of resources that work together to address a user story, or that impose requirements on other discrete objectives addressing the same user story.

For example, a rule is a resource, and depending on how the rule is written, it may implement one or more discrete objectives. A single rule will most likely not be enough to completely address a user story. A single user story will most likely not be enough to completely address a use case.

From an ArcSight Activate Content Development perspective, the complete set of resources that address a user story is the smallest set of resources that should be a published package. The largest set of resources to be included in a package should be at the epic level. The use case level is probably the best level for packaging most resources that are beyond the "essential" set of user stories.

-- PrenticeHayes - 19 Sep 2017
Topic revision: r4 - 16 Aug 2018, OswaldoDimas