Real Time Workflow

The Real Time Workflow Method for the Activate Framework is based on several SIOC concepts. The first is a Main Channel in which analysts see the actionable correlation events as the rules engine correlates the incoming events. The Main Channel is an active channel and is also known as the triage channel; we use these terms interchangeably. The second SIOC concept is the SOC stages, which tell analysts the state of an event. The stage of an event is set from the active channel by selecting the event in the channel, right-clicking it, and choosing "Annotate Events..." (or Ctrl+T).

Working with the Main Channel

The Main Channel (/All Active Channels/ArcSight Activate/Workflow/Main Channel) selects correlation events from Activate rules that have set the Event Annotation Stage to Triage. This triage channel is typically monitored by a Level 1 Analyst throughout the day. The analyst monitoring the triage channel is responsible for evaluating each event and deciding whether it can be quickly remediated or needs further investigation. If it can be quickly remediated, the triage analyst performs the remediation steps. If further investigation is needed, the triage analyst changes the stage of the event and assigns it to another analyst for investigation and remediation.

Note that monitoring the triage channel for hours on end can be tedious and cause events to be accidentally closed. We recommend that analysts be rotated on and off "triage duty" every couple of hours or so.

The SOC Stages

The SOC stages are grouped into three levels: System, 1: Investigating, and 2: Final.

System Stages

The System level contains three stages. These are the stages that most rules set in the Event Annotation Stage field.

Triage

The Triage stage (/All Stages/SOC Stages/System/Triage) is the stage that the Activate Framework uses for events that are actionable and warrant the time of an analyst to investigate.

System Monitored

The System Monitored stage (/All Stages/SOC Stages/System/System Monitored) is used for building baselines and tracking events as they continue. Events in this stage should be reviewed periodically, but they are mostly continuations of ongoing conditions that have already been sent to the triage channel, or conditions that do not meet the criteria of an actionable event but may be used by other rules once the conditions become actionable.

Testing

The Testing stage (/All Stages/SOC Stages/System/Testing) is used for testing rules under production conditions. This stage is typically used by content developers once the rules they are developing have been built in a test environment, moved to a staging environment, and are considered ready for production. It is the final stage of testing (in a production environment) before changing the rule to set the Event Annotation Stage to Triage or System Monitored. The goal of this stage is to determine the behavior of the rule and its impact on the system.

1: Investigating

The investigating stages are used by analysts to help with assigning events to other analysts. A triage analyst will typically use the Level 1 Investigating stage when assigning an event to another Level 1 analyst. Based on your processes, your triage analyst may also use the other stages.

Level 1 Investigating

The Level 1 Investigating stage (/All Stages/SOC Stages/1: Investigating/Level 1 Investigating) is used for the initial investigation of an event after it has been triaged. After this investigation is completed, one of the other "1: Investigating" stages may be selected and the event assigned to another analyst, or the event may be closed by setting the stage to one of the "2: Final" stages.

Level 2 Review

The Level 2 Review stage (/All Stages/SOC Stages/1: Investigating/Level 2 Review) is used when a Level 1 analyst has completed their investigation, but either needs review by a more senior analyst before closing or the event needs a more experienced or specialized analyst to complete the investigation. After this investigation is completed, one of the other "1: Investigating" stages may be selected and the event assigned to another analyst, or the event may be closed by setting the stage to one of the "2: Final" stages.

Engineer Review

The Engineer Review stage (/All Stages/SOC Stages/1: Investigating/Engineer Review) is used when the event is caused by a deficiency somewhere in the system. This deficiency could be a potential false positive condition, an error in the way a device logs, a misconfiguration in a connector, a problem with a rule's conditions or aggregation settings, or some other issue. Changing the Event Annotation Stage to Engineer Review should be accompanied by assigning the event to the ArcSight engineer responsible for that area of ESM management. After this investigation is completed, one of the other "1: Investigating" stages may be selected and the event assigned to another analyst, or the event may be closed by setting the stage to one of the "2: Final" stages; typically, the engineer will use a specific 2: Final stage once the issue has been resolved (e.g., No Further Action Required - Engineer).

Engage External Team

The Engage External Team stage (/All Stages/SOC Stages/1: Investigating/Engage External Team) is used when your process dictates that an event or incident should be turned over to another team or organization, such as HR or law enforcement. Depending on your processes, this may be the final stage for the event, or it may be set to one of the "2: Final" stages (e.g., Case Created).

2: Final

The stages in the 2: Final group are used for closing out events in the active channel workflow.
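The following is an added example, not code from the Activate Framework or from ArcSight ESM. It models the two concepts described on this page: the Main Channel filter (correlation events whose Event Annotation Stage is Triage) and the stage transitions an analyst makes with "Annotate Events...". The stage paths are the ones given above; the Event fields, the analyst directory, the error messages and the full paths of the two "2: Final" stages the page names (No Further Action Required - Engineer, Case Created) are assumptions made for the example.

```python
"""Model of the Activate Real Time Workflow stages (added example, not ArcSight code)."""
from dataclasses import dataclass
from typing import Optional

SYSTEM = "/All Stages/SOC Stages/System/"
INVESTIGATING = "/All Stages/SOC Stages/1: Investigating/"
FINAL = "/All Stages/SOC Stages/2: Final/"

# Stage paths as written on the page.
TRIAGE = SYSTEM + "Triage"
SYSTEM_MONITORED = SYSTEM + "System Monitored"
TESTING = SYSTEM + "Testing"
LEVEL_1_INVESTIGATING = INVESTIGATING + "Level 1 Investigating"
LEVEL_2_REVIEW = INVESTIGATING + "Level 2 Review"
ENGINEER_REVIEW = INVESTIGATING + "Engineer Review"
ENGAGE_EXTERNAL_TEAM = INVESTIGATING + "Engage External Team"
# The page names these two 2: Final stages but not their full paths; assumed here.
NFA_ENGINEER = FINAL + "No Further Action Required - Engineer"
CASE_CREATED = FINAL + "Case Created"

# Constructed analyst directory (user -> role); not from the page.
ANALYSTS = {"l1.ana": "level1", "l2.bob": "level2", "eng.cat": "engineer"}


@dataclass
class Event:
    event_id: str
    event_type: str              # "correlation" for rule output, "base" for raw device events
    name: str
    stage: str                   # Event Annotation Stage
    assignee: Optional[str] = None


def main_channel(events):
    """Model of the Main Channel filter: correlation events in the Triage stage.
    System Monitored, Testing and base events never appear in it."""
    return [e for e in events if e.event_type == "correlation" and e.stage == TRIAGE]


def stage_group(stage):
    """Return the level (System, 1: Investigating or 2: Final) a stage path belongs to."""
    for prefix in (SYSTEM, INVESTIGATING, FINAL):
        if stage.startswith(prefix):
            return prefix
    raise ValueError(f"unknown stage {stage!r}")


def transition_error(event, new_stage, assignee=None):
    """Return None if the annotation is allowed, otherwise a message saying why not."""
    cur_group, new_group = stage_group(event.stage), stage_group(new_stage)
    if cur_group == FINAL:
        return f"{event.event_id}: already closed in {event.stage}"
    if new_group == SYSTEM:
        return f"{event.event_id}: System stages are set by rules, not by analysts"
    if cur_group == SYSTEM and event.stage != TRIAGE:
        return f"{event.event_id}: only Triage events are worked from the Main Channel"
    if new_group == INVESTIGATING:
        # Every 1: Investigating stage hands the event to a named analyst.
        if assignee not in ANALYSTS:
            return f"{event.event_id}: {new_stage} requires an assignee"
        if new_stage == ENGINEER_REVIEW and ANALYSTS[assignee] != "engineer":
            return f"{event.event_id}: Engineer Review must be assigned to an ArcSight engineer"
    return None   # investigating -> reassign or close; triage -> investigate or close


def annotate(event, new_stage, assignee=None):
    """Apply the stage change (the 'Annotate Events...' action) or raise ValueError."""
    err = transition_error(event, new_stage, assignee)
    if err:
        raise ValueError(err)
    event.stage, event.assignee = new_stage, assignee
    return event


def walk_engineer_path(event):
    """Triage -> Level 1 Investigating -> Engineer Review -> 2: Final, as the
    Engineer Review section describes. Returns the list of stages visited."""
    path = [event.stage]
    for stage, who in ((LEVEL_1_INVESTIGATING, "l1.ana"),
                       (ENGINEER_REVIEW, "eng.cat"),
                       (NFA_ENGINEER, None)):
        annotate(event, stage, who)
        path.append(event.stage)
    return path


# Constructed sample events: one actionable, one ongoing, one under test, one base event.
SAMPLE_EVENTS = [
    Event("C-1", "correlation", "example rule A", TRIAGE),
    Event("C-2", "correlation", "example rule A (continuing)", SYSTEM_MONITORED),
    Event("C-3", "correlation", "example rule B (under test)", TESTING),
    Event("B-4", "base", "device log line", TRIAGE),
]

if __name__ == "__main__":
    for e in main_channel(SAMPLE_EVENTS):
        print("triage channel:", e.event_id, e.name)
    print(walk_engineer_path(Event("C-5", "correlation", "example rule A", TRIAGE)))
```

Only C-1 reaches the modelled Main Channel; C-2 and C-3 stay out of the analysts' way as the System Monitored and Testing sections intend, and the transition checks refuse to reopen a closed event, to move an event into a System stage by hand, or to send an event to Engineer Review without an engineer as its assignee.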

-- PrenticeHayes - 22 Mar 2017
Topic revision: r2 - 05 Apr 2017, PrenticeHayes

Activate Wiki 2.1.0.0