ArcSight Activate Suppression System

The suppression system is used when events enter the system and cause problems. Such events can arrive for several reasons, many of which lead to them being declared "False Positives." A false positive is a condition where a device generates an event, or a rule triggers on an event, but the root cause is not harmful. One example is when a password for a system is changed, but scripts accessing that system are not updated to use the new password; the result is a flood of login failures that causes a rule looking for brute-force login attacks to trigger.

There are two aspects to the Activate Framework's Suppression System. The first is for workflow, and the second is for development. We will document both here.

Activate Workflow and the Suppression System

There are two sets of suppression lists, Dynamic and Static:

(Image: suppressionLists001.png)

The Dynamic Suppression Lists are set with a Time to Live (TTL) of 1 day (24 hours). The Static Suppression Lists do not have a TTL, effectively making any entries permanent. For this reason, we highly recommend that level 1 analysts do not have the ability to add entries to the Static Suppression Lists. We also recommend periodic review of the entries on the Static lists, semi-annually, or at least annually. Having the wrong entries on the suppression lists can blind you to attacks.

In the course of working with events, an analyst and the team may decide that an event with particular characteristics should be added to one of the suppression lists. Before we describe exactly how to do this, let's first take a look at the different suppression lists. With the exception of the TTLs, and two additional lists that exist only on the Static side, the Dynamic and Static suppression lists are identical.

(Image: suppressionLists002.png)

The lists are either "Fields-based" or "Event-based," so how suppression information is entered depends on the type of list. "Event-based" is the easiest, because the Add To Active List step in the workflow automatically maps the event's values to the corresponding fields in the list.

For fields-based lists that require comments, use the Event Annotation Comment field.

Attacker and Target Based Suppression

This event-based list should be used only when all events between a specific source and destination pair (Attacker Zone, Attacker Address, Target Zone, Target Address) should be ignored.

Device and Action with Comments

This field-based list should be used to ignore events with a specified action (Device Action) from a specific device (Device Address, Device Host Name, Device Zone); it also requires the Event Annotation Comment field.

IDS Event ID Suppression with Comments

This field-based list should be used to ignore events with a specific IDS signature (Device Event Class ID), ticket information (External ID), and the Event Annotation Comment field.

IDS Event ID with Attacker Target and Comments

This field-based list should be used to ignore events with a specific IDS signature (Device Event Class ID), source information (source address), destination information (destination address, destination port), ticket information (External ID), and the Event Annotation Comment field.

Name and Attacker Based Suppression

This event-based list should be used to ignore events with a specific Name from a source (attacker address and zone).

Name and Target Based Suppression

This event-based list should be used to ignore events with a specific event Name from a destination (target address and zone).

Name Attacker and Target Based Suppression

This event-based list should be used to ignore events with a specific event Name between a source (attacker address and zone) and destination (target address and zone).

Name Based Suppression List

This event-based list should be used to ignore events with a specific event Name.

Name Target and Port Suppression with Comments

This field-based list should be used to ignore events with a specific event Name, destination information (destination address, destination port), ticket information (External ID), and the Event Annotation Comment field.

Target Address and Port Suppression

This event-based list should be used to ignore ALL events to a specific destination (target zone, address, host name, and port).

Trusted

This is the first Static Suppression List that has no dynamic counterpart. This fields-based list should be used to ignore ALL events from a specific source (source zone, address, and host name). It also requires two other fields: customer and frequency (use the Aggregated Event Count field).

Web Client Application Suppression

This is the second Static Suppression List that has no dynamic counterpart. It is also not referenced in /All Filters/ArcSight Activate/Core/Suppression List Filters/All Network Based Suppression Lists. This fields-based list should be populated with proxy client applications and used to ignore events from those clients that are known to be not malicious.

Using the Suppression Lists in the Real-Time Workflow

Part of the real-time workflow in Activate involves using the suppression lists to remove events from being processed by the Activate rules. This should not be done lightly, but nevertheless, it is sometimes necessary. These are the steps for getting information into the proper suppression list.

The example in the steps below uses a generated scenario. We are going to suppress the base events causing the Egress RDP Communication Passed by Firewall rule to trigger for the source address 192.168.205.111 by using /All Active Lists/ArcSight Activate/Core/Suppression Lists/Dynamic Suppression Lists/Dynamic Name and Attacker Based Suppression. This is one of the event-based lists. Please note that this is an example of how to add an event to the suppression list. This is NOT a good example of what should be put on a suppression list!

1) Select the correlation event from the Main Channel (triage). (Image: suppressionLists003.png)

2) Inspect the event, and look at the correlated (triggering) events in particular. (Image: suppressionLists004.png)

3) Select one of the fields that will assist with finding the appropriate information to add to the suppression list. (Image: suppressionLists005.png)

4) Right-click and select Investigate, then select Create Channel [conditions]. (Image: suppressionLists006.png)

5) Go to the new active channel tab and find the event you want to add to the suppression list. (Image: suppressionLists007.png)

6) If a comment is required by the Active List, annotate the event you want to add to the suppression list. (Image: suppressionLists008.png)

7) Right-click on the event you want added, then select Active List | Add To > Other... (Image: suppressionLists009.png)

8) Select the appropriate list and map the fields, if necessary (not necessary in this example). (Image: suppressionLists010.png)
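To make the list semantics described above concrete, here is an added Python model (not ArcSight code) of an event-based suppression list: entries are copied from an event's key fields, Dynamic entries expire after the 24-hour TTL while Static ones persist, and a review helper flags Static entries older than the semi-annual review window. The sample event is the walkthrough's Egress RDP base event; the zone value and all field names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of Activate suppression lists (not ArcSight code):
# dynamic lists expire entries after the 24-hour TTL, static lists never do.
DYNAMIC_TTL = timedelta(hours=24)
STATIC_REVIEW = timedelta(days=182)  # semi-annual review of static entries

@dataclass
class SuppressionList:
    name: str
    key_fields: List[str]  # fields an event must match, e.g. name + attacker
    dynamic: bool
    entries: List[dict] = field(default_factory=list)

    def add_from_event(self, event: dict, now: datetime) -> dict:
        # Event-based lists copy the key fields straight from the event.
        entry = {f: event[f] for f in self.key_fields}
        entry["_added"] = now
        self.entries.append(entry)
        return entry

    def is_live(self, entry: dict, now: datetime) -> bool:
        return not self.dynamic or now - entry["_added"] < DYNAMIC_TTL

    def matches(self, event: dict, now: datetime) -> bool:
        # Suppressed when every key field equals one live entry's values.
        return any(self.is_live(e, now)
                   and all(event.get(f) == e[f] for f in self.key_fields)
                   for e in self.entries)

    def stale_entries(self, now: datetime) -> List[dict]:
        # Static entries past the review window blind you if left unchecked.
        return [e for e in self.entries
                if not self.dynamic and now - e["_added"] >= STATIC_REVIEW]

def suppressed_by(event: dict, lists: List[SuppressionList], now: datetime) -> Optional[str]:
    # Name of the first list that suppresses the event, or None if it passes.
    for sl in lists:
        if sl.matches(event, now):
            return sl.name
    return None

# Constructed sample: the walkthrough's base event (the zone is a placeholder).
T0 = datetime(2017, 5, 3, 20, 0)
RDP_EVENT = {"name": "Egress RDP Communication Passed by Firewall",
             "attackerZone": "/All Zones/EXAMPLE-ZONE", "attackerAddress": "192.168.205.111"}
NAME_ATTACKER = SuppressionList("Dynamic Name and Attacker Based Suppression",
                                ["name", "attackerZone", "attackerAddress"], dynamic=True)
```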

More here...

-- PrenticeHayes - 07 Dec 2016
Topic revision: r8 - 10 May 2017, PrenticeHayes