Problems Activate Solves

"C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off." (Bjarne Stroustrup, creator of the C++ programming language)

ArcSight ESM Content provides a flexible, powerful tool for developing correlation rules targeted at detecting suspicious activity within an organization’s network. The fundamental concepts of ESM Content – Messages, Filters, Rules, and Lists – can be combined in an almost infinite number of ways to create correlation logic. Content can be looked at as a programming language optimized for processing the firehose of events that come into the ESM from all over the corporate network. As with any programming language, flexibility gives rise to complexity. An experienced software developer or scripter may be able to orient themselves quickly in the Content programming environment, while the security analyst who has not done any programming may be overwhelmed at the number of options for accomplishing a given task.

Say you want to track failed logins to a specific application host. One failed login is not that important, but a bunch of failed logins might be an indication of some kind of penetration attempt. But even a slightly sophisticated attacker might vary the pace of the attack so that those failed logins only come once an hour. If the Content Developer chooses to use rule aggregation to find these events, perhaps initially over a short aggregation timeframe of 2 minutes, and then realizes that failed logins can be more spaced out in time, she might deal with this problem by simply extending the timeframe of the aggregation to 1 or 2 hours. But in a high-traffic environment this is a mistake serious enough to bring down an ESM!

A high-performance environment (40-50K EPS) is going to be optimized in its use of processing and memory, and a great deal of time and effort goes into tuning such systems. Now introduce into this delicate environment a programming ability with which end-users – Content Developers – can enhance and extend the logic of the processing environment through rule development. These Rules and other Content Resources also use processor time and memory, so the way that Content uses memory and processing is going to affect the stability of the platform. This is a huge technical challenge for the product, and ESM Content largely manages to walk the tightrope of doing useful processing while not leaking memory or running away with the processor. BUT, you have to know how to use it properly.
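The memory trade-off behind this warning, as an added Python illustration that is not ArcSight Content and not part of the original page: a rule that retains every matching event across a two-hour window is compared with one that keeps only a per-host counter per time bucket, both detecting the same slow, hourly-paced failed logins. The host names, the sample event stream, the 10-minute bucket and the threshold of five failures are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample feed: (seconds since start, target host, outcome).
# A slow attacker spreads six failures 20 minutes apart over two hours; a
# misconfigured service account fails once per second on another host.
SLOW_ATTACKER = [(t, "app-host-01", "failure") for t in range(0, 7200, 1200)]
NOISY_SERVICE = [(t, "app-host-02", "failure") for t in range(0, 7200)]
SAMPLE_EVENTS = sorted(SLOW_ATTACKER + NOISY_SERVICE)

class EventBufferRule:
    """Keeps every matching event for the window: state ~ matching EPS x window."""
    def __init__(self, window_s, threshold):
        self.window_s, self.threshold = window_s, threshold
        self.buffers = defaultdict(deque)  # host -> failure timestamps
    def feed(self, ts, host):
        q = self.buffers[host]
        q.append(ts)
        while q[0] < ts - self.window_s:  # expire events that left the window
            q.popleft()
        return len(q) >= self.threshold
    def retained(self):
        return sum(len(q) for q in self.buffers.values())

class BucketCounterRule:
    """Same detection, bounded state: one counter per (host, time bucket).
    Keeps one extra bucket so it never under-counts the exact window."""
    def __init__(self, window_s, threshold, bucket_s):
        self.threshold, self.bucket_s = threshold, bucket_s
        self.n_buckets = window_s // bucket_s
        self.counts = defaultdict(dict)  # host -> {bucket index: failures}
    def feed(self, ts, host):
        b = ts // self.bucket_s
        buckets = self.counts[host]
        buckets[b] = buckets.get(b, 0) + 1
        for old in [k for k in buckets if k < b - self.n_buckets]:
            del buckets[old]
        return sum(buckets.values()) >= self.threshold
    def retained(self):
        return sum(len(d) for d in self.counts.values())

def run(rule, events=SAMPLE_EVENTS):
    """Feed failures to the rule; return (first alert per host, peak retained entries)."""
    first_alert, peak = {}, 0
    for ts, host, outcome in events:
        if outcome == "failure" and rule.feed(ts, host):  # the rule condition
            first_alert.setdefault(host, ts)
        peak = max(peak, rule.retained())
    return first_alert, peak
```

Both rules fire at the same moments, but the buffering rule's peak state grows with the number of matching events in the window (7206 entries here), while the bucketed rule holds at most a handful of counters per host (18 entries).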

Activate grew out of the experience of many Micro Focus/ArcSight Professional Services Engineers and Software Developers. As Professional Services went from customer to customer it became clear that there were similar ways that novice users of Content would go wrong, ranging from misunderstanding the use of a particular Resource to doing something that seemed reasonable but which ran afoul of certain optimizations in the environment. Another phenomenon observed in large organizations was different groups developing their own Content to solve similar problems, leading to duplication of code and effort across the organization. Before long it became clear that what was needed was a framework for Content development that would
  • provide out-of-the-box useful Content that an organization could deploy to quickly start generating actionable alerts
  • provide a learning platform for new Content developers with strategies and best practices
  • promote code re-use across groups within an organization
  • support the development of new Content for new event feeds

Useful Content

Consider Microsoft Windows events. Practically every organization has Microsoft Windows installed on desktops and/or servers. Getting all of these machines "on-boarded" and sending event logs to ESM is a project in itself, but once you have that stream of events established, what do you do with it? Obviously there are numerous situations and events that can occur on Windows that the SIEM team would like to know about. For instance, we would like to know when a Group Policy changes, because that changes the security profile of that user group. Now, there are a LOT of Windows events. Typically when creating Content to handle a new event type in Windows, you first need to identify the event number, and then identify the CEF fields in the Event that are relevant to your processing. What if the Group Policy change happens on a local machine? What if it happens on a Domain Controller? A simple problem can become complicated when you try to solve it with full generality.

Luckily in this case, you have installed Activate in your ESM, and you need only look in the folder "/All Rules/ArcSight Activate/Core/Product Rules/Microsoft Windows/System and Service Changes" to see the Rule "Group Policy Change Detected". There are several groups of Rules organized by Product in the Core package. These are products which are common in enterprises, and it is likely that you will find a good amount of Content that you can deploy in real time "right out of the box".

Learning

Code Re-Use

Future Packages

Topic revision: r3 - 13 Aug 2018, YunPeng

Activate Wiki 2.1.0.0
