User Guide
v 0.1 Beta
2011 Secmon Ltd, trading as EdgeSeven
This document may not be copied, modified, shared or released without prior consent of the author. Permission may
be sought from the author in writing to: EdgeSeven, Wyche Innovation Centre, Walwyn Road, Malvern, WR13 6PL
Security Situational Awareness
EDGESEVEN.COM
1. Description
The success of any SIEM system relies on receiving events from the respective in-scope source
devices and servers. Without any events, the SIEM platform effectively becomes useless. Part of
setting up a good SIEM system is creating mechanisms to ensure that these events are received, and
the most effective approach to do this is to use the Device Status Monitoring (DSM) capability built in to the ArcSight platform.
This content pack utilises the DSM capability to track and alert on any event sources that stop
sending events, so that you can take the appropriate action to re-establish the event flow. The pack
also contains mechanisms to detect servers/devices that have potentially been removed from the
network.
This parameter effectively controls how often the connector will report on devices it is seeing events
from. The event is identified by deviceEventClassId = agent:043 and contains a vital piece of
information called Events Since Last Check (SLC). The SLC value tells us how many events the
connector has received since the last check, the last check being the time window configured (in the
example above, every 30 minutes).
If the value is not zero, then the connector has seen some events (the value being the number of
events seen) from the respective device within the time window. If the value is zero, then we can
assume that the connector has not received any events from the device within the time window,
indicating a possible feed issue.
The DSM setting is a global value. In other words, the time value set applies to all devices
reporting to that connector, whether they only send a few events per day or are streaming at high
EPS rates. This makes it a challenge to work out the best time window for all respective devices so
that you don't get too many false positives.
Rather than having to configure and constantly tune all the connectors with differing times, the
EdgeSeven DSM pack makes use of active lists and asset categorization to control the time window
functionality, easing your overall administration. You can simply configure a standard set time on all
connectors (recommended at 30 minutes) and then tune the active list Time To Live (TTL)
accordingly.
The other content in the pack takes care of controlling which hosts are monitored and alerted against
as well as providing useful administration reports and dashboards.
3. Compatibility
The content pack was developed on a version 5, service pack 2 system and should be installed onto
a system with the same version. It should be possible to install this pack on any version 5
system, but it should be tested first.
4. Requirements
To be able to install and use the content pack you will need to have the following:
ArcSight ESM version 5 service pack 2 (the package should work on any version 5 system)
5. Files Included
The following files are included with the package:
Asset Import Template for use with the Console Network Model Wizard
Asset Import Template for use with the Asset Import Connector
6. Feedback
For any bugs or feature requests please email development@edgeseven.com
7. Downloading
The content pack is available from our website under http://www.edgeseven.com/resources.html
8. Additional Resources
Please have a look at our other resources for tools, tips and techniques:
Twitter https://twitter.com/#!/Edge_Seven
EdgeSeven Videos https://www.youtube.com/user/EdgeSevenVideo/videos
Total SIEM Blog https://totalsiem.blogspot.com
Facebook https://www.facebook.com/pages/EdgeSeven/123138681100924
Description
Step 1
Step 2
Step 3
Click Next to install the package, the package will begin to install.
Step 4
Click OK. The pack should now be installed and visible in the navigator tree.
Step 5
Note that the rules are automatically linked into the Real-Time Rules folder.
Description
Step 1
Import and/or tag your existing assets with the corresponding asset category (see below). Use
Streaming for event sources that constantly send events and use Batch for sources that send
events at pre-defined intervals.
Note 1: The pack contains sample asset import templates for use with the Asset Import Connector
and Console Network Model Tool. Please refer to the respective documentation of each of those
for further information and usage.
Note 2: The necessary categories can also be applied at the group (folder) level. Any assets under
this group will then inherit the respective categories applied.
Step 2
Set up the respective connectors to use Device Status Monitoring. This will need to be done for all
connectors that process events from in-scope devices.
To configure, double click the respective connector in the navigator and then select the Default
tab. Under the Processing sub-section alter the Enable Device Status Monitoring parameter to
suit. Note that the time must be entered in milliseconds. Click Apply when done.
A good value to start with is every 30 minutes (1800000 milliseconds). This means that the
connector will report on all devices sending events every 30 minutes (this can be changed at a later
stage if needed).
Once the setting has been configured, restart the connector.
Step 3
Configure the Time To Live (TTL) for the Active Lists. This only needs to be done if you would like
to increase/decrease the alert notification period. For example, you can change the TTL of
Streaming Devices active list to 1 hour to be alerted if any streaming device has not sent any
events for a 1-hour period. The default TTLs are as follows:
Batch Devices = 25 hours
Devices Not Reporting = 7 days
Device Potentially Removed From Network = Indefinite (admin should delete entries)
Streaming Devices = 2 hours
Navigate to /All Active Lists/EdgeSeven/System Monitoring/Devices/Device Status Monitoring
To configure, double click the respective active list and alter the TTL values, then click Apply.
Step 4
Enable notifications on the respective rules to receive alerts should a host stop sending events.
Navigate to /All Rules/EdgeSeven/System Monitoring/Devices/Device Status Monitoring
To configure, double click on Device Not Reporting and select the Actions tab. Right click
Send Notification and select Enable Action. You can also change the destination by right
clicking and selecting Edit, then selecting the appropriate Destination Group from the drop
down menu. Do the same for Device Potentially Removed From The Network.
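As an added illustration (not EdgeSeven's code or the pack's own rules), the following simulation replays constructed DSM events against the mechanism described in section 1 and the default TTLs from Step 3: a non-zero Events Since Last Check refreshes a device in its Streaming/Batch list, expiry from that list moves it to Devices Not Reporting, and expiry from there marks it as potentially removed. Device names, the asset categorisation and the event values are all assumptions made for the example.

```python
# Added example (not EdgeSeven's code): a small simulation of the pack's logic as
# described in sections 1 and 10. The DSM events below are constructed, not captured.
from datetime import datetime, timedelta

# Default active-list TTLs from Step 3 of the configuration section.
TTL = {"Streaming": timedelta(hours=2), "Batch": timedelta(hours=25)}
NOT_REPORTING_TTL = timedelta(days=7)
ASSETS = {"fw01": "Streaming", "ad01": "Streaming", "backup01": "Batch"}  # Step 1, constructed

def is_dsm_event(evt):
    """The Active Channel filter from Troubleshooting issue 1."""
    return evt["deviceEventClassId"] == "agent:043" and evt["deviceVendor"] == "ArcSight"

def process(events, now):
    """Replay DSM events; return (not_reporting, potentially_removed) as of `now`.
    A non-zero Events Since Last Check (slc) refreshes the device's entry in the
    Streaming/Batch list; zero means the connector saw nothing in the window."""
    last_seen = {}
    for evt in sorted(events, key=lambda e: e["time"]):
        if is_dsm_event(evt) and evt["device"] in ASSETS and evt["slc"] > 0:
            last_seen[evt["device"]] = evt["time"]
    not_reporting, removed = [], []
    for dev, cat in ASSETS.items():
        if dev not in last_seen:
            continue  # never matched a categorised asset: see Troubleshooting issue 2
        silent_for = now - last_seen[dev]
        if silent_for > TTL[cat] + NOT_REPORTING_TTL:
            removed.append(dev)        # also expired from Devices Not Reporting
        elif silent_for > TTL[cat]:
            not_reporting.append(dev)  # expired from the Streaming/Batch list
    return sorted(not_reporting), sorted(removed)

def dsm(device, t, slc):
    """Build a constructed agent:043 event carrying only the fields used here."""
    return {"deviceEventClassId": "agent:043", "deviceVendor": "ArcSight",
            "device": device, "time": t, "slc": slc}

T0 = datetime(2011, 6, 1)
EVENTS = (
    # fw01 reports every 30 minutes (the recommended DSM interval) for 3 hours
    [dsm("fw01", T0 + timedelta(minutes=30 * i), 1000) for i in range(7)]
    + [dsm("ad01", T0, 40), dsm("ad01", T0 + timedelta(minutes=30), 0)]  # feed stops
    + [dsm("backup01", T0, 3)]
    # a non-DSM event with a constructed class id, which the filter must ignore
    + [{"deviceEventClassId": "example:000", "deviceVendor": "ExampleVendor",
        "device": "ad01", "time": T0 + timedelta(hours=2), "slc": 99}]
)

def status_after(hours):
    return process(EVENTS, T0 + timedelta(hours=hours))
```

Three hours in, only ad01 has passed its 2-hour streaming TTL; at 8 days the Batch device backup01 is still one hour short of the combined 25 h + 7 day threshold, which is the edge the two-list design creates.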
11. Content Overview
The table below lists all the content that is used within the package along with its corresponding
description.
Content Name
Description
List of devices that have not sent events for 7 (this is configurable) days
Streaming Devices
Streaming
Shows all hosts that have potentially been removed from the network
Shows all hosts that have potentially been removed from the network
Controls which hosts are added to the Batch Devices Active List
Fires when a device expires from either the Batch / Streaming Devices Active List
Fires when a device expires from the Device Not Reporting Active List
Controls which hosts are added to the Streaming Devices Active List
12. Troubleshooting
The following section discusses common questions/issues encountered regarding the usage of the
content pack.
1. How do I find Device Status Monitoring Events?
The easiest way to find DSM events is to open an Active Channel and add a filter where
deviceEventClassId = agent:043 and deviceVendor = ArcSight.
2. I'm not seeing any devices in the Streaming/Batch Active List.
The most common cause is that the device details the agent is reporting on don't match the
imported asset. This is especially true for multi-homed devices. To verify, find the
corresponding DSM event (see issue 1) and double click the event to open it in the Event
Inspector.
Browse down to the Attacker section. The Attacker Asset ID field should be populated with
an asset id and should be blue in colour (if no value is present, then the device is not
associated with an asset).
Double click on Attacker Asset ID and it should open the corresponding asset in the
Inspect/Edit panel. Select the Categories tab for the device and ensure that it has the
appropriate categories applied.
13. Known Issues
None
14. Disclaimer
This software is provided by EdgeSeven as is and any express or implied warranties are disclaimed.
In no event shall EdgeSeven be liable for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of substitute goods or services;
loss of use, data, or profits, or business interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of
the use of this software, even if advised of the possibility of such damage.