
ArcSight Historical Correlation with Scheduling Rules

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This document is part of the HP Enterprise Security Products Reference Guide and covers using ArcSight for historical event correlation with scheduling rules, as of 2013. Key points:

1. Scheduling rules: run rules at specific times or intervals, so that past events can be analyzed for forensic purposes without acting on real-time data.
2. Historical correlation with scheduling rules: identify threats in historical data and create new correlation rules from them, so that future occurrences can be predicted.
3. Testing rules: test rules against captured events before deployment, to confirm they are effective for forensic analysis without causing real-world impact.
4. Scheduling rule usage: rules set to run at predetermined intervals process historical data and surface potential threats or patterns that are not immediately apparent in live data streams.
5. Document details: the document lists the specific build versions of the ArcSight services used in the demonstration and gives step-by-step instructions for configuring a scheduling rule group and checking its status. It also includes an example query that retrieves events from the `arc_eventevent1` table by manager receipt time and device vendor, filtered by timestamps and by conditions on the session ID; this is the kind of selection an event management or log analysis tool performs when pulling events by such criteria. The content may be updated or changed at any time without prior notice, as stated in the copyright notice of Hewlett-Packard Development Company, L.P.

Details:

This document describes the use of ArcSight for historical event correlation with scheduling rules, as of 2013, as part of the HP Enterprise Security Products Reference Guide. The guide covers how to verify rules against events and how to perform historical correlation with scheduling rules in ArcSight Express 4.0. Key points:

1. Scheduling rules: run rules at specific times or intervals without immediately acting on real-time data, so that past events can be analyzed for forensic purposes.
2. Historical correlation with scheduling rules: create new correlation rules from threats identified in historical data; these can be used to predict future occurrences and to take preemptive action where necessary.
3. Testing rules: test rules against captured events before deployment, so that they are shown to be effective for forensic analysis without causing real-world impact.
4. Scheduling rule usage: rules set to run at predetermined intervals analyze past data and identify potential threats or patterns not immediately apparent in live data streams.
5. Build versions: the document lists the specific build versions of the ArcSight services used in the demonstration, including conapp, esm, storage, process management, and installer.

Scheduling rules are useful for deploying rules that consider both historical and live data, or for controlling when rules are executed. They can process historical data, take real-time actions, and generate correlated events just as the real-time rules engine does. Scheduled rules are best run after business hours, during off-peak times such as the middle of the night. They are designed to handle base events and can be used together with join rules and active lists, which extends what they can do across a range of scenarios.

The document then walks through configuring a scheduling rule group in ArcSight and checking its status. It gives step-by-step instructions for setting up the schedule, noting that either End Time or Manager Receipt Time should be configured as the time field. To confirm that the scheduling rule is running, follow the Manager's server log from a terminal:

`# tail -f /opt/arcsight/manager/logs/default/server.log`

The log entries show whether the scheduling rule executed successfully and any relevant details of the execution.

The document's example query retrieves events from the `arc_eventevent1` table that meet conditions on the event's manager receipt time and device vendor. The selected columns include base event count, type, device vendor, source address, originator, destination address, start time, priority, end time, destination zone, source zone, event ID, name, and domain. The query keeps only events whose manager receipt time falls between '2013-09-05 08:00:00.864' and '2013-09-05 09:00:04.589', whose device vendor is either 'ArcSight' or 'TippingPoint', and whose session ID is null or zero. The rows are selected from a subquery named `unsortedInner` and ordered by the End Time column in ascending order. This is the kind of query an event management or log analysis tool runs to select events by receipt time and device vendor. The document, from Hewlett-Packard (now known as HP Inc.), covers the company's enterprise security offerings and is copyright Hewlett-Packard Development Company, L.P.; it states that its content may be updated or changed at any time without prior notice.
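To make the historical replay concrete, here is an added Python example (not from the HP document) that applies the same selection the query above describes, a manager receipt time window, the two vendors, a null-or-zero session ID, ordered by end time, to a constructed set of captured events and then evaluates a hypothetical threshold rule over them, the way one would test a rule against captured events before scheduling it. The field names, the sample events and the threshold rule are assumptions; the window and vendor list come from the query.

```python
from datetime import datetime

# Constructed sample of captured events (not from the HP document); field names are assumptions.
# session_id None or 0 marks a base event; a non-zero value marks an already correlated event.
CAPTURED_EVENTS = [
    {"event_id": 1, "mrt": "2013-09-05 08:05:00.000", "end_time": "2013-09-05 08:04:59.000",
     "device_vendor": "ArcSight", "session_id": None, "source_address": "10.0.0.5"},
    {"event_id": 2, "mrt": "2013-09-05 08:30:00.000", "end_time": "2013-09-05 08:29:59.000",
     "device_vendor": "TippingPoint", "session_id": 0, "source_address": "10.0.0.5"},
    {"event_id": 3, "mrt": "2013-09-05 08:45:00.000", "end_time": "2013-09-05 08:44:59.000",
     "device_vendor": "ArcSight", "session_id": 42, "source_address": "10.0.0.5"},
    {"event_id": 4, "mrt": "2013-09-05 09:30:00.000", "end_time": "2013-09-05 09:29:59.000",
     "device_vendor": "ArcSight", "session_id": None, "source_address": "10.0.0.9"},
    {"event_id": 5, "mrt": "2013-09-05 08:10:00.000", "end_time": "2013-09-05 08:09:59.000",
     "device_vendor": "Cisco", "session_id": None, "source_address": "10.0.0.9"},
    {"event_id": 6, "mrt": "2013-09-05 08:20:00.000", "end_time": "2013-09-05 08:19:59.000",
     "device_vendor": "TippingPoint", "session_id": None, "source_address": "10.0.0.9"},
]

# Window bounds and vendor list taken from the query the document describes.
WINDOW_START = "2013-09-05 08:00:00.864"
WINDOW_END = "2013-09-05 09:00:04.589"
VENDORS = ("ArcSight", "TippingPoint")

def parse_ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS.fff' timestamps used in the query."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")

def replay_window(events, start=WINDOW_START, end=WINDOW_END, vendors=VENDORS):
    """Select the base events a scheduled rule would replay: received (mrt) inside the
    window, from the listed vendors, with a null or zero session ID, ordered by end time."""
    lo, hi = parse_ts(start), parse_ts(end)
    selected = [
        e for e in events
        if lo <= parse_ts(e["mrt"]) <= hi
        and e["device_vendor"] in vendors
        and not e["session_id"]  # None or 0, i.e. a base event
    ]
    return sorted(selected, key=lambda e: parse_ts(e["end_time"]))

def evaluate_rule(events, threshold):
    """Hypothetical rule (an assumption, not from the document): fire for every source
    address that appears at least `threshold` times in the replayed window."""
    counts = {}
    for e in events:
        counts[e["source_address"]] = counts.get(e["source_address"], 0) + 1
    return {addr: n for addr, n in counts.items() if n >= threshold}

RULE_HITS = evaluate_rule(replay_window(CAPTURED_EVENTS), threshold=2)  # {'10.0.0.5': 2}
```

Events 3, 4 and 5 are dropped for a non-zero session ID, a receipt time outside the window, and a vendor not in the list respectively, which is the same effect as the query's WHERE clause.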

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.

