SN120 ESM RULES
- Pavan Raja
- Apr 9
- 4 min read
Summary:
This document summarizes a Hewlett-Packard ArcSight presentation on rules in ArcSight Enterprise Security Manager (ESM), HP's SIEM. It opens with the usual forward-looking statements disclaimer: statements about future operations, product development and product availability are subject to uncertainties that could change outcomes significantly, and the information should not be relied on alone for purchasing decisions.
In ESM, rules evaluate incoming events against conditions and patterns, infer their significance, and take actions. Rules are either Simple or Join rules; each is defined by its own conditions, aggregation settings, actions and triggers.
The document covers the rule components: Conditions (built with Boolean logic), Aggregation (grouping matching events over a time window and over fields that must hold matching values, so that the rule fires on a count of events rather than on each one), Actions (pre-configured responses that run when the rule fires) and Triggers (which decide when the actions run, for example on the first matching event, on every event, or once per time unit).
It also stresses testing rules in a development environment before deploying them to production. It gives guidance on aggregation settings, covering the time window, the fields that must match and the number of events required, and recommends keeping rule complexity in line with the business need and the timing of the events being correlated. Advanced aggregation settings give finer control over when a rule fires, at the cost of more care in tuning.
The document also addresses building rules on the ArcSight event schema, using keywords and knowledge of the network topology to write several simple rules rather than one complex one. It underscores documenting use cases, understanding the business requirement, reusing stock content from ArcSight solution packages, continuing to learn through documentation and community sharing, and demonstrating rule creation in practice.
In summary, the document is a guide to configuring and managing rules in ArcSight ESM so that they detect threats effectively and efficiently while minimizing false positives and unnecessary alerts.
Details:
This document contains forward-looking statements about future operations, product development, and the availability of products. These are subject to various uncertainties and could change without prior notification. The information provided here reflects current predictions and expectations but may differ significantly from actual results due to technological, market, or other changes. It should not be relied upon for purchasing decisions.
The document discusses rules in HP ArcSight Enterprise Security Manager (ESM). Rules evaluate incoming events against specific conditions and patterns, infer significance from the match, and act on it. Rules run in real time and are activated by saving or linking them into the "Real-Time Rules" folder.
The rule components include:
1. Conditions - Define the set of events the rule looks for, combined with Boolean logic (AND, OR, NOT).
2. Aggregation - Groups matching events within a time window, optionally only when chosen fields hold matching values, so that the rule fires after a number of events rather than on each one. In Join Rules the events being grouped come from two or more condition sets.
3. Actions - Pre-configured responses that run when the rule fires.
4. Triggers - Define when the actions run: on the first matching event, on every matching event, or once per time unit, depending on the trigger chosen.
The main purpose of rules is to evaluate incoming events and act on predefined conditions. When an event satisfies the conditions, the rule fires, runs its configured actions, and produces a correlation event. The correlation event is itself a new event that the engine evaluates against the other rules.
Types of rules include:
1. Simple Rules - Match one or more events against a single set of conditions.
2. Join Rules - Match multiple events against two or more sets of conditions, correlating events across the sets.
In conclusion, rules are how ESM analyzes and responds to the real-time event stream, identifying and responding to potential threats through detailed condition definitions and aggregation settings.
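The Simple and Join rule behaviour described above, as an added example that is not part of the original presentation or of ESM itself: a toy engine evaluates a Boolean condition tree per event, keeps the first half of a join until its second half arrives within the join window, and feeds each correlation event back through the engine so that other rules can match it. The field names (name, categoryOutcome, attackerAddress, targetUserName, endTime) follow the ArcSight event schema; the login events, rule names and the five-minute join window are constructed for the example.

```python
"""Toy evaluation of ESM-style Simple and Join rules over a constructed event stream."""
from datetime import datetime, timedelta

# A condition is a small Boolean tree, mirroring the AND/OR/NOT editor in ESM:
#   ("eq", field, value) | ("and", [c1, c2, ...]) | ("or", [c1, ...]) | ("not", c)
def matches(cond, event):
    op = cond[0]
    if op == "eq":
        return event.get(cond[1]) == cond[2]
    if op == "and":
        return all(matches(c, event) for c in cond[1])
    if op == "or":
        return any(matches(c, event) for c in cond[1])
    if op == "not":
        return not matches(cond[1], event)
    raise ValueError(f"unknown operator {op!r}")

FAILED_LOGIN = ("and", [("eq", "name", "Login"), ("eq", "categoryOutcome", "/Failure")])
SUCCESS_LOGIN = ("and", [("eq", "name", "Login"), ("eq", "categoryOutcome", "/Success")])

class Engine:
    """Simple rules hold one condition set; join rules hold two, plus the fields and window to join on."""
    def __init__(self, simple_rules, join_rules):
        self.simple_rules = simple_rules   # [(rule_name, condition)]
        self.join_rules = join_rules       # [(rule_name, cond_a, cond_b, join_fields, window)]
        self.partial = {}                  # (rule_name, join_key) -> event that matched cond_a
        self.correlated = []               # every correlation event produced, in order

    def correlate(self, rule_name, base_events):
        # The correlation event carries its base events and the fields the rule keyed on.
        last = base_events[-1]
        ce = {"type": "Correlation", "name": rule_name, "endTime": last["endTime"],
              "attackerAddress": last.get("attackerAddress"),
              "targetUserName": last.get("targetUserName"), "baseEvents": base_events}
        self.correlated.append(ce)
        self.process(ce)                   # a correlation event is a new event for the engine
        return ce

    def process(self, event):
        for rule_name, cond in self.simple_rules:
            if matches(cond, event):
                self.correlate(rule_name, [event])
        for rule_name, cond_a, cond_b, join_fields, window in self.join_rules:
            key = (rule_name, tuple(event.get(f) for f in join_fields))
            if matches(cond_a, event):
                self.partial[key] = event  # first half of the join; wait for the second half
            elif matches(cond_b, event) and key in self.partial:
                first = self.partial.pop(key)          # consume the partial match either way
                if event["endTime"] - first["endTime"] <= window:
                    self.correlate(rule_name, [first, event])

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed timestamps

def login(t, outcome, src, user):
    # Constructed sample event using ArcSight schema field names.
    return {"name": "Login", "categoryOutcome": outcome, "attackerAddress": src,
            "targetUserName": user, "endTime": t}

SAMPLE_STREAM = [
    login(T0, "/Failure", "10.0.0.5", "alice"),
    login(T0 + timedelta(seconds=30), "/Success", "10.0.0.5", "alice"),  # inside the 5-minute join window
    login(T0 + timedelta(minutes=1), "/Failure", "10.0.0.9", "bob"),
    login(T0 + timedelta(minutes=10), "/Success", "10.0.0.9", "bob"),    # 9 minutes later: window missed
    login(T0 + timedelta(minutes=11), "/Success", "10.0.0.7", "carol"),  # no preceding failure
]

def run(events=SAMPLE_STREAM):
    """Returns the names of the correlation events fired, in firing order."""
    engine = Engine(
        simple_rules=[("Failed login", FAILED_LOGIN),
                      # Matches the join rule's correlation event: the feedback loop in action.
                      ("Escalate compromised account", ("eq", "name", "Failed then successful login"))],
        join_rules=[("Failed then successful login", FAILED_LOGIN, SUCCESS_LOGIN,
                     ["attackerAddress", "targetUserName"], timedelta(minutes=5))])
    for ev in events:
        engine.process(ev)
    return [ce["name"] for ce in engine.correlated]

if __name__ == "__main__":
    print(run())
```

Note the ordering of the output: the join rule fires on alice's second event, and the escalation rule fires immediately afterwards because the join's correlation event is evaluated like any other event. Bob's success arrives outside the join window, so no correlation event is produced for it.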
This part discusses aggregation in ESM rules: how to define aggregation for matching events by criteria such as the time window, the number of events required, and field uniqueness, selecting fields such as event name, attacker and target host names, addresses, domains and user names.
The text emphasizes testing new aggregation settings in a development environment before deployment, to ensure they perform as intended without consuming unnecessary resources or raising alerts through over-aggregation. It advises that aggregating on fields reduces noise from repetitive events but should be applied judiciously, based on the specific business need and the timing parameters of the events being correlated.
Advanced aggregation settings allow more nuanced control over when a rule fires, for example by evaluating the time at which events occur before triggering actions such as sending notifications or executing commands. This flexibility matters in complex security scenarios where a rapid response to threats is essential.
The text also outlines the action types available when a rule fires, including setting event fields, sending data to external systems, creating cases, and adding items to or removing items from lists. It highlights the trigger options "On First Event," "On Every Event," and "On Time Unit," which control how often the actions run as the rule fires.
In summary, this part is a guide to configuring and managing aggregation in ESM rules so that they respond to threats while minimizing false positives and unnecessary alerts. It underscores understanding business requirements when designing rules and recommends keeping conditions simple for easier management and scalability.
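The aggregation and trigger behaviour described in the preceding paragraphs, as an added example that is not part of the original presentation or of ESM: a toy aggregating rule counts failed logins per attacker and target user inside a two-minute window and fires once five have been seen, while the chosen trigger ("On First Event", "On Every Event" or "On Time Unit") decides how often the rule's action (recorded here as a notification tuple) actually runs. The field names follow the ArcSight event schema; the rule name, thresholds, one-minute time unit and the login events are constructed for the example.

```python
"""Aggregation and trigger semantics of an ESM-style rule over a constructed event stream."""
from collections import deque
from datetime import datetime, timedelta

def failed_login(ev):
    return ev.get("name") == "Login" and ev.get("categoryOutcome") == "/Failure"

class AggregatingRule:
    def __init__(self, name, condition, count, window, identical_fields, trigger, time_unit=None):
        self.name, self.condition = name, condition
        self.count, self.window = count, window            # fire after `count` events within `window`
        self.identical_fields = identical_fields           # only events agreeing on these fields aggregate
        self.trigger = trigger                             # "On First Event" | "On Every Event" | "On Time Unit"
        self.time_unit = time_unit
        self.groups = {}                                   # aggregation key -> timestamps still inside the window
        self.correlation_events = []                       # what the rule fired
        self.actions = []                                  # what the trigger made the action do
        self.unit_start, self.unit_count = None, 0

    def key(self, ev):
        return tuple(ev.get(f) for f in self.identical_fields)

    def process(self, ev):
        t = ev["endTime"]
        if self.trigger == "On Time Unit":
            self._advance_clock(t)
        if not self.condition(ev):
            return
        k = self.key(ev)
        q = self.groups.setdefault(k, deque())
        while q and t - q[0] > self.window:                # drop events that fell out of the time window
            q.popleft()
        q.append(t)
        if self.trigger == "On First Event" and len(q) == 1:
            self.actions.append(("notify", k, 1))          # once per fresh aggregation group
        elif self.trigger == "On Every Event":
            self.actions.append(("notify", k, len(q)))     # on every matching event: the noisiest choice
        elif self.trigger == "On Time Unit":
            self.unit_count += 1                           # batched; flushed by _advance_clock
        if len(q) >= self.count:                           # threshold met inside the window: the rule fires
            self.correlation_events.append({"name": self.name, "aggregatedEventCount": len(q),
                                            "key": k, "endTime": t})
            q.clear()                                      # start a fresh aggregation for this key

    def _advance_clock(self, t):
        # Emit one action per elapsed time unit, and only for units in which something matched.
        if self.unit_start is None:
            self.unit_start = t
        while t - self.unit_start >= self.time_unit:
            if self.unit_count:
                self.actions.append(("notify", None, self.unit_count))
            self.unit_count = 0
            self.unit_start += self.time_unit

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed timestamps

def login(seconds, outcome, src, user):
    # Constructed sample event using ArcSight schema field names.
    return {"name": "Login", "categoryOutcome": outcome, "attackerAddress": src,
            "targetUserName": user, "endTime": T0 + timedelta(seconds=seconds)}

SAMPLE_STREAM = sorted(
    [login(s, "/Failure", "10.0.0.5", "alice") for s in range(0, 70, 10)]                 # 7 tries, 10 s apart
    + [login(5, "/Failure", "10.0.0.9", "bob"), login(200, "/Failure", "10.0.0.9", "bob")]  # too far apart to aggregate
    + [login(70, "/Success", "10.0.0.7", "carol")],                                        # does not match
    key=lambda e: e["endTime"])

def run(trigger, events=SAMPLE_STREAM):
    """Returns (number of times the rule fired, list of actions the trigger caused)."""
    rule = AggregatingRule("Brute force login", failed_login, count=5, window=timedelta(minutes=2),
                           identical_fields=["attackerAddress", "targetUserName"],
                           trigger=trigger, time_unit=timedelta(seconds=60))
    for ev in events:
        rule.process(ev)
    return len(rule.correlation_events), rule.actions

if __name__ == "__main__":
    for trig in ("On First Event", "On Every Event", "On Time Unit"):
        print(trig, run(trig))
```

The rule fires exactly once regardless of trigger (alice's fifth failure within the window), but the action count differs: four notifications with "On First Event" (one per fresh group, including bob's second attempt after his first aged out of the window), nine with "On Every Event", and two batched notifications with "On Time Unit". That difference is the noise-versus-latency trade-off the presentation asks you to weigh against the business need.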
The final part gives guidelines for working with the ArcSight event schema: build several simple rules from keywords and knowledge of the network topology rather than one complex rule, document use cases and business requirements, reuse stock content from ArcSight solution packages, keep learning through the documentation and community sharing, and demonstrate rule creation in action.