SN16 ESM Rules

Summary:

This document is designed for software engineers working with ArcSight Event Correlation Module (ESM) rules. It explains the architecture and components of ESM rules, including their structure, conditions, aggregation methods, triggers, actions, audit events, correlation events, and rule chains. The primary purpose is to provide detailed information for enhancing functionality or troubleshooting issues related to these rules. ### Summary: - **Rule Structure**: Rules consist of events, conditions, aggregation, matching, triggers, actions, audit events, correlation events, and rule chains. - **Condition Matching**: Multiple conditions can match different types of events based on specific criteria. - **Aggregation Methods**: Use threshold-based methods to identify patterns across multiple events. - **Trigger Definition**: Triggers define when a rule should activate or fire, such as upon the first event, subsequent events, or reaching a threshold. - **Actions**: Actions involve modifying event fields, sending notifications, creating new cases, and executing various commands in response to triggering the rule. - **Audit Events**: Record actions taken by rules for auditing purposes. - **Correlation Events**: Track how events are correlated within a rule. - **Rule Chain**: Sequence of events leading to the activation of the rule, including base events and additional triggered chains based on thresholds or time windows. ### Key Components: - **Condition Matching** allows rules to match specific fields from different types of events (e.g., login attempts). - **Aggregation Engine Details** are configurable for both identical and unique field value aggregation with a threshold for triggering actions. - **Triggers and Actions** provide dynamic responses based on rule conditions, including sending alerts, creating cases, or terminating sessions. - **Audit Events** ensure transparency in decision making processes through records of actions taken by rules. - **Rule Chain** helps trace the sequence of events that led to a particular alert being triggered. This document is valuable for technical staff in cybersecurity operations to understand how ArcSight ESM rules work together to analyze and respond to complex security threats, optimizing performance with efficient memory usage and handling rule chaining effectively.

Details:

This document provides a deep dive into the architecture and components of ArcSight Event Correlation Module (ESM) rules, detailing their structure, conditions, aggregation methods, triggers, actions, audit events, correlation events, and rule chains. The primary purpose is to provide detailed information for software engineers working with these rules in order to enhance their functionality or troubleshoot issues. ### Structure of a Rule: 1. **Events**: The initial data points that are evaluated by the rule. 2. **Conditions**: Sets of criteria that determine if an event matches the rule's requirements. Multiple conditions can match different events. 3. **Aggregation**: Threshold-based aggregation to identify patterns across multiple events. 4. **Matching**: This involves correlating information from different events based on set criteria. 5. **Triggers**: Define when a rule should activate or fire, such as upon the first event, subsequent events, or reaching a threshold. 6. **Actions**: Define the response to triggering the rule, including modifying event fields, sending notifications, creating new cases, and executing various commands. 7. **Audit Events**: Records of actions taken by rules for auditing purposes. 8. **Correlation Events**: Track how events are correlated within a rule. 9. **Rule Chain**: A sequence of events that led to the activation of the rule, including base events and additional triggered chains based on thresholds or time windows. ### Key Components:

• **Condition Matching**: Each condition can match specific fields from different types of events (e.g., login attempts).

• **Aggregation Engine Details**: Configurable to aggregate data either by identical or unique field values, with a threshold for triggering actions.

• **Triggers and Actions**: Dynamic response based on the rule's conditions; triggers initiate actions like sending alerts, creating cases, or terminating sessions.

• **Audit Events**: Ensure transparency and accountability in decision making processes.

• **Rule Chain**: Helps trace the sequence of events that led to a particular alert being triggered.

This document is crucial for understanding how ArcSight ESM rules work together to analyze and respond to security threats by correlating multiple data points from various sources, which is particularly valuable for technical staff in cybersecurity operations. The text provided appears to be a technical overview of a cybersecurity system, likely from ArcSight, discussing the structure and functioning of rules within their platform. Here's a summarized breakdown of the key points discussed in the text: 1. **Rule Chain Configuration**: A rule is set up with specific parameters such as a threshold (3 in this case), aggregation time window (1 minute), and triggers activated for events based on thresholds, time units, and expiry of the time window. 2. **Partial Matching Rules**: The system supports two types of rules - Filter Rule (single alias) and Join Rule (multiple aliases). Events can either partially or fully match these rules depending on whether they meet the criteria specified by the rule aliases. 3. **Filter Rule Example**: This type of rule is used to identify events like multiple failed logins in a minute from the same source, across different systems (UNIX/Windows). The example shows how such rules are configured and matched within the system. 4. **Join Rule Example**: Join rules correlate two or more distinct types of events, for instance, correlating an attempted brute force attack with a successful login to identify potential security breaches more comprehensively. This type of rule requires more memory due to partial match maintenance and tracking unmatched events in time windows. 5. **Time Constraints**: Rules have parameters such as aggregation time (time to wait for specified number of matches) and alias expiration time (how long partially matched events are kept in memory). These constraints impact both the performance and resource usage of the rule engine. 6. **Rule Engine Functionality**: The rule engine processes incoming security events against deployed rules, storing them in a working memory which is then processed by aggregation engines to recognize patterns from repetitive events (e.g., five failed logins triggering an alert). 7. **Aggregation and Memory Usage**: Rule aggregation helps identify patterns of repetitive events. However, excessive aggregation cells can increase memory usage, leading to performance issues. The system supports unique set aggregation as well, which is useful for capturing widespread problems not just based on matching values but also by uniqueness (e.g., identifying computer viruses affecting different machines). 8. **Performance Considerations**: To avoid overloading the system with excessive rule firings, considerations should be given to gated aliases and batch processing of events. This overview provides a technical insight into how cybersecurity rules are configured, matched, aggregated, and managed within ArcSight's platform to detect potential security threats effectively while considering performance implications. This document discusses various aspects related to rule matching, aggregation, memory usage, chaining (recursive rules), excessive firing, negated aliases, batched replay with schedules in the context of a security system called ArcSight. Here's a summary of its key points: 1. **Rule Matching Details**: The text explains that when conditions for events are set too loosely (e.g., rule having relaxed conditions) or triggers are not defined well, it can lead to excessive firing where a single rule might trigger repeatedly due to correlated alerts, potentially causing multiple firings in a loop if they form a recursive cycle. 2. **Rule Aggregation Details**: Excessive rule firing and recursion are identified using audit events, with the involved rules being temporarily deactivated or cut off from loops once recognized. This includes handling situations like denial of service attacks where rules might fire too frequently, which can be mitigated by defining appropriate triggers for different stages (start, ongoing notification, end) of an attack. 3. **Memory Aspects of Rule Matching and Aggregation**: The document highlights the importance of memory management in rule matching to ensure efficient processing without overloading system resources. It suggests using negated aliases in join rules to take action on missing events, which helps identify situations where expected triggers are not met. 4. **Rule Chains (Recursive Rules)**: Recursive rules can form a loop causing mutual firing among multiple rules. The text provides strategies for dealing with this by cutting off the chain of firings from triggering events that cause recursion. 5. **Avoiding Excessive Rule Firings**: Measures to handle long-running attacks include defining triggers at different stages (first threshold, periodic notifications during the attack, and notification when an attack ends) rather than firing on every event or every threshold. This helps in managing excessive rule firings effectively. 6. **Use of Negated Aliases**: These are used to take action when expected events do not occur, such as using negated aliases in rules that require a sequence of events where one must happen before the other (e.g., server console login requiring a badge scan). 7. **Batched Replay and Schedules**: Rules can be configured to process either real-time data or historical data in batches. The text discusses how scheduled replay tasks run on events with end times within specific time periods, allowing for the execution of rules over extended periods while managing performance through event filtering. 8. **Summary**: The document concludes by summarizing key points discussed throughout, including rule matching details, aggregation methods, memory usage in rule processing, handling excessive firing, using negated aliases, and batched replay with schedules. This summary provides a comprehensive overview of how these aspects are considered and implemented within the system to improve performance and accuracy in event detection and response.