Wednesday, August 13, 2014

ArcSight Rules

Resources Needed:
  • Active Channel
  • Active List
  • Rule
  • Notification
There used to be an example of this in the default content of ESM.  Hopefully, it is still there.
Example Use Case (from reader):
Observe an external computer scanning and set its priority to 1.  Observe a priority 1 computer attempt an exploit and set its priority to 2.  Observe a successful exploit or C2 traffic from the target and ring a siren and blink a red light.
Basic solution:
  1. Create an Active List (AL) called “Suspicious External Hosts” that keeps track of at least Source IP and Source Zone URI.  Set TTL on AL to something reasonable for your organization.  Could be one hour; could be 30 days.
  2. Create a rule with your definition of “scanning” with an Action of “Add to Active List”.   Put the source IP in the “Suspicious External Hosts” AL.  Include a condition that the source IP is NOT already in the AL, so the rule does not fire repeatedly for the same host.
  3. Create an Active List called “Malicious External Hosts” just like “Suspicious External Hosts” in Step 1.
  4. Create an Active List called “Targeted Internal Hosts” just like “Suspicious External Hosts” in Step 1.
  5. Create a Rule looking for an attempted exploit or attempted unauthorized access.
  6. Include a condition that the Source IP of this event be in the Suspicious AL.   Add an Action of “Add to Active List”.  Put the source IP in the “Malicious External Hosts” AL.  Add a second Action of “Add to Active List”.   Put the Destination IP into the “Targeted Internal Hosts” AL.
  7. Create a rule looking for C2 traffic with a condition that the source IP be in the “Targeted Internal Hosts” AL.  Add an Action of Notification which will send you an email when the rule fires.
  8. Same as Step 7 except looking for successful exploit instead of C2 traffic for the condition.
  9. Create one or more active channels that filter on the Name field and look for the names of the Rules created above.  Your analysts can either watch this channel to be proactive or wait for the notifications to come in.  It really depends on their workload.
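An in-memory model of the Active List chain from Steps 1 through 8, added here as an illustration rather than code from the original post: each list is an IP-to-expiry map with a TTL, the scanning rule carries the “NOT in AL” condition so it fires once per host, and the event shape (`kind`, `src`, `dst`, `time`) is a constructed stand-in for the ESM event categories a real rule would match on.

```python
from dataclasses import dataclass, field


@dataclass
class ActiveList:
    """Minimal stand-in for an ESM Active List: IP -> expiry time, aged out by TTL."""
    ttl: float
    entries: dict = field(default_factory=dict)

    def add(self, ip, now):
        self.entries[ip] = now + self.ttl

    def contains(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None or expiry <= now:  # absent, or aged out by TTL
            self.entries.pop(ip, None)
            return False
        return True


def run(events, ttl=3600):
    """Replay constructed events through the rule chain; return the rule names that fired, in order."""
    suspicious = ActiveList(ttl)  # Step 1: "Suspicious External Hosts"
    malicious = ActiveList(ttl)   # Step 3: "Malicious External Hosts" (populated, not read by any rule here)
    targeted = ActiveList(ttl)    # Step 4: "Targeted Internal Hosts"
    fired = []
    for ev in events:
        kind, src, dst, now = ev["kind"], ev["src"], ev["dst"], ev["time"]
        # Step 2: scanning, with "NOT in AL" so the rule does not re-fire for every scan packet
        if kind == "scan" and not suspicious.contains(src, now):
            suspicious.add(src, now)
            fired.append("Scanning Host Detected")
        # Steps 5-6: attempted exploit / unauthorized access from a host already in the Suspicious AL
        elif kind == "exploit_attempt" and suspicious.contains(src, now):
            malicious.add(src, now)
            targeted.add(dst, now)
            fired.append("Exploit Attempt From Suspicious Host")
        # Steps 7-8: C2 traffic or a successful exploit from a host in the Targeted AL -> notification
        elif kind in ("c2", "exploit_success") and targeted.contains(src, now):
            fired.append("Notify: %s from targeted host" % kind)
    return fired


if __name__ == "__main__":
    # Constructed sample: scan, repeat scan (suppressed), exploit attempt, then C2 from the target.
    sample = [
        {"kind": "scan", "src": "203.0.113.5", "dst": "10.0.0.7", "time": 0},
        {"kind": "scan", "src": "203.0.113.5", "dst": "10.0.0.8", "time": 10},
        {"kind": "exploit_attempt", "src": "203.0.113.5", "dst": "10.0.0.7", "time": 20},
        {"kind": "c2", "src": "10.0.0.7", "dst": "198.51.100.9", "time": 30},
    ]
    print(run(sample))
```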
Closing Tips
I would personally add another Active List and AL condition for Steps 7 and 8 to do what I call “throttling” to prevent the rule from firing excessively.   I’ll write about throttling rules later if anyone is interested.  Essentially, it uses the SIEM’s intelligence to prevent the “Boy Cried Wolf” syndrome and the reason for so many ignored email alerts in IT.
Make sure every field you use in the Condition tab is added to the Aggregation tab in the Rule.  Otherwise, the Rule will never fire.  Wish I had a dollar for every time I made that mistake.

Tuesday, March 27, 2012

How can I backup the complete data from the container so that the restore is successful?

Using the default "Backup Files" repository to back up my container only captures the agent.properties file and the agent.wrapper.conf file. As a result, SmartConnectors that need certs, parser overrides, map files, etc., are not restored successfully.

How can I backup the complete data from the container so that the restore is successful?


By default, the "Backup Files" Repository has the following regular expressions:

Download

Exclude regular expression : (agentdata/ |cwsapi_fileset_).*$

Upload

Delete exclude regular expression: (agentdata/ | agent.wrapper.conf | cwsapi_fileset_).*$

These regular expressions cause the necessary SmartConnector files (certs, parsers, etc) to not be copied over to the container backup.

Workaround:

Create a new Repository and do not include the "exclude regular expression" for either the Download or the Upload section, as follows:

1. From the Connector Appliance UI, go to Setup > Repositories

2. Select New Repository

3. Enter the Name, Display Name, Item display name and Filename Prefix

4. Save the created Repository.

What is ArcSight Connector Appliance?

Connector Appliance in a nutshell is a self-contained, hardened appliance with:

1. Connector Software
SmartConnectors are pre-installed and are constantly running in their own 'Container'. Even without any configured connectors, they continue to run in their own Java memory space.

2. Connector Management functionality (web process)
A GUI that allows SmartConnectors to be locally and remotely managed, including configuration and monitoring of the processes.

Capabilities:

• Centralized management and full control of local, remote and software connectors
• Wizard based interface designed to automate common management tasks

There are three main types of appliance models: C1x00, C3x00, and C5x00.

For more information, refer to the Connector Appliance Release Notes (for platform changes and updates) and the Connector Appliance Administrator Guide.

I need to restore a Connector Appliance from an Appliance Backup. What are the requirements and how do I perform the restore?


Sometimes you need to completely reconfigure a Connector Appliance using an Appliance Backup. This can occur if you had to RMA your Connector Appliance and want to restore the entire configuration from your backup to this new Connector Appliance.

Important Notes:

For a successful restore, the following conditions must be met:

1. The backup file must be taken from a Connector Appliance which has the same number of onboard containers as the Connector Appliance to which you are restoring.

Examples:

A C1000 has only 1 container, while a C5200 has 8 containers, thus a backup from a C1000 to a C5200 will fail.

However, a C5000 appliance and a C5200 both have 8 containers, thus the backup will succeed.

2. The Connector Appliance versions must be the same on both source and destination Connector Appliances.

3. The hostname must be the same on both source and destination Connector Appliances.

Resolution:

1. Create an Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Backup

c. Enter the parameters and click Save.

d. The backup file created is named configs.tar.gz.

2. Ensure that the hostname on the Connector Appliance you are restoring to is the same as the hostname from the Connector Appliance where the backup was created.

Note: If you still have access to the Connector Appliance where the backup was created, check the file /etc/sysconfig/network and compare the value for hostname (see example below) to that found in the same file on the Connector Appliance you are restoring to.

Example:

HOSTNAME=

3. Restore the Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Restore

c. Click Browse and navigate to the location where you have stored the configs.tar.gz file

d. Click Upload.

4. If after restoring from the backup, the Web GUI is not available, modify /etc/sysconfig/network to reflect the correct HOSTNAME value.

We are getting slow response from UI on the Connector Appliance; all of the pages take long time to load or refresh.

This issue can often be caused by a mismatch between the hostname recorded in the 'hosts' file on the appliance and the actual hostname set via the UI.

A mismatch can cause local hostname lookup errors, which in turn can cause severe delays when accessing certain features of the UI. The same mismatch can also cause failures to generate and upload the Container SSL certificate to the UI after restoring a Container, leaving the Container unreachable or un-configurable.

Resolution:

1. View the Setup > System Admin > Network tab. Note the System Hostname string configured.

2. View the Setup > System Admin > Network > Hosts tab. Confirm that the hostname listed in System Hostname, as you observed in Step 1, is listed.

3. If the System Hostname is not listed in the Hosts tab, add an entry for it and click Update File.
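The same check, scripted, as an added example that is not from the original article: it reads the HOSTNAME value from /etc/sysconfig/network text (the file the restore procedure above also compares) and confirms that name, or its short label, appears as a hostname or alias in /etc/hosts text. The two sample file contents below are constructed; on an appliance you would pass the real file contents instead.

```python
import re

# Constructed sample contents standing in for the two files on the appliance.
SAMPLE_NETWORK = "NETWORKING=yes\nHOSTNAME=conapp01.example.com\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 conapp-old.example.com  # stale entry\n"


def sysconfig_hostname(network_text):
    """Return the HOSTNAME= value from /etc/sysconfig/network text, or None if unset."""
    for line in network_text.splitlines():
        match = re.match(r'HOSTNAME=["\']?([^"\']*)["\']?$', line.strip())
        if match:
            return match.group(1).strip() or None
    return None


def hosts_names(hosts_text):
    """Return every hostname and alias declared in /etc/hosts text (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then split on whitespace
        if len(fields) >= 2:                     # an address followed by one or more names
            names.update(fields[1:])
    return names


def check_hostname_consistency(network_text, hosts_text):
    """Mirror Steps 1-3: return (ok, message) for the configured hostname vs. the hosts file."""
    host = sysconfig_hostname(network_text)
    if not host:
        return False, "no HOSTNAME set in /etc/sysconfig/network"
    names = hosts_names(hosts_text)
    short = host.split(".", 1)[0]
    if host in names or short in names:
        return True, "%s is present in /etc/hosts" % host
    return False, "%s is missing from /etc/hosts; add an entry and click Update File" % host


if __name__ == "__main__":
    ok, message = check_hostname_consistency(SAMPLE_NETWORK, SAMPLE_HOSTS)
    print("OK" if ok else "MISMATCH", "-", message)
```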

What commands are available under the ArcSight appliance Console?

From the console or DRAC, you see this prompt:

ArcSight Platform Console
Login:

Use the same login credentials as you use to access the web GUI (e.g., log in as admin).

Type 'help' to get a list of possible commands:

System Command Description
help Prints this help
halt Halts and powers off the Appliance
reboot Reboots the Appliance
exit Exits (restarts) the CLI
show admin Shows Default Administrator Name
show config Shows Appliance Configuration
show date Shows current date
set date Sets current date
show defaultgw Shows Default Gateway for the interface
set defaultgw Sets Default Gateway for the interface
show dns Shows DNS Configuration
set dns Sets DNS Configuration
show hostname Shows Host Name
set hostname Sets Host Name
show ip Shows Ip Addresses of Network Interfaces
set ip Sets IP Address of Network Interface
set password Sets the password for this account
show sslcert Shows SSL Server Certificate
reset sslcert Installs/restarts https with temporary certificate
restart sslcert Restarts https server
diag sslcert Displays the SSL connection
show status Shows System Configuration

Use Shift+PageUp and Shift+PageDown to page up/down in the list.

How many of the suffixes listed will be used by the SmartConnector for DNS resolution?

When entering suffixes on the Setup > Network > DNS > Search Domains page on Connector Appliance running v6.1, only the first 6 search domains listed are used by the SmartConnectors for DNS resolution.

Any additional search domains added beyond the first 6 are not used for resolution by the DNS server.

Workarounds:

Depending on how many entries you have, there are a few options to work around this limitation:

1. Place the short names into /etc/hosts on the appliance.

2. Use fully-qualified names.

3. Create a 'virtual' domain to hold all the short names and re-configure DNS servers for that virtual domain to forward accordingly.

Note: For more information on virtual domains and forwarding, refer to the following site:

http://www.linuxquestions.org/questions/linux-general-1/resolv-conf-search-limited-to-six-725254/