EdgeSeven_Device_Status_Monitoring_User_Guide_v0.1.pdf
Security Situational Awareness EDGESEVEN.COM  
Device Status Monitoring Content Pack

User Guide

v 0.1 Beta

© 2011 Secmon Ltd, trading as EdgeSeven

This document may not be copied, modified, shared or released without prior consent of the author. Permission may be sought from the author in writing to: EdgeSeven, Wyche Innovation Centre, Walwyn Road, Malvern, WR13 6PL


1. Description

The success of any SIEM system relies on receiving events from the in-scope source devices and servers. Without events, the SIEM platform is effectively useless. Part of setting up a good SIEM system is creating mechanisms to ensure that these events are actually received, and the most effective way to do this is to use the Device Status Monitoring (DSM) capability built into the ArcSight platform.

This content pack uses the DSM capability to track and alert on any event sources that stop sending events, so that you can take the appropriate action to re-establish the event flow. The pack also contains mechanisms to detect servers and devices that have potentially been removed from the network.

2. How the Content Pack Works with DSM

DSM is a piece of functionality within the connector framework. It has a single parameter, “Enable Device Status Monitoring”, which is measured in milliseconds and is found under the “Processing” section of the connector's Default settings tab (see below).

This parameter controls how often the connector reports on the devices it is seeing events from. The report event is identified by “deviceEventClassId = agent:043” and contains a vital piece of information called Events Since Last Check (SLC). The SLC value tells us how many events the connector has received from the device since the last check, where the check interval is the configured time window (in the example above, every 30 minutes).


If the value is not zero, the connector has seen events (the value being the number of events seen) from the respective device within the time window. If the value is zero, we can assume that the connector has not received any events from the device within the time window, indicating a possible feed issue.

The DSM setting is a global value: the time value set applies to all devices reporting to that connector, whether they send only a few events per day or stream at high EPS rates. This makes it a challenge to work out the best single time window for all devices without generating too many false positives.

Rather than having to configure and constantly tune all the connectors with differing times, the EdgeSeven DSM pack uses active lists and asset categorisation to control the time window, easing your overall administration. You simply configure a standard time on all connectors (30 minutes is recommended) and then tune the active list Time To Live (TTL) per device class accordingly.

The other content in the pack controls which hosts are monitored and alerted on, and provides useful administration reports and dashboards.

3. Compatibility

The content pack was developed on a version 5, service pack 2 system and should be installed onto a system with the same version. It should, however, be possible to install this pack on any version 5 system, but it should be tested first.

4. Requirements

To be able to install and use the content pack you will need the following:

• ArcSight ESM version 5 service pack 2 (the package should work on any version 5 system)

• Access to an ESM console

• ESM account with privileges to install and modify content packs

• Valid ArcSight ESM license

• List of all devices to be monitored

5. Files Included

The following files are included with the package:

• Device Status Monitoring Content Pack v1.0.0.0.arb

• Asset Import Template for use with the “Console Network Model Wizard”

• Asset Import Template for use with the “Asset Import Connector”

6. Feedback

For any bugs or feature requests please email [email protected]


7. Downloading

The content pack is available from our website at http://www.edgeseven.com/resources.html

8. Additional Resources

Please have a look at our other resources for tools, tips and techniques:

Twitter → https://twitter.com/#!/Edge_Seven

EdgeSeven Videos → https://www.youtube.com/user/EdgeSevenVideo/videos

Total SIEM Blog → https://totalsiem.blogspot.com

Facebook → https://www.facebook.com/pages/EdgeSeven/123138681100924

9. Installing the Content Pack

Step 1: Open up a console and in the navigator select the Packages tab.


Step 2: Click Import and browse to the content pack.

Step 3: Click Next; the package will begin to install.


Step 4: Click OK. The pack should now be installed and visible in the navigator tree.

Step 5: Note that the rules are automatically linked into the “Real-Time Rules” folder.


10. Configuring the Content Pack

Step 1: Import and/or tag your existing assets with the corresponding asset category (see below). Use “Streaming” for event sources that constantly send events and “Batch” for sources that send events at pre-defined intervals.

• /All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Batch

• /All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Streaming

Note 1: The pack contains sample asset import templates for use with the Asset Import Connector and the Console Network Model Tool. Please refer to the respective documentation of each for further information and usage.

Note 2: The necessary categories can also be applied at the group (folder) level. Any assets under that group will then inherit the categories applied to it.


Step 2: Set up the respective connectors to use Device Status Monitoring. This needs to be done for every connector that processes events from in-scope devices. To configure, double click the respective connector in the navigator and then select the “Default” tab. Under the “Processing” sub-section alter the “Enable Device Status Monitoring” parameter to suit. Note that the time must be entered in milliseconds. Click Apply when done. A good value to start with is every 30 minutes (1800000 milliseconds). This means that the connector will report on all devices sending events every 30 minutes (this can be changed at a later stage if needed). Once the setting has been configured, restart the connector.


Step 3: Configure the Time To Live (TTL) for the active lists. This only needs to be done if you would like to increase or decrease the alert notification period. For example, you can change the TTL of the “Streaming Devices” active list to 1 hour to be alerted if any streaming device has not sent any events for a 1-hour period. The default TTLs are as follows:

• Batch Devices = 25 hours

• Devices Not Reporting = 7 days

• Devices Potentially Removed From Network = Indefinite (admin should delete entries)

• Streaming Devices = 2 hours

Navigate to /All Active Lists/EdgeSeven/System Monitoring/Devices/Device Status Monitoring. To configure, double click the respective active list, alter the TTL values, then click Apply.

Step 4: Enable notifications on the respective rules to receive alerts should a host stop sending events. Navigate to /All Rules/EdgeSeven/System Monitoring/Devices/Device Status Monitoring. To configure, double click on “Device Not Reporting” and select the “Actions” tab. Right click “Send Notification” and select “Enable Action”. You can also change the destination by right clicking, selecting “Edit” and then selecting the appropriate “Destination Group” from the drop-down menu. Do the same for “Device Potentially Removed From The Network”.
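The following is an added example, not part of the EdgeSeven pack or this guide, that models the mechanism described in section 2 and in configuration steps 2 and 3: a connector emits an agent:043 event per device every 30 minutes, a non-zero Events Since Last Check refreshes the device's entry in the Streaming or Batch Devices active list, and expiry from that list (TTL 2 h / 25 h) then from Devices Not Reporting (TTL 7 days) is what the two alerting rules fire on. The DSM events are constructed using the field names from troubleshooting question 3; the host names, the asset categorisation, the endTime field and the assumption that a recovered device is cleared from Devices Not Reporting are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed DSM (agent:043) events use the field names listed under
# troubleshooting question 3; endTime and the host names are assumed here.
DSM_CHECK = timedelta(minutes=30)                        # step 2: 1800000 ms
TTL = {"Streaming": timedelta(hours=2), "Batch": timedelta(hours=25)}  # step 3 defaults
NOT_REPORTING_TTL = timedelta(days=7)                    # Devices Not Reporting default
CATEGORY = {"fw01": "Streaming", "backup01": "Batch"}    # assumed asset categorisation

def is_dsm_event(ev):
    # The active-channel filter from troubleshooting question 1.
    return ev.get("deviceEventClassId") == "agent:043" and ev.get("deviceVendor") == "ArcSight"

class DsmTracker:
    """Models the pack's three active lists and its two alerting rules."""
    def __init__(self):
        self.sending = {}        # host -> expiry in the Streaming/Batch Devices lists
        self.not_reporting = {}  # host -> expiry in Devices Not Reporting
        self.removed = set()     # Devices Potentially Removed From Network (no TTL)
    def ingest(self, ev):
        host, cat = ev["attackerHostName"], CATEGORY.get(ev["attackerHostName"])
        # Ignore non-DSM events, uncategorised assets and checks with SLC == 0.
        if not is_dsm_event(ev) or cat is None or ev["deviceCustomNumber2"] == 0:
            return
        self.sending[host] = ev["endTime"] + TTL[cat]   # refresh the entry's TTL
        self.not_reporting.pop(host, None)              # assumed: recovery clears the alert list
    def expire(self, now):
        # Expire entries whose TTL has passed and return the rule firings.
        fired = []
        for host, exp in list(self.sending.items()):
            if exp <= now:
                del self.sending[host]
                self.not_reporting[host] = now + NOT_REPORTING_TTL
                fired.append(("Device Not Reporting", host))
        for host, exp in list(self.not_reporting.items()):
            if exp <= now:
                del self.not_reporting[host]
                self.removed.add(host)
                fired.append(("Device Potentially Removed From Network", host))
        return fired

def run_scenario(days=8):
    """fw01 streams for one hour then goes silent; backup01 reports once a day at 02:00."""
    t0, tracker, fired = datetime(2011, 1, 1), DsmTracker(), []
    for i in range(days * 48):                           # one DSM check every 30 minutes
        now = t0 + i * DSM_CHECK
        fw_slc = 500 if now < t0 + timedelta(hours=1) else 0
        backup_slc = 20 if (now.hour, now.minute) == (2, 0) else 0
        for host, slc in (("fw01", fw_slc), ("backup01", backup_slc)):
            tracker.ingest({"deviceEventClassId": "agent:043", "deviceVendor": "ArcSight",
                            "attackerHostName": host, "deviceCustomNumber2": slc, "endTime": now})
        fired += [(now.isoformat(), rule, host) for rule, host in tracker.expire(now)]
    return fired
```

Running the scenario shows why the TTLs matter: fw01 is reported not reporting at 02:30 (last non-zero check at 00:30 plus the 2-hour streaming TTL) and potentially removed seven days later, while backup01, whose daily batch sits comfortably inside the 25-hour TTL, never raises an alert.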


11. Content Overview

The table below lists all the content used within the package along with its description.

ACTIVE LISTS → /All Active Lists/EdgeSeven/System Monitoring/Devices/Device Status Monitoring

Batch Devices: List of all devices currently sending events in batch mode

Devices Not Reporting: List of devices that are currently not sending events

Devices Potentially Removed From Network: List of devices that have not sent events for 7 days (this is configurable)

Streaming Devices: List of devices currently sending events in stream mode

ASSET CATEGORIES → /All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring

Batch: Used to define batch devices

Streaming: Used to define streaming devices

DASHBOARDS → /All Dashboards/EdgeSeven/System Monitoring/Devices/Device Status Monitoring

Device Status Overview: Graphical view of hosts that have stopped sending events

FILTERS → /All Filters/EdgeSeven/System Monitoring/

Device Status Monitoring - Exclusions: Used for rule conditions

FILTERS → /All Filters/EdgeSeven/Vendor Events

ArcSight Base Events: Used for rule conditions

QUERIES → /All Queries/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Query Viewers

Devices Not Reporting: Used for query viewers

Devices Potentially Removed From Network: Used for query viewers

QUERIES → /All Queries/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Reports

Devices Not Reporting: Used for reporting

Devices Potentially Removed From Network: Used for reporting

QUERY VIEWERS → /All Query Viewers/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/

Devices Currently Not Reporting: Shows all hosts that are not sending events

Devices Potentially Removed From Network: Shows all hosts that have potentially been removed from the network

REPORTS → /All Reports/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/

Devices Currently Not Reporting: Shows all hosts that are not sending events

Devices Potentially Removed From Network: Shows all hosts that have potentially been removed from the network

RULES → /All Rules/Real-time Rules/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/

Batch Device Sending Events: Controls which hosts are added to the Batch Devices active list

Device Not Reporting: Fires when a device expires from either the Batch Devices or the Streaming Devices active list

Device Potentially Removed From Network: Fires when a device expires from the Devices Not Reporting active list

Streaming Device Sending Events: Controls which hosts are added to the Streaming Devices active list


12. Troubleshooting

The following section discusses common questions and issues encountered when using the content pack.

1. How do I find Device Status Monitoring events?

The easiest way to find DSM events is to open an Active Channel and add a filter where “deviceEventClassId = agent:043 and deviceVendor = ArcSight”.

2. I’m not seeing any devices in the Streaming/Batch active list?

The most common cause is that the device details the agent is reporting on don’t match the imported asset. This is especially true for multi-homed devices. To verify, find the corresponding DSM event (see issue 1) and double click the event to open it in the “Event Inspector”.

Browse down to the “Attacker” section. The “Attacker Asset ID” field should be populated with an asset ID and should be blue in colour (if no value is present, then the device is not associated with an asset).

Double click on “Attacker Asset ID” and it should open the corresponding asset in the Inspect/Edit panel. Select the Categories tab for the device and ensure that it has the appropriate categories applied.


3. What fields are relevant within the DSM event?

deviceEventClassId → Used to find the events (value = agent:043)

attackerHostName → Hostname of the device the events were received from

attackerAddress → IP address of the device the events were received from

deviceCustomNumber1 → Number of events received by the connector since last start

deviceCustomNumber2 → Number of events received by the connector since last check

deviceCustomString1 → Vendor of the device the events were received from

deviceCustomString2 → Product of the device the events were received from

4. Why is the ArcSight vendor/product excluded from being monitored?

The connector generates events itself (start/stop, etc.) and thus counts itself as a source device and sends DSM information for itself.

13. Known Issues

None

14. Disclaimer

This software is provided by EdgeSeven “as is” and any express or implied warranties are disclaimed. In no event shall EdgeSeven be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
