Wednesday, October 20, 2010

SIEM dashboards and what time slices you use to display data

This isn’t what I was going to post, but I’m still toying with that one. There are some discussions, topics, and people that make me just a lil frustrated and full of hate, so instead of possibly tipping my hand too far I’ll divert and post this, since it seems like forever since I have posted anything. Lots going on at work and at home (I know I’m unique there, right?).

One of the challenges of being in a smaller shop is having tools but maybe not having them open all the time. Anyone in a smaller shop have their SIEM console open all day while at work? One thing I struggle with for dashboards covering things like firewall drops or failed logins is what timeframe the information should cover. If you aren’t looking at the dashboard but once a day, having it focus on the last hour’s events doesn’t make a whole lot of sense to me. One option is to have the timeframe cover midnight to the current time. Another, maybe more common(?), is to cover all of yesterday. The third is a continuously rolling timeframe of, say, the last 24 hours. All have their strengths. Ideally you would have a multi-column approach where the first column shows the current count going back however far you like, with subsequent columns covering previous time slices: last hour, previous 24 hours, average per day over the last week, for example. This would allow for a quick visual on a rise or fall relative to its own average. That’s a little beyond tricky to do in ArcSight (or other/many/some/lots of other SIEMs).

In the meantime, one thing you can do if you have ArcSight ESM 4.5 or beyond is develop these sorts of dashboards to cover whatever time slice ya please, and then develop and link a series of query viewers to break up those counts by hour over the last 24 hours. That quick drill-down capability would at least allow you to dive into what is otherwise just a number.

I would be curious how others have tackled this.
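As an added illustration (not code from the post or from ArcSight), here is the multi-column idea worked out in Python over constructed failed-login timestamps: counts for the last hour, the previous 24 hours, the same hour a day earlier (the like-for-like slice the comments below argue for), and the weekly per-day average, with the current slice expressed relative to its own baseline. The timestamps, the 10-per-hour baseline and the burst in the last hour are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs): the moment the analyst opens the
# dashboard, plus one week of failed-login timestamps with a burst in the
# last hour.
NOW = datetime(2010, 10, 20, 15, 30)

def sample_failed_logins(now=NOW):
    events = []
    for h in range(1, 7 * 24 + 1):             # steady 10 per hour, 7 days back
        hour_start = now - timedelta(hours=h)
        events += [hour_start + timedelta(minutes=6 * k) for k in range(10)]
    events += [now - timedelta(minutes=m) for m in range(1, 51, 2)]  # 25 extra
    return events

def count_between(events, start, end):
    """Events with start <= ts < end (half-open, so adjacent slices never overlap)."""
    return sum(1 for ts in events if start <= ts < end)

def dashboard_row(events, now=NOW):
    """One dashboard row: current slice, comparison slices and the baseline."""
    hour, day = timedelta(hours=1), timedelta(days=1)
    week_total = count_between(events, now - 7 * day, now)
    row = {
        "last_hour": count_between(events, now - hour, now),
        "last_24h": count_between(events, now - day, now),
        "prev_24h": count_between(events, now - 2 * day, now - day),
        # like-for-like slice: the same hour of the day, 24h earlier
        "same_hour_yesterday": count_between(events, now - day - hour, now - day),
        "avg_per_day_7d": week_total / 7,
        "avg_per_hour_7d": week_total / (7 * 24),
    }
    # relative change versus the slice's own baselines
    row["hour_vs_avg"] = row["last_hour"] / row["avg_per_hour_7d"]
    row["hour_vs_yesterday"] = row["last_hour"] / max(row["same_hour_yesterday"], 1)
    return row

def render(row):
    """Flatten the row into the side-by-side columns a dashboard would show."""
    cols = ["last_hour", "same_hour_yesterday", "last_24h", "prev_24h", "avg_per_day_7d"]
    return " | ".join(f"{c}={row[c]:.1f}" for c in cols)

if __name__ == "__main__":
    r = dashboard_row(sample_failed_logins())
    print(render(r))
    print(f"last hour is {r['hour_vs_avg']:.1f}x the weekly hourly average")
```

With the constructed burst, the last-hour column alone is just a number (35); set beside the same hour yesterday (10) and the weekly hourly average (about 10), it reads as a roughly 3.5x rise.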

2 comments:

  1. Hi Mark,

    Interesting blog so far. Actually I would choose to work with query viewer and trends for this kind of purpose. The advantage is that the load on the system is mainly due to the trend but, after that, you can use a lot of different views with the query viewer without adding a lot of extra load.

    The QV also gives you a lot more flexibility than the dashboard thanks to the drilldown. You will also be sure to get accurate results over a long period of time (a manager restart could make you lose the information stored in your Data Monitor).

    Finally, the QV will allow you to work with baselines, which might be very interesting to detect unusual changes in your network behavior.

    Your idea regarding the breakdown for the last 24 hours is interesting, but you must compare what can be compared. For instance, you shouldn't compare an hour of activity between 2-3:00 pm with an hour of activity between 2-3:00 am. So if you want to make an accurate comparison you should compare the same timeframe between different days. Personally I would also choose a timeframe of 4-6 hours per view instead of a 1 hour view. This will make the content building and display easier and make the comparison more reliable (too small a timeframe always shows a lot of difference when compared).

    HTH
    Keep on posting
    Gaetan

  2. Gaetan,

    Thanks for stopping by and posting a comment! Sorry for my own delayed response. I totally agree with you on using QVs. In fact, I haven't created a dashboard using the traditional data monitors in probably 9 months or so. Now if they would only fix the issue where, if you try to copy/paste from one cell in a QV, you end up getting the whole line. That doesn't happen on any other structure within AS and drives me crazy. The first thing I open after opening AS in the morning is Notepad, so I can paste from AS and then copy the individual strings I need, even if that is somewhere else in AS!

    Would love to be able to compare a particular time slice against the same time slice from, say, 24 hrs ago... but I haven't figured out a good way to do that. The closest I can think of is to run a series of Trends all gathering data from the different time slices, and then a separate Trend pushing something like IP address to an AL. Since the linking data is in an AL, you can create a series of variables to pull the timeframes from the different Trends and put them in the same QV/Report/whatever. That is all theoretical, as I haven't developed down those lines; I am concerned about resources, since I would want to be able to compare quite a number of things. Maybe four 6 hr QVs side by side would help dissect the data... or, now that I re-read my comments, maybe just 2 QVs where the second QV shows the previous 24 hrs. The problem is getting the data to line up. You could again use an IP-address-in-AL approach, but that requires you to open the DB, open the AL, and flip back to the DB. I also talked with David W. from ArcSight at the user conference about getting more than the 3D bar chart for visualizations of data in QVs.
