Saturday, January 8, 2011

ArcSight - The SIEM Lego Set. Take 2

I wanted to post something a little more positive about the ArcSight Lego concept. Several months ago a group at work was asked to justify a particular line item of their budget relating to the use of online resources and subscription fees. What they didn’t have was a way to link users to particular site browsing. The issue bounced around a bit until it landed on my plate, and with ArcSight’s feeds the solution was fairly easy to craft (though the devil is in the details). Everyone’s environment is different, and different vendors and solutions generate different logs. Again, I don’t have access to other SIEM solutions, so I’m not sure how easy or hard coming up with a similar solution would be on them. While this isn’t specifically a security use case, the concepts or individual elements could be useful for one down the road. I have reused the login tracker a number of times.

Frankly speaking, while I can dabble and eventually come up with something, I’m not a natural, in-depth coder. ArcSight, for me, provides not only a platform for correlation but also a front end to tie everything together.

The first part of the solution was to link users to computers. This was done by creating a rule that looked for login events and wrote both the machine and the user name to an active list. There are two keys to this. The first is to index the machine field(s) and not the username field. The idea is that the username field captures the most recent person to log into the machine, so you want only one row in the active list per machine. An active list that indexes both machine AND username can be useful, but not for this use case. The second key is linking login events to firewall logs, so you want to include only the machine field(s) that will consistently show up in the firewall logs. When you use the getActiveListValue variable you have to create a map to EVERY indexed field. In other words, while you can include IP address, MAC, host name, etc. in the login tracker active list, if your firewall logs consistently have only one of those, then you should limit the login active list index to just that field. This might take a couple of rebuilds of the first Lego to get right.

The second major Lego block to put in place is an active list that contains the online resources you want to track, plus a way to tie that to the firewall logs. The easiest way to do that is by IP address, but you might also have to use the URL (this will be harder). You might also have to play with this active list to get everything you want. For example, you will probably want a string field containing a name for the resource that you can use in graphs.

So now you have two components: a way to tie users to computers, and your online resources. Create a rule that looks for the IP addresses in the resource active list and, when there is a match, uses the getActiveListValue variable to pull the username from your login tracker active list and whatever common name you used in the online resource active list. These fields are added to the event created by the rule firing, using the set field action tab on the rule. The last step is to create a Trend to capture the relevant fields from the event created by the rule firing. Trends let you keep data beyond your online retention period and allow for very quick report generation. If you have a feed or active list that can link user names to business units, that is something to throw into the mix, and it makes for good report graphs.
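To make the two Lego blocks concrete outside the ArcSight console, here is an added example (my own illustration, not ArcSight code or anything from the original post) that re-implements the same correlation in plain Python: a login tracker keyed on machine IP only (last login wins, one row per machine), a resource list keyed on destination IP with a friendly name, a rule that joins firewall events to both lists, and a trend-style aggregation for reporting. The login events, firewall events, IP addresses, user names and resource names are all constructed sample data. It also shows the failure mode you will hit in practice: a firewall event from a machine that never produced a login event cannot be attributed, so it is tagged rather than silently dropped.

```python
from collections import Counter

# Constructed sample login events (what a logon feed might deliver), in arrival order.
# Only the source IP is indexed because the firewall feed below only consistently carries IPs.
LOGIN_EVENTS = [
    {"time": "2011-01-08T08:01:00", "type": "login", "src_ip": "10.1.1.20", "user": "alice"},
    {"time": "2011-01-08T08:05:00", "type": "login", "src_ip": "10.1.1.21", "user": "bob"},
    # carol logs into alice's machine later; the tracker must keep only the latest user
    {"time": "2011-01-08T09:30:00", "type": "login", "src_ip": "10.1.1.20", "user": "carol"},
]

# Constructed sample firewall events (src_ip -> dst_ip) interleaved in time with the logins.
FIREWALL_EVENTS = [
    {"time": "2011-01-08T08:30:00", "type": "fw", "src_ip": "10.1.1.20", "dst_ip": "203.0.113.10"},
    {"time": "2011-01-08T08:40:00", "type": "fw", "src_ip": "10.1.1.21", "dst_ip": "203.0.113.11"},
    {"time": "2011-01-08T08:45:00", "type": "fw", "src_ip": "10.1.1.21", "dst_ip": "198.51.100.5"},  # not a tracked resource
    {"time": "2011-01-08T10:00:00", "type": "fw", "src_ip": "10.1.1.20", "dst_ip": "203.0.113.10"},
    {"time": "2011-01-08T10:05:00", "type": "fw", "src_ip": "10.1.1.22", "dst_ip": "203.0.113.11"},  # no login ever seen
]

# Constructed resource active list: destination IP -> name used in reports/graphs.
RESOURCE_LIST = {
    "203.0.113.10": "Legal Research Portal",
    "203.0.113.11": "Market Data Subscription",
}

# Placeholder written into the enriched event when the login tracker has no row for the machine.
UNATTRIBUTED = "UNKNOWN"


def update_login_tracker(tracker, event):
    """Lego 1: on a login event, write (machine, user) into the tracker.

    The dict is keyed on the machine IP only, so a newer login for the same
    machine overwrites the previous user, giving one row per machine.
    """
    tracker[event["src_ip"]] = event["user"]


def correlate_firewall_event(tracker, resources, event):
    """Lego 2: if the destination is a tracked resource, enrich the event with
    the current user for the source machine (the getActiveListValue step) and
    the resource's friendly name. Returns None when the destination is not tracked."""
    resource_name = resources.get(event["dst_ip"])
    if resource_name is None:
        return None
    user = tracker.get(event["src_ip"], UNATTRIBUTED)
    return {
        "time": event["time"],
        "src_ip": event["src_ip"],
        "user": user,
        "resource": resource_name,
    }


def run(events, resources):
    """Replay a mixed stream of login and firewall events in time order, the way
    a rule engine would see them, and return (final tracker, correlated hits)."""
    tracker = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "login":
            update_login_tracker(tracker, ev)
        elif ev["type"] == "fw":
            hit = correlate_firewall_event(tracker, resources, ev)
            if hit is not None:
                hits.append(hit)
    return tracker, hits


def trend(hits):
    """Trend-style aggregation: number of resource hits per (user, resource)."""
    return Counter((h["user"], h["resource"]) for h in hits)


if __name__ == "__main__":
    tracker, hits = run(LOGIN_EVENTS + FIREWALL_EVENTS, RESOURCE_LIST)
    print("login tracker:", tracker)
    for user_resource, count in sorted(trend(hits).items()):
        print(user_resource, count)
```

Because the stream is replayed in time order, the 08:30 traffic from 10.1.1.20 is attributed to alice and the 10:00 traffic to carol, which is exactly the "most recent login" semantics the post relies on; in a real deployment, a noisy or incomplete login feed is what turns rows into UNKNOWN, so counting those rows per day is a cheap health check on the first Lego.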

The following post might be helpful when it comes to the variable magic you are going to have to perform to tie all of these things together.
