Deliver TI feeds into ArcSight without false positive triggers

Aleks Bredikhin
Latest posts by Aleks Bredikhin (see all)
WRITTEN BY
Aleks Bredikhin
[post-views]
July 26, 2017 · 2 min read

Every ArcSight user or administrator is faced with false positive rule triggers while delivering threat intelligence feed into ArcSight.
This mostly happens when threat intel source events are not excluded from rule condition or connector tries to resolve all IP addresses and host names that are processed.

Adherence to these simple rules will allow you to avoid false positive correlation:

  1. Install separate Syslog SmartConnector for all TI feeds. This is relevant for all threat intelligence feeds that are sending IOCs in CEF events via syslog.
  2. Install separate File Reader SmartConnector (for example for CSV files). This is relevant for IOCs in CSV file.
  3. Turn off ‘Name Resolution’ on Syslog/File Reader SmartConnector for threat intelligence feeds. If option ’Enable Name Resolution’ is set to ‘Yes’ or ‘Source/Dest Only’, the connector is trying to resolve all host names to IP addresses and IP addresses to host names in Source/Destination fields. If you have several Active Directory controllers in your network, this may cause a lot of DNS request for malicious hosts from each domain controller.
    Also, the connector can try to get NETBIOS name of the host while resolving and you will get an event on your firewall that server, where threat intelligence feed SmartConnector is installed, is trying to rich ‘bad’ host on port 137.
  4. Exclude events from threat intelligence feed SmartConnector in rules. You can add a condition to every rule, for example: ‘Agent Name != TI Connector Name’.

As a result, you get a lot of excessive events that cause false positive rule triggers.

To disable ‘Name Resolution’ option on a connector, go to:

  • In ESM Console: double click on connector. In ‘Inspect/Edit‘ panel open tab ‘Defaults’ and choose ‘Enable Name Resolution’ in ‘Network’ section – ‘No’. Click ‘Apply’.
  • On connector: run command ‘%CONNECTORHOME%/current/bin/./runagentsetup.sh’ on Linux or run file ‘%CONNECTORHOME%\current\bin\runagentsetup.bat’ on Windows. Choose ‘Modify Connector ->Add, modify, or remove destination’ -> choose destination -> ‘Modify Destination settings’ -> ‘Network’ -> ‘Enable Name Resolution’ set to ‘No’.
  • Finish connector setup and restart connector service.

In all Use Cases from SOC Prime TI source events are excluded in the main filters.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

Blog, Latest Threats — 12 min read
Proactive detection content: CVE-2019-0708 vs ATT&CK, Sigma, Elastic and ArcSight
Andrii Bezverkhyi
Blog, SIEM & EDR — 5 min read
Sigma Rules Guide for ArcSight
Jordan Camba
Blog, SIEM & EDR — 4 min read
ArcSight. Optimizing EPS (Aggregation and Filtration)
Aleks Bredikhin

This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Refuse Cookies Accept Cookies

You previously chose to disable cookies. This site uses cookies and other tracking technologies to assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide content from third parties. Cookie Policy. Details

Details Accept Cookies