Attention
By clicking proceed, you will be redirected from this site because of the impossibility of working with this site without allowing a cookie.
Cancel Confirm
My account
Exact matches only
Search in title
Search in content
Search in posts
Search in pages
Search in:
Blog
News

Deliver TI feeds into ArcSight without false positive triggers


594
July 26, 2017

Every ArcSight user or administrator is faced with false positive rule triggers while delivering threat intelligence feed into ArcSight.
This mostly happens when threat intel source events are not excluded from rule condition or connector tries to resolve all IP addresses and host names that are processed.

Adherence to these simple rules will allow you to avoid false positive correlation:

  1. Install separate Syslog SmartConnector for all TI feeds. This is relevant for all threat intelligence feeds that are sending IOCs in CEF events via syslog.
  2. Install separate File Reader SmartConnector (for example for CSV files). This is relevant for IOCs in CSV file.
  3. Turn off ‘Name Resolution’ on Syslog/File Reader SmartConnector for threat intelligence feeds. If option ’Enable Name Resolution’ is set to ‘Yes’ or ‘Source/Dest Only’, the connector is trying to resolve all host names to IP addresses and IP addresses to host names in Source/Destination fields. If you have several Active Directory controllers in your network, this may cause a lot of DNS request for malicious hosts from each domain controller.
    Also, the connector can try to get NETBIOS name of the host while resolving and you will get an event on your firewall that server, where threat intelligence feed SmartConnector is installed, is trying to rich ‘bad’ host on port 137.
  4. Exclude events from threat intelligence feed SmartConnector in rules. You can add a condition to every rule, for example: ‘Agent Name != TI Connector Name’.

As a result, you get a lot of excessive events that cause false positive rule triggers.

To disable ‘Name Resolution’ option on a connector, go to:

  • In ESM Console: double click on connector. In ‘Inspect/Edit‘ panel open tab ‘Defaults’ and choose ‘Enable Name Resolution’ in ‘Network’ section – ‘No’. Click ‘Apply’.
  • On connector: run command ‘%CONNECTORHOME%/current/bin/./runagentsetup.sh’ on Linux or run file ‘%CONNECTORHOME%\current\bin\runagentsetup.bat’ on Windows. Choose ‘Modify Connector ->Add, modify, or remove destination’ -> choose destination -> ‘Modify Destination settings’ -> ‘Network’ -> ‘Enable Name Resolution’ set to ‘No’.
  • Finish connector setup and restart connector service.

In all Use Cases from SOC Prime TI source events are excluded in the main filters.

Aleks Bredikhin

Aleks Bredikhin

CTO, Co-founder at SOC Prime
Aleks Bredikhin

Latest posts by Aleks Bredikhin (see all)

Related Posts

An insight into the 1st year of SOC automation operations
Active Lists in ArcSight, automatic clearing. Part 1
Configuration, Events and Content Backup in IBM QRadar
Creating Rules in IBM QRadar
How to fix parsing issues in QRadar without technical support
MENU