Deliver TI feeds into ArcSight without false positive triggers

July 26, 2017 · 2 min read

Every ArcSight user or administrator faces false positive rule triggers when delivering a threat intelligence feed into ArcSight.
This mostly happens when events from the threat intel source are not excluded from rule conditions, or when the connector tries to resolve every IP address and host name it processes.

Following these simple rules will let you avoid false positive correlation:

  1. Install a separate Syslog SmartConnector for all TI feeds. This applies to all threat intelligence feeds that send IOCs as CEF events via syslog.
  2. Install a separate File Reader SmartConnector (for example, for CSV files). This applies to IOCs delivered in CSV files.
  3. Turn off ‘Name Resolution’ on the Syslog/File Reader SmartConnector for threat intelligence feeds. If the option ‘Enable Name Resolution’ is set to ‘Yes’ or ‘Source/Dest Only’, the connector tries to resolve all host names to IP addresses and all IP addresses to host names in the Source/Destination fields. If you have several Active Directory domain controllers in your network, this can cause a lot of DNS requests for malicious hosts from each domain controller.
    Also, the connector may try to get the NetBIOS name of the host while resolving, and you will get an event on your firewall that the server where the threat intelligence feed SmartConnector is installed is trying to reach a ‘bad’ host on port 137.
  4. Exclude events from the threat intelligence feed SmartConnector in rules. You can add a condition to every rule, for example: ‘Agent Name != TI Connector Name’.
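The following Python script is an added illustration of rule 4 and is not code from the original post or from ArcSight. It models the correlation step with a minimal CEF parser over constructed sample events: the IOC list is built from events delivered by a dedicated TI connector, a naive rule ("destination address is in the IOC list") fires on the feed event itself, and the same rule with the condition ‘Agent Name != TI Connector Name’ fires only on real firewall traffic. The connector names, CEF lines and the way the agent name is attached to each event are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Name of the dedicated TI SmartConnector. Assumed value for this example,
# not taken from the original post.
TI_CONNECTOR_NAME = "TI Connector"

# Constructed sample events as (agent name attached by ESM, CEF line).
# 1) an IOC delivered by the TI feed itself,
# 2) real firewall traffic to the same address (should alert),
# 3) benign firewall traffic (should not alert).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (TI_CONNECTOR_NAME,
     "CEF:0|ExampleTI|Feed|1.0|ioc-ip|Malicious IP|5|dst=203.0.113.5 cs1=blocklist"),
    ("FW Connector",
     "CEF:0|ExampleFW|NGFW|2.0|allow|Connection allowed|3|src=10.0.0.7 dst=203.0.113.5 dpt=443"),
    ("FW Connector",
     "CEF:0|ExampleFW|NGFW|2.0|allow|Connection allowed|3|src=10.0.0.8 dst=198.51.100.20 dpt=443"),
]

# key=value pairs; a value runs until the next " key=" or end of line.
# Simplification: escaped pipes and equals signs are not handled.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its seven header fields plus extension pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    event = {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "signatureId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    event.update((k, v) for k, v in _EXT_RE.findall(parts[7]))
    return event


def build_ioc_set(events: List[Tuple[str, str]]) -> Set[str]:
    """Collect IOC addresses from events the TI connector delivered
    (the equivalent of populating an ActiveList from the feed)."""
    return {parse_cef(line)["dst"]
            for agent, line in events if agent == TI_CONNECTOR_NAME}


def naive_rule(events, iocs: Set[str]):
    """Rule condition: destination address is in the IOC list.
    This fires on the feed event itself, which is the false positive."""
    hits = []
    for agent, line in events:
        ev = parse_cef(line)
        if ev.get("dst") in iocs:
            hits.append((agent, ev))
    return hits


def hardened_rule(events, iocs: Set[str]):
    """Same condition plus 'Agent Name != TI Connector Name'."""
    hits = []
    for agent, line in events:
        ev = parse_cef(line)
        if agent != TI_CONNECTOR_NAME and ev.get("dst") in iocs:
            hits.append((agent, ev))
    return hits


def run_demo(events=SAMPLE_EVENTS) -> Dict[str, list]:
    """Run both rule variants and report which agents produced hits."""
    iocs = build_ioc_set(events)
    return {
        "iocs": sorted(iocs),
        "naive_hits": [agent for agent, _ in naive_rule(events, iocs)],
        "hardened_hits": [agent for agent, _ in hardened_rule(events, iocs)],
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script shows the naive rule producing two hits, one of them from the TI connector, while the hardened rule reports only the firewall event. The same agent-name exclusion belongs in the main filter of any rule that matches on an ActiveList populated from the feed.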

Without these measures, you get a lot of excess events that cause false positive rule triggers.

To disable the ‘Name Resolution’ option on a connector, do one of the following:

  • In ESM Console: double click the connector. In the ‘Inspect/Edit’ panel open the ‘Defaults’ tab and, in the ‘Network’ section, set ‘Enable Name Resolution’ to ‘No’. Click ‘Apply’.
  • On the connector host: run ‘%CONNECTORHOME%/current/bin/./runagentsetup.sh’ on Linux or ‘%CONNECTORHOME%\current\bin\runagentsetup.bat’ on Windows. Choose ‘Modify Connector’ -> ‘Add, modify, or remove destination’ -> choose the destination -> ‘Modify Destination settings’ -> ‘Network’ -> set ‘Enable Name Resolution’ to ‘No’.
  • Finish the connector setup and restart the connector service.

In all Use Cases from SOC Prime, TI source events are excluded in the main filters.
