Every ArcSight user or administrator is faced with false positive rule triggers while delivering threat intelligence feed into ArcSight.
This mostly happens when threat intel source events are not excluded from rule condition or connector tries to resolve all IP addresses and host names that are processed.
Adherence to these simple rules will allow you to avoid false positive correlation:
- Install separate Syslog SmartConnector for all TI feeds. This is relevant for all threat intelligence feeds that are sending IOCs in CEF events via syslog.
- Install separate File Reader SmartConnector (for example for CSV files). This is relevant for IOCs in CSV file.
- Turn off ‘Name Resolution’ on Syslog/File Reader SmartConnector for threat intelligence feeds. If option ’Enable Name Resolution’ is set to ‘Yes’ or ‘Source/Dest Only’, the connector is trying to resolve all host names to IP addresses and IP addresses to host names in Source/Destination fields. If you have several Active Directory controllers in your network, this may cause a lot of DNS request for malicious hosts from each domain controller.
Also, the connector can try to get NETBIOS name of the host while resolving and you will get an event on your firewall that server, where threat intelligence feed SmartConnector is installed, is trying to rich ‘bad’ host on port 137.
- Exclude events from threat intelligence feed SmartConnector in rules. You can add a condition to every rule, for example: ‘Agent Name != TI Connector Name’.
As a result, you get a lot of excessive events that cause false positive rule triggers.
To disable ‘Name Resolution’ option on a connector, go to:
- In ESM Console: double click on connector. In ‘Inspect/Edit‘ panel open tab ‘Defaults’ and choose ‘Enable Name Resolution’ in ‘Network’ section – ‘No’. Click ‘Apply’.
- On connector: run command ‘%CONNECTORHOME%/current/bin/./runagentsetup.sh’ on Linux or run file ‘%CONNECTORHOME%\current\bin\runagentsetup.bat’ on Windows. Choose ‘Modify Connector’ -> ‘Add, modify, or remove destination’ -> choose destination -> ‘Modify Destination settings’ -> ‘Network’ -> ‘Enable Name Resolution’ set to ‘No’.
- Finish connector setup and restart connector service.
In all Use Cases from SOC Prime TI source events are excluded in the main filters.
- Active Lists in ArcSight, Automatic Clearing. Part 2 - 16.11.2017
- ArcSight. Optimizing EPS (Aggregation and Filtration) - 23.10.2017
- Active Lists in ArcSight, automatic clearing. Part 1 - 02.08.2017