Historical Correlation

What if I have deployed or designed a new Use Case and want to know whether my company was exposed to the threat in the past?

People who work with ArcSight often wonder whether there is a way to perform historical correlation, and there are several real-life scenarios for it. The first is batched events, i.e. events that do not arrive at ESM in real time but once per time frame (once an hour, once a day, etc.). The second is applying correlation to historical data, i.e. taking actions not only on future occurrences but also on past ones. The third is the ability to run rules at a chosen time, e.g. running ‘non-critical’ rules after business hours to offload the correlation engine.

ArcSight ESM can handle all of these tasks with a feature called Scheduled rules.

Scheduled rules are a useful alternative to real-time rules in situations where you want to deploy rules that take into account historical data along with live data, or when you only want to control when the rules are run. The scheduled rules engine can process historical data, take real actions and generate correlated events, which are the same as those generated by the real-time rules engine.

How do you schedule a rule? You cannot schedule a single rule, only a rule group. To schedule one or more rules, place them in a folder.

To schedule a rule group, you need to:

  1. Go to Rules resources in the Navigator.
  2. Select a rule group, right-click and choose Schedule Rule Group from the context menu. (If the required rules are not in a group, create a new rule group and link or move the rules into it.)
  3. Add a job, name and describe it. Specify a schedule on which to run the rule group by clicking on ‘Click here to set up schedule frequency’ at the bottom.
  4. Specify a filter for these rules. By default, the filter is set to All Events. Click Filter Results to refine the filter to display only events relevant to the rule. Narrowing the filter optimizes performance when the rule is run.
  5. Click Apply or OK to deploy.

The rules are deployed according to the schedule specified in the Rule Group editor on the Jobs tab and are triggered if the rule conditions are met.

One thing to keep in mind concerns the Job Frequency editor and its time parameters.

On the first run, the rule evaluates all events from the ‘Start’ timestamp until $Now (execution time). On subsequent runs, only events from the last run until $Now are evaluated.
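The window behaviour described above, as a small Python model (an added example, not ArcSight code and not part of the original post). The event field names, the watchlist rule, the firewall-only filter and the half-open window boundaries are assumptions, and the sample events are constructed.

```python
from datetime import datetime

def run_windows(start, run_times):
    """First run covers Start..$Now; each later run covers last run..$Now."""
    windows, lower = [], start
    for now in sorted(run_times):
        windows.append((lower, now))
        lower = now  # the next run resumes where this one stopped
    return windows

def evaluate(events, windows, job_filter, condition):
    """IDs each run would match. Assumption: a window is [from, to)."""
    return [[e["id"] for e in events
             if lo <= e["time"] < hi and job_filter(e) and condition(e)]
            for lo, hi in windows]

# Constructed sample data (documentation IP ranges, hypothetical fields).
WATCHLIST = {"203.0.113.7"}            # indicator from the newly built use case
START = datetime(2024, 1, 1)           # 'Start' timestamp of the job
RUNS = [datetime(2024, 1, 8, 20), datetime(2024, 1, 9, 20)]  # after hours
EVENTS = [
    {"id": "e1", "time": datetime(2023, 12, 30, 9), "device": "firewall", "dst": "203.0.113.7"},
    {"id": "e2", "time": datetime(2024, 1, 3, 10), "device": "firewall", "dst": "203.0.113.7"},
    {"id": "e3", "time": datetime(2024, 1, 5, 14), "device": "proxy", "dst": "203.0.113.7"},
    {"id": "e4", "time": datetime(2024, 1, 6, 11), "device": "firewall", "dst": "198.51.100.1"},
    {"id": "e5", "time": datetime(2024, 1, 9, 9), "device": "firewall", "dst": "203.0.113.7"},
]

def firewall_only(e):      # stands in for the job's filter (step 4)
    return e["device"] == "firewall"

def hits_watchlist(e):     # stands in for the rule condition
    return e["dst"] in WATCHLIST

def demo():
    windows = run_windows(START, RUNS)
    return windows, evaluate(EVENTS, windows, firewall_only, hits_watchlist)

if __name__ == "__main__":
    windows, matches = demo()
    for n, ((lo, hi), ids) in enumerate(zip(windows, matches), 1):
        print(f"run {n}: {lo} .. {hi} -> {ids}")
```

In this model the first run picks up the historical hit e2, the second run sees only e5, e1 is never evaluated because it predates ‘Start’, and e3 is excluded by the job filter even though it meets the rule condition.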

Now you are ready to apply the most complicated and sophisticated scenarios.

Ruslan Mihalev