Tag: ArcSight

Proactive detection content: CVE-2019-0708 vs ATT&CK, Sigma, Elastic and ArcSight

I think the most of security community has agreed that CVE-2019-0708 vulnerability is of critical priority to deal with. And while saying “patch your stuff!” feels like the first thing that one should think of, the memories of WannaCry and NotPetya are still fresh in my mind. We know that patching ain’t gonna happen at […]

Read More
Sigma Rules Guide for ArcSight

Introduction to Sigma Sigma, created by Florian Roth and Thomas Patzke, is an open source project to create a generic signature format for SIEM systems. The common analogy is that Sigma is the log file equivalent of what Snort is to IDS and what YARA is for file based malware detection. However, unlike Snort and […]

Read More
Active Lists in ArcSight, Automatic Clearing. Part 2

A very common task for all ArcSight content developers is cleaning active lists on a scheduled basis or on-demand automatically. In the previous post I have described how to clear Active Lists on scheduled basis using trends: https://socprime.com/en/blog/active-lists-in-arcsight-automatic-clearing-part-1/ Today I will show you another two ways how this can be achieved. Automatic clearing of Active Lists […]

Read More
ArcSight. Optimizing EPS (Aggregation and Filtration)

Almost all of the ArcSight beginners face a situation when there are a high incoming EPS from the log sources, especially when it is critical to License limits or causes performance issues. To reduce incoming EPS, ArcSight has two native methods for event processing: Event Aggregation and Filtration. In this article, I will try to […]

Read More
Enriching events with additional data

In the previous article, we examined Additional Data fields and how to use them. But what if events do not have needed/required/necessary information even in Additional Data fields? You may always face the situation when events in ArcSight don’t contain all needed information for Analysts. E.g., user ID instead of username, host ID instead of […]

Read More
Additional Data in ArcSight ESM

Everyone who had ever installed a single ArcSight SmartConnector knows about ‘Device Event Mapping to ArcSight Fields’ chapter in the installation guide where you can find information on mapping of Device-Specific fields to ArcSight Event Scheme. It’s an essential chapter for Analysts, right? Certainly, you noticed that for some SmartConnectors there are ‘Additional Data’ fields. […]

Read More
Active Lists in ArcSight, automatic clearing. Part 1

ArcSight beginners and experienced users very often face a situation when they need to automatically clear Active List in a use case. It could be the following scenario: count today’s logins for every user in real-time or reset some counters that are in Active List at the specified time.

Read More
Historical Correlation

What if I deployed or designed new Use Case and I want to know if my company was exposed to the threat in the past? While working with ArcSight a lot of people are wondering whether there is a way to realize historical correlation. They even have several real life scenarios for this. The first […]

Read More
Deliver TI feeds into ArcSight without false positive triggers

Every ArcSight user or administrator is faced with false positive rule triggers while delivering threat intelligence feed into ArcSight. This mostly happens when threat intel source events are not excluded from rule condition or connector tries to resolve all IP addresses and host names that are processed.

Read More
International conference on cyber security “Cyber For All”

24.11.2016 SOC Prime, Inc hosted the first international conference on cyber security “Cyber For All” in Kyiv, Ukraine. SOC Prime staff and business partners made presentations and several customers shared their real success stories of their usage of SOC Prime products. Conference was attended mainly by representatives of the telecom and finance business community of Ukraine. Kyiv […]

Read More