I think the most of security community has agreed that CVE-2019-0708 vulnerability is of critical priority to deal with. And while saying āpatch your stuff!ā feels like the first thing that one should think of, the memories of WannaCry and NotPetya are still fresh in my mind. We know that patching aināt gonna happen at […]
Introduction to Sigma Sigma, created by Florian Roth and Thomas Patzke, is an open source project to create a generic signature format for SIEM systems. The common analogy is that Sigma is the log file equivalent of what Snort is to IDS and what YARA is for file based malware detection. However, unlike Snort and […]
Almost all of the ArcSight beginners face a situation when there are a high incoming EPS from the log sources, especially when it is critical to License limits or causes performance issues. To reduce incoming EPS, ArcSight has two native methods for event processing: Event Aggregation and Filtration. In this article, I will try to […]
In the previous article, we examined Additional Data fields and how to use them. But what if events do not have needed/required/necessary information even in Additional Data fields? You may always face the situation when events in ArcSight don’t contain all needed information for Analysts. E.g., user ID instead of username, host ID instead of […]
Everyone who had ever installed a single ArcSight SmartConnector knows about ‘Device Event Mapping to ArcSight Fields’ chapter in the installation guide where you can find information on mapping of Device-Specific fields to ArcSight Event Scheme. It’s an essential chapter for Analysts, right? Certainly, you noticed that for some SmartConnectors there are ‘Additional Data’ fields. […]
ArcSight beginners and experienced users very often face a situation when they need to automatically clear Active List in a use case. It could be the following scenario: count today’s logins for every user in real-time or reset some counters that are in Active List at the specified time.
What if I deployed or designed new Use Case and I want to know if my company was exposed to the threat in the past? While working with ArcSight a lot of people are wondering whether there is a way to realize historical correlation. They even have several real life scenarios for this. The first […]
Every ArcSight user or administrator is faced with false positive rule triggers while delivering threat intelligence feed into ArcSight. This mostly happens when threat intel source events are not excluded from rule condition or connector tries to resolve all IP addresses and host names that are processed.
24.11.2016 SOC Prime, Inc hosted the first international conference on cyber security “Cyber For All” in Kyiv, Ukraine. SOC Prime staff and business partners made presentationsĀ and several customers sharedĀ their real success stories of their usage of SOC Prime products. Conference was attended mainly by representatives of the telecom and finance business community of Ukraine. Kyiv […]