D3 - T5 - Variables-092015

Using Variables*

HP ArcSight Proof of Concept Boot Camp Training


TECHNICAL DAY-2
Philippe Jouvellier - HP ESP | Global Partner Enablement
[email protected]

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
* Lab during this session
Objectives

Upon successful completion of this lab, you will be able to:


• Understand what Global and Local Variables are
• Know Variables Functions that can be used
• Use Variables functions within rules
• Create and test rules using Variables

2 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Variables
Variables are functions used to derive values from events, assets, and other resources (for example, a target IP address in an attack event, the MAC address or the zone of a vulnerable asset, the timestamps on a user login session, entries in a hot list, and so forth).

Benefits: increased flexibility to obtain new values during correlation with Data Monitors and Rules. Expose more information.

Variables : Quick Reminders !
2 Types of Variables
• Local variables:
 Always belong to the parent resource
 Values definition and variables cannot be shared among multiple resources
 Administration distributed in parent resources
• Global variables:
 Use the principle of “define once and re-use in multiple places”
 Values definition and variables available among multiple resources
 Administration centralized under the Field Sets resource (Navigator Panel)

Note: Variables increase processing overhead and can affect performance.

Functions
Alias: creates an alternate name for a specified field
Arithmetic: Ceil, Round, Add, Absolute functions
Category Model: test whether 2 actors (IdentityView), or 1 actor and 1 group, have a relationship
Condition: conditional filter with 3 arguments (value returned)
Group: operations on Network Zones and Asset Groups
IP Address: parse an IP address (returning an integer from 0 to 255 representing 1 octet)
List: return a specific field of specified lists (Active or Session)
String: operations on strings (ToUpper, LastIndexOf, Substring, LengthOf, IndexOf, ToLower)
Timestamp: time related functions (date, time)
Type Conversion: conversion operations (strings, integers)

Use Cases with Variables
• Calculate network latency in the ESM Event Flow
• View location of attacker and target, plus number of events communicated between them
• Display location within the network model of an attacked asset in a report or graphical display
• Modify priority of a correlation event based upon an evaluation of base event’s target zone
• Track a user’s activity regardless of the case structure utilized for the login credentials – Jdonan,
jdonan, JDonan, JDONAN – should be shown as a single line in the Active List

Global Variables
Where are Global Variables located ?
• Go in the Navigator Panel
• Select ‘Field Sets’ from the Dropdown list


Global Variables
Where are Global Variables located ?
• Select ‘Fields and Global Variables’ tab


Creating Global Variables
Select Field Sets Resource
 Go in Navigator Panel
 Select Field Sets Resource
 Select “Fields & Global Variables” tab
 Right Click on ‘<admin>’s Fields’
 Select “New Global Variable”
 In the Attributes tab give a Name to the GV
 Select ‘Parameters’ tab
 From the Function drop down list, select a category
 Select a function in this category
Creating Local Variables
Local variables can be created within the following ArcSight resources, using the ‘Local Variables’ tab (where local variables can be added, edited, removed or promoted):
• Active Channels
• Field Sets*
• Filters
• Rules
• Data Monitors
• Query Viewers
• Reports
Creating Local Variables
Select Local Variable in a parent resource
 Select “Add”
 Give a Name
 Select a desired Function
 Provide arguments as needed
 Click OK

Example #1: Global Variable in Active Channel
Use Case: Display Network Latency values during event transmission from devices to ESM
• How do we do it?
• We will make use of a Global Variable using the Time Stamp difference function
• What Content do we need?
• Create 1 global variable using a function evaluating time difference
• Create 1 Field Set with columns – 1 will display the time difference
• 1 Active Channel to display events
• Result:
• Active Channel will display in 1 Column the time difference in seconds between End Time and Manager Receipt Time
Start/End Time, Device Time, Connector Time, Manager Time ?
Event flow (diagram): Log source → Raw log → Connector → CEF event → ESM → CORRe
• Device: the log is recorded/generated by the source (Device Receipt Time)
• Agent: the SmartConnector receives a raw log and processes it (Connector Receipt Time)
• Manager: the ESM server receives a CEF format event and writes it into CORRe (Manager Receipt Time)

Device Receipt Time: The timestamp applied by the source sensor device when an event is received from its source.
Connector Receipt Time: The timestamp applied by the ArcSight SmartConnector's JVM (Java Virtual Machine) when the event is received from the originating sensor device.
Manager Receipt Time: The timestamp applied by the ArcSight Manager's JVM (Java Virtual Machine) when the event is received from the ArcSight SmartConnector.
Start Time: This is the time at which the event actually began, as recorded by the source sensor device or, possibly, a secondary source monitored by that device.
End Time: The time at which the event actually ended, as recorded by the source sensor device or, possibly, a secondary source monitored by that device.
Display Network Latency
 Go in Navigator Panel
 Select Field Sets Resource
 Select “Fields & Global Variables” tab
 Right Click on ‘<admin>’s Fields’
 Select “New Global Variable”
 Give a name in the ‘Attributes’ tab
 Select ‘Parameters’ tab
 Select ‘TimeStamp’ from Categories
 Select ‘TimeDifferenceInSeconds’ from function
 Select Arguments:
  Number: Manager Receipt Time
  Number: End Time
 Click OK

Display Network Latency
 Under ‘Field Sets’ resource in the Navigator select the Field Sets tab
 Right Click on ‘<admin>’s Field Sets’
 Select “New Field Set”
 Give a name to the Field Set in the ‘Attributes’ tab
 Select the ‘Fields’ tab
 From the Field Sets tab (down the screen), select Manager Receipt Time and Name
 Select ‘Fields & Global Variables’ tab (down the screen)
 Select the previously created Global Variable
 Click ‘Apply’
We are ready to display an Active Channel involving network latency

Display Network Latency
 Open an Active Channel
 Go in Navigator and Select ‘Field Sets’
 Select the previously created Field Set
 Right Click on it
 Select ‘Set as Current Field Set’
The Active Channel shows up: see the time latency in Column ‘Time difference’
Want to Highlight Events with Significant Latency ?
 Create a new filter
 Go in Attributes tab and give a name
 Click on Filter tab and:
  Click +/- Global Variables
  Check the GV previously created
  Click OK
  Select the GV in the ArcSight Schema
  Define the condition >= 2
  Click OK
 Add a Grid View Option
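The latency Global Variable, the Field Set columns and the >= 2 seconds filter from Example #1, modelled over a few constructed events. This is an added illustration, not ArcSight code; it assumes TimeDifferenceInSeconds returns the first argument minus the second, so the GV is Manager Receipt Time minus End Time.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the page): the three fields the Field Set
# in Example #1 shows, with ISO-8601 UTC timestamps.
EVENTS = [
    {"name": "Login succeeded", "endTime": "2015-09-15T08:00:00Z",
     "managerReceiptTime": "2015-09-15T08:00:01Z"},
    {"name": "Firewall deny", "endTime": "2015-09-15T08:00:00Z",
     "managerReceiptTime": "2015-09-15T08:00:05Z"},
    {"name": "Clock skew", "endTime": "2015-09-15T08:00:10Z",
     "managerReceiptTime": "2015-09-15T08:00:02Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def time_difference_in_seconds(first, second):
    """Model of TimeStamp -> TimeDifferenceInSeconds: first argument minus the
    second, in whole seconds (the argument order is an assumption)."""
    return int((parse_ts(first) - parse_ts(second)).total_seconds())


def network_latency(event):
    """The Global Variable of Example #1: Manager Receipt Time minus End Time."""
    return time_difference_in_seconds(event["managerReceiptTime"], event["endTime"])


def field_set_row(event):
    """The Field Set columns: Manager Receipt Time, Name and the GV column."""
    return {"managerReceiptTime": event["managerReceiptTime"],
            "name": event["name"], "Time difference": network_latency(event)}


def significant_latency(events, threshold=2):
    """The filter from the 'Highlight Events' slide: GV >= 2 seconds."""
    return [field_set_row(e) for e in events if network_latency(e) >= threshold]


def clock_skew(events):
    """A negative GV means End Time is later than Manager Receipt Time, i.e. the
    source clock runs ahead of the Manager; worth its own filter."""
    return [e["name"] for e in events if network_latency(e) < 0]


if __name__ == "__main__":
    for event in EVENTS:
        print(field_set_row(event))
    print("highlighted:", [r["name"] for r in significant_latency(EVENTS)])
    print("clock ahead of Manager:", clock_skew(EVENTS))
```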
Example #2: Using a Local Variable with a Rule
• Use case: Detecting users' login activity after office hours (from 8pm to 8am the next morning)
• How do we do it?
• The Rule will evaluate the time of occurrence in its conditions
• What Content do we need?
• Conditions:
 Search for successful authentication occurrences: categoryBehavior and categoryOutcome will do the job
 A Local variable (TimeStamp function) verifies the End Time Field
• Aggregation:
• Threshold will be set to 1 Match within 1 minute
Creating Rule with Local Variable
Rule is created as we did in previous lab
 We create a New Rule and give a Name to it
 Then we select the ‘Conditions’ tab
 We add two lines
 categoryBehavior and categoryOutcome
 Then we create a local variable by
clicking on ‘Local Variables’ tab
 Click Add (with a + sign)
 A new window opens

Creating Local Variable in Rules
We use the Timestamp function here
 We give a name for the Local Variable
 From the drop-down ‘Function’ list we select « Timestamp »
 In the right panel we select the « GetHour » function
 Click OK
We map the Event Field we want to get the time (hour) from
 Select End Time
 Click OK
The Local Variable function will derive the time from the End Time Field in the evaluated event
Creating Local Variable in Rules
We can verify how the function operates
 Click on Calculate to test this function
 Function (hour) displays the result: the time when we created this Variable
 Click OK
The Local Variable is created and ready for use
We can add as many variables as we need
Creating Rule with Local Variable
We can now add a time based
condition in filter using the Variable
we just created
 Click back on “Conditions” tab
 Add New Condition
 Then select « Variables »
 Then select our new Local Variable
« Time_of_Day »
 Click OK
 We need a time range defined

Creating Rule with Local Variable
We define the Office Hours time range
 Double Click on “=”
 Scroll Down and select “Between”
 Enter 8,20
 Click OK
Is this what we want? No: ‘Out of Office Hours’ is what we are interested in, so we need the NOT operator
 Go to the list in the lower part of the editor
 Select “Time_of_Day”
 Check the NOT column
 Click Apply
Next steps
We then need to aggregate
 Select “Aggregate” tab
 # of matches is 1 and Time Frame is set to 2 minutes
 AttackerAddress, TargetAddress, TargetUsername aggregated

We define the Action upon rule firing
 Select “Actions” tab
 Add « Set Event Field » to « On First Event »
 Enter “Unauthorized Login After Office Hours” as Name Field
 Click OK then Click Apply
Setting Rule in Motion
• Rule is now complete
• It must be activated
• Select the new rule
• Left Click and Hold
• Drag it to “Real-Time Rules” Folder
• You can choose to Copy, Link or Move the Rule
• Select “Link”
• This is a best practice
The rule is created under a project folder but active on the system

This is the most common reason for rules not triggering!


Did the Rule Fire?… Yes
(Screenshot: EVENT 1 and the Fired Rule)
Lab 10-1 Create a Rule with 2 Local Variables
Use Case: Detecting Root user login in a specified time range
• Conditions will filter:
 successful login events
 Destination User Name is root
 Time of day and day of week evaluation requires 2 Local Variables here:
  GetHour
  GetDayOfWeek (make sure it’s today)
 As we use CloudShare in a different time zone – West Coast US based – the time range will be set between XXX and XXX TODAY
• Aggregation
 Attacker Address, Target Address and Target User Name
• Action
• First Event SET EVENT FIELD NAME “Unauthorized ROOT login in a time range”
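The after-hours rule of Example #2 and its Lab 10-1 extension (root user, GetHour plus GetDayOfWeek), evaluated over constructed login events. This is an added model, not ArcSight code; it assumes Between is inclusive at both ends, that GetDayOfWeek numbers Monday as 1 through Sunday as 7, and uses the 8,20 range from Example #2 in place of the lab's unspecified range.

```python
from datetime import datetime, timezone

# Constructed sample login events (not from the page); field names follow the
# ESM schema names the slides use (categoryBehavior, categoryOutcome, ...).
def ev(end, outcome, src, user):
    return {"endTime": end, "categoryBehavior": "/Authentication/Verify",
            "categoryOutcome": outcome, "attackerAddress": src,
            "targetAddress": "10.0.1.10", "targetUserName": user}

EVENTS = [ev("2015-09-15T07:30:00Z", "/Success", "10.0.0.5", "jdonan"),
          ev("2015-09-15T12:15:00Z", "/Success", "10.0.0.5", "root"),
          ev("2015-09-15T22:05:00Z", "/Failure", "10.0.0.9", "root"),
          ev("2015-09-15T22:06:00Z", "/Success", "10.0.0.9", "root")]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def get_hour(event):
    """Local variable Time_of_Day: Timestamp -> GetHour applied to End Time."""
    return parse_ts(event["endTime"]).hour

def get_day_of_week(event):
    """Lab 10-1 local variable: Timestamp -> GetDayOfWeek on End Time. Monday=1 ..
    Sunday=7 is an assumption; confirm ESM's numbering with the editor's
    Calculate button before using it in a condition."""
    return parse_ts(event["endTime"]).isoweekday()

def conditions_match(event, office_hours=(8, 20), user=None, day=None):
    """Rule conditions: successful authentication, optional Destination User Name
    and day-of-week checks, and NOT Time_of_Day Between 8,20 (inclusive, assumed)."""
    ok = (event["categoryBehavior"].startswith("/Authentication/Verify")
          and event["categoryOutcome"] == "/Success"
          and (user is None or event["targetUserName"] == user)
          and (day is None or get_day_of_week(event) == day))
    low, high = office_hours
    return ok and not (low <= get_hour(event) <= high)  # the NOT column

def run_rule(events, name="Unauthorized Login After Office Hours", **cond):
    """Threshold of 1 match: each matching event fires once, keyed on Attacker
    Address, Target Address and Target User Name; the On First Event action
    sets the correlation event's Name field."""
    fired = []
    for e in events:
        if conditions_match(e, **cond):
            key = (e["attackerAddress"], e["targetAddress"], e["targetUserName"])
            fired.append({"name": name, "aggregationKey": key})
    return fired

if __name__ == "__main__":
    print(run_rule(EVENTS))  # Example #2
    print(run_rule(EVENTS, name="Unauthorized ROOT login in a time range",
                   user="root", day=2))  # Lab 10-1 variant, 2015-09-15 is a Tuesday
```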
Thank You

Questions ?

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted. For HP and Partner Internal Use
