ArcSight Tips - Rule Actions Order
Have you ever wondered why ArcSight put those little buttons in rule actions?!
This is not accidental; they have a subtle purpose. Only a real-world example can show why they are needed and how much they matter.
Let's say events are coming into the ESM at a high rate, and we have a use case that needs two rules and two active lists (AL1 and AL2) to get what we want:
R1 evaluates base events; if the entry is NotInAL2, its action adds the entry to AL1.
R2 evaluates against the conditions DeviceEventClassID = activelist:103 AND DCN1 >= 10; if they match, its actions remove the entry from the first list (AL1) and add it to the second one (AL2).
And this is where the order counts. The picture above shows the right order: remove from AL1 first, then add to AL2. Let's think for a second about the implications if it were the other way around. If we chose to first add to AL2 and only then remove from AL1, then within a matter of milliseconds in the Correlation Engine, although the entry appears to have been added to AL2 (so R1 should no longer trigger), the count (DCN1) in AL1 is still incremented to 11, 12... and R2 triggers multiple times. However, even though we cannot prevent that completely, it won't have a huge impact on the outcome of our security scenario, because DCN1 can still be incremented many times (after its removal from AL1) only up until the entry is added to AL2 in action no. 2 (see the picture again).
This would not be possible without the "MoveUp" and "MoveDown" buttons in the Actions tab.