Sigma rules guide: threat hunting for ESM, ArcSight Command Center and Logger
This topic has 0 replies, 1 voice, and was last updated 2 years, 6 months ago.
Do you know about Sigma, a new revolutionary way to make better and faster threat detection content for your SIEM? With the help of Sigma, new rules can be created and exported directly to a SIEM within just a couple of hours or even faster. This guide will help you use Sigma rules for ArcSight. It also contains a link to the online Sigma UI, a tool that allows you to convert Sigma rules to the most common SIEM platforms instantly and free of charge.
https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Sigma-rules-guide-threat-hunting-for-ESM-ArcSight-Command-Center/td-p/1662079

Check whether you have configured everything correctly by creating a test Sigma Rule Job. If everything is configured well, you should see test events in the ESM console.
1. Go to the Logger or ArcSight Command Center web console Event Search page.
2. Put the test query into the search field and choose the time frame 'Last 10 minutes':

deviceVendor = "ArcSight" and deviceProduct = "ArcSight" and deviceEventClassId = "monitor:146" | cef flexString1 | rex field = flexString1 mode=sed "s//Sigma: Test Rule/g"

You should see 10 events with the flexString1 field changed to 'Sigma: Test Rule'.
3. Save the query as a Saved Search with the name 'Sigma: Test Rule'. Choose the option 'Schedule it'.
4. In the Schedule parameters choose: run every 15 minutes; choose the option 'Save to ArcSight Command Center'; leave 'Export directory name' empty; uncheck the option 'All Fields'; put the following list of fields into 'Fields':
endTime,name,sourceAddress,destinationAddress,priority,deviceVendor,deviceProduct,categoryBehavior,categoryDeviceGroup,categoryOutcome,categorySignificance,destinationHostName,destinationPort,destinationProcessName,destinationServiceName,destinationUserId,destinationUserName,deviceAction,deviceAddress,deviceHostname,deviceProcessName,deviceCustomNumber1,deviceCustomNumber1Label,deviceCustomNumber2,deviceCustomNumber2Label,deviceCustomString1,deviceCustomString1Label,deviceCustomString2,deviceCustomString2Label,deviceCustomString3,deviceCustomString3Label,deviceCustomString4,deviceCustomString4Label,deviceCustomString5,deviceCustomString5Label,deviceCustomString6,deviceCustomString6Label,fileName,filePath,flexString1,flexString1Label,flexString2,flexString2Label,sourceHostName,sourcePort,sourceProcessName,sourceServiceName,sourceUserId,sourceUserName
Note: The parser is configured to parse files in this exact field sequence. Don't change the fields. If you need to add new fields, contact SOC Prime.
5. Choose the option 'Include only CEF events'.
6. Enable the 'Sigma: Test Rule' job.

After 15 minutes the Saved Search should run and save its output to a CSV file in the /opt/arcsight/logger/userdata/logger/user/logger/data/savedsearch directory; the Flex Connector (installed in point 1 of the full guide) will process that file and send the events to the ESM.
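A check an analyst can run against the exported CSV before the Flex Connector picks it up, added here as an example and not part of the original guide or of SOC Prime's tooling: it verifies the header matches the field sequence above (the parser depends on that order) and counts the rows the test rule tagged in flexString1. It assumes the exported file carries a header row with the field names; the CSV bodies below are constructed sample data.

```python
import csv
import io

# Field sequence from the guide; the Flex Connector parser expects exactly this order.
EXPECTED_FIELDS = (
    "endTime", "name", "sourceAddress", "destinationAddress", "priority",
    "deviceVendor", "deviceProduct", "categoryBehavior", "categoryDeviceGroup",
    "categoryOutcome", "categorySignificance", "destinationHostName",
    "destinationPort", "destinationProcessName", "destinationServiceName",
    "destinationUserId", "destinationUserName", "deviceAction", "deviceAddress",
    "deviceHostname", "deviceProcessName",
    *[f"deviceCustomNumber{i}{s}" for i in (1, 2) for s in ("", "Label")],
    *[f"deviceCustomString{i}{s}" for i in range(1, 7) for s in ("", "Label")],
    "fileName", "filePath", "flexString1", "flexString1Label", "flexString2",
    "flexString2Label", "sourceHostName", "sourcePort", "sourceProcessName",
    "sourceServiceName", "sourceUserId", "sourceUserName",
)
TEST_RULE_NAME = "Sigma: Test Rule"  # value the test query writes into flexString1

def check_saved_search_csv(text):
    """Return (header_problems, test_rule_rows) for one exported CSV body."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    problems = []
    missing = sorted(set(EXPECTED_FIELDS) - set(header))
    extra = sorted(set(header) - set(EXPECTED_FIELDS))
    for label, names in (("missing", missing), ("unexpected", extra)):
        if names:
            problems.append(f"{label}: {', '.join(names)}")
    if not problems and tuple(header) != EXPECTED_FIELDS:
        # Same columns but wrong order: report the first misplaced position.
        pos = next(i for i, (h, e) in enumerate(zip(header, EXPECTED_FIELDS)) if h != e)
        problems.append(f"out of order from column {pos + 1} ({header[pos]!r})")
    if problems:
        return problems, 0  # row contents are not trustworthy under a bad header
    col = EXPECTED_FIELDS.index("flexString1")
    hits = sum(1 for row in reader if len(row) == len(EXPECTED_FIELDS) and row[col] == TEST_RULE_NAME)
    return problems, hits

def make_csv(fields, rows):
    """Build a constructed CSV body (sample data, not real Logger output)."""
    buf = io.StringIO()
    csv.writer(buf).writerows([list(fields)] + [[r.get(f, "") for f in fields] for r in rows])
    return buf.getvalue()

# Constructed samples: a correct export and one with the first two columns swapped.
TEST_ROW = {"deviceVendor": "ArcSight", "deviceProduct": "ArcSight", "flexString1": TEST_RULE_NAME}
SAMPLE_OK = make_csv(EXPECTED_FIELDS, [TEST_ROW, TEST_ROW, {"flexString1": "Other"}])
SAMPLE_SWAPPED = make_csv(("name", "endTime") + EXPECTED_FIELDS[2:], [TEST_ROW])
```

Point `check_saved_search_csv` at the contents of a file from the savedsearch directory; a non-empty problem list means the Flex Connector parser will misalign every column of that file.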
Good Hunting!