Start Everything with a Filter

Author: Gregory Hedge
August 6, 2018

In the ArcSight SIEM (ESM), all content should start with a Filter. When making content such as an Active Channel, Query or Rule, always reference Filters in the Conditions and Filter tabs. Even a Filter should start with a Filter, when possible.

This important principle keeps ArcSight content manageable for the long term: it is more organized, easier for others to understand, and allows for faster changes and continual improvements. It also helps ESM content developers work smarter. If something changes at the base level in the future, such as an event source, it is much easier to reconfigure the base Filter than to touch the Filter and Conditions tabs of every piece of custom content that has already been developed. ArcSight's own Activate Framework is built upon this principle.

Starting everything with a Filter is one of the important practices I have learned during my many years of managing ArcSight systems across the United States for a diverse group of customers. With this practice, there is no need to build the same content repeatedly with each new Filter, Query or Active Channel. Even a Filter should start with a base Filter. A Filter can also be nested, referencing another Filter from within the Filter tab.

What do I mean by this? Here is an example.

The Filter for Cisco teardowns of TCP connection events references another Filter for the base Cisco firewall events.

In the future, when the networking team purchases the firewall services module for Cisco switches, it is just a matter of adding that product to the base Cisco firewall Filter without having to modify every firewall Filter, Rule and Query.

Active Channels should also reference a Filter.

When making an Active Channel from Create Channel with Filter, immediately go into the Inspect/Edit window and replace the contents of the Conditions with the actual Filter you used to create the Active Channel. If that Filter is ever changed, the Active Channel built from it will change too. When creating a Rule, reference a Filter but add any necessary unique components to the Conditions that define its purpose. If the Rule is to notify the SOC when I have a successful Active Directory login, add my user name as part of the Conditions.
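To show why this matters, here is an added example (not ArcSight's own code) that models nested Filters in Python: a base Cisco firewall Filter, a TCP teardown Filter that starts with it, and a Rule that starts with a Filter and adds a user name. The field names follow ArcSight event fields; the sample events, the product list and the category values are constructed for the example.

```python
"""Added example, not ArcSight's code: a small model of nested ESM Filters.

Changing the base Filter (adding FWSM to the Cisco firewall products) is picked
up by the nested teardown Filter with no edit to the nested Filter itself.
Events, product names and category values are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]
Condition = Callable[[Event], bool]


@dataclass
class Filter:
    name: str
    parents: List["Filter"] = field(default_factory=list)     # referenced Filters
    conditions: List[Condition] = field(default_factory=list)  # this Filter's own conditions

    def matches(self, event: Event) -> bool:
        # Referenced Filters are checked first, then the local conditions; all are ANDed.
        return all(p.matches(event) for p in self.parents) and all(c(event) for c in self.conditions)


# Base Filter: which products count as "Cisco firewall". Only ASA at first (constructed).
cisco_products = {"ASA"}
cisco_firewall = Filter("Cisco Firewall Events", conditions=[
    lambda e: e.get("deviceVendor") == "Cisco" and e.get("deviceProduct") in cisco_products])

# Nested Filter: starts with the base Filter and adds only what is unique to teardowns.
cisco_tcp_teardown = Filter("Cisco TCP Teardowns", parents=[cisco_firewall], conditions=[
    lambda e: "Teardown TCP connection" in e.get("name", "")])

# Base Filter for successful Active Directory logins (constructed category values).
ad_login_success = Filter("AD Successful Logins", conditions=[
    lambda e: e.get("deviceVendor") == "Microsoft" and e.get("categoryOutcome") == "/Success"
    and e.get("categoryBehavior") == "/Authentication/Verify"])


def rule_matches(rule_filter: Filter, user: str, event: Event) -> bool:
    """A Rule starts with a Filter and adds its own unique condition (here a user name)."""
    return rule_filter.matches(event) and event.get("destinationUserName") == user


def add_firewall_product(product: str) -> None:
    """Change the base Filter only; every Filter, Rule and Query built on it follows."""
    cisco_products.add(product)


# Constructed sample events.
ASA_TEARDOWN = {"deviceVendor": "Cisco", "deviceProduct": "ASA",
                "name": "Teardown TCP connection 12345 for outside:203.0.113.5/443"}
FWSM_TEARDOWN = {"deviceVendor": "Cisco", "deviceProduct": "FWSM",
                 "name": "Teardown TCP connection 67890 for outside:203.0.113.9/443"}
AD_LOGIN = {"deviceVendor": "Microsoft", "categoryOutcome": "/Success",
            "categoryBehavior": "/Authentication/Verify", "destinationUserName": "ghedge"}
```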

To be successful with ESM there are fundamental practices that need to be followed. ArcSight, like any quality SIEM, needs daily care and feeding. Very quickly an ESM can get messy and unmanageable. Make content for the long term. Start everything with a Filter.