June 10, 2012 Leave a comment
In my previous post Using CIF to create content for ArcSight – Part 1 I quickly went over how to populate an active list with data from CIF. Now we are going to take it a step further and start monitoring for hits on that active list and generate some other content for ArcSight. This post is quite long so the TL:DR version
Create active list for monitoring, create rule to populate the active list when a domain query matches a domain you are monitoring, create active channel/data monitor to watch for events.
This is a very basic active list/correlation rule example you can do much more but this should be a decent starting point.
Also please note for this example I am using ISC Bind DNS logs so the query field gets mapped to the DeviceCustomString4 field in ArcSight
First let’s create another active list :
In the Navigation Panel go to Active Lists and right click your personal folder and select New Active List
Next in the Inspect/Edit Panel modify the Active List to meet your needs but in this example it will have the name “Suspicious Traffic”, it will expire entries in 3 days if an entry is not updated, 10,000 entries will be allowed. These are all changeable fields after the active list is created.
Now set the fields the Active List will use (These can not be changed after the list has been created). I have entered:
Attacker Address (Key Field), Target Address, Target Port, Domain, Category Outcome, Description, Source
Now let’s create a filter so that we can match the events we are looking for:
I gave the filter the name “Discover Malicious Domain Lookup” and started with creating the following conditions
I then add an InActiveList Condition
Then I added a condition that checks if Device Custom String 4 (The BIND DNS Query field) matches the Domain Name filed in the Malicious Domains Active List
The filter should look something like this:
Click apply to create the filter and move on to creating the Correlation Rule:
For this example we will be firing on every hit which can be noisy. You might want to tune for your environment and capabilities but this should be a good starting point.
Start by creating your rule
Give it a name then click on the conditions tab. Right click and select matches filter:
Select the filter we created above:
Next we will build some local variable that will help with populating the Suspicious Traffic Watchlist we created. Click the Local Variables Tab.
Click the + button and add a new Local Variable select List from the Categories Window on the Left and the GetActiveListValue in the functions window.
Give the variable a name I chose getDomainWatchList and map Domain Name to Device Custom String4. Click Ok and create another local variable
Next we create a variable using the String Categories and the Concatenate function:
The variable name is getWatchlistSource and it’s settings are below. The first string argument source is from the getDomainWatchList variable we just created above. The second string argument is blank for this rule variable because we are only matching on this one source.
Next create one more variable using the Concatenate function caused getWatchListDescription. The first string argument source is from the getDomainWatchList variable we just created above. This two has a blank string argument for the Concatenate function.
Now that all of our variables are set we need to make sure they are aggregated so they get populated when a rule hits. Click on the aggregation tab and under the Aggregate only if these fields are identical and click the Add button. Select the variables getWatchListDescription and getWatchListSource we just created. Click ok and let’s get to working on the actions for the rule.
First we need to set a few fields that we will use to populate the event created when the rule fires. Deactivate the On First Event Action and enable the On Every Event Action then right click and Select Add -> Set Event Field . Let’s use Flex String 1 and Flex String 2 for that purpose and use the variables we created above and click OK.
We are almost done I promise 🙂
Now we need to add any systems that match the rule to the Suspicious Traffic Active List we created at the beginning of this post. Right Click the On Every Event Action then right click and Select Add -> Active List -> Add to Active List below are the mappings for the fields in the Active List.
Now click ok and then go back to the aggregation tab and add the following fields so that your fields match the ones below:
Now we are ready to apply all the conditions for the rule and deploy it as a real time rule. Once it is deployed as a rule you can try and generate some test hits by doing lookups of domains in the active list against the server creating the DNS logs. Just make sure you know the address of your system :). To monitor for events create an Active Channel where the filter is Name = Discover Malicious Domains or whatever name you gave the rule above. If everything works you should soon see events in your active channel.
You can then look at the entries for your Suspicious Traffic Active List and you should see entries in there that match the results in the active channel.
Now you can start to have some fun and create dashboard with data monitors around these type of events below is a screen shot of a sample dashboard. The top half is of an event graph and the bottom is the top bucketized count of malicious domains queried.
Now the rest of the content creation is up to you but hopefully this gets your juices flowing and you come up with some other great use cases for CIF related data. As always happy hunting!