
L2-Perimeter Monitoring - Situational Awareness

This is the official forum for the discussion of the L2-Perimeter Monitoring - Situational Awareness package.

 

This content is coming soon!

 

The installation/update package will be available from the ArcSight Marketplace. All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight).

 

The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L2PerimeterMonitoring .

--
Prentice S. Hayes
Principal Product Manager | Cybersecurity Enterprise, Security Analytics
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

  • 0

    The package currently on Marketplace (0.1.0.0) has two rules that will not validate due to a missing Active List:

    /All Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region

    /All Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region

    depends on resource

    /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries

    that cannot be found

    Jeff

  • 0  

    Are you using the latest version of Activate Base?

    --
    Prentice S. Hayes
    Principal Product Manager | Cybersecurity Enterprise, Security Analytics
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/

  • 0

    I am running 2.4.0.0 on ESM 6.9.1.

    I just dug into this a little more. The Active List is present, but it is located at /All Active Lists/ArcSight/Core/Common. The rule in the package is looking for it under /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness. Looks like the rule just needs updating.

  • 0  

    You are correct, which is why I asked which version. It's weird, because I was creating Activate Base 2.4.0.0 when I was splitting up the Perimeter and Network Monitoring packages into the respective Network Monitoring and Perimeter Monitoring packages. Must be a minor bug in the package framework, where it was looking for the old location (apologies, I thought I had fixed that...I'll try again). Glad you figured it out.

    --
    Prentice S. Hayes
    Principal Product Manager | Cybersecurity Enterprise, Security Analytics
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/

  • 0

    Hi,

    After installing the L2-Perimeter Monitoring - Situational Awareness package, I noticed 2 broken resources: the rules "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region".

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

    and

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found


    On a side note, I also installed the L2-Network Monitoring - Situational Awareness package and noticed a broken resource.  The rule "Web Proxy Identified Exploit Traffic" is dependent on an Active List that does not exist.

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found.


    I used the latest packages available from the HP Marketplace and installed them in the order below.  Older versions of the packages which require migration were never installed.

    ArcSight Activate Base 2.4.0.0

    L1-Perimeter Monitoring - Indicators and Warnings

    L2-Perimeter Monitoring - Situational Awareness

    L1-Network Monitoring - Indicators and Warnings

    L2-Network Monitoring - Situational Awareness

    Has anyone else experienced this? What's the best way to resolve this issue with the broken resources? From the post above, I can confirm the list is available at the location /All Active Lists/ArcSight Activate/Core/Common. Is it advisable to update the rule and keep the list in its current location? Or update the rule and move the list to the proper location?


  • 0  

    We are working on fixing this. In the meantime, the lists belong in Activate Base, so the preferred "fix" is to update the rules and leave the lists where they are.

    --
    Prentice S. Hayes
    Principal Product Manager | Cybersecurity Enterprise, Security Analytics
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/
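    A small helper, added here and not part of this thread or of the Activate packages, that parses the "depends on resource ... that cannot be found" validation messages quoted above and checks whether each missing Active List exists elsewhere under a different path (which is the repoint-the-rule fix described). The sample messages and the inventory of existing lists are constructed from the paths given in the thread.

```python
import re
from typing import Dict, List, Tuple

# Shape of the ESM package-validation message quoted in this thread.
DEP_RE = re.compile(
    r"^Rule (?P<rule>/All Rules/.+?) depends on resource "
    r"(?P<res>/All .+?) that cannot be found\.?$"
)

# Constructed sample input: two messages from the thread (built from path
# prefixes to keep the sample short) plus one unrelated log line.
OLD = ("/All Active Lists/ArcSight Activate/Solutions/"
       "Perimeter and Network Monitoring/Situational Awareness/")
RULES = "/All Rules/Real-time Rules/ArcSight Activate/Solutions/"
SAMPLE_MESSAGES = [
    f"Rule {RULES}Perimeter Monitoring/Situational Awareness/Egress Communications "
    f"to Suspicious Region depends on resource {OLD}Suspicious Region - ITAR_OFAC "
    "Countries that cannot be found",
    f"Rule {RULES}Network Monitoring/Situational Awareness/Web Proxy Identified "
    f"Exploit Traffic depends on resource {OLD}Proxy Identified Exploit Kit Queries "
    "that cannot be found.",
    "Package import completed with warnings",
]
# Constructed inventory of Active Lists present after installing Activate Base.
SAMPLE_INVENTORY = [
    "/All Active Lists/ArcSight Activate/Core/Common/Suspicious Region - ITAR_OFAC Countries",
    "/All Active Lists/ArcSight Activate/Core/Common/Some Other List",
]

def parse_missing_dependencies(messages: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_path, missing_resource_path) for every dependency message."""
    found = []
    for line in messages:
        m = DEP_RE.match(line.strip())
        if m:
            found.append((m.group("rule"), m.group("res")))
    return found

def suggest_relocations(missing: List[Tuple[str, str]],
                        inventory: List[str]) -> Dict[str, List[str]]:
    """Map each missing resource to existing resources with the same leaf name.

    An empty list means the Active List is genuinely absent (the Web Proxy
    case in the thread), not merely moved, so the rule cannot be repointed."""
    by_leaf: Dict[str, List[str]] = {}
    for path in inventory:
        by_leaf.setdefault(path.rsplit("/", 1)[-1], []).append(path)
    return {res: by_leaf.get(res.rsplit("/", 1)[-1], []) for _, res in missing}

if __name__ == "__main__":
    deps = parse_missing_dependencies(SAMPLE_MESSAGES)
    for res, cands in suggest_relocations(deps, SAMPLE_INVENTORY).items():
        print(res, "->", cands or "NOT FOUND anywhere")
```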

  • 0

    Is this problem fixed yet or not?

  • 0


    Hi ,

    Fresh installed ESM 6.11 with latest Activate base package 2.5.1.0 but faced the same issue.

    After installing the L2-Perimeter Monitoring - Situational Awareness package, I noticed 2 broken resources: the rules "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region". But I found and used the respective active list from the Activate Base package, so both rules were fixed.

    However, I am not able to fix this rule, as there is no such active list available. So my question is: from where should I get this active list, and why is it not part of this package or the base package?

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found

  • 0


    Also wondering: if the Perimeter & Network Monitoring package is split into the following 4 different packages, then why do I still see a folder/group "Perimeter and Network Monitoring"? (See the selected group in the screenshot.)

    L1-Perimeter Monitoring - Indicators and Warnings

    L2-Perimeter Monitoring - Situational Awareness

    L1-Network Monitoring - Indicators and Warnings

    L2-Network Monitoring - Situational Awareness

  • 0   in reply to 

    If you upgraded from the L<1|2>-Perimeter and Network Monitoring packages, then it is possible that some of the groups didn't get cleaned up when you (or the update scripts) uninstalled them. If you had them installed and uninstalled them, then installed the new versions, they probably weren't cleaned up.

    There are several reasons why they might not have been cleaned up with their parent package uninstallation. The most common is that some of the resources in the group were modified or were somehow linked to resources outside of the package. Worst case, there was something not quite properly cleaned up in the DB. You should be able to delete the offending groups. They're not in the new packages.

    --
    Prentice S. Hayes
    Principal Product Manager | Cybersecurity Enterprise, Security Analytics
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/