Arcsight Alert Suppression System
Suppression System
Analysts frequently need a method to suppress rules from firing until misconfigurations are resolved or point solutions are tuned. To support this activity a set of active lists will be maintained so the analysts can suppress correlation rules and data monitor alerts.
There are two sets of active lists. The first set is writable by all analysts and will have a TTL of 24 hours. These lists will be stored in "/All Active Lists/ArcSight Activate/Core/Suppression Lists". The second set of lists is only writable by L2 analysts and the TTL will be '0'. These lists will be stored in "/All Active Lists/ArcSight Activate/Core/Suppression Lists/Static".
NOTE: lists should have no more than 100 or so entries.
All logic used to compare new events to the suppression lists are stored in a filter under "/All Filters/ArcSight Activate/Core/Suppression List Filters". Should the need arise, simply create more lists and/or filters and document the hooks below.
To create more suppression lists, simply
- Add an L1 list with 24hr TTL, "/All Active Lists/ArcSight Solutions/Administration/Suppression Lists"
- Copy the list to the static directory and change the TTL to 0, "/All Active Lists/ArcSight Solutions/Administration/Suppression Lists/Static"
- Change the appropriate filter, "All Filters/ArcSight Solutions/Administration/Suppression List Filters"
- Update the documentation below
Hooking into the methodology
- Include the appropriate filter from "/All Filters/ArcSight Activate/Core/Suppression List Filters"
- For network based events where all network based lists should take affect use: "All Network Based Suppression Lists"
Well explained…great work…thank you so much for sharing such a valuable information. Looking for the best cloud penetration testing services in Hyderabad Contact Cyanous software solutions now.
ReplyDeleteBest cloud penetration testing services in Hyderabad
Best software & web development company in Hyderabad