Exclusion Lists are pre-defined lists of exclusions that can be quickly applied to your data to remove known false positives. These lists can be customized to fit your specific needs and can be updated as necessary to ensure ongoing accuracy.
The Exclusion Lists within Mobula can be found by navigating to the following path: /All Active Lists/Mobula Exclusion Lists, or from a rule's condition. Once you've located the necessary Exclusion Lists, you can further refine your settings by following the same path as the Rule Path. This lets you manage your exclusions easily and ensure that your monitoring settings are optimized for your specific needs. By using Exclusion Lists in conjunction with Mobula's comprehensive content, you can achieve a finely tuned security monitoring system that provides optimal protection for your network.
1. Connect to your Arcsight console.
2. Search for the rule Generator ID in the top right corner of the Arcsight console.
*The Generator ID is the ID of a specific rule. If you don't have the Generator ID, follow the next step.
3. Search for the rule using the rule name in quotes, for example:
“Egress Restricted Services Communication Passed by Firewall”.
4. For more accurate results, in the search box, click on the magnifying glass icon, select “Rules,” and press Enter.
5. In the “Viewer” window, you should see the “Egress Restricted Services Communication Passed by Firewall” rule on the first line. Double-click on the rule to open it in the “Inspect/Edit” window.
6. In the “Inspect/Edit” window, navigate to the “Conditions” rule tab.
7. You can see all the exclusion options under the condition:
NOT > OR > InActiveList
8. There are 5 exclusion options; you can view the meaning of each one by clicking on one of the lists.
9. As shown in the picture above, the information in the (IP,Port) exclusion list is:
Customer
CRule: the rule ID, located in the rule's “Attributes” tab (Resource ID)
IPAddress: the Source Address
Port: the Destination Port
10. Select the exclusion option that suits you the best.
11. Under the rule's “Condition” tab, you will see the “Edit” and “Summary” tabs. Click on the “Summary” tab.
12. Navigate to the list you want to use; in our example, it will be (IP,Port).
13. Clicking on the “Firewall(IP,Port)” option will open the active list properties in a new tab.
14. In this step, you have 2 options:
a. Add Entry for exclusion
b. Navigate to view the list and add an entry from there.
15. For option “A”, just click on the “+ Add Entry” button.
a. In the new tab, fill in the information described in step 9 and click Add twice.
16. For option “B”, right-click on the Active List:Firewall(IP,Port) tab and select “Find Active List In Navigator”.
17. You will find the list you want to view in its path under the “Navigator” window, Resources -> Lists.
18. Right-click on the list and select “Show entries”.
19. The “Viewer” window lists all the rules that use the same exclusion option, “Source Address and Destination Port.”
20. In the top right corner of the “Viewer” window, you will see a “+” sign. Click on it to add an entry to the exclusion list.
21. Fill in the information described in step 9 and click Add twice.
There are several options for excluding the information you want.
Please review this section to get the best results.
When making exclusions in Arcsight, you may need to exclude a destination, a source process name, or anything else. In these situations, you must pay attention to the list conditions described in steps 8 and 9.
Strings must be entered in UPPER case
You must always enter your strings in UPPER case.
In this case, you must enter the exact information from the correlation event's FlexString1:
1. Double-click on the alert you want to exclude from.
2. In the “Inspect/Edit” tab, click on its Correlation event, for example:
3. Scroll down to Flex String 1.
4. Copy the whole string that comes after “{DCS4Stripped:”.
In our example it will look like this:
Pay attention to delete the } at the end of the string if you have copied it too.
In order to exclude a zone, you must create one first.
Then, you can easily navigate to the zone you want to exclude.
Review the “Network Modeling” guide zones section to get more information about configuring Zones.
If there is a string that some values are constantly changing, you should contact mobulasupport@cyray.io for assistance.
1. If there are tools you want to exclude, you will need to find out the correct name of the tool.
2. To find the name, in the “Navigator” window, “Resources” tab, select “Field Sets”.
3. Choose the “Fields & Global Variables” tab.
4. Follow the path:
/All Fields/Mobula Use Cases/Remote Access Tools/Remote Controls
5. Select the tool you need (for example: GoToAssist) and double-click it.
6. In the “Inspect/Edit” window, you will see your “Global Variable” tab opened.
7. Go to the “Parameters” tab.
8. Copy the information in the “Velocity Template” box.
9. In the “Navigator” window, under the “Resources” tab, select “Lists”.
10. Follow the path:
/All Active Lists/Mobula/Enrichment & Inventory/Customers Systems/Customer Systems
11. Right-click on the list and select “Show Entries”.
12. In the “Viewer” window, click on “+” to add the allowed tool to the list.
13. Fill in the first 3 lines.
14. In the “Product” line, paste what you copied from the “Velocity Template” box (section 16).
15. Click on Add and Modify.
You should consider your exclusions and check the rule condition before deciding to exclude something.
Sometimes, you will have the ability to exclude some of the key conditions of a rule.
Example:
The rule condition says trigger an alert when:
[Microsoft EventID is 4688 / Sysmon ID 1
and
Source Process name is CMD.exe]
If you have the option to exclude SourceProcessNameUPPER in this rule,
excluding cmd.exe will break the rule and it will never trigger, because it is a part of the rule condition.
The Exclusion Lists within Mobula are updated in conjunction with the content updates. This ensures that any new exclusions that are added will be automatically replicated to your platform, appearing on both the Mobula App and Arcsight ESM.
If you require a new exclusion option that does not currently exist within Mobula, you can reach out to the Mobula Support Team at MobulaSupport@Cyray.io. The dedicated Mobula Content Team will carefully examine your request to ensure that there are no logic issues or duplications and will create the new Exclusion List if appropriate. This commitment to providing tailored support and content is part of our ongoing effort to deliver our customers the best possible security monitoring experience.