Expect to see a high number of false-positive (FP) alerts at the beginning of an entity's monitoring.
This guide walks you through our best practices for lowering that number to the minimum possible.
As soon as you start receiving alerts, we recommend running the following report:
Events Report Summary - to see how many alerts you have in the “Active” stage, so you can start excluding.
Use Active Channels to monitor your entity easily, spot FP patterns, and make the necessary exclusions to reduce FP alerts to a minimum.
There are several Active Channels for the different stages. At the beginning of the monitoring process, focus on the “Active” stage alerts until you have lowered the alert count as far as possible.
Active Channel Path
Follow this path in the ArcSight Console:
In the “Navigator” window, click on the “Resources” tab and select “Active Channels”.
Follow the path:
/All Active Channels/Mobula SOC/Active Alerts.
Double-click on the “Active Alerts”.
By default this channel shows the last 3 days, relative to the current time.
In the “Viewer” window you will see the active channel you just opened.
Viewer Window
Your Active Alerts channel is made up of 4 main components:
Active Channel Properties/Filter - set the time frame or search for specific information.
Radar - choose a specific time frame to focus the alert list on that range.
List of alerts - the main screen of incoming alerts.
Grid - the lower tabs for the “Analyze in Channel” option.
Looking at your alert list, find spamming alerts with the same name.
Double-clicking an alert shows its information in the “Inspect/Edit” window, on the right side of the screen.
“Inspect/Edit” Window
For a normal alert there are 2 lines: the correlation event and the base event.
Otherwise there will be one correlation event and multiple base events.
The first line, the one that contains the rule name, is the correlation event. It shows only the information that was aggregated from the base event(s); the base event usually has more information.
To access the base event, just click on the second line.
In our case, the base event name is “File Created”.
The base event name changes from alert to alert depending on the alert type.
***Follow these steps only the first time***
When you double-click an alert for the first time, configure these two options:
To hide empty rows in the log, the folders icon at the bottom of the “Inspect/Edit” window should be highlighted.
Click on “Select a Field Set” and select “Clear” to see all rows that contain information.
The fields in the log may vary from alert to alert depending on the alert type.
We usually pay attention to the following fields, among others:
External ID
Name
Message
End Time
Manager Receipt Time
Customer Name
Device Host Name
Device Address
Device Vendor
Device Product
Source Address
Source Host Name
Source User Name
Source Process Name
Source Service Name
Destination Address
Destination Host Name
Destination User Name
Destination Process Name
Destination Service Name
File Path
File Name
Old File Path
Request URL
Device Custom String# (1-6)
Sometimes you can get more information from fields not listed above.
Looking at the alert from the example, we can see the reporting product (Sysmon) and the Destination Process Name.
At this point you should ask your entity whether installing TeamViewer is allowed in their organization.
If it is allowed and you do not need to know who installs TeamViewer on their computers, exclude TeamViewer for this customer; otherwise, inform your entity about your findings.
To start excluding, you first need to get familiar with the rule condition logic.
To access a rule's conditions, follow one of the two procedures below:
From the alert list (Viewer window):
In the alert list, left-click on the alert name to highlight it.
Right-click on it.
Navigate to Correlation Options.
Click on Correlation trigger.
The rule will open on the “Inspect/Edit” window.
From an inspected alert (Inspect/Edit):
Double-click an alert to open it in the “Inspect/Edit” window.
Left-click on the alert name to highlight it.
Right-click on it.
Navigate to Correlation Options.
Click on Correlation trigger.
A new tab will appear with rule information.
Example 1
We continue with the same rule as in the previous section:
“Installation of TeamViewer Desktop” (5mUV9aIoBABC+0ExEv1wwTw==)
In the “Inspect/Edit” window you will see the rule you selected.
Under the rule name you will see several tabs.
We focus on the first 2:
Attributes - information about the rule: name, Resource ID (the ID of this specific rule, used to find it quickly or to exclude it).
Conditions - The rule conditions.
Click on the Conditions tab.
There are three condition operators:
AND - every condition under the “AND” must be met: every field, active list and filter.
OR - at least one of the conditions under the “OR” must be met.
NOT - used for exclusions, suppressions and similar; the rule fires only if the event does not match the conditions inside the “NOT”.
NOTE: if there is no “OR” under the “NOT” and the “NOT” contains multiple conditions, they are combined the same way as under an “AND”.
Explanation of this rule's conditions
The rule triggers only when all of these conditions are met:
It is a Sysmon Event ID 11 log (File create).
The “File Path” ends with “TeamViewer_Desktop.exe”.
It is not in any of the 3 active lists: Authorized Remote Access Tools, the 1-hour suppression list for this alert, and the exclusion list by hostname.
*(The suppression list is used to avoid duplicate alerts with exactly the same information.)
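To see how the AND / NOT branches and the three active lists interact, here is an added example in plain Python (not Mobula's or ArcSight's own code) that replays constructed Sysmon events through a model of this rule. The field names, list contents, hostnames, timestamps and the suppression key (host + file path) are all assumptions made for the example; in production the lists live in ArcSight active lists.

```python
from datetime import datetime, timedelta

# Added example, not Mobula's or ArcSight's own code: a plain-Python model of the
# condition tree of "Installation of TeamViewer Desktop" from Example 1, so you can
# see what each branch does and which exclusion list stops which alert.
# Field names, list contents, hostnames and timestamps are constructed assumptions.

SUPPRESSION_WINDOW = timedelta(hours=1)   # the 1-hour suppression list in the rule


def suppression_key(event):
    # Assumption: "exactly the same information" means same host and same file path.
    return (event["destinationHostName"], event["filePath"].lower())


def rule_fires(event, authorized_tools, excluded_hosts, suppression, now):
    """AND( Sysmon Event ID 11,
            filePath ends with TeamViewer_Desktop.exe,
            NOT( file name in Authorized Remote Access Tools,
                 host in exclusion list by hostname,
                 same key already alerted within the last hour ) )"""
    # AND branch: both base-event conditions must hold
    if event["deviceProduct"] != "Sysmon" or event["deviceEventClassId"] != "11":
        return False
    if not event["filePath"].lower().endswith("teamviewer_desktop.exe"):
        return False

    # NOT branch: a hit in any of the three lists blocks the alert
    file_name = event["filePath"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if file_name in authorized_tools:
        return False
    if event["destinationHostName"] in excluded_hosts:
        return False
    last = suppression.get(suppression_key(event))
    if last is not None and now - last < SUPPRESSION_WINDOW:
        return False

    # The alert fires; remember it so identical events within the hour are suppressed
    suppression[suppression_key(event)] = now
    return True


def run_rule(events, authorized_tools=frozenset(), excluded_hosts=frozenset()):
    """Replay events in arrival order and return one True/False per event."""
    suppression = {}
    return [rule_fires(ev, authorized_tools, excluded_hosts, suppression, ev["endTime"])
            for ev in events]


T0 = datetime(2024, 1, 15, 9, 0)


def sysmon(event_id, host, path, minutes):
    # Constructed base event with the few fields the rule looks at
    return {"deviceProduct": "Sysmon", "deviceEventClassId": event_id,
            "destinationHostName": host, "filePath": path,
            "endTime": T0 + timedelta(minutes=minutes)}


SAMPLE_EVENTS = [
    sysmon("11", "WS-FINANCE07", r"C:\Users\alice\Downloads\TeamViewer_Desktop.exe", 0),
    sysmon("11", "WS-FINANCE07", r"C:\Users\alice\Downloads\TeamViewer_Desktop.exe", 10),   # duplicate, < 1h
    sysmon("11", "WS-FINANCE07", r"C:\Users\alice\Downloads\TeamViewer_Desktop.exe", 130),  # > 1h later
    sysmon("11", "WS-IT-ADMIN01", r"C:\Users\bob\Downloads\TeamViewer_Desktop.exe", 5),      # excluded host
    sysmon("11", "WS-SALES02", r"C:\Users\carol\Downloads\AnyDesk.exe", 6),                  # other file
    sysmon("13", "WS-SALES02", r"C:\Users\carol\Downloads\TeamViewer_Desktop.exe", 7),       # wrong event ID
]

if __name__ == "__main__":
    # Before any exclusion (only WS-IT-ADMIN01 is on the hostname exclusion list)
    print(run_rule(SAMPLE_EVENTS, excluded_hosts={"WS-IT-ADMIN01"}))
    # After the entity confirms TeamViewer is allowed and it is added to the authorized list
    print(run_rule(SAMPLE_EVENTS, {"teamviewer_desktop.exe"}, {"WS-IT-ADMIN01"}))
```

The first replay fires twice (the first event and the one 130 minutes later); the 10-minute duplicate is stopped by the suppression list, the IT admin host by the hostname exclusion, and the last two never pass the AND branch. Once the file name is on the authorized list, the same events produce no alert at all, which is the effect the "Authorized remote access tools" exclusion has in ArcSight.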
Example 2
Potential Persistence Via TypedPaths (5f+BRcooBABCijdm1OUh04A==)
Explanation of this rule's conditions
The rule triggers if:
A Sysmon Event ID 13 log (Registry value set) was received.
The “File Path” contains the string shown in the picture above.
The “Destination Process Name” does not end with any of the paths shown in the picture.
It is not in one of the exclusion lists.
It is not in the suppression list (used to avoid duplicate alerts with exactly the same information).
Once you understand the rule condition logic from Example 1, you can see that you have 2 exclusion options:
Authorized Remote Access Tools - use this if the entity allows TeamViewer in its environment.
File(Host) - used to exclude a specific hostname that is allowed to use TeamViewer.
Learn more about Exclusions in Exclusion list guide.
View/Hide alerts with same name
To focus on a specific alert or to hide it, use the “Analyze in Channel” option; it opens a separate Grid tab at the bottom of the “Viewer” window.
You can follow these steps for every field you want to focus on.
1. Left-click to select a field (the alert name, for example).
2. Right-click on the selected field.
3. Navigate to “Analyze in Channel”.
4. To view alerts with the same name, choose “Add [Name = Alert name] to channel”.
5. A new grid opens; you can switch back to the global grid at any time from the lower left side of the “Viewer” window.
6. To hide alerts with the same name, choose “Add [Name != Alert name] to channel”.
Add/Remove Columns for easy investigations
You can make investigations easier by adding relevant columns to the alert list in the “Viewer” window; it helps you see the relevant information and make better decisions.
This works best together with the “Analyze in Channel” option from the previous section.
1. In the “Viewer” window, under the “Radar”, you will see the columns.
2. Right-click where you want to add or remove a column.
3. Navigate to Columns > Add/Remove Column > Choose.
Example
To add File Path, navigate to File > File Path.
*If the column is not added on the first attempt, it is because it was already there and you removed it; just add it again.
4. Add columns and move them from side to side to compare information within the same alert, so you can decide faster which exclusions to make.
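The same triage (find the spamming alert names, narrow the channel to one name, compare the relevant columns) can be done offline over an Active Channel export. The following is an added example, not Mobula's or ArcSight's own code; the CSV is constructed for the example (column headers follow ArcSight field labels, every row is invented) and the process paths are assumptions.

```python
import csv
import io
from collections import Counter

# Added example, not Mobula's or ArcSight's own code: the "find spamming alerts with
# the same name, add the relevant columns, compare" workflow, run offline over an
# Active Channel export saved as CSV. The export below is constructed for the example.

CHANNEL_EXPORT = r"""Name,Customer Name,Destination Host Name,Destination User Name,Destination Process Name,File Path
Installation of TeamViewer Desktop,ACME,WS-FINANCE07,alice,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\alice\Downloads\TeamViewer_Desktop.exe
Installation of TeamViewer Desktop,ACME,WS-SALES02,carol,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\carol\Downloads\TeamViewer_Desktop.exe
Installation of TeamViewer Desktop,ACME,WS-IT-ADMIN01,SYSTEM,C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe,C:\Windows\Temp\TeamViewer_Desktop.exe
Installation of TeamViewer Desktop,ACME,WS-HR03,SYSTEM,C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe,C:\Windows\Temp\TeamViewer_Desktop.exe
Installation of TeamViewer Desktop,ACME,WS-HR04,SYSTEM,C:\Windows\AdminArsenal\PDQDeployRunner\PDQDeployRunner-1.exe,C:\Windows\Temp\TeamViewer_Desktop.exe
Potential Persistence Via TypedPaths,ACME,WS-FINANCE07,alice,C:\Windows\explorer.exe,HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Potential Persistence Via TypedPaths,ACME,WS-SALES02,carol,C:\Windows\explorer.exe,HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
"""


def load_alerts(csv_text):
    """Parse the exported channel into one dict per correlation event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def top_alert_names(alerts, n=5):
    """The 'spamming' alert names, most frequent first (what the Events Report Summary shows)."""
    return Counter(a["Name"] for a in alerts).most_common(n)


def focus(alerts, field, value):
    """Equivalent of 'Add [field = value] to channel'."""
    return [a for a in alerts if a[field] == value]


def hide(alerts, field, value):
    """Equivalent of 'Add [field != value] to channel'."""
    return [a for a in alerts if a[field] != value]


def exclusion_candidates(alerts, name, *fields):
    """For one alert name, count the distinct combinations of the given columns.
    A combination that covers most of the alerts is the natural exclusion key:
    a deployment tool points at the Customer Systems / Authorized Remote Access Tools
    lists, a single host at the exclusion by hostname."""
    subset = focus(alerts, "Name", name)
    return Counter(tuple(a[f] for f in fields) for a in subset).most_common()


if __name__ == "__main__":
    alerts = load_alerts(CHANNEL_EXPORT)
    for alert_name, count in top_alert_names(alerts):
        print(count, alert_name)
        for combo, hits in exclusion_candidates(alerts, alert_name, "Destination Process Name"):
            print("   ", hits, "x", combo[0])
```

On this constructed export, three of the five TeamViewer alerts come from the same deployment-tool process rather than from a user's browser, so the question to ask the entity is about that tool (a Customer Systems exclusion) rather than about each host separately.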
Events Report Summary
The Events Report Summary is a very helpful tool for getting a wide view of an entity's recent alerts.
It can be generated once in a while or as a scheduled report.
Based on the time range you choose (the default is 24 hours), this report shows all the alerts in any stage that were triggered for the entity you selected.
Report Path:
/All Reports/Mobula/Correlations/Events Report Summary
Remote access tools
“Customer Systems” covers well-known security and management software that triggers our alerts as false positives. We can prevent those FPs by excluding the software in the relevant active list. Examples of such software:
Lenovo Computer
Admin Arsenal PDQ
Trend Micro Apex
Admin by request
ManageEngine
SentinelOne
Intune
Ask your entity which of these systems it uses, so you can exclude them in the relevant list:
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Systems
Follow the guide to learn more about properly excluding customer systems and checking the correct software name in Arcsight.
Customer Systems Exclusion Guide
I accidentally clicked on the graph in my Active Channel and now I see alerts only from a specific hour.
Drag the white bars on the left and right of the selected hour back out to the edges of the Radar.
I edited some rules, and all the changes I made were deleted / overwritten.
You can't make changes to the rules in their default form; they will be overwritten at the next update. If changes are necessary, ask the Mobula support team to guide you through moving the rule to “Custom Rules” first.
I added a column in the “Viewer” window and it is empty, but I can see the information in the base event log.
The field you added is probably not part of the rule's aggregation. To check, open the rule properties and look at the “Aggregation” tab.
You can also highlight a few alerts, right-click, select “Correlation Options” and then “Detailed Chain”. That opens those alerts together with their base events in a separate grid.
I try to add a column and it is not being added.
The column was probably already in the list and you removed it; just add it again.
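To make the empty-column answer concrete, here is an added toy model (not Mobula's or ArcSight's own code) of how a correlation event is built from its base events: only the fields on the rule's “Aggregation” tab are copied over, so a column for any other field is blank on the correlation event and has to be read from the base event or via “Detailed Chain”. The field names, the aggregation list and the base event are constructed assumptions.

```python
# Added example, not Mobula's or ArcSight's own code: a toy model of why a column can
# be empty on the correlation event while the base event has the value.
# Field names, the aggregation list and the events are constructed for the example.

RULE_NAME = "Installation of TeamViewer Desktop"
# assumption: the rule aggregates on these fields and not on filePath
AGGREGATION_FIELDS = ["deviceProduct", "destinationHostName", "destinationProcessName"]

BASE_EVENTS = [  # constructed Sysmon "File Created" base event
    {"name": "File Created", "deviceProduct": "Sysmon", "destinationHostName": "WS-FINANCE07",
     "destinationProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "filePath": r"C:\Users\alice\Downloads\TeamViewer_Desktop.exe"},
]


def correlate(rule_name, base_events, aggregation_fields):
    """Build the correlation event: only aggregated fields are copied from the base events."""
    corr = {"name": rule_name, "type": "Correlation",
            "aggregatedEventCount": len(base_events), "baseEvents": list(base_events)}
    for field in aggregation_fields:
        # assumption: the rule only aggregates base events whose values for these fields match
        corr[field] = base_events[0].get(field, "")
    return corr


def column(event, field):
    """What a Viewer column shows for this event: blank when the field is not present."""
    return event.get(field, "")


def detailed_chain(corr):
    """'Correlation Options > Detailed Chain': the correlation event followed by its base events."""
    return [corr] + corr["baseEvents"]


if __name__ == "__main__":
    corr = correlate(RULE_NAME, BASE_EVENTS, AGGREGATION_FIELDS)
    print("File Path column on the correlation event:", repr(column(corr, "filePath")))
    print("File Path on the base event:", column(detailed_chain(corr)[1], "filePath"))
    # Adding the field on the rule's Aggregation tab is what fills the column
    corr2 = correlate(RULE_NAME, BASE_EVENTS, AGGREGATION_FIELDS + ["filePath"])
    print("After aggregating File Path:", column(corr2, "filePath"))
```

Because default rules are overwritten on update, changing the aggregation this way should only be done on a rule that has been moved to “Custom Rules”, as described in the answer above.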