Purpose: Exclude known customer systems to prevent unnecessary FP alerts.
Check the List: Verify that all systems listed for exclusion are accurate.
Approve or Update: Review and approve the list of excluded systems.
Why Important: Reduces alert fatigue and operational overhead by minimizing FPs.
Get the customer's systems/software list from the entity.
Excluding known customer systems from triggering false positive alerts is a strategic approach to optimize security operations. By identifying and excluding trusted systems from triggering alerts unnecessarily, your Security Operations Center (SOC) can enhance efficiency and accuracy in threat detection and response.
Follow the path to view a list of “Customer systems”.
Navigate to the “Resources” tab and select “Lists”.
Follow the path:
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Systems
Right-click on the “Customer Systems” list and click “Show Entries”.
The list will be opened in the “Viewer” tab.
On the top right side of the “Viewer” tab, click on the “+” icon.
Start filling in the information in the “Inspect/Edit” tab:
Customer
ModifiedBy
Click on “Add” twice.
Example
For this example, the rule “Potential Recon Activity Via Nltest.EXE” (5+cXHJ4oBABDhU1Oou5MdQQ==) is used, starting either from the triggered alert or from the rule condition.
The rule was triggered for a customer who has the “Admin Arsenal PDQ” product in their environment.
In the base event of the alert, the “Source Process Name” contains the path: \AdminArsenal\PDQInventory-Scanner\
We confirmed with the customer that they are using the product.
Navigate to rule condition
Under the rule condition, click on the “Summary” tab.
Scroll down until you find the “Customer Systems” list, and click on it.
A new tab with the active list will open; click on “+ Add Entry”.
Fill in the product information for PDQ, which is “Admin Arsenal PDQ”.
Click “Add” twice.
Resource path
In ArcSight console
In the “Navigator”, under “Resources”, select the “Field Sets” resource.
Select the “Fields & Global Variables” tab.
Navigate to All Fields/Mobula/Products/ and find your product; in our case it is PDQ.
Double-click on the “PDQTag” global variable.
A “Global Variable: PDQTag” window will open in the “Inspect/Edit” window.
Click on the “Parameters” tab.
The correct string for the PDQ product is shown in the “Arguments, Velocity Template” window.
Copy the string as is into your “Customer Systems” list:
Admin Arsenal PDQ
From rule condition
In the rule's “Conditions” tab, find the “Customer Systems” list and click on it.
At the lower part of the “Inspect/Edit” window, you will find the “Customer Systems” list requirements.
Click on the “PDQTag” drop-down list next to the “Product” line to see the path of the Global Variable used by this list.
Then follow the steps from “Resource path”.
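As an added illustration (not ArcSight's or Mobula's own code), the following Python models how the exclusion is evaluated: a product tag derived from the Source Process Name, as the PDQTag global variable does, is looked up together with the customer in the “Customer Systems” list. The field names, the tag table and the sample list entries are assumptions constructed for this example; it also includes a check for list entries that can never match, which supports the periodic list review.

```python
from typing import Dict, Optional, Set, Tuple

# Assumed stand-in for the "Products" global variables (e.g. PDQTag): each
# entry maps a path fragment seen in Source Process Name to the exact tag
# string the Velocity template emits. Constructed for this example.
PRODUCT_TAGS: Dict[str, str] = {
    "\\AdminArsenal\\PDQInventory-Scanner\\": "Admin Arsenal PDQ",
}

# Constructed "Customer Systems" active list: (Customer, Product) entries.
CUSTOMER_SYSTEMS: Set[Tuple[str, str]] = {
    ("CustomerA", "Admin Arsenal PDQ"),
}


def product_tag(source_process_name: str) -> Optional[str]:
    """Derive the product tag from the process path (models the PDQTag variable)."""
    for fragment, tag in PRODUCT_TAGS.items():
        if fragment.lower() in source_process_name.lower():
            return tag
    return None


def is_excluded(alert: Dict[str, str],
                customer_systems: Set[Tuple[str, str]] = CUSTOMER_SYSTEMS) -> bool:
    """True when the alert's (customer, product tag) pair is an approved exclusion.

    The lookup is an exact string comparison on purpose: the tag must be copied
    "as is", so a typo or trailing space in the list entry means the exclusion
    silently never matches and the FP alerts keep firing. Scoping by customer
    keeps an exclusion confirmed for one customer from muting the rule for all.
    """
    tag = product_tag(alert["source_process_name"])
    if tag is None:
        return False
    return (alert["customer"], tag) in customer_systems


def stale_entries(customer_systems: Set[Tuple[str, str]] = CUSTOMER_SYSTEMS
                  ) -> Set[Tuple[str, str]]:
    """Entries whose Product string matches no known tag. They never exclude
    anything and should be fixed or removed during the periodic list review."""
    known = set(PRODUCT_TAGS.values())
    return {entry for entry in customer_systems if entry[1] not in known}


if __name__ == "__main__":
    # Constructed sample alert: PDQ scanner process path from the example above.
    sample = {"customer": "CustomerA",
              "source_process_name": "C:\\Program Files\\AdminArsenal\\PDQInventory-Scanner\\scanner.exe"}
    print("excluded:", is_excluded(sample), "stale entries:", stale_entries())
```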
If there are repeated alerts with the same source process name from some software, and that software does not exist under “Products” in the “Field Sets” resource, “Fields & Global Variables” tab:
All Fields/Mobula/Products
please contact our support team to create one.
At mobulasupport@cyray.io.
Review the “Customer Systems” list from time to time to check for updates.
Lots of FP alerts.
Monitor the effectiveness of the exclusion mechanism through metrics such as false positive rates and incident response times.
Excluding known customer systems from triggering false positive alerts is a proactive measure to enhance the efficiency and effectiveness of your SOC. By implementing and maintaining a robust process for managing exclusions, your organization can minimize distractions caused by false alarms and focus on promptly detecting and responding to genuine security threats. Regular updates and reviews of exclusion lists are essential to adapting to evolving security landscapes and maintaining high protection for critical assets.