
Device Status Monitoring Content Pack

User Guide
v 0.1 Beta


2011 Secmon Ltd, trading as EdgeSeven

This document may not be copied, modified, shared or released without prior consent of the author. Permission may
be sought from the author in writing to: EdgeSeven, Wyche Innovation Centre, Walwyn Road, Malvern, WR13 6PL
Security Situational Awareness

EDGESEVEN.COM

1. Description
The success of any SIEM system relies on receiving events from the respective in-scope source
devices and servers. Without events, the SIEM platform is effectively useless. Part of
setting up a good SIEM system is creating mechanisms to ensure that these events are received, and
the most effective approach is to use the Device Status Monitoring (DSM) capability built in to the ArcSight platform.
This content pack utilises the DSM capability to track and alert on any event sources that stop
sending events, so that you can take the appropriate action to re-establish the event flow. The pack
also contains mechanisms to detect servers/devices that have potentially been removed from the
network.

2. How the Content Pack Works with DSM


DSM is a piece of functionality that exists within the connector framework. It has a single parameter,
called Enable Device Status Monitoring, that is measured in milliseconds and is found under the
Processing section of the connector's Default settings tab (see below).

This parameter controls how often the connector reports on the devices it is seeing events
from. The report is an event identified by deviceEventClassId = agent:043 and contains a vital piece of
information called Events Since Last Check (SLC). The SLC value tells us how many events the
connector has received from that device since the last check, the last check being the time window configured (in the
example above, every 30 minutes).

If the value is not zero, the connector has seen events (the value being the number of events seen)
from the respective device within the time window. If the value is zero, we can assume that the
connector has not received any events from the device within the time window, indicating a possible
feed issue.
The DSM setting is a global value: the time value set applies to all devices reporting to that
connector, whether they only send a few events per day or stream at high EPS rates. This makes it a
challenge to work out the best time window for all the respective devices so that you don't get too
many false positives.
Rather than having to configure and constantly tune all the connectors with differing times, the
EdgeSeven DSM pack uses active lists and asset categorisation to control the time window,
easing your overall administration. You can simply configure a standard time on all connectors
(30 minutes is recommended) and then tune the active list Time To Live (TTL) accordingly.
The other content in the pack takes care of controlling which hosts are monitored and alerted against
as well as providing useful administration reports and dashboards.

3. Compatibility
The content pack was developed on a version 5, Service Pack 2 system and should be installed on
a system with the same version. It should be possible to install the pack on any version 5 system,
but it should be tested first.

4. Requirements
To be able to install and use the content pack you will need to have the following:

ArcSight ESM version 5 service pack 2 (the package should work on any version 5 system)

Access to an ESM console

ESM account with privileges to install and modify content packs

Valid ArcSight ESM license

List of all devices to be monitored

5. Files Included
The following files are included with the package:

Device Status Monitoring Content Pack v1.0.0.0.arb

Asset Import Template for use with the Console Network Model Wizard

Asset Import Template for use with the Asset Import Connector

6. Feedback
For any bugs or feature requests please email development@edgeseven.com


7. Downloading
The content pack is available from our website under http://www.edgeseven.com/resources.html

8. Additional Resources
Please have a look at our other resources for tools, tips and techniques:
Twitter https://twitter.com/#!/Edge_Seven
EdgeSeven Videos https://www.youtube.com/user/EdgeSevenVideo/videos
Total SIEM Blog https://totalsiem.blogspot.com
Facebook https://www.facebook.com/pages/EdgeSeven/123138681100924

9. Installing the Content Pack


Step

Description

Step 1

Open up a console and in the navigator select the packages tab.


Step 2

Click import and browse to the content pack.

Step 3

Click Next to install the package; the package will begin to install.


Step 4

Click OK. The pack should now be installed and visible in the navigator tree.

Step 5

Note that the rules are automatically linked into the Real-Time Rules folder.


10. Configuring the Content Pack


Step

Description

Step 1

Import and/or tag your existing assets with the corresponding asset category (see below). Use
Streaming for event sources that constantly send events and use Batch for sources that send
events at pre-defined intervals.

/All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Batch


/All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Streaming

Note 1: The pack contains sample asset import templates for use with the Asset Import Connector
and Console Network Model Tool. Please refer to the respective documentation of each of those
for further information and usage.
Note 2: The necessary categories can also be applied at the group (folder) level. Any assets under
that group will then inherit the categories applied to it.


Step 2

Set up the respective connectors to use Device Status Monitoring. This needs to be done for all
connectors that process events from in-scope devices.
To configure, double-click the respective connector in the navigator and then select the Default
tab. Under the Processing sub-section, alter the Enable Device Status Monitoring parameter to
suit. Note that the time must be entered in milliseconds. Click Apply when done.
A good value to start with is every 30 minutes (1800000 milliseconds). This means that the
connector will report on all devices sending events every 30 minutes (this can be changed at a later
stage if needed).
Once the setting has been configured, restart the connector.


Step 3

Configure the Time To Live (TTL) for the Active Lists. This only needs to be done if you would like
to increase/decrease the alert notification period. For example, you can change the TTL of
Streaming Devices active list to 1 hour to be alerted if any streaming device has not sent any
events for a 1-hour period. The default TTLs are as follows:
Batch Devices = 25 hours
Devices Not Reporting = 7 days
Device Potentially Removed From Network = Indefinite (admin should delete entries)
Streaming Devices = 2 hours
Navigate to /All Active Lists/EdgeSeven/System Monitoring/Devices/Device Status Monitoring
To configure, double click the respective active list and alter the TTL values, then click Apply.

Step 4

Enable notifications on the respective rules to receive alerts should a host stop sending events.
Navigate to /All Rules/EdgeSeven/System Monitoring/Devices/Device Status Monitoring
To configure, double-click Device Not Reporting and select the Actions tab. Right-click
Send Notification and select Enable Action. You can also change the destination by right-clicking,
selecting Edit and then selecting the appropriate Destination Group from the drop-down
menu. Do the same for Device Potentially Removed From The Network.
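As an added illustration, not code from the pack or this guide, the following Python sketch applies the active-list and TTL logic described in section 2 and in Step 3 above to a handful of constructed agent:043 events. The host names, vendors, timestamps and categorisation are made up; the field names follow the Troubleshooting section's field list.

```python
from datetime import datetime, timedelta

# Default active-list TTLs from Step 3 of the guide.
LIST_TTL = {"Streaming": timedelta(hours=2), "Batch": timedelta(hours=25)}
NOT_REPORTING_TTL = timedelta(days=7)  # Devices Not Reporting list

# Hypothetical asset categorisation from Step 1: host -> Streaming or Batch.
CATEGORIES = {"fw01": "Streaming", "dc01": "Streaming", "backup01": "Batch",
              "old-proxy": "Streaming", "nas01": "Batch"}
def dsm_event(end_time, host, vendor, slc):
    """Build a constructed DSM event with the field names from the Troubleshooting section."""
    return {"endTime": end_time, "deviceEventClassId": "agent:043", "deviceVendor": "ArcSight",
            "attackerHostName": host, "deviceCustomString1": vendor, "deviceCustomNumber2": slc}

# Constructed sample events, not captured data. deviceCustomNumber2 is Events Since Last Check.
SAMPLE_EVENTS = [
    dsm_event("2011-06-01T12:00", "fw01", "Cisco", 1520),
    dsm_event("2011-06-01T09:30", "dc01", "Microsoft", 87),
    dsm_event("2011-06-01T12:00", "dc01", "Microsoft", 0),    # zero SLC: nothing in this window
    dsm_event("2011-05-31T20:00", "backup01", "Veritas", 4),
    dsm_event("2011-05-20T12:00", "old-proxy", "Squid", 300),
    dsm_event("2011-06-01T12:00", "conn01", "ArcSight", 12),  # connector reporting on itself (Q4)
]
def is_counted(ev):
    """Mirror the rule conditions: a DSM event with non-zero SLC, not from ArcSight itself."""
    return (ev["deviceEventClassId"] == "agent:043" and ev["deviceVendor"] == "ArcSight"
            and ev["deviceCustomString1"] != "ArcSight" and ev["deviceCustomNumber2"] > 0)

def device_status(events, categories, now_iso):
    """Classify each categorised host as the pack's lists and rules would: a counted event
    (re)adds the host to its Streaming/Batch list for that list's TTL, expiry fires Device Not
    Reporting, and a further 7 days fires Device Potentially Removed From Network."""
    now, last_seen = datetime.fromisoformat(now_iso), {}
    for ev in filter(is_counted, events):
        host = ev["attackerHostName"]
        if host in categories:
            t = datetime.fromisoformat(ev["endTime"])
            last_seen[host] = max(t, last_seen.get(host, t))
    status = {}
    for host, cat in categories.items():
        if host not in last_seen:
            status[host] = "never seen"  # asset/category mismatch, see Troubleshooting Q2
        elif now - last_seen[host] > LIST_TTL[cat] + NOT_REPORTING_TTL:
            status[host] = "potentially removed"
        elif now - last_seen[host] > LIST_TTL[cat]:
            status[host] = "not reporting"
        else:
            status[host] = "reporting"
    return status
```

Note that dc01's zero-SLC report at 12:00 does not refresh its entry, so it expires from the Streaming list on the strength of its 09:30 report alone.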


11. Content Overview
The table below lists all the content that is used within the package along with its corresponding
description.

Content Name

Description

ACTIVE LISTS /All Active Lists/EdgeSeven/System Monitoring/Devices/Device Status Monitoring


Batch Devices

List of all devices currently sending events in batch mode

Devices Not Reporting

List of devices that are currently not sending events

Devices Potentially Removed From Network

List of devices that have not sent events for 7 days (this is configurable)

Streaming Devices

List of devices currently sending events in stream mode

ASSET CATEGORIES /All Asset Categories/EdgeSeven/System Monitoring/Devices/Device Status Monitoring


Batch

Used to define batch devices

Streaming

Used to define streaming devices

DASHBOARDS /All Dashboards/EdgeSeven/System Monitoring/Devices/Device Status Monitoring


Device Status Overview

Graphical view of hosts that have stopped sending events

FILTERS /All Filters/EdgeSeven/System Monitoring/


Device Status Monitoring - Exclusions

Used for rule conditions

FILTERS /All Filters/EdgeSeven/Vendor Events


ArcSight Base Events

Used for rule conditions

QUERIES /All Queries/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Query Viewers


Devices Not Reporting

Used for query viewers

Devices Potentially Removed From Network

Used for query viewers

QUERIES /All Queries/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/Reports


Devices Not Reporting

Used for reporting

Devices Potentially Removed From Network

Used for reporting

QUERY VIEWER /All Query Viewers/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/


Devices Currently Not Reporting

Shows all hosts that are not sending events

Devices Potentially Removed From Network

Shows all hosts that have potentially been removed from the network

REPORTS /All Reports/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/


Devices Currently Not Reporting

Shows all hosts that are not sending events

Devices Potentially Removed From Network

Shows all hosts that have potentially been removed from the network

RULES /All Rules/Real-time Rules/EdgeSeven/System Monitoring/Devices/Device Status Monitoring/


Batch Device Sending Events

Controls which hosts are added to the Batch Devices Active List

Device Not Reporting

Fires when a device expires from either the Batch Devices or the Streaming Devices Active List

Device Potentially Removed From Network

Fires when a device expires from the Device Not Reporting Active List

Streaming Device Sending Events

Controls which hosts are added to the Streaming Devices Active List


12. Troubleshooting
The following section discusses common questions and issues encountered when using the
content pack.
1. How do I find Device Status Monitoring events?
The easiest way to find DSM events is to open an Active Channel and add a filter where
deviceEventClassId = agent:043 and deviceVendor = ArcSight.
2. I'm not seeing any devices in the Streaming/Batch Active List.
The most common cause is that the device details the agent is reporting don't match the
imported asset. This is especially true for multi-homed devices. To verify, find the
corresponding DSM event (see issue 1) and double-click the event to open it in the Event
Inspector.
Browse down to the Attacker section. The Attacker Asset ID field should be populated with
an asset ID and should be blue in colour (if no value is present, then the device is not
associated with an asset).

Double-click Attacker Asset ID and it should open the corresponding asset in the
Inspect/Edit panel. Select the Categories tab for the device and ensure that it has the
appropriate categories applied.


3. What fields are relevant within the DSM event?

deviceEventClassId    Used to find the events (value = agent:043)
attackerHostName      Hostname of the device the events were received from
attackerAddress       IP address of the device the events were received from
deviceCustomNumber1   Number of events received by the connector since last start
deviceCustomNumber2   Number of events received by the connector since last check
deviceCustomString1   Vendor of the device the events were received from
deviceCustomString2   Product of the device the events were received from
4. Why is the ArcSight vendor/product excluded from being monitored?
The connector generates events itself (start/stop etc.) and thus counts itself as a source
device and sends DSM information about itself.

13. Known Issues
None

14. Disclaimer
This software is provided by EdgeSeven as is and any express or implied warranties are disclaimed.
In no event shall EdgeSeven be liable for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of substitute goods or services;
loss of use, data, or profits, or business interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of
the use of this software, even if advised of the possibility of such damage.
