Active Lists are the natural way in ArcSight to manage exceptions that should be excluded from a rule's conditions.
When an Active List is created as an exclusion list, you can either give its entries a static TTL, so that they are removed automatically after a fixed period, or manage the entries yourself and delete them manually.
But what if you have several rules covering different scenarios, and each exclusion you make is for a different length of time?
Take, for example, a rule that monitors sensitive Active Directory groups. You want to exclude an IT worker who needs to perform a special action (adding multiple users, creating a new sensitive group, deleting users, or similar), and each time he does so he tells you how long it will take: ten minutes, an hour, or a few days.
In such cases you will need to manage the exclusions manually (or create a separate Active List for each TTL you need).
The CyberSIEM team has developed a tool that makes handling these exclusions as simple as creating an Active List.
Create the Active List:
- While creating your Active List, set the following attributes to 0 to disable the TTL:
- TTL Days
- TTL Hours
- TTL Minutes
- In the Data section, select Fields-based and enter the fields required for the exclusion.
You can mark as many fields as key fields as the scenario requires.
- Add a field called “expiredDate” and set its type to Date.
- Click Apply to save the Active List.
The Active List configuration should look like this:
- Copy the resource ID of the Active List; you will need it later in the tool configuration.
- Add entries to the Active List, setting the expiredDate field of each entry to the time at which that exclusion should expire.
Running the tool
- Download the tool zip file from [here] and unzip it into a new folder on your computer.
There will be two files in it: installer.exe and activeListDynamicTTL.exe.
- Make sure the machine you are running the tool on can reach the ArcSight ESM Manager on TCP port 8443 (the default Manager port).
- Run installer.exe and follow the on-screen instructions.
Enter the ArcSight ESM hostname, port, user, and password.
Then enter the Active List resource ID you copied in the “Create the Active List” section.
The installer needs to be run again only if the Active List changes or the ArcSight user's password is changed.
The installer creates a file called “CyberSIEM.properties” containing the key and the hash of the password you entered. Anyone who can read this file can run the tool as that ESM user, so restrict read permission on it to the trusted account that will run the tool, and use a dedicated ESM user that has only the rights needed to read and delete entries in this Active List.
If you restrict permissions on the file, make sure you run the following steps as a user with the right permissions.
- Run activeListDynamicTTL.exe.
The application can also be installed as a Windows service with the sc command:
sc create CyberSIEMDynamicTTL binpath= [EXE PATH] start= auto
- Note that sc requires a space after binpath= (and after start=) before the value.
If the service runs under a different account than the one you used for the installer, that account must be able to read CyberSIEM.properties.
The application writes a log file recording each deleted entry and any run-time errors.
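The logic the tool has to implement is simple: read the list, compare each entry's expiredDate with the current time, and delete the entries whose time has passed. The script below is an added example of that logic, written for this post; it is not the CyberSIEM tool's code. The selection and request-building functions run offline on a constructed sample, and entries with a missing or unreadable expiredDate are reported rather than deleted. The REST endpoint paths and the JSON request/response shapes in expire_list() are assumptions modelled on the ArcSight ESM Web Services (REST) API, and the ca_file path is an assumption; verify both against the API reference for your ESM version before use.

```python
"""Remove Active List entries whose expiredDate has passed.

Added example for this post; it is not the CyberSIEM tool's code. The
selection logic runs offline on the constructed sample below. The REST
endpoint paths and JSON shapes in expire_list() are assumptions modelled on
the ArcSight ESM Web Services (REST) API; check them against the API
reference for your ESM version.
"""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample rows for a list keyed on attackerUserName/targetUserName
# (user performing the action / group touched) plus the expiredDate column.
SAMPLE_COLUMNS = ["attackerUserName", "targetUserName", "expiredDate"]
SAMPLE_ROWS = [
    ["it.admin", "CN=Domain Admins", "1700000000000"],          # epoch ms, in the past
    ["it.admin", "CN=Backup Operators", "2099-01-01T00:00:00Z"],  # ISO 8601, in the future
    ["helpdesk", "CN=Account Operators", ""],                   # expiredDate never set
]


def parse_expired_date(value):
    """Return an aware UTC datetime, or None if the value is empty or unparseable.

    Assumption: the API hands Date fields back as epoch milliseconds or ISO 8601.
    Everything is compared in UTC so the host's local timezone cannot shift expiry.
    """
    if not value:
        return None
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def select_expired(columns, rows, now=None):
    """Split rows into (expired, skipped).

    expired: expiredDate is strictly before now -> safe to delete.
    skipped: expiredDate missing or unparseable -> left in place and reported,
             so an operator decides instead of the script guessing either way.
    """
    now = now or datetime.now(timezone.utc)
    col = columns.index("expiredDate")
    expired, skipped = [], []
    for row in rows:
        when = parse_expired_date(row[col])
        if when is None:
            skipped.append(row)
        elif when < now:
            expired.append(row)
    return expired, skipped


def delete_request(token, resource_id, columns, rows):
    """Build the assumed ActiveListService.deleteEntries body for the given rows."""
    return {"act.deleteEntries": {
        "act.authToken": token,
        "act.resourceId": resource_id,
        "act.entryList": {"columns": columns,
                          "entryList": [{"entry": row} for row in rows]},
    }}


def _post(ctx, url, payload):
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def expire_list(host, user, password, resource_id, ca_file, port=8443):
    """Log in, fetch the list, delete the expired rows, return (expired, skipped)."""
    base = f"https://{host}:{port}/www"
    # Trust the Manager's own CA certificate rather than disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    token = _post(ctx, f"{base}/core-service/rest/LoginService/login",
                  {"log.login": {"log.login": user, "log.password": password}}
                  )["log.loginResponse"]["log.return"]
    data = _post(ctx, f"{base}/manager-service/rest/ActiveListService/getEntries",
                 {"act.getEntries": {"act.authToken": token, "act.resourceId": resource_id}}
                 )["act.getEntriesResponse"]["act.return"]
    columns = data["columns"]
    rows = [e["entry"] for e in data["entryList"]]
    expired, skipped = select_expired(columns, rows)
    if expired:
        _post(ctx, f"{base}/manager-service/rest/ActiveListService/deleteEntries",
              delete_request(token, resource_id, columns, expired))
    for row in skipped:
        print("WARNING: no usable expiredDate, left in place:", row)
    for row in expired:
        print("deleted:", row)
    return expired, skipped


def demo(now=None):
    """Run the selection on the constructed sample with a fixed 'now'."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    return select_expired(SAMPLE_COLUMNS, SAMPLE_ROWS, now)


if __name__ == "__main__":
    expired, skipped = demo()
    print("expired:", expired)
    print("skipped:", skipped)
```

Run as a scheduled task or service under the same restricted account that owns the credential file, and give that ESM user only the rights needed on this one Active List; the script never touches entries it cannot interpret, so the warning lines are the ones to review after each run.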
The application is limited to one Active List. For the unlimited version and more features, please contact us at [email protected]
Yochay Ezra, SIEM Orchestration Specialist