I was wondering if anyone has any standard rules and policies which can
be instantly deployed & added to Arcsight ESM for monitoring Windows,
UNIX, database and network devices. I understand the rules vary and are
specific to the OS and n/w devices. We have to setup the rules and
commission Arcsight in our company. If anyone has prior hands-on using
Arcsight or if you have any literature, please share. Also, if you have
any docs on how to setup rules on Tripwire tool for file integrity
checking please share the information. Thank you in advance.
ArcSight doesn't so much depend on rules, like an IDS. The agents just
grab log/event data and the main engine fondles it to make pretty charts
and correlations. The real benefit is in writing/modifying policies to get
you the info you want. Write me offlist if you'd like help with anything
ArcSight.
ArcSight doesn't do *packet-inspection* like an IDS. It absolutely does
depend on rules, or policies if that's what you'd rather call the series
of criteria which must be met to fire off a correlation event. All of
the Arcsight engineers I've spoken to call them rules, though.
I'm also not sure why the overposter is catching such flak for asking
about community rules. It's certainly true that you should be getting
training and documention on rule creation as part of your rollout, and
it's likely true that Arcsight will give you some site specific
rule-content as well. It still makes perfect sense to me to look for
community-created rules from other sites that have overlapping needs.
There are many examples of site-agnostic rules that would be widely
applicable... rules correlating related Emerging Threats sigs for snort
could cut down on falses significantly and would have very little
site-dependence.
It may be that you're looking in the wrong place. Most of the useful
information sharing regarding Arcsight seems to happen in the forums
they host, which cannot be accessed without a support account.
If you don't have one, ask for one and look there.
Thanks,
Mike Lococo
