
Application Logging Demo Quick Start Guide v3.1

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The Quick Start Guide for the Application Logging DEMO is written for security operations groups that want better visibility into application logs and faster analysis of security events. It covers automatically normalizing existing log entries, monitoring user authentication, identifying file and database access and the SQL queries associated with data theft, and detecting attacks and suspicious activity with ArcSight ESM (Enterprise Security Manager) and the App Defender Agent. The DEMO VM described in the guide contains:

  • Latest ArcSight ESM 6.9.1C installed under /opt/arcsight/manager

  • Latest App Defender 16.2 ESM Solution content, including the Application Logging and Application Protect ESM content

  • An ArcSight Replay Agent with sample events for populating dashboards and triggering alerts

  • Riches App (a deliberately vulnerable Java web application)

  • An ArcSight Syslog Connector at /opt/arcsight/connector, forwarding events from the installed App Defender Agent

The guide recommends the replay agent for populating most dashboards and alerts, which keeps manual data population to a minimum. For a more dynamic demonstration with live events, additional App Defender Agents can be installed and pointed at the ESM.

Key points:

  • VM specifications: CentOS 7.1, 4 CPU cores, 6GB RAM (8GB recommended), 80GB disk.

  • Network configuration: NAT with IP address 192.168.40.130/24; DHCP can be configured if needed.

  • Setup steps for the App Logging Demo VM: importing and extracting the VM, configuring the NAT network, and starting the ArcSight ESM console.

  • Appendix A explains how to set up an App Defender Server that generates live events from the Riches Java web app on a Linux server: installing the agent, modifying configuration files, setting up a risk group, and directing logs to syslog via the connector.

  • Users can reach the Riches App at http://192.168.40.130:8080/riches and log in with the credentials 'demo'/'demo'.

This guide lets security operations teams deploy a demo environment quickly, understand the basic functionality of ArcSight ESM and the HP Fortify App Defender Agent, and demonstrate the capabilities of these tools effectively.

Details:

The Quick Start Guide for the Application Logging DEMO gives a comprehensive overview of how the demo helps security operations groups: it improves application log visibility and security event analysis so they can respond to threats faster and reduce risk. Its capabilities include automatically normalizing existing log entries, monitoring user authentication for potentially fraudulent access, identifying file and database access and the SQL queries associated with data theft, and detecting attacks and suspicious activity with ArcSight ESM (Enterprise Security Manager) and the App Defender Agent. The DEMO VM included with this guide features:

  • Latest ArcSight ESM 6.9.1C installed under /opt/arcsight/manager

  • Latest App Defender 16.2 ESM Solution content, including Application Logging and Application Protect ESM content

  • An ArcSight Replay Agent with sample events to populate App Logging dashboards and active channels, triggering alerts

  • Riches App (a vulnerable Java Web App)

  • An ArcSight Syslog Connector for forwarding events from the App Defender Agent installed at /opt/arcsight/connector

This VM also includes GLIDE demo use cases similar to the earlier App View Demo scenarios. The guide recommends the replay agent for populating most of the dashboards and triggering alerts, which keeps manual data population to a minimum. To see live attacks inside ArcSight ESM, install additional App Defender Agents for a more dynamic demonstration. The document also summarizes how to set up and use an App Defender Server with the Riches App (or another vulnerable app); this requires installing the App Defender Agent and assigning it to a risk group. No Demo Glide is needed to generate live events: the demo content carried over from the previous App View Demo VM is reused, updated to reflect the new protection event data. The virtual machine (VM) specifications are:

  • Operating System: CentOS 7.1

  • CPU: 4 cores

  • Memory: 6GB (recommended upgrade to 8GB for optimal performance)

  • Total Disk Space: 80GB

  • OS User/Password: arcsight/arcsight, root/arcsight

  • ESM Console: admin/runtime

  • Network Configuration: NAT with IP address 192.168.40.130/24; DHCP can be configured if necessary.

  • Hostname: vm-esm691c

To set up the App Logging Demo VM, follow these steps:

1. Extract the demo VM archive with WinZip or a similar tool, then import it into VMware Workstation.

2. Configure the VMware NAT network to 192.168.40.0/24 so that the VM's fixed address 192.168.40.130 is reachable from the host.

3. Start the demo VM and log in as arcsight/arcsight, then start the ArcSight Replay Agent and enable all replay event files to populate ESM with the demo events.

4. Launch the ArcSight ESM console with the console credentials (admin/runtime).

This setup is intended for demonstrating App Defender's ability to detect and protect against exploitation of vulnerabilities in applications. The guide also summarizes common issues and solutions for this VM (vm-esm691c): how to run Riches App and App Defender, troubleshooting login issues, shutting down the VM, and installing and configuring the App Defender Agent (Appendix A). Key points:

1. **Running Applications**:

  • **Riches App**: Can be run, but the App Defender Agent must be installed first (Appendix A).

  • **App Defender**: The App Defender ESM solution content ships in the VM, but the App Defender Agent itself does not and must be installed by the user (Appendix A).

  • **Demo Glide**: Can be run, but also requires the App Defender Agent (Appendix A).

2. **Troubleshooting Login Issues**:

  • Allow 5 minutes for ArcSight ESM to fully boot up.

  • Check network connection if issues persist.

  • Review logs at `/opt/arcsight/manager/logs/defaults/server.std.log` or reboot the VM.

3. **Shutting Down the VM**:

  • Close the console and stop the replay agent.

  • As root, run `shutdown` to power off the VM. Without a time argument, systemd on CentOS 7 schedules the halt one minute out; `shutdown -h now` halts immediately.

4. **Starting Riches App Issues**:

  • By default, Riches App is configured to start the App Defender Agent. Install the App Defender Agent if it hasn't been installed already.

  • Check whether Riches App is running with `$ ps -efa | grep demo`. The grep process itself shows up in that output; `ps -efa | grep '[d]emo'` lists only the real matches.

Appendix A provides detailed instructions on how to generate live events from Riches App and the App Defender Agent:

  • Prerequisite is an active account on the App Defender Platform.

  • Download the App Defender Java agent from the App Defender portal.

  • Install the agents under `/opt/fortify`.

  • Modify `catalina.sh` to comment out the old runtime agent line and enable the new App Defender agent line.

This guide should help in setting up, using, and troubleshooting this specific ArcSight ESM demo VM. The remaining steps configure the Riches App to run under the HP Fortify AppDefender Agent:

1. **Configure Environment Variables**: In `catalina.sh`, uncomment (and adjust the path if needed) the line that adds the Fortify agent to the Java options:

```bash
export CATALINA_OPTS="-javaagent:/opt/fortify/AppDefender_Agent/lib.latest/FortifyAgent.jar $CATALINA_OPTS"
```

2. **Start Riches App and Agent**: With that line active, Catalina loads the App Defender agent every time Riches App starts. Start the app from a terminal:

```bash
cd /demo/riches/bin/
./catalina.sh start
```

Note: delete the Riches App desktop icon if you start the app from the terminal; double-clicking the icon can cause problems.

3. **Access Riches App**: Open `http://127.0.0.1:8080/riches` in a web browser.

4. **Assign Agent to Risk Group**:

  • Log in to the HP Fortify AppDefender Platform (https://app.hpappdefender.com).

  • Create a new risk group and assign the App Defender agent to it, giving the agent a unique name instead of the default hostname.

5. **Configure Event Output and Logging**: Enable event output for application protection and logging to syslog, directed to the "demo" destination even if the actual hostname differs. This is configured in the platform's system settings under the application protection and logger options.

6. **Appendix B: App Defender 16.2 ESM Solution Content**: The referenced appendix is not included here; it covers the version 16.2 App Defender content for the ESM (Enterprise Security Manager) solution.

In summary, the guide walks through integrating the HP Fortify AppDefender Agent with the Riches App: setting the environment variable, starting the application, registering the agent with a risk group, and directing event logs to syslog.
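As an added example that is not part of the guide or of the vendor's tooling, the following POSIX shell script automates the `catalina.sh` edit from steps 1 and 2 above and the process check from the "Starting Riches App Issues" section. It comments out any other active `-javaagent` export (the old runtime agent), activates the App Defender line exactly once, keeps a backup and the file's mode bits, and checks `ps -ef` output for the agent flag without matching its own grep. The App Defender jar path and the `CATALINA_OPTS` line are the ones quoted above; the old runtime-agent jar path in the demo and the `ps` lines in the test are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the guide: idempotently switch catalina.sh
# from the old runtime agent to the App Defender javaagent, and check that a
# running JVM actually carries the flag. The App Defender jar path and the
# CATALINA_OPTS line are the ones the guide quotes; the old runtime-agent jar
# path used in the demo below is an assumption.

AGENT_JAR="/opt/fortify/AppDefender_Agent/lib.latest/FortifyAgent.jar"
NEW_LINE="export CATALINA_OPTS=\"-javaagent:${AGENT_JAR} \$CATALINA_OPTS\""

# enable_app_defender_agent FILE
# Comments out any active CATALINA_OPTS javaagent export that does not point
# at the App Defender jar (the old runtime agent), activates the App Defender
# line exactly once (uncommenting it if present, appending it otherwise), and
# overwrites the file in place so catalina.sh keeps its mode bits. Returns 0
# when the file ends up with exactly one active App Defender line.
enable_app_defender_agent() {
    f="$1"
    tmp="$f.tmp"
    seen=""
    cp "$f" "$f.bak"                      # keep a copy before editing
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace and '#' so commented lines are recognised
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*#*[[:space:]]*//')
        case "$stripped" in
            'export CATALINA_OPTS="-javaagent:'*"$AGENT_JAR"*)
                # the App Defender line, commented or not: emit it active, once
                if [ -z "$seen" ]; then
                    printf '%s\n' "$NEW_LINE"
                    seen=1
                fi ;;
            'export CATALINA_OPTS="-javaagent:'*)
                # any other javaagent export: comment it out if it is active
                lead=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
                case "$lead" in
                    \#*) printf '%s\n' "$line" ;;
                    *)   printf '# %s\n' "$line" ;;
                esac ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$f" > "$tmp"
    if [ -z "$seen" ]; then
        printf '%s\n' "$NEW_LINE" >> "$tmp"
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"
    [ "$(grep -cxF "$NEW_LINE" "$f")" -eq 1 ]
}

# jvm_has_agent  (reads 'ps -ef' output on stdin)
# Returns 0 if a java process was started with the App Defender javaagent.
# The '[j]ava' bracket trick stops the grep from matching its own command
# line when the function is fed from a live 'ps -ef | jvm_has_agent'.
jvm_has_agent() {
    grep -q "[j]ava.*-javaagent:${AGENT_JAR}"
}

# Stand-alone demo on a constructed catalina.sh (on the VM the real file is
# /demo/riches/bin/catalina.sh; run enable_app_defender_agent on that path).
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' \
    'export CATALINA_OPTS="-javaagent:/opt/fortify/runtime-agent/lib/agent.jar $CATALINA_OPTS"' \
    '#export CATALINA_OPTS="-javaagent:/opt/fortify/AppDefender_Agent/lib.latest/FortifyAgent.jar $CATALINA_OPTS"' \
    > "$demo_dir/catalina.sh"
enable_app_defender_agent "$demo_dir/catalina.sh" && cat "$demo_dir/catalina.sh"
rm -rf "$demo_dir"
```

Running the function a second time leaves the file unchanged, so it is safe to re-run after a failed start; after `./catalina.sh start`, `ps -ef | jvm_has_agent && echo "agent loaded"` confirms that the JVM actually received the `-javaagent` flag rather than just that a process named "demo" exists.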

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
