ArcSight Discovery Scenario - Front Page 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The ArcSight Discovery Scenario uses the "Pattern Discovery" feature to validate and assess how effective ArcSight's configuration is. It involves opening a specific profile under ArcNet Profiles that uncovers patterns of at least two events that appear at least twice, evaluating events within a specified date/time window (the default demo data dates can be adjusted). The process includes configuring retention time and event order tracking, and relies on ArcSight's AI-driven data mining to identify patterns automatically from large sets of security event data. This method helps distinguish normal from suspicious activity, determine future monitoring needs, and monitor the network effectively without wasting analysis on benign events.

Details:

The ArcSight Discovery Scenario is about validating and assessing the effectiveness of ArcSight's configuration by using its "Pattern Discovery" feature. Pattern Discovery helps you discover what activity is occurring on a network, distinguish between normal and suspicious activity, and determine future monitoring needs. The scenario involves setting up and running the "3.1 Pattern Discovery - No Rules" Discovery Profile to uncover 17 patterns, including the Code Red pattern from the Snort event file demo.events. This proactive method identifies patterns of activity that are unique to your network environment, avoids unnecessary analysis of benign events, and makes previously unknown suspicious activity visible.

The task begins by opening a specific profile under ArcNet Profiles in the resource tree. This profile is designed to detect patterns of at least two events that appear at least twice, evaluating events within a specified date/time window (the default demo data dates can be adjusted for your time zone). The profile settings are:

1. Minimum pattern length of 2 events.
2. The pattern must appear at least 2 times.
3. Events are evaluated within the given date/time frame.
4. Data resulting from this profile is retained according to the "snapshot retention time."
5. "Record time order" keeps track of the sequence in which events occur.
6. "Split on Inactivity" looks for pauses between sets of events and treats each set separately.

Steps:

1. Expand "Shared\All Profiles\ArcNet Profiles".
2. Double-click "3.1 Pattern Discovery - No Rules".
3. Configure the profile to check for specific patterns using the default demo data and dates (adjustable).
4. Set up the retention time and event order tracking in the profile editor.
5. Right-click the profile and select "Take Snapshot" to capture the current pattern analysis.
6. Optionally, schedule snapshots for regular monitoring if time permits.
7. Using artificial intelligence and data mining techniques, ArcSight's Pattern Discovery automatically identifies behavioral patterns from large sets of security event data.
8. With the default demo data settings, the overall pattern tree displays multiple nodes, each representing a detected pattern.
9. The snapshot captures the current pattern analysis for further review, or for scheduling as needed.

In summary, this part of the scenario sets up and configures a profile in ArcNet Profiles to find specific patterns in large sets of event data, captures those patterns through snapshots, and relies on the AI-driven tools for automatic discovery and management within the software.

Visualizing and inspecting pattern events with the hierarchical layout in ArcSight involves the following steps:

1. **Locate FRONTPAGE Patterns**: Navigate to the first tree branching on the right and select the second node down from the top to view the specific patterns under the PATTERN window.
2. **Inspect Pattern Events**: In the PATTERN window, locate the pattern with multiple Snort events. Right-click either of the groups and select "INSPECT PATTERN" to open the PATTERN INSPECTOR.
3. **Identify Offending IP Addresses and Targets**: The right panel of the inspector lists attacker IP addresses (red boxes) and target IPs (white boxes). Use the context menu to select "Show Event Graph" for a visual representation.
4. **Expand Clusters**: To see the clusters more clearly, right-click each cluster icon and choose "Uncluster Selected Nodes." Repeat for every cluster to build a clearer hierarchical view.
5. **Distinguish Between Attackers and Targets**: Red boxes mark attackers and white boxes mark targets, making the two easy to tell apart in the visual layout.
6. **Investigate Specific Events**: Select a node in the snapshot, right-click, and choose "INSPECT" to view the individual events in an active channel. Several filter options are available; for example, the ATTACKER ADDRESS can be used as the filter condition.
7. **Visualize Individual Events**: This interactive process gives you an active channel view of the specific events related to each selected node. In the demo data these include several SHELLCODE x86 NOOP signatures and a WEB-FRONTPAGE rad fp30reg.dll access event.

By following these steps, you can efficiently visualize and analyze complex pattern events in ArcSight for incident response and forensic analysis.

The scenario then shows how to identify and address vulnerabilities on unpatched IIS servers using ArcSight as an enterprise security information and event management (SIEM) tool. First, filter the events related to vulnerabilities commonly found on unpatched IIS servers, such as WEB-MISC Chunked-Encoding transfer attempts. Selecting "RELATED EVENTS" brings up a different set of events for more focused analysis. Next, set up alerts for any further attempts that match the identified pattern: the rule automation tool creates a correlation rule automatically from the details found in the event logs. Once the rule is created, annotate the pattern and close it, so that attention stays on newly discovered patterns. To view closed or new patterns, go to the "PATTERN" tab under the "NAVIGATION" tab, select the folder containing the group of patterns you wish to analyze, right-click, and choose "VIEW PATTERNS WITH FILTER." Here you can create a filter that shows only CLOSED patterns for detailed review and action.

This process is designed to enhance security by proactively monitoring and addressing vulnerabilities in real time, ensuring that systems are kept updated and secured against potential threats.
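To make the profile settings above concrete (minimum pattern length, minimum occurrence count, "Split on Inactivity", and the inspector's attacker/target lists), here is a small stand-alone illustration of the same idea in Python. It is an added example and is not ArcSight's own Pattern Discovery code: it assumes that events are grouped per attacker address, that a "pattern" is a contiguous run of event names within a session, and that the inactivity threshold, sample event names and IP addresses are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Two sources repeat the same
# two-step sequence, which is what a "minimum length 2 / appears at least 2
# times" profile should surface; the third source is benign noise, and the
# last two events follow a long pause from an earlier source.
T0 = datetime(2025, 4, 8, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "name": "SHELLCODE x86 NOOP", "attacker": "10.0.0.5", "target": "192.168.1.10"},
    {"time": T0 + timedelta(seconds=2), "name": "WEB-FRONTPAGE rad fp30reg.dll access", "attacker": "10.0.0.5", "target": "192.168.1.10"},
    {"time": T0 + timedelta(seconds=60), "name": "ICMP PING", "attacker": "10.0.0.9", "target": "192.168.1.20"},
    {"time": T0 + timedelta(seconds=90), "name": "SHELLCODE x86 NOOP", "attacker": "10.0.0.7", "target": "192.168.1.11"},
    {"time": T0 + timedelta(seconds=91), "name": "WEB-FRONTPAGE rad fp30reg.dll access", "attacker": "10.0.0.7", "target": "192.168.1.11"},
    # Same source, hours later: "Split on Inactivity" starts a new session here.
    {"time": T0 + timedelta(hours=3), "name": "SHELLCODE x86 NOOP", "attacker": "10.0.0.5", "target": "192.168.1.12"},
    {"time": T0 + timedelta(hours=3, seconds=1), "name": "WEB-MISC Chunked-Encoding transfer attempt", "attacker": "10.0.0.5", "target": "192.168.1.12"},
]


def split_sessions(events, inactivity=timedelta(minutes=30)):
    """Group events by attacker address in time order ("record time order") and
    start a new session whenever the gap between consecutive events exceeds
    `inactivity` ("Split on Inactivity"). Pass None to disable splitting."""
    by_attacker = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_attacker[ev["attacker"]].append(ev)
    sessions = []
    for evs in by_attacker.values():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if inactivity is not None and ev["time"] - prev["time"] > inactivity:
                sessions.append(current)
                current = []
            current.append(ev)
        sessions.append(current)
    return sessions


def _is_contiguous_subsequence(short, long):
    n = len(short)
    return any(long[i:i + n] == short for i in range(len(long) - n + 1))


def discover_patterns(events, min_length=2, min_count=2, inactivity=timedelta(minutes=30)):
    """Return maximal contiguous event-name sequences of at least `min_length`
    events that occur at least `min_count` times across all sessions, together
    with the attacker and target addresses involved (the inspector's red and
    white boxes)."""
    counts = defaultdict(int)
    members = defaultdict(lambda: {"attackers": set(), "targets": set()})
    for session in split_sessions(events, inactivity):
        names = [ev["name"] for ev in session]
        for length in range(min_length, len(names) + 1):
            for i in range(len(names) - length + 1):
                seq = tuple(names[i:i + length])
                counts[seq] += 1
                for ev in session[i:i + length]:
                    members[seq]["attackers"].add(ev["attacker"])
                    members[seq]["targets"].add(ev["target"])
    frequent = {seq: c for seq, c in counts.items() if c >= min_count}
    # Keep only maximal patterns: drop one that is a contiguous sub-sequence of
    # a longer frequent pattern with the same support, so the report is not
    # cluttered with fragments of the same behaviour.
    maximal = {}
    for seq, c in frequent.items():
        if any(len(other) > len(seq) and oc == c and _is_contiguous_subsequence(seq, other)
               for other, oc in frequent.items()):
            continue
        maximal[seq] = {
            "count": c,
            "attackers": sorted(members[seq]["attackers"]),
            "targets": sorted(members[seq]["targets"]),
        }
    return maximal


def events_for_attacker(events, attacker):
    """The 'INSPECT' step filtered on ATTACKER ADDRESS: the events behind a node."""
    return [ev for ev in sorted(events, key=lambda e: e["time"]) if ev["attacker"] == attacker]


if __name__ == "__main__":
    for seq, info in discover_patterns(SAMPLE_EVENTS).items():
        print(" -> ".join(seq), info)
    for ev in events_for_attacker(SAMPLE_EVENTS, "10.0.0.5"):
        print(ev["time"], ev["name"], ev["target"])
```

Running it against the constructed events reports a single pattern, SHELLCODE x86 NOOP followed by WEB-FRONTPAGE rad fp30reg.dll access, seen twice from two attacker addresses against two targets; the NOOP-then-Chunked-Encoding sequence is seen only once and so falls below the "appears at least 2 times" threshold. Disabling `inactivity` merges the two sessions of 10.0.0.5 into one, which is the difference "Split on Inactivity" makes.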

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
