ArcSight ESM Command Center Demo Script 1
- Pavan Raja

- Apr 8, 2025
- 39 min read
Summary:
### Summary of IdentityView 2.0 Use Case in Tracking Shared Account Activity
**Objective:** The primary objective of using IdentityView 2.0 within an organizational environment is to monitor and report on shared account activities, particularly focusing on successful logins attributed back to specific users. This helps ensure compliance with access controls and auditing requirements by allowing tracking of these activities to accountable individuals.
**Setup and Process:**
1. **Accessing the System:** The process starts by logging into the Command Center as an administrator. Any existing notifications are acknowledged, and a Demo Replay Connector is started with the specified event files, replaying at a pace that can be adjusted to the needs of the demo.
2. **Dashboard and Reporting:** IdentityView 2.0 provides a dashboard that displays any activity from the SystemUser account. The system generates reports on archived login sessions for auditors, which are accessible in the archive section of the IdentityView interface.
**Key Features and Tools:**
- **IdentityView Dashboard:** Displays shared account activity, including successful logons and Cisco NetFlow events that carry no username.
- **Actor Investigation:** Uses both username and IP attribution to trace events back to a specific person, such as David West.
- **Normalization via SmartConnector:** Maps each device's own severity scale onto ArcSight's five agent severity levels, from Very Low to Very High.
- **Visualizing Events:** Reports are built from selected fields such as Name, Device Product, and Target Address using ArcSight's Visualize Events feature.
- **Archived Reports:** A report titled "Logins to Known Shared Accounts - Summary" is archived in the system's reporting module.
**Default Reports:**
- **All Archived Reports:** Cover logins, accounts, applications, and activity location in human-readable form.
- **SU and SUDO Activities:** Detailed reporting on su (switch user) and sudo (superuser do) use, that is, on user interactions that go beyond standard access.
**Legacy Application Use Case:**
- **Human-Readable Subnet Name:** The subnet is named "sj-arcnet-desktops", so network activity can be understood at a glance without consulting network drawings or spreadsheets.
- **Summary Reports of SU and SUDO Activities:** Essential for auditing and compliance, to show that access controls are being maintained.
**Adjusting Event Replay Speed:** - The initial replay speed is set at 50 events per minute but can be adjusted up to approximately 25 events per second based on operational needs.
**Broader Use and Clarity:** - **Naming Convention Applicability:** "sj-arcnet-desktops" can be applied across various content types like notifications, reports, rules, and cases for broader usability and clarity.
**Contact Information:** Users are directed to contact arst-gfs@microfocus.com for further assistance or feedback regarding the user login monitoring process or any specific suggestions.
This use case effectively demonstrates how IdentityView 2.0 can be leveraged within an organizational context to monitor shared account activities and generate detailed reports, aiding in compliance and auditing efforts.
Details:
This demo script is written for ArcSight ESM / ESM Express 7.0 Patch 1 and covers the following areas: Security Use Case, Reputation Security Monitor Plus, ArcSight Activate Threat Intelligence, ArcSight Activate and the ArcSight Marketplace, Compliance Use Case, NetFlow Use Cases, the Command Center, the Privileged User Monitoring Use Case (Afterhours Activity), and the Shared Accounts Use Case (Policy Violation). Together these demonstrate ESM's security monitoring, compliance, and user monitoring capabilities.
This document provides a demonstration script for using ESM/ESM Express with ArcSight Command Center, focusing on two specific security use cases: shared accounts (legacy application) and privileged user monitoring (activity monitoring and modeling). The script outlines the steps to set up and perform an investigation using these features.
To begin, log in as admin in the ArcSight Command Center and switch to the dark theme. Next, delete any existing notifications and cases from the admin's Cases section. Then start a demo replay connector with the specified event files, setting the replay rate to 50 events per minute. The use case synopsis outlines how an analyst moves through notification, dashboard, active channel, report, and case steps to investigate suspicious or malicious activity detected by ESM/ESM Express.
The document also includes a summary of action talking points for each step in the investigation process: receiving notifications via email and SMS, accessing My Notifications from the interface, navigating through dashboards, and generating reports and cases based on the observed activity. This script is designed to showcase how efficient ArcSight's ESM/ESM Express can be in detecting and investigating suspicious activities, providing a clear workflow for analysts to follow during an investigation.
The text describes a system for handling malicious activity alerts in real-time within a Command Center environment. When an alert is triggered by multiple login attempts to a locked Windows account, it results in a "pending notification." This notification leads through a workflow process where the user logs into the Command Center and acknowledges the notification. If no acknowledgment is received within a specified time interval, the notification escalates to the next level.
Upon clicking on the notification, users are provided with details about events associated with it, including a correlated event indicated by a red lightning bolt and normalized base events that triggered it. This correlation helps in understanding what occurred. The user can then select specific fields of interest from ArcSight Foundation/ArcSight Express field sets to focus their investigation.
The system uses the SmartConnector for normalization of events, converting unstructured data into structured format for use with applications like ESM/ESM Express. Additionally, it categorizes events automatically based on behavior type and authentication status. This setup aids in efficient handling and analysis of malicious activities by providing relevant, focused information during investigations.
This text discusses categorization in device groups and its benefits for understanding system events, making content more portable across different devices or vendors, and avoiding the need to rewrite rules and reports when event IDs change with new software versions. It also explains how a topology view of user activity can be used to explore relationships between nodes, allowing users to visualize communication among various sources, targets, and events. Additionally, it mentions the Geo View pane for geographical visualization of where events are coming from or going, which might raise concerns for companies operating within specific regions. Finally, it describes how dashboards dynamically update with new events and provide interactivity by drilling down into supporting data to gain more insights.
When starting an investigation from the main dashboard page, look at the cases related to the notifications received. Clicking the case created from the notification shows events categorized as "Multiple Login Attempts to Locked Windows Account: swright." As the analyst assigned to the case:
1. Lock the case and change its stage from 'Queued' to 'Initial.'
2. Click 'Add Note' and record that the investigation has started.
3. From the User Activity pane, create an Active Channel targeting the user name 'swright'. The channel shows swright's events within the selected timeframe using fields such as Name, Target Address, and Target User Name from the ArcSight Foundation/ArcSight Express field sets.
Through this channel you can trace swright's path from external VPN connections to internal authentication failures and the other activity attributed to the internally assigned IP address.
This document discusses integrating ESM (a security tool) with ArcSight Investigate using an IP address as a reference point. The process involves looking at events related to the specific IP address and analyzing various aspects such as user activity, login attempts, and network traffic that may indicate potential threats. It also describes how SmartConnector in ESM/ESM Express normalizes event danger levels into five categories: Very Low, Low, Medium, High, and Very High. The document suggests focusing on a DNS domain name for further investigation by adding it to the search criteria within ArcSight Investigate.
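As an added example (not ArcSight's connector code), the following Python sketch shows what the SmartConnector normalization described above does: two constructed raw lines, a Windows logon failure against a locked-out account and a Check Point firewall drop, are parsed into one event shape, given ArcSight-style category fields, and have the device's own severity word mapped onto the five agent severity levels before being serialized as CEF. The per-product severity tables, the category key names and the numeric CEF severities are assumptions made for this example.

```python
"""SmartConnector-style normalizer, added as an illustration (not ArcSight code).
Parses two constructed raw lines, a Windows logon failure and a Check Point drop,
into one event shape with ArcSight-style category fields, and maps the device's
own severity word onto the five agent severities (Very Low .. Very High).
CEF extension keys follow the public dictionary where one exists; the category
keys and the per-product severity tables are assumptions for this example."""
import re
from dataclasses import dataclass, field

# Assumed CEF header severity (0-10) for each agent severity label.
CEF_SEVERITY = {"Very Low": 0, "Low": 2, "Medium": 5, "High": 8, "Very High": 10}
# Assumed per-product tables: device severity word -> agent severity label.
DEVICE_SEVERITY = {
    ("Microsoft", "Windows"): {"Audit Failure": "Medium", "Audit Success": "Low"},
    ("Check Point", "Firewall-1"): {"accept": "Very Low", "drop": "Medium",
                                    "reject": "Medium", "alert": "High"},
}
STATUS_ACCOUNT_LOCKED_OUT = "0xc0000234"  # NTSTATUS value reported in event 4625

# Constructed sample input, not captures from real systems.
WINDOWS_SAMPLE = ("2025-04-08T10:21:05Z FS01 WinSec EventID=4625 AccountName=swright "
                  "LogonType=3 Status=0xC0000234 SourceIP=10.0.5.17 "
                  "Workstation=FS01 Audit Failure")
FIREWALL_SAMPLE = ("Apr  8 10:22:10 fwhq05 fw: action=drop src=10.0.5.17 "
                   "dst=203.0.113.45 proto=tcp service=21 rule=17")

WIN_RE = re.compile(r"EventID=(?P<id>\d+) AccountName=(?P<user>\S+) LogonType=(?P<lt>\d+) "
                    r"Status=(?P<status>0x[0-9A-Fa-f]+) SourceIP=(?P<src>\S+) "
                    r"Workstation=(?P<ws>\S+) (?P<sev>Audit \w+)")
FW_RE = re.compile(r"action=(?P<act>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"proto=(?P<proto>\w+) service=(?P<dpt>\d+) rule=(?P<rule>\d+)")


@dataclass
class Event:
    vendor: str
    product: str
    signature_id: str
    name: str
    device_severity: str
    ext: dict = field(default_factory=dict)

    @property
    def agent_severity(self) -> str:
        """Normalize the device's own scale; an unknown word lands on Low, never High."""
        table = DEVICE_SEVERITY.get((self.vendor, self.product), {})
        return table.get(self.device_severity, "Low")

    def to_cef(self) -> str:
        """Serialize with the CEF escaping rules: '|' in the header, '=' in extensions."""
        def hdr(s): return str(s).replace("\\", "\\\\").replace("|", "\\|")
        def val(s): return str(s).replace("\\", "\\\\").replace("=", "\\=")
        header = "|".join(hdr(x) for x in ("CEF:0", self.vendor, self.product, "1.0",
                                           self.signature_id, self.name,
                                           CEF_SEVERITY[self.agent_severity]))
        return header + "|" + " ".join(f"{k}={val(v)}" for k, v in self.ext.items())


def parse_windows(line):
    m = WIN_RE.search(line)
    if not m:
        return None
    failed = m["id"] == "4625"
    ext = {"duser": m["user"], "src": m["src"], "dhost": m["ws"],
           "cs1": m["lt"], "cs1Label": "LogonType",
           "categoryDeviceGroup": "/Operating System",
           "categoryBehavior": "/Authentication/Verify",
           "categoryOutcome": "/Failure" if failed else "/Success"}
    if m["status"].lower() == STATUS_ACCOUNT_LOCKED_OUT:
        ext["reason"] = "Account locked out"
    name = "An account failed to log on" if failed else "An account was successfully logged on"
    return Event("Microsoft", "Windows", m["id"], name, m["sev"], ext)


def parse_checkpoint(line):
    m = FW_RE.search(line)
    if not m:
        return None
    ext = {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": m["dpt"],
           "cs1": m["rule"], "cs1Label": "Rule",
           "categoryDeviceGroup": "/Firewall", "categoryBehavior": "/Access",
           "categoryOutcome": "/Success" if m["act"] == "accept" else "/Failure"}
    return Event("Check Point", "Firewall-1", m["act"], f"Firewall {m['act']}", m["act"], ext)


def normalize(line):
    """Route by a cheap fingerprint, as a connector routes by source type."""
    if "EventID=" in line:
        return parse_windows(line)
    if "action=" in line:
        return parse_checkpoint(line)
    return None
```

The fallback to Low for an unrecognised device severity is deliberate: an unmapped value should not be promoted to High by accident, but it will show up on a dashboard as under-rated traffic until the table is extended, which is the same trade-off a real connector's severity map makes.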
The text provided outlines a series of steps for customizing field sets in an Active Channel, adding related events to a case, and generating reports to validate findings from an investigation. Here's a summarized version of the process:
1. **Customize Field Sets**: You can change the Field Set for the Active Channel by selecting it and making adjustments. This allows you to tailor the channel according to your needs.
2. **Select Events in the Active Channel**: Identify additional events that are related to the incident, such as FTP_User, FTP_Pass, Multiple Login Attempts, etc., and add them to the case. This helps maintain a central repository for all relevant information about the investigation.
3. **Manage Case Details**: Click "Add to Case" to attach the selected events to the case, and use "Select the Case" from the Active Channel to choose which case receives them.
4. **Breadcrumbs and Stages**: If you need to revisit parts of your investigation, you can easily see the steps and stages through breadcrumbs within the Active Channel interface without starting over or using additional browser tabs.
5. **Save or Share Searches**: You can save a search for future reference by clicking "Save As..." in the Active Channel. This allows you to run the search again at a later time, share it with other analysts, etc.
6. **Generate Reports**: To validate and document findings, create reports based on specific criteria like failed login attempts. Use terms such as "Failed Logins by Destination Address" and specify parameters (like timeframe) when generating these reports. For example, you might run a report named "Failed Logins by Destination Address" with the runtime parameters set to last day's timeframe in PDF format.
7. **Download and Attach Report**: After generating the report, download it as a PDF and attach it to the case for documentation purposes. This helps ensure that all relevant information is kept together and can be easily accessed by other analysts or management.
The provided text appears to be a description of an incident response process using ArcSight and ESM/ESM Express, with specific steps for handling a compromised account (swright) and subsequent forensic investigation involving a malicious external host/domain through FTP activity. Here's a summarized version of the key points from the text:
1. **Compromised VPN Access**: It was identified that an attacker used the swright account to gain access to the network via a compromised VPN.
2. **Malicious Activity**: Post-VPN compromise, FTP activities were observed pointing towards a malicious external host/domain.
3. **Initial Actions**:
Disabled the swright VPN account.
Took the infected host offline.
4. **Forensic Investigation**: The recommendation was to connect the infected host to an isolated quarantine network for a detailed forensic investigation.
5. **Case Management and Workflow**: Utilized ESM/ESM Express for case management, where changes in the case attributes were made based on the findings of the initial investigation.
6. **Operational Impact**: The impact was rated as high priority (3).
7. **Integration with Existing Systems**: ArcSight's capabilities are highlighted to integrate seamlessly with existing case management and ticketing systems tailored to specific processes and procedures.
8. **Incident Response Lifecycle**: Demonstrated how the analyst would use ESM/ESM Express and ArcSight for efficient incident handling, integrating these tools into standard operational practices.
9. **Reputation Security Monitor Plus Setup**: A section detailed steps on setting up a Reputation Security Monitor Plus to detect malicious activities within the network.
The text does not provide any new information or findings but rather serves as a guide on how to implement and use ArcSight for managing incidents related to compromised accounts and external threats.
The document describes a security monitoring tool called "Reputation Security Monitor Plus" (RepSM). It has three main dashboards:
1. **Reputation Domain Database Overview:** Shows how many domain entries are being tracked from the threat intelligence feeds. The domains and IP addresses are simplified for the demonstration; a production system carries millions of entries. Each entity has a reputation score from 0 to 100, where a higher score means greater risk. Scores below 40 indicate undesirable but not outright malicious behavior, and scores below 20 pose minimal threat. Entities scoring 0 are still tracked as potential threats, but the use cases ignore them unless needed.
2. **Reputation IP Database Overview:** Similar to the domain overview, this feature monitors IP addresses for threats using the same intelligence feed. The dashboard shows details on internal infections, dangerous browsing, and interactions with malicious entities.
3. **RepSM Overview (Reputation Security Monitor Plus):** This is a comprehensive dashboard that detects malware infections, zero-day attacks, and risky online behavior to protect the network from potential threats. It provides an overview of all such activities within the network.
Overall, these features help in maintaining a vigilant security posture by monitoring for potential malicious activity based on threat intelligence feeds and providing actionable insights into detected threats.
To summarize this information, it appears that an investigation was initiated into communication from within the network to potential malicious entities. The process involved opening an "Active Channel" in a system management tool (ESM) which displayed all interactions with external systems over the last two hours. ESM detected several internal systems communicating with malicious external systems using the Reputation Security Monitor, including threat intelligence lists and content.
The Active Channel initially showed only IP addresses; however, by customizing it to include fields for "Attacker Host Name" and "Target Host Name," more detailed information became visible. Adding these fields enabled better understanding of what was happening during this activity. The investigation revealed that the targeted communication seemed to be aimed at Mac devices, with one instance targeting a host named "macmini."
To further investigate specific activities related to this host or other similar incidents, a customized Active Channel could be created for particular systems like the "macmini" device by selecting it and using a different Field Set that includes Attacker Host Name and Target Host Name. This would allow for more focused monitoring of potential malicious activity involving internal systems and external entities.
This text discusses a process for investigating potential security issues involving communication between Macs and an unidentified host. The steps include accessing information about the communication through an Active Channel, using Priority Stats to analyze danger levels, searching for details about the host in Google if internet access is available, and visually representing events related to suspicious activities such as malicious software like the Flashback Trojan. By examining event lists and selected fields within Visualize Events, one can gather more context on what communication has occurred with potentially dangerous domains like mystreamvideo.rr.nu and 0.40.2.selfimprovedlifestyle.com. The goal is to determine if there's any evidence of malware or other malicious activities that might require further action to protect the system from potential threats.
The provided text describes a cybersecurity incident where an internal host became infected with malware after accessing a specific website (0.40.2.selfimprovedlifestyle.com). Once infected, the malware executed a SQL injection attack targeting the company's internal portal (arcnet.com), and subsequently attempted to exfiltrate data to another server (mystreamvideo.rr.nu). The malicious activities were detected by Micro Focus Fortify for SQL injection and Check Point firewall for outbound traffic to mystreamvideo.rr.nu, indicating a potential compromise of the internal network.
The incident is further detailed in terms of forensic analysis conducted:
1. **Infected Internal Assets**: It was identified that an infected internal host communicated with the suspicious domain (mystreamvideo.rr.nu) during the attack. This activity was detected by Check Point firewall, showing outbound traffic to China where the mystreamvideo.rr.nu server is located.
2. **Outbound Traffic Detected**: The target of the malicious activity is mystreamvideo.rr.nu, a domain whose name suggests a video streaming service. The outbound traffic indicates that the malware attempted to move data from the internal network to that external server.
3. **Event Details and Analysis**: Detailed event logs were reviewed using Check Point firewall events, specifically focusing on the Target fields such as Country Name (China) and Country Code, providing geographical context to the malicious activity.
4. **Reputation Security Monitor Plus**: The incident was monitored through enterprise security management tools like ESM (Enterprise Security Manager) and Reputation Security Monitor Plus. These platforms confirmed the suspicious activities and provided a summary of conditions which led to further investigation and response actions.
5. **Case Management**: A case was created in the case management system for detailed tracking and analysis, with follow-up actions initiated after confirming the malicious activity.
6. **Conditions Summary**: The forensic process involved filtering the event data with the Common Conditions Editor (CCE) to define conditions that highlight potential threats or suspicious activity within the network.
7. **Host Communication Analysis**: By selecting and analyzing hosts from the Attacker Host Name field, it was possible to trace communications between potentially compromised internal systems and external malicious domains.
Overall, this case demonstrates a series of proactive steps taken by cybersecurity teams to detect, investigate, and respond to potential threats posed by malware infections within the network infrastructure. The detailed analysis provided in the text helps in understanding how various security tools can be leveraged together to combat cyber threats effectively.
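To make the detection concrete, here is an added Python example (not an ESM rule export) of the stage-sequence correlation the investigation above reconstructs by hand: dangerous browsing to the first suspicious domain, a SQL injection from the same internal host, then outbound traffic from that host to the second suspicious domain, all within one time window. The events are constructed, and the window length, event field names and rule name are assumptions for the example.

```python
"""Stage-sequence correlation for the chain the page describes (added example, not an
ESM rule export): dangerous browsing to a suspicious domain, then a SQL injection
reported by an application-security sensor from the same internal host, then outbound
traffic from that host to a second suspicious domain. Events are constructed; the
domain list, the time window and the event field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_DOMAINS = {"0.40.2.selfimprovedlifestyle.com", "mystreamvideo.rr.nu"}
STAGES = ("Dangerous Browsing", "SQL Injection", "Outbound to Malicious Entity")
WINDOW = timedelta(hours=2)  # assumed: all three stages must fall within it

T0 = datetime(2025, 4, 8, 9, 0, 0)
EVENTS = [  # constructed, in arrival order
    {"time": T0, "category": "web", "name": "HTTP GET",
     "shost": "macmini", "dhost": "0.40.2.selfimprovedlifestyle.com"},
    {"time": T0 + timedelta(minutes=3), "category": "appsec", "name": "SQL Injection",
     "shost": "macmini", "dhost": "arcnet.com"},
    {"time": T0 + timedelta(minutes=5), "category": "web", "name": "HTTP GET",
     "shost": "imac-02", "dhost": "www.example.com"},
    {"time": T0 + timedelta(minutes=7), "category": "firewall", "name": "accept",
     "direction": "outbound", "shost": "macmini", "dhost": "mystreamvideo.rr.nu",
     "dst_country": "CN"},
    {"time": T0 + timedelta(minutes=9), "category": "firewall", "name": "accept",
     "direction": "outbound", "shost": "imac-02", "dhost": "mystreamvideo.rr.nu",
     "dst_country": "CN"},
]


def stage_of(ev):
    """Map one normalized event to a chain stage, or None if it is not of interest."""
    if ev["category"] == "web" and ev["dhost"] in SUSPICIOUS_DOMAINS:
        return STAGES[0]
    if ev["category"] == "appsec" and "sql injection" in ev["name"].lower():
        return STAGES[1]
    if (ev["category"] == "firewall" and ev.get("direction") == "outbound"
            and ev["dhost"] in SUSPICIOUS_DOMAINS):
        return STAGES[2]
    return None


class ChainCorrelator:
    """Tracks, per internal host, how far along the three-stage chain it has progressed."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.chains = defaultdict(list)  # shost -> [(stage, event), ...]

    def feed(self, ev):
        """Consume one event; return an alert dict when a host completes the chain."""
        stage = stage_of(ev)
        if stage is None:
            return None
        chain = self.chains[ev["shost"]]
        # The window is measured from the first stage; an expired chain starts over.
        if chain and ev["time"] - chain[0][1]["time"] > self.window:
            chain.clear()
        if stage == STAGES[0]:
            chain[:] = [(stage, ev)]  # a fresh infection sighting restarts the chain
            return None
        if stage != STAGES[len(chain)]:
            return None  # out of order, e.g. outbound traffic with no prior stages
        chain.append((stage, ev))
        if len(chain) < len(STAGES):
            return None
        alert = {"rule": "Infected Host Exfiltrating Data", "host": ev["shost"],
                 "stages": [s for s, _ in chain],
                 "start": chain[0][1]["time"], "end": ev["time"],
                 "exfil_target": ev["dhost"], "target_country": ev.get("dst_country")}
        del self.chains[ev["shost"]]
        return alert


def run(events=EVENTS, window=WINDOW):
    """Replay the constructed events and collect alerts, as a live rule would fire them."""
    corr = ChainCorrelator(window)
    return [a for a in (corr.feed(ev) for ev in events) if a]
```

Note that imac-02's outbound connection to mystreamvideo.rr.nu does not fire this rule, because the host never passed through the earlier stages; in the demo that single event is the job of the RepSM "access to malicious entity" content, while the chain rule above exists to raise the priority of a host that has shown the whole sequence.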
The document outlines a process for managing an incident involving a macmini system that was infected. Here's a summary of the steps involved:
1. **Initiate Case Creation**: Automatically create cases for each asset involved in the incident.
2. **Quarantine and Remediation**: Quarantine the affected host and either perform a full virus scan or re-image the operating system to remediate the issue.
3. **Documentation**: Document the investigation process, including what was done to quarantine and remediate the infection.
4. **Close the Case**: Once documentation is complete, close the case associated with the macmini system.
5. **Update Dashboard**: Observe changes on the RepSM Overview dashboard, where the status of the macmini system should change from "Infected" to "Fixed".
6. **Generate Reports**: Run two reports; one showing all currently infected assets and another detailing dangerous browsing activities detected by ESM and Reputation Security Monitor Plus. These reports can be attached to cases for record-keeping.
7. **Geographical View of Malicious Communications**: Use the geographical dashboard to view patterns of malicious and suspicious activity, accessing details through the Access to Malicious Entities tab.
The document emphasizes the importance of documenting every step in detail, using ArcSight Solutions for effective management of cases and reports related to cyber incidents.
The document outlines a demonstration of Reputation Security Monitor Plus, detailing how it uses threat feed data to detect suspicious and malicious activities within a network. Through investigations using the ArcNet dashboard, evidence was found of malicious activity originating from China. The demo provides step-by-step instructions for setting up and accessing specific dashboards and active channels in the ArcSight Command Center (ACC) as an admin or demo user:
1. **Setup and Access:**
As an admin, access the following Dashboards and Active Channels:
/All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Reputation Address Data Overview
/All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Reputation Entity Data Overview
/All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Suspicious Activities in Geo
/All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Threat Intelligence Overview
/All Active Channels/ArcNet Active Channels/ArcSight Activate/Main Channel
As a demo user, access the same channels but switch to the Dark theme and open the Personal Investigating Channel.
2. **Demo Replay Connector:**
Use the event files: activate_threat_intelligence_50epm.events for replay at 50 events per minute.
3. **Notes:**
The demonstration requires two web browsers, one logged in as admin and the other as demo, to showcase incident investigation with Event Annotation.
This document describes a demonstration scenario in which two browser sessions of the ArcSight Command Center are used to simulate a Security Operations Center (SOC). The first session, opened on the "Activate Main Channel," represents a SOC manager who triages incidents and assigns them to SOC analysts. The second session (ACC with the Dark theme) represents a Level 1 SOC analyst who investigates the incidents assigned from the first.
The demo focuses on a specific use case: a system in the DMZ infected with malware that communicates with a command and control server. Detection relies on outbound communication through the firewall to known bad systems and on the file hashes of the malware's processes, recorded by Sysmon (System Monitor), the Windows Sysinternals tool that logs process creation together with the hash of the executed image.
Other use cases can be explored based on the rule names seen in the Main Channel. The demonstration highlights several key points:
1. It is product and vendor agnostic, capable of triggering on various events sent to ESM (Enterprise Security Manager).
2. It utilizes multiple methods, including STIX/TAXII, CIF, ransomware data feeds, and HIDDEN COBRA data feeds, to populate the Threat Model for enhanced analysis.
3. The collected information is used not only to enhance event details but also to categorize threats based on confidence levels and sources of threat intelligence.
4. Level 2 content provides contextual information that helps prioritize incidents and focus on critical assets identified through the Network and Asset Model.
5. File hashes play a crucial role in identifying malware, which is a significant part of this demonstration's use case.
In this demo, Microsoft Sysmon collected process and file hash information that served as an indicator of compromise (IOC). Because the Windows Native SmartConnector does not parse Sysmon events, an ArcSight FlexConnector from the Marketplace was used alongside it to parse them.
The demo focused on event replay capabilities within an 8-hour time period. To achieve this, entries in the Active List were cleared to avoid any interference with the replay of events. The ArcSight Activate Level 1 and Level 2 Threat Intelligence packages were discussed, detailing how they leverage a threat model populated by various intelligence feeds and sources. This model includes three active lists: Suspicious Addresses (IPv4), Suspicious IPv6, and Suspicious Entities, which track potential suspicious or malicious activities based on different types of indicators such as IP addresses, URLs, host names, file hashes, and user information.
This summary discusses a threat intelligence framework that uses multiple data sources, including open source, proprietary, and internal information from STIX and TAXII, Collective Intelligence Framework (CIF), Ransomware data feeds, HIDDEN COBRA data feeds. The main tools for visualizing this threat model are two dashboards: the Address dashboard and the Entity dashboard.
The Address dashboard breaks down suspicious activities by Indicator Type, Score Range, and Source. Indicator Types identify potential malicious activity such as communication to or from known bot or command and control servers. Scores range from 0 to 100, with open source intelligence having a lower score than proprietary intelligence, which has a lower score than internal intelligence. The dashboard also includes GeoIP information for visualizing where suspicious activities are occurring globally.
The Entity dashboard provides the same breakdown as the Address dashboard but adds Counts by Signature Type. Suspicious Entities can include URLs, fully qualified domain names (FQDN), suspicious file hashes (md5/sha1/sha256), user names or email addresses. The SmartConnector normalization ensures that this threat intelligence package is agnostic of product and vendor. If devices being monitored have fields populated with these types of data, the Threat Intelligence package will alert users to potential indicators of compromise and malicious activity.
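As an added example that is not part of the Activate content, the Python below models the threat model described in this section and the Sysmon hash collection described earlier: constructed feed rows are classified into the three active lists (IPv4 addresses, IPv6 addresses, and entities such as FQDNs, URLs, file hashes and users) and matched against constructed events, including the Hashes string Sysmon writes on a Process Create event, with a summary by indicator type, score range and source in the way the two dashboards break hits down. The feed values, scores, source names and score bins are invented for the example; the source ordering (open source below proprietary below internal) follows the page.

```python
"""Threat-model lookup in the style of the Activate Threat Intelligence active lists
(added example, not ArcSight content). Constructed feed rows are classified into the
three lists the page names (IPv4 addresses, IPv6 addresses, entities such as FQDNs,
URLs, file hashes and users) and matched against constructed events, including the
Hashes string that Sysmon event 1 (Process Create) writes. Scores/sources are invented."""
import ipaddress
import re
from collections import Counter

SOURCE_TIER = {"open source": 0, "proprietary": 1, "internal": 2}  # page's ordering
HASH_RE = {a: re.compile(rf"^[0-9a-f]{{{n}}}$") for a, n in (("md5", 32), ("sha1", 40), ("sha256", 64))}
FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
INDICATOR_FIELDS = ("src", "dst", "shost", "dhost", "request", "suser", "duser")

# Constructed feed rows: (value, indicator type, score 0-100, source).
FEED = [
    ("198.51.100.7", "C2 server", 60, "open source"),
    ("198.51.100.7", "C2 server", 90, "internal"),      # same IP, better source wins
    ("2001:db8::bad", "Bot", 55, "proprietary"),
    ("c2.example.net", "C2 server", 70, "proprietary"),
    ("http://c2.example.net/gate.php", "C2 server", 75, "proprietary"),
    ("a1b2c3d4" * 8, "Malware", 95, "internal"),        # fake SHA-256
    ("mule@example.net", "Phishing", 40, "open source"),
]
# Constructed events in a normalized shape (CEF-style key names).
EVENTS = [
    {"name": "Firewall accept", "src": "10.1.1.20", "dst": "198.51.100.7", "dhost": "c2.example.net"},
    {"name": "Process Create", "shost": "ws-hq-12",
     "hashes": "SHA256=" + "A1B2C3D4" * 8 + ",MD5=" + "ff" * 16},
    {"name": "Firewall accept", "src": "10.1.1.21", "dst": "192.0.2.9", "dhost": "www.example.com"},
]


def classify(value):
    """Return (active list, signature type) for a raw indicator value."""
    v = value.strip().lower()
    try:
        ip = ipaddress.ip_address(v)
        return ("Suspicious Addresses", "ipv4") if ip.version == 4 else ("Suspicious IPv6", "ipv6")
    except ValueError:
        pass
    for algo, rx in HASH_RE.items():
        if rx.match(v):
            return ("Suspicious Entities", algo)
    kind = "url" if "://" in v else "email" if "@" in v else "fqdn" if FQDN_RE.match(v) else "user"
    return ("Suspicious Entities", kind)


def parse_sysmon_hashes(s):
    """Sysmon writes 'SHA256=...,MD5=...'; return {algorithm: lowercase hex}."""
    out = {}
    for part in s.split(","):
        algo, _, hexval = part.partition("=")
        if hexval:
            out[algo.strip().lower()] = hexval.strip().lower()
    return out


def score_range(score):
    """Assumed dashboard bins; the page does not fix the bin edges."""
    return "0-24" if score < 25 else "25-49" if score < 50 else "50-74" if score < 75 else "75-100"


class ThreatModel:
    def __init__(self, feed=()):
        self.lists = {"Suspicious Addresses": {}, "Suspicious IPv6": {}, "Suspicious Entities": {}}
        for row in feed:
            self.add(*row)

    def add(self, value, indicator_type, score, source):
        list_name, sig = classify(value)
        rec = {"value": value.strip().lower(), "indicator_type": indicator_type,
               "signature_type": sig, "score": int(score), "source": source}
        old = self.lists[list_name].get(rec["value"])
        # Keep the better-sourced entry; ties go to the higher score.
        if old is None or (SOURCE_TIER[source], rec["score"]) > (SOURCE_TIER[old["source"]], old["score"]):
            self.lists[list_name][rec["value"]] = rec

    def lookup(self, value):
        list_name, _ = classify(value)
        return self.lists[list_name].get(value.strip().lower())

    def match(self, event):
        """Check every indicator-bearing field of one event and return the hits."""
        candidates = [(f, event[f]) for f in INDICATOR_FIELDS if f in event]
        candidates += [("hashes." + a, h) for a, h in parse_sysmon_hashes(event.get("hashes", "")).items()]
        return [{"field": fld, "event": event["name"], **rec}
                for fld, val in candidates if (rec := self.lookup(val))]


def summarize(hits):
    """Counts by indicator type, score range and source, as the dashboards break them down."""
    return {"indicator_type": Counter(h["indicator_type"] for h in hits),
            "score_range": Counter(score_range(h["score"]) for h in hits),
            "source": Counter(h["source"] for h in hits)}


def run(feed=FEED, events=EVENTS):
    model = ThreatModel(feed)
    return [hit for ev in events for hit in model.match(ev)]
```

Two details matter in practice: the lookup is keyed on the lower-cased value, because Sysmon reports hashes in upper case while most feeds publish them in lower case, and a duplicate indicator keeps the entry from the better-ranked source rather than the first one seen, so an internal sighting is never shadowed by a lower-confidence open source row.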
The provided text describes how a SOC manager and a Level 1 SOC analyst use the ArcSight Activate content in the Command Center to monitor and manage security incidents. The demo runs two separate sessions with different themes (the default theme for admin, the dark theme for the demo user) to simulate the two roles and to show how the SOC manager triages incidents.
The process starts when there are three correlated events involving a host named fwhq05.hq.arcnet.com, which has been identified through Activate Threat Intelligence as potentially involved in malicious activities such as dangerous browsing, outbound command and control communication, and suspicious filehash activity in a critical host. The SOC manager can view detailed information about these incidents by selecting 'View Details', revealing that the traffic originated from an IP address categorized as a botnet by spamhaus.org.
As a Level 1 SOC analyst, the user switches to their personal investigating channel where they wait for assignments. Since there are no current assignments in their queue, the analyst can observe this activity and proceed with further investigation once assigned by the SOC manager. The text does not provide any direct interaction or actions taken by the SOC analyst; it only outlines how the workflow would be managed between roles within the software application.
This document outlines an incident response process for suspicious activity handled by a Level 1 SOC analyst in the dark-theme session. The analyst sees the correlated events disappear from the Main Channel Active Channel and appear in the Personal Investigating Channel, then annotates them for further investigation, focusing on the suspicious filehash activity.
The analysis involves:
1. **Investigation Change**: The investigator notes that correlated events move to a Personal Investigating Channel, indicating they are no longer to be triaged by others and have been assigned directly to the analyst.
2. **Event Annotation**: The analyst annotates the event details in their session for further research, focusing on the suspicious filehash activity detected on internal Windows systems that use Sysmon for process monitoring.
3. **Threat Intelligence Integration**: Additional detail is pulled from cyber threat intelligence sources, enhancing understanding of dangerous browsing and outbound command and control (C&C) activity related to known malicious sites through firewall traffic.
4. **Device Custom Fields**: The analyst examines device-specific custom fields in the Event Details panel to gather more information about the suspicious filehash activity. This includes reviewing Sysmon configuration details, which record all process hashes run on internal Windows systems.
5. **Sysmon FlexConnector**: Since the Windows SmartConnector does not parse Sysmon events natively, a FlexConnector is used to parse the Sysmon events collected from the internal Windows hosts.
This detailed approach demonstrates the proactive measures taken by the SOC analyst to investigate and respond to potential security threats within their network environment.
The text provided is about an event that occurred with a host being identified as potentially compromised, indicating its involvement in suspicious activities such as communicating with malicious external hosts. This issue was detected through various security checks, including the use of ArcSight Marketplace and threat intelligence sources from Activate Threat Intelligence package. As part of this process, critical information regarding device fields (like the Process Create base event) and attacker fields (such as network zone) were reviewed to determine if any suspicious activity is present.
Upon identifying a potential issue, immediate steps were taken by contacting the remediation team for further investigation. In this case, measures included quarantine of the affected host and conducting a forensic examination to understand the extent of compromise. The process also involved reviewing correlated events related to Suspicious Filehash Activity and using specific tools like ArcSight Marketplace to aid in decision-making processes during the incident response phase.
Overall, this text provides an overview of how security measures can be implemented to detect and respond to potential threats, leveraging advanced technologies such as threat intelligence packages and specialized software for event correlation. The importance of promptly isolating compromised hosts is emphasized, along with conducting thorough forensic analysis to mitigate further damage and ensure that the organization's overall cybersecurity posture remains strong.
The text you've provided appears to be a summary of an ArcSight Activate Threat Intelligence demo, detailing the process and outcomes after malware was downloaded through Microsoft Office, resulting in the system being quarantined. As a SOC manager, it is recommended to review reports such as Threat Intelligence Alerts, Suspicious Activities by Attack Category, Inbound Activities by Attack, and Outbound Activities by Target provided within the default ArcSight Activate Threat Intelligence package.
The demo highlighted several aspects of ArcSight Activate: its flexibility across different products and vendors, its ability to use various indicators like file hashes, email addresses, and URLs in addition to traditional ones (IP addresses and fully qualified domain names), and how it enriches events with details from threat intelligence feeds and provides context using the Network and Asset model.
The SOC manager would typically triage incidents through the Main Channel, assigning them to analysts on the Personal Investigating Channel. The demo concluded by instructing how to set up ArcSight Activate in a Command Center environment for further analysis.
The summary provided outlines several key points related to network monitoring and malware protection using specific software tools from Micro Focus (previously known as Hewlett Packard Enterprise). Here's the breakdown:
1. **Software Tools and Features:**
   - **Malware Monitoring:** This includes two levels, L1 and L2.
     - **L1-Malware Monitoring** involves the use of indicators and warnings to detect malware.
     - **L2-Network Monitoring** focuses on providing situational awareness about network activity that might indicate a threat.
   - **Product Package:** The specific software used in this context is McAfee ePO VirusScan, which helps monitor for viruses through its package system.
   - **Network Monitoring:** Also involves L1 and L2 levels, with L1 focusing on indicators and warnings related to network activity, while L2 correlates network events to identify potential malware threats. The relevant software here is Snort.
2. **Use Case Demonstration:** A demo is presented where the content from Activate (a modular development methodology for deploying actionable use cases) is not directly used, but there are references to Snort events in an event file.
3. **Web Browser Usage:** The user should open specific URLs in their web browser to access relevant information and sign up for accounts on ArcSight Marketplace and the Community site, although these are optional for the demo purposes.
4. **ArcSight Activate Information:** Provides a link to various pages within the Activate wiki that explain its purpose, benefits, and how it can solve problems by offering reusable components and standardized deployment tactics.
5. **Summary of ArcSight Activate:** ArcSight Activate is described as a modular content development methodology with a collection of reusable components designed for quick deployment and customization of use cases. It allows users to implement packaged use cases or develop their own using the library of reusable components, standardized tactics, and methodology.
This summary captures the main points about how specific software tools are used in network monitoring and malware protection within an organizational context, as well as some details about a broader development and deployment methodology for actionable use cases.
"Activate" is a framework designed to help with new or existing implementations of ArcSight, enhancing its capabilities through best practices and various packages. These organized packages include the Base package (providing resources like filters and global variables), content for Levels 1 and 2 which consume indicators from multiple sources and normalize information, contextualize events using internal ArcSight models, and are specific to certain releases or versions with additional features like FlexConnectors or Parser overrides. All this is available on the ArcSight Marketplace where users can find resources such as best practices, guidelines, use cases guides, content, utilities, tools, and partner integrations, making it accessible for security professionals worldwide to share, download, and enhance their security management strategies.
The text discusses ArcSight Activate, a platform for security monitoring that supports various technologies including malware monitoring, network monitoring, physical security, host monitoring, and more. It mentions that L1 packages provide "indicators and warnings" about potential malicious activity, while L2 packages offer situational awareness and context to the L1 findings.
The text also details how to access content related to malware monitoring within the ArcSight Marketplace by entering a search for "malware." This search reveals L1-Malware Monitoring (L1) and L2-Malware Monitoring (L2) packages, with additional support for McAfee ePO - VirusScan.
ArcSight Activate is described as providing not only content addressing use cases but also documentation and best practices to support this content. A link directs the reader to specific guidance within the Activate wiki about malware monitoring.
The text discusses adding support for additional devices by editing a few filters in Activate, which involves modifying thresholds to customize the content according to specific environments. It highlights that the L2 Malware Monitoring package builds upon the L1 package by leveraging the Network and Asset Model to provide more context about what has been detected.
It also mentions that this package is designed to help manage critical assets such as servers or those in a DMZ differently from workstations, due to their higher value to the organization. The text explains how the L2 package provides additional context for managing these high-value assets during a virus or worm outbreak.
Furthermore, it states that Activate is modular and can be adapted across various security monitoring use cases, such as malware and entity monitoring. It includes test events in its test plan to ensure proper functioning of the content. Finally, the text mentions having installed both Level 1 and Level 2 Malware Monitoring packages along with the McAfee ePO VirusScan package, indicating their integration for comprehensive security monitoring.
The summary provided outlines the functionality of the "Activate" system within a security operations center (SOC) environment. It details two primary channels available for monitoring and triaging incidents: the Main Channel and the Personal Investigating Channel.
1. **Activate Main Channel**: This channel is designed to display all correlated events triggered by the Activate use, presenting them in a structured format that allows SOC managers to triage incidents and assign them to analysts based on their subject matter expertise and availability. In the demonstration scenario, this channel simulates what the SOC manager would see, showing malware activity alongside other related events like IDS activity.
2. **Activate Personal Investigating Channel**: This is specifically for analysts who monitor assigned incidents. Each analyst's view in this channel is personalized according to their user login (ESM), enabling focused attention on their caseload without distraction. In the demo, if Steve, an analyst, is not actively working on any cases, his channel appears empty at first glance.
3. **Correlated Event Details**: The summary provides a specific example of a correlated event triggered by malware and IDS activities related to the IP address 172.17.1.1. This particular incident involves "W32/SQLSlammer.worm" detected across multiple DMZ hosts, indicating a potential threat across various network segments. The detection is facilitated through integration with the McAfee ePO VirusScan product package, showcasing the vendor-agnostic nature of Activate that can accommodate any antivirus solution for broader malware monitoring capabilities.
Overall, this summary underscores the versatility and utility of the "Activate" system in a SOC setup, providing clear visualizations and actionable insights across different user roles, from managers to individual analysts.
The Level 2 package adds context around identified critical assets affected by a malware outbreak. Using the ESM Network and Asset model, the affected system is resolved to its asset name; in this instance the malware is on a DMZ host named "arcnet-dmz".
As the SOC manager, you have triaged an incident in which the W32/SQLSlammer.worm malware affects multiple assets with IP address 172.17.1.1. To escalate it to the Level 1 analyst, Steve, you use event annotation in ESM. Event annotations are a lightweight workflow tool for tracking and escalating events through the organization's workflow.
Annotations are a flexible tool with several uses: they can track every event passing through the ESM correlation engine, or serve as a triage tool before an event is escalated to a case. They are part of the ESM event schema, so you can flag or assign individual events or groups of related events for follow-up.
In this scenario, once the correlated event for IP address 172.17.1.1 has been annotated and assigned to Steve, it disappears from the main channel and appears in Steve's Personal Investigating Channel. This keeps the workflow structured as the security operations personnel responsible for investigating events collaborate on it.
The text describes a process in which Steve investigates an event using ArcSight Activate, a software for managing security events. Here’s the summary:
1. **Switching Channels**: Steve switches to the "ArcSight Activate Personal Investigating Channel" where he can view correlated events that are not directly visible otherwise.
2. **Annotating Events**: He selects the correlated event and clicks 'Annotate' to track metrics like cases by status, monthly cases by severity, monthly cases by event category, etc. He enters comments about updating antivirus definitions, removing malware, running a full scan, and declaring the system clean.
3. **Visualizing Malware Activity**: Steve accesses a dashboard under "ArcNet Dashboards/ArcSight Activate" to visually monitor malware activity. The dashboard includes four Data Monitors showing the infection rate of malware within and outside the organization, leveraging the Network and Asset Model for data.
4. **Benefits of ArcSight Activate**: This software offers benefits such as easy deployment, extensible use cases that can be expanded or customized, and a growing library of pre-built use cases to address specific security management needs.
The provided text is a summary of information related to ArcSight Marketplace and its setup process, as well as benefits and features of content development in ArcSight. Here's a breakdown of the key points:
1. **Content Development Benefits**: This section highlights several advantages of developing content for ArcSight, including reuse of content across different use cases, adherence to best practices, standardization of content creation, easier sharing between clients and professional services, faster learning curves for new developers, familiar onboarding for experienced developers due to the Activate methodology, and better separation in testing, QA, and production implementations.
2. **ArcSight Marketplace Setup**: The setup process involves:
   - Logging into the Command Center as an admin.
   - Starting a Demo Replay Connector with specific event files and replay settings.
   - Opening a new tab in the web browser to access ArcSight Marketplace at `https://marketplace.microfocus.com/arcsight`. It is recommended to create an account on ArcSight Marketplace for easier navigation and usage of its features.
3. **ArcSight Marketplace Features**:
   - It serves as a platform where security professionals can share, download, and utilize various resources like packages, use cases, best practices, and more to manage their security effectively.
   - The main categories include legacy packages, activate device packages, utilities and tools, product documentation, best practices guidelines, resource center, and partner integrations.
   - Users can search for specific content using keywords or categories such as "IDS IPS Monitoring" which leads them to the appropriate package for monitoring of IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) devices.
Overall, this text provides a concise overview of how ArcSight Marketplace supports security management by facilitating the sharing and downloading of content tailored for specific use cases in the cybersecurity field.
The passage describes a user experience involving downloading and installing content from a Marketplace to monitor network IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) devices. Once installed, the user has access to various resources such as dashboards, active channels, reports, filters, field sets, queries, and data monitors.
The key steps outlined are:
1. The user finds specific content in Marketplace that matches their needs based on a description, screenshot, and details about SmartConnectors triggering the content. They download and install this content.
2. After installation, they find various resources like dashboards, active channels, and reports already present from the installed content. There are also supporting resources such as filters, field sets, queries, and data monitors available.
3. The Event Sources panel confirms that the content is triggered by network IDS/IPS devices.
4. The user navigates to the Command Center tab where they find an IDS – IPS Monitoring Dashboard displaying important information like top attackers, targets, alerts, and alert counts.
5. They can drill into event details using the Active Channel feature.
6. For reports, the default ones are available for viewing while archived reports can also be expanded upon in the Reports and Archives section.
7. The passage concludes by emphasizing the value of this Marketplace content for monitoring network IDS/IPS devices effectively.
ArcSight Marketplace is a platform that offers a variety of ArcSight applications, documentation, community sharing for ArcSight security content and SIEM best practices. It allows users to explore and implement solutions to track regulatory compliance within their organizations efficiently and quickly.
The use case demonstrates how ArcSight can help with regulatory compliance by tracking access revocation when employees leave the organization. This is a crucial IT governance best practice and is often required by compliance regulations. However, manually reviewing log activity for former employees is time-consuming and error-prone.
ArcSight simplifies this process through automation and proactive alerts. It provides tools to automate log reviews and immediately highlight any issues or potential non-compliance points during the review of former employee activities. The system helps in demonstrating compliance when auditors arrive by providing a comprehensive report that cross-references necessary data, saving time and effort compared to manual processes.
In summary, ArcSight Marketplace enhances regulatory compliance through automation, efficiency, and ease of use, ensuring that organizations can quickly and effectively demonstrate compliance with all relevant regulations and standards.
This is the beginning of a workflow process for managing notifications and compliance within an organization using ArcSight software. The user starts by acknowledging a pending notification, which indicates a problem with an ISO best practice related to former employee account access attempts. When no acknowledgment is received within a specified time interval, the notification escalates to the next level.
The user then clicks on the specific notification titled "Former Employee User Account Access Attempt: mhedberg". This notification provides details about a successful login attempt made using an old employee's account (mhedberg). The system prompts the user to select and acknowledge this notification, which is related to ISO 27002 compliance.
Upon acknowledging the notification, the user is directed to navigate through various settings and options within ArcSight:
1. Under "Field Set", they need to select "Security" to address the issue of a former employee's account access. This involves selecting the option labeled "All Field Sets/ArcSight Foundation/ArcSight Express".
2. The user then proceeds to interact with correlated events by clicking on "Former Employee User Account Access Attempt: mhedberg", which leads them to the base event, "Successful Logon" associated with the account mhedberg. This interaction helps in understanding and resolving the issue further.
3. To monitor compliance status related to ISO 27002 standards, the user navigates to Dashboards, specifically clicking on "Navigator" under "Dashboards". They then display the dashboard named "ISO Sections Overview", which is part of the IT Governance section at "/All Dashboards/ArcNet Dashboards/IT Governance".
4. Within this ISO compliance dashboard, there's a specific Section 11 overview that shows the correlation event related to former employee account access attempts ("Former Employee Account Access Attempt"). This information is displayed on the "Section 11 Overview" dashboard at "/All Dashboards/ArcNet Dashboards/IT Governance".
5. ArcSight identifies former employees using a list that is populated either dynamically or statically (by importing text files); the user names in incoming events are checked against this list for correlation and compliance monitoring.
Finally, the user can run reports on earlier archived data by clicking "Reports" and selecting "Archives". This lets them review the details of former employee account access attempts efficiently, supplementing the visual inspection of a 68-page archive that was previously required.
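As an added example (not code from the demo script or from ArcSight), the following Python snippet models the former-employee check described above: a list populated statically from a text import and dynamically from termination events, checked against every successful logon. The text-file format, the event field names and the "Employee Terminated" event name are this example's assumptions; the correlation event name is the one shown in the demo's notification.

```python
"""Former-employee access correlation, as an added example (not ArcSight code).
Models the demo's list of former employees: a set populated statically from a text
import and dynamically from termination events, checked against every successful logon.
"""
from typing import Dict, Iterable, List, Set

# Constructed text import (one user name per line, '#' comments); the format is assumed.
FORMER_EMPLOYEES_TXT = """\
# constructed sample export of separated employees
mhedberg
jdoe
"""


def normalize_user(name: str) -> str:
    """Reduce DOMAIN\\user, user@domain and mixed case to a plain lower-case account id,
    so that the same person is matched however the logging device spells the account."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def load_former_employees(text: str) -> Set[str]:
    """Static population: import a text file of user names."""
    return {normalize_user(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def correlate(events: Iterable[Dict[str, str]], former: Set[str]) -> List[str]:
    """Dynamic population plus the check itself. Termination events add to the
    list as they arrive; a successful logon by a listed user yields the
    correlation event name used in the demo's notification."""
    alerts = []
    for ev in events:
        user = normalize_user(ev.get("destinationUserName", ""))
        if not user:
            continue
        if ev["name"] == "Employee Terminated":      # assumed name of the HR feed event
            former.add(user)
        elif ev["name"] == "Successful Logon" and user in former:
            alerts.append(f"Former Employee User Account Access Attempt: {user}")
    return alerts


# Constructed event stream in arrival order.
SAMPLE_EVENTS = [
    {"name": "Successful Logon", "deviceProduct": "Microsoft Windows", "destinationUserName": "asmith"},
    {"name": "Successful Logon", "deviceProduct": "Microsoft Windows", "destinationUserName": "ARCNET\\MHEDBERG"},
    {"name": "Failed Logon", "deviceProduct": "Microsoft Windows", "destinationUserName": "jdoe"},
    {"name": "Employee Terminated", "deviceProduct": "HR system", "destinationUserName": "bjones@arcnet.com"},
    {"name": "Successful Logon", "deviceProduct": "Unix", "destinationUserName": "bjones"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, load_former_employees(FORMER_EMPLOYEES_TXT)):
        print(alert)
```

Only successful logons raise the correlation event, which matches the demo (the failed logon by jdoe stays quiet), and bjones is caught even though the name arrived after the static import, because the termination event extended the list in flight.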
This report is about a former employee attempting to access an account, which has been archived and saved as "Former Employee Account Access Attempt.pdf." The user should save this report to their local file system and attach it to a case for further investigation.
The document mentions ArcSight, a technology that allows organizations to detect security incidents quickly and efficiently, even zero-day attacks, through advanced correlation rules and automated reporting solutions. It also introduces NetFlow Use Cases Setup, which involves replaying event files like IdentityView_v2.0.events and NetFlow_IdentityView_v2.0.events at a specified rate to analyze bandwidth usage by identity and country on the Command Center as an admin.
The provided text describes a series of actions and observations related to network traffic monitoring using various tools and dashboards. Here's a summary of the main points:
1. **Dashboard Usage**:
   - **Top Source and Target Dashboard** is used to visualize traffic flow from and to different countries, providing insights into where traffic is originating and terminating based on country perspective. It also shows bandwidth usage by target country.
   - **Microsoft SQL Server Monitoring** (configured for port 1433 traffic) reveals that the monitored traffic is directed towards a desktop segment within the network, which might indicate unauthorized servers. This situation can be further managed with policy-based alerts and rule configurations.
2. **Archived Reports**:
   - **Bandwidth Usage by Port** provides an overview of top ports in terms of bandwidth usage across the environment.
   - **Top Bandwidth Hosts Report** highlights the most utilized host IP (in this case, 192.168.6.101) and suggests a detailed investigation into its traffic patterns.
   - **Detailed Traffic by Host** report provides more granular insights into the specific traffic of the targeted host (192.168.6.101).
3. **Command Center Setup**:
   - The user logs in to the Command Center as an administrator and initiates a demo replay connector setup. This involves selecting two event files for replaying: IdentityView_v2.0.events and NetFlow_IdentityView_v2.0.events. These events are used to demonstrate or test system functionalities within the network environment.
In summary, these actions and observations from multiple tools and dashboards help in understanding and managing network traffic, identifying potential security issues (like unauthorized servers), and performing detailed analysis of specific hosts' activities.
This section covers a demonstration of IdentityView_v2.0 and its integration with ArcSight for network management and visualization. It highlights how users can use the Command Center to investigate issues such as slow network performance. Users had complained about slowness, and the demonstration shows how to use NetFlow events from Cisco routers and switches to analyze the high activity on port 1433, which is typical of Microsoft SQL Server traffic.
The investigation involves using the Command Center interface to visualize top port and bandwidth usage through dashboards, followed by detailed event searches targeting unstructured free-form search terms related to NetFlow events. The demonstration showcases how analysts and managers can use this system to understand and resolve incidents within their environment effectively.
To summarize the provided text, it describes an interface for searching and analyzing events using a histogram and advanced search options within a software or system designed to monitor network traffic. Here's a breakdown of the key points:
1. **Visual Representation of Search Results**: The user can visually inspect the results through a histogram where each bar represents scanned events, with matching queries displayed numerically at their respective bars. Clicking on these bars allows for drill-down into specific time periods or detailed event information.
2. **Advanced Search Functionality**: Users can perform more targeted searches by clicking on "Advanced Search." In this mode, users can input specific conditions to refine the search results. For example, a user wants to filter all Cisco NetFlow events down to those involving traffic on destination port 1433 (used for Microsoft SQL Server).
3. **Building Search Queries**: The advanced search interface allows for nested logical operators and conditions to be added. In this case, the user adds a condition to filter results based on the destination port number being equal to 1433. This is achieved by selecting appropriate fields (like "destinationPort") and setting up an equality operator (=).
4. **Drill-Down into Event Details**: After running the targeted search, users can expand individual events in the result set to view detailed information about each event.
5. **Customizing Fieldsets for Detailed Viewing**: The system provides a way to customize the display of results through fieldsets which allow specific fields (like destinationPort) to be included in the output visible to the user. This is done by selecting "Fields, Customize," then choosing or adding the desired field(s).
6. **Implementation and Observation**: After customizing the fieldset, users can see that their targeted search results for events on a specific port now include detailed destination port information in the displayed event summaries.
This summary captures the primary functionalities of the interface as described: from broad scans to highly specific target searches, with interactive features for data exploration and customization of output presentation based on user needs.
To summarize the provided text, it appears to be instructions or guidance on using network monitoring tools and creating visualizations such as pie charts for analyzing data related to port 1433 in a network environment. Here's a simplified version of what is described:
1. **Searching for Top Talkers**: Run the search `netflow AND destinationPort = 1433 | top sourceAddress` to find the top talkers on port 1433. Limit the number of results by writing `| top X sourceAddress`, where X is the number of results you want to see (e.g., `| top 5 sourceAddress` for the top 5).
2. **Visualizing Data**: Use chart settings to select a pie chart type and set the display limit to 20. This will show the top 20 events in a visual pie chart format. Highlighting a slice of the pie provides details like IP address, number of events, and percentage representation. Clicking on an IP address in the pie chart drills down into more detailed search results based on that criteria.
3. **Finding Bottom Talkers**: Change `top` to `rare`, i.e. `netflow AND destinationPort = 1433 | rare sourceAddress`, to find the bottom talkers: the least frequent source addresses on port 1433.
4. **Generating a Report**: Go to reports, select the NetFlow report for bandwidth usage by port and run it with default parameters. The report can be viewed in Adobe Acrobat where you'll see the results showing how bandwidth is used by different ports in your environment.
Overall, these steps are about setting up visualizations from network data related to a specific port using various tools and then generating reports for analysis or documentation purposes.
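As an added example (not code from the demo script or from ArcSight), the following Python snippet evaluates the searches above over a handful of constructed NetFlow-style events, so the difference between `top`, `top N` and `rare`, and the count/percentage figures the pie chart shows per slice, can be seen without a Command Center. It supports only the pieces of the syntax the steps use (a bare keyword, `field = value` terms joined by AND, and one `top`/`rare` stage); the field names destinationPort and sourceAddress come from the text, and the default result limit of 10 and the event records are assumptions.

```python
"""Evaluator for the demo's search pipeline, e.g.
    netflow AND destinationPort = 1433 | top sourceAddress
Added example, not ArcSight code. Supports only what the steps above use:
a bare keyword, `field = value` terms joined by AND, and `top`/`rare` [N] <field>.
"""
import re
from collections import Counter

# Constructed NetFlow-style events; field names follow the text (destinationPort, sourceAddress).
EVENTS = [
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "192.168.6.101", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "192.168.6.101", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "192.168.6.101", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "192.168.6.22", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "192.168.6.22", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.0.5.7", "destinationPort": 1433},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.0.5.9", "destinationPort": 443},
    # a non-NetFlow event on 1433: matched by the field term but not by the `netflow` keyword
    {"deviceVendor": "Microsoft", "deviceProduct": "Windows", "sourceAddress": "10.0.5.7", "destinationPort": 1433},
]


def _matches(event, where):
    """`where` is the part before the pipe: terms joined by AND.
    `field = value` compares one field; anything else is a free-form keyword
    matched case-insensitively against every field value."""
    for term in re.split(r"\s+AND\s+", where.strip()):
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", term)
        if m:
            field, value = m.groups()
            if str(event.get(field, "")) != value:
                return False
        elif not any(term.lower() in str(v).lower() for v in event.values()):
            return False
    return True


def run_query(query, events=EVENTS):
    """Return the matching events, or (value, count) pairs when a top/rare stage is present."""
    where, _, agg = query.partition("|")
    matched = [e for e in events if _matches(e, where)]
    agg = agg.strip()
    if not agg:
        return matched
    m = re.fullmatch(r"(top|rare)(?:\s+(\d+))?\s+(\w+)", agg)
    if not m:
        raise ValueError(f"unsupported pipeline stage: {agg!r}")
    op, limit, field = m.groups()
    ordered = Counter(str(e.get(field, "")) for e in matched).most_common()
    if op == "rare":
        ordered.reverse()  # least frequent first
    n = int(limit) if limit else 10  # assumed default display limit
    return ordered[:n]


def pie_slices(query, events=EVENTS):
    """What the pie chart shows per slice: value, event count and percentage of the charted total."""
    rows = run_query(query, events)
    total = sum(c for _, c in rows)
    return [(v, c, round(100.0 * c / total, 1)) for v, c in rows]


if __name__ == "__main__":
    for q in ("netflow AND destinationPort = 1433 | top sourceAddress",
              "netflow AND destinationPort = 1433 | top 1 sourceAddress",
              "netflow AND destinationPort = 1433 | rare sourceAddress"):
        print(q, "->", run_query(q))
    print(pie_slices("netflow AND destinationPort = 1433 | top sourceAddress"))
```

Note how the bare `netflow` keyword excludes the Windows event on port 1433 while the `destinationPort = 1433` term alone keeps it; that is the difference between the free-form and field-based parts of the search that the advanced-search step relies on.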
The provided text describes a suite of visualization capabilities offered by an unspecified system or service (referred to as "ArcNet" and its associated components like Dashboards/Management Console and SmartConnectors). These features are designed to enhance understanding and analysis of event and log data from various devices, systems, and applications.
1. Geographic Event Graph: This dashboard provides a geographic visualization of events, logs, and activities. Users can mouse over nodes in the graph to view detailed geo-location and log information, including country, region, latitude, longitude, and network zone details (e.g., DMZ or internal networks).
2. Event Graph: Similar to the Geographic Event Graph but without geographic focus, this dashboard offers a visual representation of events, logs, and activities with nodes representing sources and destinations, along with indications of activity levels based on node size.
3. Hourly Counts: This dashboard displays the distribution of activities across different time slices, allowing users to see how many events have occurred during each slice based on their priority level (normalized). Users can filter out less relevant event priorities like "Very Low" and "Low."
These features are part of a broader suite that aims to provide intuitive visualizations for understanding the flow and significance of data traffic within an organization's network, aiding in the detection and response to potential threats or significant activities.
The provided text discusses the visualization capabilities of ESM (Enterprise Security Manager) and how it is used for monitoring privileged users, specifically during after-hours activity. It explains the setup needed to demonstrate IdentityView within ArcSight Command Center by replaying event files. Key points include setting up the environment as an admin, starting a demo replay connector with specific event files, and understanding user context information through enhanced events and identity-based correlation. The text also highlights that IdentityView provides dashboards for better understanding the directory and identity management system, including the Actor Overview dashboard.
The Actor Overview dashboard in Solutions/IdentityView 2.0 provides an overview of the actor model, specifically focusing on actors and their associated accounts within a system or network. It highlights several key statistics and features:
1. **Actor Statistics**: There are 36 Actors (identities) in total, with around 130 different account IDs spread across them, i.e. on average between 3 and 4 accounts per Actor. This multiplicity makes it hard to see the full scope of an individual's activity and identity across multiple systems or applications.
2. **Actor Attributes**: The dashboard provides detailed summaries of various attributes captured for each Actor. These include status breakdowns (with 33 active and 3 disabled Actors), organizational unit (OU) distribution showing group memberships, and a count of users within specific departments like Information Technology and Marketing.
3. **Role-Based View**: The dashboard also offers a role perspective through the lens of Active Directory groups or roles, providing insights into group membership statistics. It reveals that there are 95 such groups or roles with the most users being in the Information Technology and Marketing departments.
4. **Use Cases**: This dashboard is particularly useful for compliance monitoring (e.g., tracking activity from terminated employees by identifying accounts associated with disabled Actors), strategic planning (based on user distribution across departments), and general management of identity and access controls within a large organization’s network infrastructure.
In summary, the Actor Overview dashboard in Solutions/IdentityView 2.0 is a powerful tool that offers comprehensive insights into how users are represented and interact with various systems or applications within an enterprise environment, facilitating effective governance and compliance.
The passage discusses the use of IdentityView for managing Active Directory groups and membership, which can be complex due to the numerous groups and users involved. It highlights that having too many groups complicates control and compliance efforts. For instance, a policy restricts access to data centers after hours to specific authorized users only, but if unauthorized individuals gain access, it leads to issues such as non-compliance with regulations, potential insider threats, and misconfigurations in badge reader authentication systems. The passage suggests using tools like ArcSight for real-time notifications when such incidents occur, allowing swift action and resolution by management.
This section covers how to handle and investigate an ArcSight alert about Mario Rossi badging into the server room after hours. The notification reports unauthorized access during non-business hours by someone who, like Mario Rossi, does not normally work in data center operations or hold admin rights. It shows the event details and asks you to acknowledge it so that your manager is not notified automatically. Clicking the notification gives more information, including what triggered the alert (Mario accessing the server room after hours). The alert has three components to look at: the badging event itself, Mario Rossi's role, and the time of the access outside business hours.
The text describes a process in which an ArcSight system uses identity correlation to match cryptic user names with known identities from an Actor model. This allows the system to add detailed information such as full name and department to events, helping to understand why someone might be accessing data during non-business hours. When issues are identified, cases are automatically created by ArcSight, which can then be managed using various attributes like stages, impact, severity, assigned users, and tracking mechanisms. The case includes both correlated events and base events that triggered the alarm. To investigate further, one can use Active Channels to track all activities of a specific user, in this case, Mario Rossi.
This text is about using a system called IdentityView to track user activities based on network data, such as Cisco NetFlow events. The process involves looking at different times of day and pausing the active channel. Then, complex queries are run to gather all information and activity related to specific users like Mario Rossi.
The key method used here is session correlation, where each event's details are linked to confirm that they belong to the same user even if certain fields might be missing or incomplete. For instance, a Microsoft Windows login indicates that Mario Rossi logged into his desktop workstation (MACHINE3) using the account ARCNET.COM\MROSSI. Further network activities from this machine during his session are also attributed to him due to correlation. Even when using different accounts for other machines, like MARIOR on printserver01, the system can still confirm that these actions are performed by Mario Rossi through continuous tracking and linking of events.
Throughout the process, some potentially suspicious activities such as blocked web browsing attempts towards personal email accounts are noted but not further detailed in this summary. The overall takeaway is how network data analysis tools like IdentityView can help monitor user activities, identify patterns, and detect potential security issues even when initial information might be incomplete or missing from logs.
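As an added example (not code from the demo script or from ArcSight), the following Python snippet implements the two attribution methods described above: identity correlation, which maps a cryptic account id such as MROSSI or MARIOR to a known actor and adds full name and department to the event, and session correlation, which attributes events that carry no user name (NetFlow, a proxy block) to whoever opened a logon session on the source host. The actor model, the addresses for MACHINE3 and printserver01, the `authenticator` key and the 8-hour session timeout are this example's assumptions; the CEF-style field names are real. The last event shows the failure mode: an event from MACHINE3 after the session has expired is left unattributed rather than guessed.

```python
"""Identity and session correlation in the style of the IdentityView demo.
Added example, not ArcSight code. The actor model, addresses and timeout are
constructed stand-ins; `authenticator` is this example's label for the
domain or host that vouched for an account name.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SESSION_TIMEOUT = timedelta(hours=8)  # assumed maximum session length for attribution

# Constructed actor model: each actor owns accounts keyed by (authenticator, account id).
ACTORS = {
    "mrossi": {"fullName": "Mario Rossi", "department": "Marketing",
               "accounts": {("ARCNET.COM", "MROSSI"), ("printserver01", "MARIOR")}},
    "dwest": {"fullName": "David West", "department": "Information Technology",
              "accounts": {("ARCNET.COM", "DWEST")}},
}


@dataclass
class Event:
    time: datetime
    deviceProduct: str
    name: str
    sourceAddress: str
    destinationAddress: str = ""
    sourceUserName: Optional[str] = None
    authenticator: Optional[str] = None  # domain or host that authenticated sourceUserName
    actor: Optional[str] = None          # filled in by correlate()
    department: Optional[str] = None
    attribution: Optional[str] = None    # "username", "session" or None


def resolve_actor(authenticator, account) -> Optional[str]:
    """Identity correlation: map a (possibly cryptic) account id to a known actor."""
    for actor_id, actor in ACTORS.items():
        if (authenticator, (account or "").upper()) in actor["accounts"]:
            return actor_id
    return None


def correlate(events: List[Event]) -> List[Event]:
    """Attribute events to actors by user name first, then by the logon session
    open on the event's source host (session correlation). Returns events in time order."""
    sessions = {}  # host address -> (actor_id, logon time)
    ordered = sorted(events, key=lambda e: e.time)
    for ev in ordered:
        actor_id = resolve_actor(ev.authenticator, ev.sourceUserName) if ev.sourceUserName else None
        if actor_id:
            ev.attribution = "username"
        elif ev.sourceAddress in sessions:
            sid, started = sessions[ev.sourceAddress]
            if ev.time - started <= SESSION_TIMEOUT:
                actor_id, ev.attribution = sid, "session"
            else:
                del sessions[ev.sourceAddress]  # stale session: leave the event unattributed
        if actor_id:
            ev.actor = ACTORS[actor_id]["fullName"]
            ev.department = ACTORS[actor_id]["department"]
            if ev.name == "Logon":    # a successful logon opens a session on the target host
                sessions[ev.destinationAddress] = (actor_id, ev.time)
            elif ev.name == "Logoff":
                sessions.pop(ev.destinationAddress, None)
    return ordered


def sample_events() -> List[Event]:
    """Constructed events modelled on the demo: MACHINE3 is 172.17.5.20, printserver01 is 172.17.9.5."""
    start = datetime(2024, 2, 5, 7, 55)

    def at(minutes):
        return start + timedelta(minutes=minutes)

    return [
        Event(at(0), "Microsoft Windows", "Logon", "172.17.5.20", "172.17.5.20", "MROSSI", "ARCNET.COM"),
        Event(at(15), "Cisco NetFlow", "Flow", "172.17.5.20", "10.0.3.1"),
        Event(at(17), "Blue Coat", "Web access blocked", "172.17.5.20", "203.0.113.10"),
        Event(at(35), "Unix", "Logon", "172.17.5.20", "172.17.9.5", "MARIOR", "printserver01"),
        Event(at(50), "Cisco NetFlow", "Flow", "172.17.9.5", "198.51.100.7"),
        Event(at(65), "Cisco NetFlow", "Flow", "172.17.9.9", "198.51.100.7"),  # no session on this host
        Event(at(635), "Cisco NetFlow", "Flow", "172.17.5.20", "10.0.3.1"),    # MACHINE3 session has expired
    ]


if __name__ == "__main__":
    for ev in correlate(sample_events()):
        print(ev.time.strftime("%H:%M"), ev.deviceProduct, ev.name, ev.sourceAddress,
              ev.actor or "-", ev.department or "-", ev.attribution or "unattributed")
```

The flows from printserver01 are attributed to Mario Rossi through the MARIOR logon rather than through his workstation, which is the chain the report relies on when it says the traffic belongs to him despite the events lacking a user name.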
The text describes an incident where someone tried to hide their online activities while accessing unauthorized websites such as job hunting sites like careerbuilder.com, monster.com, and hotjobs.com. This behavior is considered suspicious because it may indicate dissatisfaction with the current job or preparation for leaving the company.
The investigator used a Cisco NetFlow Event from printserver01 to identify unusual activity, including visits to anonymous foreign websites and a hacking website in China. These actions suggest that data might be being transferred out of the company, possibly containing intellectual property, which could justify further investigation. The person may have been downloading hacking tools with intentions to perform sabotage activities after leaving the organization.
The investigator plans to escalate the matter to human resources through the case management system within ArcSight. They visualize the selected fields and add the events found as evidence to the existing case about the employee (Mario Rossi) accessing the server room after hours. The text also mentions using the reporting tools, such as running an "All Activity for Specific" report, to summarize all observed activity associated with this case.
The document outlines a process for summarizing user activity using the "Specific Actor" report feature in ArcSight, focusing on Mario Rossi's access logs during after-hours building accesses and server room entries. The report compiles all archived reports related to Mario's activities over time, including event details from various applications such as badge reader, Cisco NetFlow, Microsoft Windows, Blue Coat, and Unix systems.
Through session correlation, the traffic is determined to belong to Mario Rossi even though some of the events carry no user name. The report is saved locally and attached to the case for further escalation or analysis. ArcSight's capabilities allow the relevant activity and evidence to be compiled quickly and in an organized form suitable for investigation.

This scenario also serves as a demonstration of IdentityView, which is still supported but nearing end-of-sale. The setup involves logging into the Command Center as admin, acknowledging notifications, deleting existing cases, and setting up a Demo Replay Connector to replay events from the IdentityView_v2.0.events file at 50 events per minute for about two to three minutes before adjusting the speed if necessary.
In this scenario, a company's IT department uses ArcSight for network security monitoring. Corporate policy discourages shared accounts without explicitly forbidding them, but their use is strictly prohibited in specific network segments of the organization (the sj-arcnet-desktops segment is named as one).
When an employee used a shared account on a server in one of these restricted segments, violating the policy, the system automatically sent an email notification to the IT manager. The manager then opened the ArcSight Command Center, where they could view and acknowledge the pending notification about the unauthorized use of a shared account by David West in the sj-arcnet-serverfarm segment.
Examining the notification details in IdentityView v2.0 revealed that David West had logged into the server using the root account, which is also flagged by the lightning-bolt icon that marks a correlated event. The dashboard provided comprehensive information about shared account activity across the organization, including source and target addresses, applications, and the identities of the users involved.
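The rule behind that notification is simple to state: a successful login with a known shared account into a restricted network zone, attributed where possible to the person behind the source host. The program below is an added illustration written for this page, not the product's rule engine; the zone table, the shared-account list, the restricted-zone set, the session-owner table and the login events are all constructed (the zone names follow the sj-arcnet-desktops style the document uses, which also shows how a subnet gets a human-readable name in the notification).

```python
"""Added example: evaluating a login against a shared-account policy per network zone.

Illustrative code, not the product's rule engine. The zone table, the
shared-account list, the restricted-zone set, the session-owner table and
the events are all constructed for the example.
"""
import ipaddress

# Network model (constructed): subnet -> human-readable zone name.
ZONES = {
    "10.1.2.0/24": "sj-arcnet-desktops",
    "10.1.5.0/24": "sj-arcnet-serverfarm",
}

# Accounts known to be shared (constructed list).
SHARED_ACCOUNTS = {"root", "administrator", "SystemUser"}

# Zones where the policy forbids shared-account use (constructed).
RESTRICTED_ZONES = {"sj-arcnet-serverfarm"}

# Identity context (constructed): who currently holds the session on each source host.
SESSION_OWNERS = {
    "10.1.2.7": "David West",
    "10.1.2.3": "Mario Rossi",
}


def zone_for(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def evaluate_login(event: dict):
    """Rule body: return a notification for a policy violation, otherwise None.

    event keys: 'account', 'src_ip', 'dst_ip', 'outcome' ('success' | 'failure').
    Only successful shared-account logins into a restricted zone fire. The
    notification names the person the source host is attributed to, so the
    recipient sees who acted rather than just 'root'; a login that cannot be
    attributed to anyone is rated higher, since there is no one to ask.
    """
    if event["outcome"] != "success" or event["account"] not in SHARED_ACCOUNTS:
        return None
    target_zone = zone_for(event["dst_ip"])
    if target_zone not in RESTRICTED_ZONES:
        return None
    actor = SESSION_OWNERS.get(event["src_ip"])
    return {
        "rule": "Shared Account Used in Restricted Segment",
        "severity": "High" if actor else "Very-High",
        "actor": actor or "unattributed",
        "account": event["account"],
        "source_zone": zone_for(event["src_ip"]),
        "target": event["dst_ip"],
        "target_zone": target_zone,
        "summary": (f"{actor or 'Unknown user'} logged into {event['dst_ip']} "
                    f"({target_zone}) as shared account {event['account']}"),
    }


def run(events):
    """Evaluate a batch of login events and collect the notifications raised."""
    return [n for n in (evaluate_login(e) for e in events) if n is not None]


SAMPLE_LOGINS = [  # constructed login events
    {"account": "root", "src_ip": "10.1.2.7", "dst_ip": "10.1.5.20", "outcome": "success"},
    {"account": "root", "src_ip": "10.1.2.7", "dst_ip": "10.1.2.9", "outcome": "success"},
    {"account": "dwest", "src_ip": "10.1.2.7", "dst_ip": "10.1.5.20", "outcome": "success"},
    {"account": "root", "src_ip": "10.1.2.7", "dst_ip": "10.1.5.21", "outcome": "failure"},
    {"account": "SystemUser", "src_ip": "192.0.2.44", "dst_ip": "10.1.5.30", "outcome": "success"},
]

if __name__ == "__main__":
    for n in run(SAMPLE_LOGINS):
        print(n["severity"], n["summary"])
```

Of the five constructed logins only two fire: the root login into the server farm from David West's desktop, and a SystemUser login from an address outside the network model, which is reported as unattributed. The root login into a desktop, the personal-account login and the failed attempt are all filtered out by the rule's conditions.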
This summary outlines the process and tools used in an IdentityView investigation of shared account activity, specifically the successful logins attributed back to David West. The steps include opening the specific dashboard (ArcNet Dashboards/IdentityView v2.0/Shared Accounts), viewing active channels within the IdentityView application, and pausing the channel to analyze events such as successful logons and Cisco NetFlow events that carry no username.
During this analysis, the actor investigation is performed by selecting an Actor Field Set in the Field Sets menu, which attributes events back to David West using both username and IP attribution. During normalization, the SmartConnector rates each event's danger level on a scale from Very Low to Very High.
Visualizing these events involves creating a report that showcases selected fields such as Name, Device Product, and Target Address through the Visualize Events feature in ArcSight. Finally, for reporting purposes, an archived report titled "Logins to Known Shared Accounts - Summary" is generated using default settings in ArcSight's reporting module.
This document outlines a use case for IdentityView 2.0 with ArcSight, focused on monitoring shared account activity within a network and asset model. The primary purpose of this setup is to create detailed reports that help in understanding which accounts are used, with which applications, and from which locations.
The first default report available through the system shows all archived reports including logins, accounts being used, applications they're associated with, and general activity location details. This information is presented in a human-readable format (e.g., sj-arcnet-desktops) for easier understanding compared to numerical IP subnets or complex network diagrams.
The second default report specifically highlights SU and SUDO activity (use of the Unix su and sudo privilege-escalation commands), providing detailed information about these types of user interactions within the environment. This is crucial for monitoring use of permissions that go beyond standard user access.
In this legacy application use case, IdentityView 2.0 is used to create a human-readable subnet name, "sj-arcnet-desktops," which aids in understanding network activity quickly and efficiently without requiring detailed technical drawings or spreadsheets. This naming convention can be applied across various content types like notifications, reports, rules, and cases for broader usability and clarity.
Lastly, the final default report displays a summary of all SU and SUDO activities within the environment, which is essential for auditing and compliance purposes to ensure that system access controls are not being bypassed or abused.
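To make the SU and SUDO summary concrete, the following added example (written for this page, not the product's own report) parses constructed Unix auth-log lines in the formats su and sudo emit on common Linux systems, maps each local account back to a person through a constructed actor model, and aggregates who escalated to which account, which escalations failed, and which commands were run as root. Hosts, accounts, commands and the mapping are all made up for the example.

```python
"""Added example: summarising su and sudo activity from Unix auth logs per actor.

Illustrative code, not the product's report. The log lines, hosts, accounts
and the actor mapping are constructed for the example.
"""
import re
from collections import defaultdict

# Actor model (constructed): (host, local account) -> person.
ACTOR_MODEL = {
    ("printserver01", "marior"): "Mario Rossi",
    ("dbserver02", "dwest"): "David West",
}

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# sudo:   user : [failure text ;] TTY=... ; PWD=... ; USER=target ; COMMAND=cmd
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo(?:\[\d+\])?: +(?P<user>\S+) : "
                     r"(?P<detail>.*?)USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# su[pid]: (to target) user on tty
SU_RE = re.compile(TS + r" (?P<host>\S+) su(?:\[\d+\])?: \(to (?P<target>\S+)\) "
                   r"(?P<user>\S+) on (?P<tty>\S+)$")

# Constructed syslog lines; the sshd line is there to show unrelated input is skipped.
SAMPLE_LOG = """\
Apr  8 09:12:01 printserver01 su[2210]: (to root) marior on pts/1
Apr  8 09:13:44 printserver01 sudo:   marior : TTY=pts/1 ; PWD=/home/marior ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr  8 09:15:02 printserver01 sudo:   marior : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/marior ; USER=root ; COMMAND=/sbin/iptables -F
Apr  8 10:02:10 dbserver02 sudo:    dwest : TTY=pts/0 ; PWD=/home/dwest ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Apr  8 10:05:33 dbserver02 sudo:    dwest : TTY=pts/0 ; PWD=/home/dwest ; USER=postgres ; COMMAND=/usr/bin/psql
Apr  8 11:30:00 printserver01 sshd[3001]: Accepted publickey for marior from 10.1.2.3 port 51022 ssh2
"""


def parse(line):
    """Return a normalised record for a su or sudo line, or None for anything else."""
    m = SUDO_RE.match(line)
    if m:
        detail = m["detail"]
        failed = "NOT in sudoers" in detail or "incorrect password" in detail
        return {"kind": "sudo", "host": m["host"], "user": m["user"],
                "target": m["target"], "cmd": m["cmd"],
                "outcome": "failure" if failed else "success"}
    m = SU_RE.match(line)
    if m:
        return {"kind": "su", "host": m["host"], "user": m["user"],
                "target": m["target"], "cmd": None, "outcome": "success"}
    return None


def summarize(log_text):
    """Per-actor summary: escalation counts, target accounts and commands run as root."""
    summary = defaultdict(lambda: {"su": 0, "sudo": 0, "failed": 0,
                                   "targets": defaultdict(int), "root_commands": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # An account missing from the actor model is reported, not silently dropped.
        actor = ACTOR_MODEL.get((rec["host"], rec["user"]),
                                f"unmapped:{rec['user']}@{rec['host']}")
        s = summary[actor]
        s[rec["kind"]] += 1
        if rec["outcome"] == "failure":
            s["failed"] += 1
            continue
        s["targets"][rec["target"]] += 1
        if rec["kind"] == "sudo" and rec["target"] == "root":
            s["root_commands"].append(rec["cmd"])
    return {a: {**v, "targets": dict(v["targets"])} for a, v in summary.items()}


if __name__ == "__main__":
    for actor, s in summarize(SAMPLE_LOG).items():
        print(actor, s)
```

Counting failed escalations separately matters for the audit question the report answers: a denied sudo attempt is not a bypass of access control, but a pattern of them from one person is worth a look, and it would be invisible if failures were merged into the success counts.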
The provided notes emphasize that this use case demonstrates IdentityView, which is still supported but nearing its end-of-sale stage. The setup process involves logging into the Command Center as an admin, acknowledging any existing notifications, and starting a Demo Replay Connector with specified event files for replay at a controlled pace before adjusting according to specific needs.
This document outlines the use case for IdentityView v2.0 in tracking user activity using the shared SystemUser account across an application. The primary objective is to ensure compliance by being able to trace logins attributed to this shared account back to specific users. IdentityView provides a dashboard that displays any activities from the SystemUser account, and it can generate reports on archived login sessions for auditors. Without IdentityView, there would be no means to track these activities or attribute them to accountable individuals.
The use case includes steps for setting up demo replay of events using the IdentityView_v2.0.events file at a rate of 50 events per minute initially, which can then be adjusted to approximately 25 events per second if necessary. This tool is designed to consider user attributes like department and role in its reporting, offering valuable insights into system and application usage patterns.
This document provides instructions for accessing and reviewing specific dashboards and reports related to user login activity within an organizational environment. It outlines the steps to view two different dashboard options based on department or employee type, as well as where to find archived versions of these reports. The process involves navigating through a hierarchical system of folders under the "/All Dashboards/ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Modeling" path for both dashboards and reports. Additionally, it directs users to contact arst-gfs@microfocus.com with questions or comments about this process or any specific suggestions regarding user login monitoring.