ArcSight ESM Console Demo Script
- Pavan Raja

- Apr 8, 2025
- 41 min read
Summary:
This text appears to be a guide for accessing and interpreting reports related to employee activities within an organization using Micro Focus products, specifically ArcSight software. Here's a summary of the steps outlined in the document:
1. **Accessing Reports**:
   - Navigate to specific paths within the ArcSight Console to access various dashboards and reports.
   - Open the Dashboards under /ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Modeling/.
   - Within these dashboards, look for reports such as "Login Activity by Department" and "Login Activity by Employee Type."
2. **Interpreting Reports**:
   - The document mentions specific reports that can be found in the Reports Navigator pane, including PDFs titled with various activity-related titles (e.g., "All Activity for Department," "Activity Based Modeling by Department").
   - These reports provide insights into system and application usage, which can guide decisions regarding access rights within the organization.
3. **Understanding Columns**:
   - The document discusses two different columns in the report: "Actor by Name" and "Actor by IP." This distinction shows how IdentityView can attribute activity based on either name or IP address.
4. **Reviewing SU and SUDO Activity**:
   - Review the "Archived Report: SU and SUDO Activity.pdf" to see all SU and SUDO activity within your environment, which is useful for understanding administrative actions taken by users.
5. **Using IdentityView**:
   - The text emphasizes the use of IdentityView to track shared account usage back to specific identities, providing detailed correlation options and insights into privileged user activities.
6. **Contacting Support**:
   - If you have any questions or need further assistance, contact Micro Focus International plc at arst-gfs@microfocus.com.
To summarize, this document is a guide on how to access and interpret reports within the ArcSight software related to employee activities in an organization using Micro Focus products. The key steps involve navigating through the software's menus and tabs to find specific dashboards and reports, which then provide insights into user activity and system usage.
Details:
The document provides a detailed overview of various use cases and functionalities within ArcSight ESM / ESM Express 7.0 Patch 1, including demonstration scripts executed on the console. Here's a summary of each section mentioned in the content:
**Overview**: Provides an introduction to what ArcSight is and its purpose.
**Security Use Case**: Demonstrates how ArcSight can be used for threat intelligence analysis, highlighting features like Reputation Security Monitor Plus and ArcSight Activate Threat Intelligence.
**Reputation Security Monitor Plus**: Explains the specific use case of monitoring reputation security within ArcSight.
**ArcSight Activate and Marketplace**: Discusses the integration of threat intelligence with ArcSight Activate and its marketplace for expanded capabilities.
**Compliance Use Case**: Demonstrates how to comply with various standards using ArcSight, including NetFlow-based monitoring and privileged user monitoring.
**NetFlow Use Cases**: Shows specific use cases involving NetFlow analysis, such as worm outbreaks and other network anomalies detection.
**Worm Outbreak Use Case**: Illustrates the application of ArcSight in detecting and managing worm outbreaks within a network.
**Privileged User Monitoring Use Case (Afterhours Activity)**: Focuses on monitoring user activity during off-peak hours to ensure security protocols are followed.
**Shared Accounts Use Case (Policy Violation)**: Demonstrates how to monitor shared accounts for policy violations using ArcSight, highlighting the importance of enforcing security policies through automated systems.
The document provides demonstration scripts for using the ArcSight Console with ESM/ESM Express, focusing on three security use cases, including Shared Accounts (Legacy Application) and Privileged User Monitoring (Activity Monitoring and Modeling). It also includes information about Micro Focus trademarks and company details. Additionally, it mentions that passwords in Blueshift will differ from those specified in the document.
The setup for this demonstration involves logging into the ArcSight Console as an admin, deleting any existing notifications and cases, starting a demo replay connector with specific event files at 50 events per minute, and hiding certain panels like Navigator, Viewer, and Inspect/Edit.
The synopsis outlines how the analyst will use ESM/ESM Express for investigation purposes, highlighting the efficiency of ArcSight in handling complex situations. The workflow involves starting from notifications about suspicious or malicious activity, moving through a dashboard to an active channel, generating reports, and finally creating cases for further action.
Action talking points include acknowledging received notifications and marking them as pending, which triggers the ESM/ESM Express system to alert on suspicious or malicious activities detected by the platform.
This summary is about using a system called ArcSight to monitor and analyze login attempts to locked Windows accounts. It explains how to log in to the ArcSight Console, find notifications about attempted logins, and see details of events related to these notifications. The system automatically correlates base events and shows them together with correlated events.
It also mentions using field sets to focus on specific fields of interest and categorizing events for easier analysis. This helps in understanding when someone is trying to access a locked account and provides structured data from unstructured event information, which is made easy through the SmartConnector feature.
Categorization simplifies understanding by providing a structured way to categorize events, making content more portable across different devices or vendors without needing to rewrite specific event IDs for each change in version. This abstraction layer allows rules and reports to be written using categories like device groups, which can trigger on various operating systems beyond just Windows, Unix, Linux, etc. The system provides a dynamic, interactive dashboard that gives an overview of all operating system login activities, including detailed investigations by clicking parts of the dashboard. It also offers workflow features such as case management, where events from notifications are correlated and presented in a structured view for further investigation and action.
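The categorization layer described above can be illustrated with a small example. The code below is added here and is not part of the original document or of ArcSight; it shows two constructed raw events (a Windows logon failure and a Linux PAM failure) being mapped to vendor-neutral category fields, and a single rule written against those categories so it fires across both operating systems. The field names (device_group, behavior, outcome, target_user) and the category strings are assumptions for this example, not ArcSight's schema.

```python
"""Added example: vendor-specific events normalized into categories, with a
rule written against the categories rather than vendor event IDs."""
from collections import defaultdict

# Constructed sample events, as a connector-side parser might receive them.
# 0xC0000234 is the Windows sub-status for an account that is locked out.
RAW_EVENTS = [
    {"product": "Windows", "event_id": "4625", "sub_status": "0xC0000234",
     "user": "swright", "src": "10.0.110.34"},
    {"product": "Windows", "event_id": "4625", "sub_status": "0xC0000234",
     "user": "swright", "src": "10.0.110.34"},
    {"product": "pam_unix", "event_id": "auth_failure",
     "user": "swright", "src": "10.0.110.34"},
    {"product": "Windows", "event_id": "4624",
     "user": "jdoe", "src": "10.0.5.7"},
]

# Assumed category strings; the mapping is what the categorization layer maintains
# per product, so rules and reports never need to know the vendor event IDs.
CATEGORY_MAP = {
    ("Windows", "4625"): {"device_group": "/Operating System",
                          "behavior": "/Authentication/Verify", "outcome": "/Failure"},
    ("Windows", "4624"): {"device_group": "/Operating System",
                          "behavior": "/Authentication/Verify", "outcome": "/Success"},
    ("pam_unix", "auth_failure"): {"device_group": "/Operating System",
                                   "behavior": "/Authentication/Verify", "outcome": "/Failure"},
}
UNKNOWN = {"device_group": "/Unknown", "behavior": "/Unknown", "outcome": "/Unknown"}


def categorize(raw):
    """Turn a raw vendor event into a normalized event carrying category fields."""
    cats = CATEGORY_MAP.get((raw["product"], raw["event_id"]), UNKNOWN)
    event = {"target_user": raw["user"], "source_address": raw["src"], **cats}
    # Extra context derived from a vendor-specific detail, exposed as a category.
    event["reason"] = "/Account Locked" if raw.get("sub_status") == "0xC0000234" else ""
    return event


def failed_logins_rule(events, threshold=3):
    """Rule expressed only in categories: fires once per target user when
    `threshold` authentication failures from any operating system accumulate."""
    counts = defaultdict(int)
    fired = []
    for ev in events:
        if (ev["device_group"] == "/Operating System"
                and ev["behavior"] == "/Authentication/Verify"
                and ev["outcome"] == "/Failure"):
            counts[ev["target_user"]] += 1
            if counts[ev["target_user"]] == threshold:
                fired.append(ev["target_user"])
    return fired


def run_demo():
    """Normalize the constructed events and run the rule over them."""
    return failed_logins_rule([categorize(r) for r in RAW_EVENTS])


if __name__ == "__main__":
    print(run_demo())
```

Because the rule only sees `/Operating System`, `/Authentication/Verify` and `/Failure`, the two Windows failures and the Linux failure for swright count together and the rule fires, while the successful logon for jdoe is ignored; adding a third vendor means extending CATEGORY_MAP, not rewriting the rule.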
The text describes a process for investigating an incident involving a user named swright who is using a remote VPN connection with IP address 10.0.110.34. Here’s a step-by-step summary of what to do and observe during this investigation:
1. **Trigger Event**: The initial trigger event for the case creation involves an unidentified user (swright) accessing the network via VPN with IP address 10.0.110.34.
2. **Case Management**: Click "Lock Case" to secure and manage the incident, then click "Stage" and select "Initial." You can also view a history of actions taken related to this case.
3. **Apply Changes**: After making changes, click "Apply" followed by "OK."
4. **Active Channel Investigation**: In the Navigator Panel, click on "Active Channels" and bring up the Active Channel for further investigation. This channel shows only operating system events initially.
5. **Load Active Channel**: Once loaded, pause it to focus on specific activities. Close the Navigator panel.
6. **Investigate with SmartConnector**: Right-click on swright in the "Target User Name" column and select options to analyze this user's activity. The system will automatically identify that swright is a remote VPN user connected through 10.0.110.34 and has experienced multiple failed login attempts.
7. **Malicious Activity Detection**: Further investigation reveals that swright, despite being a mobile user connecting through the VPN, is infected with malware actively contacting malicious sites via FTP from the corporate network firewall and IDS logs.
8. **Priority Information**: SmartConnector collects data on the danger level associated with each event during normalization. This data helps in prioritizing and understanding the severity of the incident involving swright's compromised device.
This process involves using a combination of user interface actions, automated analysis tools (SmartConnector), and interpretation of logs to identify potential security threats and prioritize responses accordingly.
This process involves setting up an active channel in a security system to investigate DNS domain "dslzn11.badguy.net" and related events such as FTP user and password attempts, login failures on locked Windows accounts, and operating system events. The investigator continues their investigation by adding these target domains, users, and events to the case file for further analysis. They can save searches or share them with other analysts, review previous steps using breadcrumbs in the navigator panel, and generate reports to validate findings.
This document outlines a procedure for generating and attaching a report in PDF format to an incident case using ArcSight ESM (Extended Security Management) Express. The steps are as follows:
1. **Generate a Report**: Right-click on the specified report, select "Report, Run..." and specify parameters such as the report name ("Failed Logins by Destination Address"), start time set to one day before now, end time set to now, and report format set to PDF. Save the generated PDF and open it.
2. **Attach Report to Case**: In the Navigator Panel, click on "Cases" and then attach the generated report PDF file to the case by following these steps:
   - Click "Multiple Login Attempts to Locked Out Account: swright".
   - Click "Attachments", followed by "+".
   - Browse and select both of the attached report PDFs. Ensure that you choose files with a type of "Documents" (pdf, doc, xls, etc.).
3. **Add Initial Notes**: Click on "Initial" to add notes and follow-up actions for future reference. Set the following details:
   - Actions Taken: Disable the swright VPN account; disable or take offline any infected host.
   - Recommended Actions: Connect the infected host to an isolated quarantine network for forensic investigation.
4. **Update Case Attributes**: Modify some attributes of the case based on your findings and confirm them by clicking "OK".
5. **Follow-Up**: In the case management interface, select "Stage" then "Follow-Up", and set the "Operational Impact" to "High Priority". Scroll down and adjust other settings like "Owner" and "Security Classification" as needed.
6. **Final Notes**: The document concludes by highlighting how this process demonstrates the efficiency and ease of using ArcSight ESM/ESM Express for incident handling, along with its integration capabilities into existing systems.
The document provides a comprehensive overview of several key components within the Reputation Security Monitor Plus (RepSM) suite, designed to enhance network security by leveraging threat intelligence databases. Here's a summary breakdown of each section discussed in the text:
1. **Reputation Domain Database Overview**: This dashboard displays the current number of domains being monitored through the company's threat intelligence feed. For demonstration purposes, these domain entries have been simplified; in a production environment such a database would contain hundreds of thousands to millions of entries, all aimed at providing an up-to-date view of potential malicious activities and threats.
2. **Reputation IP Database Overview**: Similar to the domain dashboard, this section presents an overview of IP addresses that are under surveillance through the company’s threat intelligence network. This feature is crucial in identifying and managing risks associated with potentially harmful internet protocol (IP) addresses linked to security breaches or malicious activities.
3. **RepSM Overview**: This part of the document focuses on the functionality of Reputation Security Monitor Plus itself, detailing how it uses advanced threat intelligence to identify and respond to malware infections, zero-day attacks, and risky online behaviors within an organization's network. The dashboard provides insights into internal infections, dangerous browsing patterns, and interactions with known malicious entities, aiding in proactive security measures and investigations.
Each section is designed to provide actionable information for cybersecurity professionals, helping them visualize the potential risks associated with various domains and IP addresses, thereby facilitating more informed decisions on how to protect their networks from emerging threats. The exploit type and reputation score outlined in the document help users quickly assess the level of threat posed by each entry, guiding security strategies based on risk levels identified.
A technician finds that several internal assets are communicating with a botnet server, mystreamvideo.rr.nu. This behavior is flagged as malicious due to its high reputation score for risk, which suggests it could be associated with malware like the Flashback Trojan. The technician accesses detailed information on these assets through a dashboard and identifies an infected Mac user by the name of "Macmini" with IP address 10.0.20.21.
In order to investigate further, the technician right-clicks on the mystreamvideo.rr.nu entry in the Infected Assets panel, bringing up the Malicious Entity column where they find that this Trojan is affecting internal Mac users. They then open the Contacted Malicious Entities panel and proceed to search for more information using Google. If internet access isn't available, they can save an image of the infected asset.
Upon double-clicking on the 10.0.20.21 entry in the Summary of Infected Assets Dashboard, the technician gets a detailed drilldown view which shows communication to and from this infected asset over the past 24 hours. This includes attempts at SQL injections and internal logins. They can further analyze specific events by right-clicking on them and selecting options like Analyze in Channel, Show Event Details, and geo-locating sources and destinations based on IP addresses.
Closing these displays, the technician concludes their investigation of currently infected assets and interactions within the last 24 hours with a final look at the detailed record of events related to the infected asset.
The provided text describes the use of Integration Commands within ArcSight for managing and remediating infected assets such as IP address 10.0.20.21|macmini, which has been identified as potentially malicious. This process involves using a dashboard called RepSM Overview to visualize actions that can be taken against infected systems. The text also highlights the use of case management within ArcSight for tracking and managing incidents related to the infection.
Here's a summary:
1. Utilize the Integration Commands feature in ArcSight to interact with infected assets like IP 10.0.20.21|macmini, which can be assessed by running simple network commands (e.g., ping or nslookup) and potentially more advanced actions such as taking a forensic snapshot and remediating the system.
2. The text mentions that Integration Commands are very useful for containment and remediation of malicious entities on infected systems.
3. Case management is automatically initiated in ArcSight when an infection is detected, opening an internal case to manage the incident with automated workflow capabilities.
4. Users can work through predefined stages within the case management system, assign cases to other users, track progress, add notes for future reference, and record events related to each case. The flexibility of this system allows granular tracking of case progression.
This summary discusses an investigation into internal infections using ArcSight Reputation Security Monitor Plus (RepSM). The process involves adding findings and reports to the case for analysis, which includes checking the status in the RepSM Overview dashboard and reviewing reports such as "Currently Infected Assets" and "Dangerous Browsing Activities During the Last 24 Hours - Long Form." The system automatically updates the status of assets like macmini after closing the related case. Additionally, it is noted that RepSM offers a variety of out-of-the-box reports which can be customized or attached to cases for incident tracking.
In this demonstration, we explored how Reputation Security Monitor Plus (RepSM) leverages threat feed data to detect suspicious and malicious behavior within a network. We observed that RepSM identifies malicious communications by accessing the Malicious Entities tab on the lower left side of the dashboard. This process confirms our investigation findings as demonstrated through various ArcNet dashboards, including Geographical View of Malicious Communications and Threat Intelligence Overview.
To set up Reputation Security Monitor Plus for threat intelligence in the ArcSight Console:
1. As an admin, open specific dashboards and active channels related to threat intelligence, such as Reputation Address Data Overview, Reputation Entity Data Overview, Suspicious Activities in Geo, and Threat Intelligence Overview.
2. For demo purposes, switch to a dark theme and access the Personal Investigating Channel within the ArcSight Activate Active Channel.
3. Begin the Demo Replay Connector by selecting the Activate event files and replaying them at 50 events per minute. This setup allows for demonstration of incident assignment using Event Annotation through two running consoles with different accounts.
In this scenario, you are given two different consoles to interact with as either a SOC manager (Level 1) or a SOC analyst (Level 1). The main objective of the exercise is to simulate incident handling in a cybersecurity environment. Here's an overview of the setup and tasks for each role:
**Console Setup:**
**Default Theme (SOC Manager):** You will log in as 'admin'. This console simulates a SOC manager who monitors the 'Activate Main Channel', where incidents are triaged and assigned to analysts.
**Dark Theme (Analyst):** You will log in as 'demo'. In this console, you interact with the 'Personal Investigating Channel' where you act as a Level 1 SOC analyst investigating an incident.
**Use Cases:**
The primary use case involves a system on the DMZ that has been infected and is communicating with a command and control server. This detection occurs through two methods:
**Outbound Communication via Firewall:** Detection of communication to known bad IP addresses from the Check Point firewall.
**Malware Analysis:** The infection is identified by malware using Sysmon (a tool for monitoring Windows system activity) which collects file hashes of running programs, indicating suspicious behavior.
Other use cases can be explored based on rule names displayed in the Main Channel:
These rules are triggered when specific events occur related to network communications or malware activities that align with predefined threat models using STIX/TAXII, CIF, Ransomware data feeds, and HIDDEN COBRA data feeds for enrichment.
**Key Highlights:**
1. **Product Agnosticism:** The Activate package is designed to work with any product or vendor without requiring specific software packages. It reacts to events sent into the Enhanced SIEM (ESM) system.
2. **Threat Model Population:** Uses multiple sources like STIX/TAXII, CIF, Ransomware data feeds, and HIDDEN COBRA for threat intelligence population in the model.
3. **Information Enhancement and Contextualization:** Utilizes threat intelligence to enrich event details, such as identifying an IP address as a botnet or malware site, tracing the source of the threat, and assessing the credibility (commercial vs. open-source) of the threat information.
4. **Level 2 Content:** Provides additional context not only from the Threat Model but also from the Network and Asset Model to enhance understanding and response strategies for incidents.
Overall, this simulation is designed to familiarize users with incident handling in a SOC environment using various intelligence sources and tools effectively.
This content provides guidance on using file hashes as indicators of compromise (IOCs), alongside traditional IOCs like IP addresses and fully qualified domain names (FQDNs). The demo utilized Microsoft Sysmon to collect process and file hash information, which is an efficient method for gathering this data. Alternatively, tools such as Microsoft AppLocker or any host monitoring product can be used in conjunction with Sysmon. For the demonstration, a Sysmon FlexConnector from the ArcSight Marketplace was employed, paired with the Windows Native SmartConnector, which cannot parse these logs on its own.
The content also covers Event Replay within the ArcSight Activate platform:
It mentions an Active List that tracks IP addresses and entities triggering rules; this list has a TTL of 8 hours. If events need to be replayed within this period, they can be viewed in the Main Channel by clearing entries from the Active List.
The specific path for accessing this feature is /All Active Lists/ArcSight Activate/Solutions/Threat Intelligence/Situational Awareness/Suspicious Activity/Threat Intelligence Suspicious Activity Alerts.
Finally, it discusses the ArcSight Activate Level 1 and Level 2 Threat Intelligence packages:
The L1 package populates a Threat Model with data from various intelligence feeds and sources, focusing on suspicious or malicious activities. This model comprises three Active Lists - Suspicious Addresses, Suspicious IPv6, and Suspicious Entity. These lists are keyed to specific types of indicators (IPv4 addresses for Suspicious Addresses and IPv6 addresses for Suspicious IPv6) and entities.
This document describes a software package used for threat intelligence collection and analysis. It primarily populates lists with items such as URLs, host names, suspicious file hashes, user names or emails. Threat intelligence feeds are sourced from various open source, proprietary, and internal platforms including STIX and TAXII, Collective Intelligence Framework (CIF), Ransomware data feeds, and HIDDEN COBRA data feeds.
The package includes two dashboards that provide visual summaries of threat intelligence active lists: the Address dashboard and the Entity dashboard. The Address dashboard breaks down information by Indicator Type, Score Range, and Source to identify potential malicious activities such as inbound or outbound communications to known bot or command and control servers. The score ranges from 0 to 100, with open source intelligence having a lower score than proprietary or internal intelligence depending on the reliability and accuracy of the data.
The Entity dashboard displays similar information but also includes counts by Signature Type, which can include URLs, fully qualified domain names (FQDNs), suspicious file hashes (md5/sha1/sha256), user names, or emails as potential malicious entities. The SmartConnector in the package normalizes these fields for product and vendor agnostic analysis, alerting users to indicators of compromise and related activities when data from any device being monitored is present.
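The Threat Model just described (three keyed Active Lists, per-source scores, and the 8-hour alerts list whose entries suppress repeated hits until they expire or are cleared) can be illustrated with a small simulation. The code below is added here and is not ArcSight's own; the feed names, scores, list TTLs, event field names and the sample indicators and events are all constructed for the example. It shows how an IPv4 address, an IPv6 address and a file hash are routed to the right list, how a normalized event is matched against the model, and why a replayed event within the TTL window only shows up again once the alerts list is cleared.

```python
"""Added example: a toy Threat Model with TTL-keyed active lists and alert
suppression. Time is a simulated clock in seconds so it runs deterministically."""
import ipaddress
from dataclasses import dataclass

HOURS = 3600


@dataclass(frozen=True)
class Indicator:
    value: str
    source: str    # constructed feed name, e.g. "osint-feed" or "commercial-feed"
    score: int     # 0-100 reliability score assigned per source
    category: str  # e.g. "Botnet", "Malware"


class ActiveList:
    """Keyed entries with a time-to-live; expiry is checked lazily on lookup."""

    def __init__(self, name, ttl_seconds):
        self.name, self.ttl, self._entries = name, ttl_seconds, {}

    def add(self, key, payload, now):
        self._entries[key] = (payload, now + self.ttl)

    def get(self, key, now):
        item = self._entries.get(key)
        if item is None:
            return None
        payload, expiry = item
        if now >= expiry:
            del self._entries[key]
            return None
        return payload

    def clear(self):
        self._entries.clear()


def score_range(score):
    """Bucket a 0-100 score the way a dashboard summarizes it (assumed thresholds)."""
    return "High" if score >= 80 else "Medium" if score >= 50 else "Low"


class ThreatModel:
    def __init__(self, indicator_ttl=30 * 24 * HOURS, alert_ttl=8 * HOURS):
        self.addresses = ActiveList("Suspicious Addresses", indicator_ttl)
        self.ipv6 = ActiveList("Suspicious IPv6", indicator_ttl)
        self.entities = ActiveList("Suspicious Entity", indicator_ttl)
        self.alerts = ActiveList("Suspicious Activity Alerts", alert_ttl)

    def _list_for(self, value):
        """Route an indicator to the list keyed on its type."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return self.entities, value.lower()  # URL, FQDN, hash, user or e-mail
        return (self.addresses if addr.version == 4 else self.ipv6), str(addr)

    def load(self, indicator, now):
        lst, key = self._list_for(indicator.value)
        lst.add(key, indicator, now)

    def correlate(self, event, now):
        """Check the indicator-bearing fields of a normalized event against the
        model. Returns an alert dict on the first new hit, None otherwise."""
        for fld in ("destination_address", "file_hash", "request_url", "destination_host"):
            value = event.get(fld)
            if not value:
                continue
            lst, key = self._list_for(value)
            ind = lst.get(key, now)
            if ind is None:
                continue
            if self.alerts.get(key, now) is not None:
                return None  # already alerted within the TTL window
            self.alerts.add(key, (event.get("device_host"), now), now)
            return {"rule": f"Suspicious {fld} activity", "indicator": ind.value,
                    "source": ind.source, "score_range": score_range(ind.score),
                    "category": ind.category, "list": lst.name}
        return None


# Constructed feed entries and events (documentation addresses and a dummy hash).
FEED = [
    Indicator("203.0.113.45", "osint-feed", 40, "Botnet"),
    Indicator("2001:db8::bad", "commercial-feed", 80, "C2"),
    Indicator("0123456789abcdef0123456789abcdef", "internal-ir", 95, "Malware"),
]
EVENTS = [
    {"device_host": "fwhq05", "destination_address": "203.0.113.45"},
    {"device_host": "printserver01", "file_hash": "0123456789ABCDEF0123456789ABCDEF"},
    {"device_host": "fwhq05", "destination_address": "203.0.113.45"},  # replayed hit
    {"device_host": "ws17", "destination_address": "198.51.100.9"},     # not in model
]


def run_demo(start=0):
    """Load the feed, then correlate the events one minute apart."""
    model = ThreatModel()
    for ind in FEED:
        model.load(ind, start)
    results = [model.correlate(ev, start + i * 60) for i, ev in enumerate(EVENTS)]
    return model, results


if __name__ == "__main__":
    for r in run_demo()[1]:
        print(r)
```

In the run above the first firewall event and the Sysmon hash event each produce an alert (the hash matches case-insensitively because entity keys are lowercased), the replayed firewall event is suppressed by the alerts list, and the unknown destination produces nothing. Clearing `model.alerts`, or advancing the clock past eight hours, lets the same indicator alert again while the indicator itself stays in its list under the longer TTL.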
Additionally, visualizations within the dashboards include GeoIP information, allowing for a geographical view of where suspicious or malicious activity may be occurring across the globe.
The Intelligence Overview dashboard provides a comprehensive view of malicious activities detected by the Activate Threat Intelligence package, categorizing them as reconnaissance, dangerous browsing, and ransomware. It allows users to see detailed information about top alerts, internal target addresses, and more contextual details such as source of threat intelligence, attack category, and score indicating reliability.
As a SOC manager in the default theme Console, you can simulate managing incidents by triaging them and assigning them to Level 1 analysts. For instance, you find three correlated events from a host named fwhq05.hq.arcnet.com, which have been identified by Activate Threat Intelligence as Dangerous Browsing, Outbound Command and Control Communication, and Suspicious Filehash Activity in Critical Hosts. Clicking on these specific categories provides additional insights into the threats detected.
The report describes a suspicious IP correlated event in an ArcSight console where the IP address was categorized as a botnet by spamhaus.org. As a Level 1 SOC analyst, you are tasked with investigating this activity through various channels and consoles. Initially, no events appear in your queue in the Personal Investigating Channel; however, the manager assigns the investigation to you, making it available in that channel.
You then annotate the event in the Main Channel Active Channel and assign it to a Level 1 SOC analyst named demo. The correlated events disappear from the Main Channel but reappear in your Personal Investigating Channel as they are now assigned to an analyst and do not require further triage.
Upon switching back to the demo ArcSight Console, you notice that these events have appeared in your Personal Investigating Channel. You inspect and edit the panel for the correlated events, which show dangerous browsing towards known malicious sites based on threat model data from cyber threat intelligence sources.
The article discusses an incident of suspicious filehash activity detected in an internal Windows system using Sysmon for process monitoring. The sysmon event was correlated with Host Correlated events, and it involved a Windows host. To investigate further, navigate to the Inspect/Edit panel where you can access the Device Custom fields by scrolling down. Here, you will find that the hash of the file in question is on a watchlist identified by Activate and threat intelligence sources, indicating potential compromise. The Activate Threat Intelligence package helps detect and notify about indicators of compromise like IP addresses or host names across various products and devices. In this case, although the event originated from Windows using the Sysmon toolset, it demonstrates how such threats can be detected and managed through a device-agnostic threat intelligence solution available in the ArcSight Marketplace.
In this scenario, a suspicious filehash activity is detected in the "hq-arcnet-dmz" zone, indicating that an Activate Threat Intelligence package has been activated to correlate events. This activation takes into account both the threat model and the criticality of assets within the network. As a result, two correlated events are observed: Suspicious Filehash Activity and Critical Host Correlated Event.
To further investigate, one can inspect or edit the panel and search for instances of the same file hash across other hosts in the network. In this case, it is found that "printserver01" has the malicious file on it. Although not identified as a critical asset, its location (DMZ) suggests that Activate Threat Intelligence prioritizes actions based on the risk level and criticality of assets within the network.
In the Inspect/Edit panel, one can analyze the device by right-clicking on the value in the "Custom.String1.Signature" field, selecting "Analyze in Channel," and creating a channel. This allows for more detailed investigation and enables contact with the remediation team to quarantine the host and perform forensic analysis.
Finally, all three correlated events are annotated using Event Annotation, changing the stage to Closed, and providing relevant comments about the incident. The admin ArcSight Console is then switched back to display the reports under "Reports -> Archives."
As a SOC (Security Operations Center) manager, it is crucial to regularly run reports to keep management informed about the activities and threats being monitored by your system, such as those provided with the ArcSight Activate Threat Intelligence package. This demo showcases various default reports included in the package, which can be used to provide insights into:
1. **Threat Intelligence Alerts**: These alerts highlight potential security incidents or suspicious activities detected by the system.
2. **Suspicious Activities by Attack Category**: Reports that categorize and analyze suspicious activities based on their nature of attack.
3. **Inbound Activities by Attack Category**: Details about inbound threats categorized according to the type of attacks they represent.
4. **Outbound Activities by Target**: Information pertaining to outgoing threats targeting specific entities or systems.
The demo demonstrates that ArcSight Activate is versatile, capable of integrating with various products and vendors without bias, making it a valuable tool for threat intelligence analysis. It can use a wide range of indicators, including file hashes, email addresses, URLs in addition to traditional identifiers like IP addresses and fully qualified domain names. The system enriches events with details from the Threat Model and threat intelligence feeds, providing contextual information that helps in understanding the severity and scope of an incident.
In practical usage within a SOC environment:
A SOC Manager uses the Main Channel to triage incidents and assign them to analysts for further investigation.
Analysts are responsible for monitoring the Personal Investigating Channel where they can view and investigate any active incidents.
To set up ArcSight Activate for use, follow these steps in the ArcSight Console:
1. Log in as an admin.
2. Replay demo events at a rate of 50 events per minute using specific event files.
3. Open the required Active Channels (Main Channel and Personal Investigating Channel).
4. Access the Malware Outbreak Statistics Dashboard, noting that it may take around 5 minutes for data monitors to populate.
5. The provided Activate packages include Malware M, which is installed as part of this setup process.
The provided text outlines a series of steps and information related to network monitoring, malware monitoring, and the use of specific products for these purposes. Here's a summary of the key points:
1. **L1-Malware Monitoring**: This involves monitoring indicators and warnings related to malware threats. The associated product is PMcAfeeEpoVirusScan.
2. **L2-Network Monitoring**: Focuses on providing situational awareness regarding network activities, with a specific tool mentioned as PSnort for this purpose.
3. **ArcSight Activate Content**: This involves using the ArcSight platform to enhance security measures through modules like L1 and L2 Malware Monitoring. The product package used here is PMcAfeeEpoVirusScan for malware monitoring (L1) and PSnort for network monitoring (L2).
4. **Use Case Demo Preparation**: The text suggests setting up different tabs in a web browser to view specific sites related to ArcSight Activate, including marketplaces, product details, and activate information pages. These are:
5. **ArcSight Activate Information**: This includes details about the platform's modular development, reusable components, and its benefits for customizing use cases without reinventing the wheel.
6. **Action Talking Points**: Highlighting key points from ArcSight Activate presentations related to its methodology and capabilities in developing actionable use cases.
In summary, this text is a guide or reference material detailing how to utilize specific tools and platforms (ArcSight Activate) for malware and network monitoring tasks, with recommended steps involving web browsing and signup processes for additional services.
The ArcSight Activate framework is designed to let new implementations deliver value quickly while giving more mature sites a methodology for continuous adaptation and improvement. The framework organises its packages by type, and each type has a specific role in the detection process.
The main components of the framework are:
1. **Activate Base Package**: provides the shared resources, such as filters, global variables and active lists, that every other package in the Activate framework builds on.
2. **Level 1 (L1) and Level 2 (L2) Packages**: consume indicators from multiple event sources, normalise them so the content stays consistent across vendors, and can enrich events with device-specific data. L1 packages focus on basic detection (indicators and warnings); L2 packages add context using the internal ArcSight models: the network model, asset model, actor model and threat intelligence model.
3. **Product Packages**: tied to a particular product release or version; they generally contain L1 content plus FlexConnectors or parser overrides. They are published on the ArcSight Marketplace, where security professionals share and download packages, use cases and best practices, giving smaller teams access to content comparable to what large organisations build in-house.
ArcSight Activate content is available through the ArcSight Marketplace, which is organised into categories such as Classic Packages, FlexConnectors, Utilities and Tools, Resource Center, and Partner Integrations.
ArcSight Activate supports a wide range of technologies and vendors through SmartConnectors, FlexConnectors, and partners in the Security Technology Alliances Partner Program, and ships content for each use case together with the documentation and best practices that support it. For malware monitoring there are L1 (indicators and warnings) and L2 (situational awareness and context) packages on the Marketplace, plus Activate Product Packages for specific antivirus vendors, such as McAfee ePO VirusScan.
Additional devices are supported by editing the Activate filters, and the content is tuned to an environment by adjusting the thresholds exposed under Extensibility, for instance in the L2 Malware Monitoring package. L2 builds on L1 by using the Network and Asset Model to add context to what L1 detected: during a virus or worm outbreak the criticality of the affected assets decides the order of response, so servers in the DMZ or systems critical to business operations are handled before workstations. That context is what lets the L2 package prioritise rather than merely report.
Activate is modular, and the same approach carries across use cases such as malware monitoring (with the McAfee ePO VirusScan product package) and entity monitoring. Each use case ships with a test plan and test events to confirm the content works once installed. The demo environment has the Level 1 and Level 2 Malware Monitoring packages and the McAfee ePO VirusScan product package installed in the ArcSight Console.
The demo then walks through two Activate channels: the Main Channel and the Personal Investigating Channel. The Main Channel is where the SOC manager triages and assigns incidents according to analysts' subject-matter expertise and availability; it shows every correlated event the Activate use cases trigger, such as malware activity and IDS alerts. The Personal Investigating Channel is the analyst's view: it is filtered automatically on the analyst's ESM login, so it shows only incidents assigned to that analyst and is empty while nothing is assigned.
In the demonstration the SOC manager sees the full set of correlated events and triages them by expertise and capacity. The analyst Steve's view is the Personal Investigating Channel, which starts empty because he has not yet been assigned an incident.
The Main Channel shows a mix of correlated events, including malware activity and IDS alerts. For example, the same malware event (W32/SQLSlammer.worm) appears several times for the host 172.17.1.1, raised by the Level 1 Malware Monitoring package from McAfee ePO events. The L1 content is vendor-agnostic: the same rule applies to any antivirus product, not just McAfee, and here it is flagging a repeatedly infected host in the DMZ. Opening the event in the Inspect/Edit Panel shows the full context of the infection as reported across products and vendors.
With a malware outbreak affecting several assets in the DMZ, including the PCI system arcnet-dmz, the SOC manager uses the ESM (Enterprise Security Manager) Network and Asset model to find the most critical affected assets and tracks the incident with annotations for escalation.
The process involves:
1. Identifying the multiple events for the same malware on the host 172.17.1.1, which sits in the DMZ alongside other assets.
2. Using ESM's annotation feature to track and assign these events for follow-up. Annotations are a lightweight workflow tool that can be customised to the organisation's needs: tracking every event that comes through the correlation engine, triaging before escalation, or feeding case management directly.
3. Defining stages of investigation (SOC Stages) so that individual events can be assigned to security operations staff such as Steve, a Level 1 analyst, who will investigate the outbreak. The stages can be customised to match the organisation's workflow.
4. Changing the stage of the correlated event to "Level 1 Investigating" and assigning it to Steve after entering a comment in the annotation dialog.
Once the event is assigned it moves from the Main Channel to Steve's Personal Investigating Channel. There the correlated event can be annotated further; the stage, assignment and comment data recorded this way also feed workflow metrics such as cases by status, monthly cases by severity and events per analyst hour. In this example the annotations track the DMZ host 172.17.1.1, which was infected several times with the same malware (W32/SQLSlammer.worm). To annotate the event, select Annotate Events... and add a comment such as "Antivirus definitions updated; malware removed; full scan run; system clean."
The Level 2 Malware Monitoring package also includes a dashboard with four Data Monitors that visualise malware activity, showing the infection rate across the organisation and within the DMZ, using the Network and Asset Model for the zone breakdown. Together this gives easily deployable use cases, extensible content, and effective monitoring of malware activity across the network.
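The repeat-infection rule and the two infection-rate data monitors above are easier to reason about in code. The following is an added example, not content from the demo script or from ArcSight's packages: the asset model, the antivirus events, the threshold of three detections in one hour and the priority scheme are all constructed for illustration. It shows how the L1 "same malware on the same host" condition becomes an L2 alert once asset criticality and PCI scope from the asset model are applied, which is the prioritisation the text describes for DMZ servers versus workstations.

```python
"""Repeat-infection rule with asset-model enrichment, plus the org-wide and DMZ
infection-rate data monitors.  Added example; not ArcSight's own content."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the ESM Asset Model: address -> zone, criticality, PCI flag.
ASSET_MODEL = {
    "172.17.1.1":   {"zone": "sj-arcnet-dmz",      "criticality": "very-high", "pci": True},
    "172.17.1.20":  {"zone": "sj-arcnet-dmz",      "criticality": "high",      "pci": False},
    "192.168.6.50": {"zone": "sj-arcnet-desktops", "criticality": "low",       "pci": False},
}

# Constructed antivirus events in normalised (CEF-style) fields, as L1 would consume them.
AV_EVENTS = [
    {"time": "2025-04-08T09:00:00", "product": "McAfee ePO", "name": "W32/SQLSlammer.worm", "dst": "172.17.1.1",   "category": "/Found/Malware"},
    {"time": "2025-04-08T09:12:00", "product": "McAfee ePO", "name": "W32/SQLSlammer.worm", "dst": "172.17.1.1",   "category": "/Found/Malware"},
    {"time": "2025-04-08T09:25:00", "product": "McAfee ePO", "name": "W32/SQLSlammer.worm", "dst": "172.17.1.1",   "category": "/Found/Malware"},
    {"time": "2025-04-08T09:30:00", "product": "McAfee ePO", "name": "Generic.Adware",      "dst": "192.168.6.50", "category": "/Found/Malware"},
    {"time": "2025-04-08T09:31:00", "product": "McAfee ePO", "name": "DAT update complete", "dst": "172.17.1.20",  "category": "/Informational"},
]

CRITICALITY_BUMP = {"very-high": 3, "high": 2, "medium": 1}   # assumed scheme


def priority(asset):
    """Base priority 5 for a repeat infection, raised by criticality and PCI scope, capped at 10."""
    p = 5 + CRITICALITY_BUMP.get(asset["criticality"], 0) + (1 if asset["pci"] else 0)
    return min(p, 10)


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_repeat_infections(events, threshold=3, window=timedelta(hours=1), asset_model=ASSET_MODEL):
    """Fire once per (host, malware) when `threshold` detections fall inside a sliding `window`.
    `threshold` and `window` are the tunable values the page calls thresholds under Extensibility."""
    detections = defaultdict(list)
    for ev in events:
        if ev["category"] == "/Found/Malware":
            detections[(ev["dst"], ev["name"])].append(_ts(ev))
    alerts = []
    for (host, malware), times in detections.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the left edge of the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            asset = asset_model.get(host, {"zone": "unknown", "criticality": "unknown", "pci": False})
            alerts.append({
                "name": "Repeat Infection - Same Malware on Host",
                "host": host, "malware": malware, "count": best,
                "zone": asset["zone"], "criticality": asset["criticality"],
                "priority": priority(asset),
            })
    return sorted(alerts, key=lambda a: -a["priority"])


def infection_rate(events, zone=None, asset_model=ASSET_MODEL):
    """Distinct infected hosts divided by modelled assets, org-wide or for one zone
    (the two infection-rate data monitors on the L2 dashboard)."""
    scope = {ip for ip, a in asset_model.items() if zone is None or a["zone"] == zone}
    infected = {ev["dst"] for ev in events if ev["category"] == "/Found/Malware" and ev["dst"] in scope}
    return len(infected) / len(scope) if scope else 0.0


if __name__ == "__main__":
    for a in find_repeat_infections(AV_EVENTS):
        print(a)
    print("org-wide infection rate:", round(infection_rate(AV_EVENTS), 2))
    print("DMZ infection rate:", round(infection_rate(AV_EVENTS, zone="sj-arcnet-dmz"), 2))
```

Raising the threshold to four detections silences the DMZ host in this sample, which is exactly the tuning decision the Extensibility thresholds exist for: a host that is cleaned and reinfected three times in an hour is worth an analyst's time, a single detection on a workstation usually is not.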
The script next covers the benefits of the Activate approach to content development and the ArcSight Marketplace:
1. **Reusability of Content**: reusing content between use cases enforces best practices, standardises content development, and makes sharing between customers and ArcSight Professional Services easier. New developers learn the Activate methodology quickly, and experienced developers are productive sooner because the structure is familiar.
2. **Marketplace Functionality**: The text provides an overview of how ArcSight Marketplace serves as a platform where security professionals can share, download, and utilize various resources such as use cases, best practices, and more. This is presented as a benefit that allows for access to cutting-edge security information similar to what large companies have at their disposal.
3. **Content Categories**: The marketplace offers several categories including Legacy Packages, Activate Device Packages, Utilities and Tools, Resource Center, and Partner Integrations, providing a wide range of resources including use cases related to IDS (Intrusion Detection System) and IPS (Intrusion Prevention System).
4. **Setup Procedures**: A step-by-step guide is provided for accessing the ArcSight Marketplace through the ArcSight Console. This includes selecting event files for demo replay, starting a use case, and then navigating to the specific use case in question. The guide also advises on setting up an account on both ArcSight Marketplace and Protect724 for seamless access and utilization of resources.
Overall, the text provides insights into how content is developed, managed, and accessed through ArcSight's platform, emphasizing its role as a tool to enhance efficiency and effectiveness in security operations by promoting reuse, standardization, and accessibility of best practices and use cases related to network monitoring tools like IDS and IPS.
The next use case is IDS/IPS monitoring. After searching the Marketplace from the console, open the IDS (Intrusion Detection System) - IPS (Intrusion Prevention System) Monitoring Use Case in the ArcSight Console. It provides a dashboard and the supporting resources (filters, field sets, queries and data monitors) for network IDS/IPS devices, and the Event Sources panel confirms which devices are sending the trigger events.
The process includes:
1. Navigating to the IDS - IPS Overview Dashboard which visually represents real-time or summarized alerts from deployed IDS/IPS devices showing top attackers, targets, alert counts, etc.
2. Drilling down into specific details of interest by double-clicking on parts of the dashboard like "IDS – IPS Alert Counts" panel to inspect detailed information about events.
3. Using the Inspect/Edit Panel to view all event details including normalized fields and categorized ones.
4. Exploring reports such as default reports that can be generated based on archived data or directly related to recent events, accessible via the Navigator Panel under Reports and Archives section.
5. Reviewing specific content from Marketplace if installed for more detailed analysis and action.
This demonstration shows the value of the ArcSight Marketplace by tracking regulatory compliance against ISO 27002, specifically section 11, which covers access control best practices. We log into the ArcSight Console as admin, navigate through the dashboard to IT Governance 3.0 and then to All ISO Sections Overview, acknowledge any existing notifications, and delete the cases under Admins' Cases.
We then review archived reports, including a manual review of a login report in the "Former Employee Activity" section, and open the image file "ISO 11.2.1 Revoke Access.jpg", which illustrates the ISO 27002 access-control practice that access must be revoked when people leave the organisation.
We discuss compliance best practices and show how ArcSight automates the check through its SIEM capabilities: a violation appears on the dashboard, and drilling into the event details shows that a user whose Active Directory account had already been disabled still logged into SAP afterwards (the demo attributes this to a lingering session). ArcSight catches this because it maintains the list of disabled and deleted AD accounts automatically and compares every login against it.
Finally, we review the reporting section built on the former-employees active list and conclude by showing how ArcSight helps track regulatory compliance efficiently and effectively.
IT Governance best practices, and ISO 27002 compliance in particular, are hard to sustain when adherence is checked by manually reviewing logs: the work is slow and error-prone. ArcSight, as a security information and event management (SIEM) tool, automates the log review and raises proactive alerts when a compliance control is violated.
The process involves:
1. Identifying former employees in a report of login activities.
2. Using ArcSight to automatically review logs and detect non-compliant behavior.
3. Acknowledging and investigating alerts within the ArcSight Console, which provides a dashboard view of overall compliance status across multiple sections.
4. Utilizing lists maintained by ArcSight for tracking purposes and reference information on former employees.
This approach aims to streamline the process of ensuring IT governance best practices are followed efficiently and effectively, without relying solely on manual review processes that can be prone to errors and inefficiencies.
ArcSight is a tool that helps organizations monitor user activity, particularly focusing on former employees' account access attempts to ensure security compliance and prevent unauthorized access. Here’s how it works:
**Setup**: To start using ArcSight for monitoring former employee accounts, one must log in as an admin to the ArcSight Console. Ensure all pending notifications are acknowledged and any associated cases are deleted under the admin's account.
**Configuration**: The tool checks every incoming event against a list of user names loaded in memory, which is extremely fast. This list can be dynamically populated by adding or removing accounts from Active Directory automatically or through direct import of text files.
**Correlation Rules**: ArcSight has rules that detect when an account is deleted from Active Directory (e.g., former employee). These events trigger the rule to move these user names from the privilege list to a "deleted employees" list, ensuring they are no longer allowed access.
**Reporting**: Users can generate reports quickly through the ArcSight interface without manually searching through extensive documents. For example, double-clicking on an event related to deleted accounts provides detailed information in a structured report format that was previously unavailable at a glance.
**Automated Reporting and Compliance**: In addition to security monitoring, ArcSight offers comprehensive automated reporting solutions for both internal audit and compliance needs. This functionality enhances visibility into the organization's overall status regarding security and compliance.
**Use Cases**: The next use cases are NetFlow monitoring (top port usage, bandwidth, source and target countries) and Microsoft SQL Server traffic monitoring, which is used to spot database traffic in network segments where it does not belong.
With these features ArcSight helps organisations identify and respond quickly to potential security incidents, including zero-day attacks, while improving operational efficiency and compliance with regulatory standards.
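The mechanism described under Configuration and Correlation Rules above, an in-memory list of account names that is updated from Active Directory events and consulted for every login, is small enough to show end to end. The following is an added example, not ArcSight rule content: the Windows Security event IDs 4725 (account disabled) and 4726 (account deleted) are real, but the event layout, the SAP login, the account names and the exported group list are constructed. It also shows the text-file import the page mentions as the other way to seed a list.

```python
"""Former-employee active list maintained from Active Directory events and checked
on every login.  Added example; not ArcSight's own rule content."""

# Windows Security event IDs that the list-maintenance rule watches.
AD_ACCOUNT_REMOVAL = {"4725": "disabled", "4726": "deleted"}


def load_list(text):
    """Seed an active list from a text export, one account per line; blank lines and '#' comments ignored."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}


def process_events(events, privileged, former):
    """Stream events in arrival order.  AD disable/delete events move the account from the
    privileged list to the former-employee list; any later login by a listed account is an alert.
    The set membership test is the in-memory check the page describes."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("user", "").lower()
        if ev["product"] == "Microsoft Windows" and ev.get("event_id") in AD_ACCOUNT_REMOVAL:
            privileged.discard(user)
            former.add(user)
            continue
        if ev["category"] == "login" and user in former:
            alerts.append({
                "name": "Login by Former Employee Account",
                "user": user, "product": ev["product"], "src": ev.get("src"),
                "time": ev["time"], "outcome": ev.get("outcome"),
            })
    return alerts


# Constructed events: AD disables jdoe at 09:00; an SAP login by jdoe follows at 09:30.
EVENTS = [
    {"time": "2025-04-08T08:55:00", "product": "SAP", "category": "login", "user": "asmith", "src": "192.168.6.101", "outcome": "success"},
    {"time": "2025-04-08T09:00:00", "product": "Microsoft Windows", "category": "account-change", "event_id": "4725", "user": "jdoe"},
    {"time": "2025-04-08T09:30:00", "product": "SAP", "category": "login", "user": "JDoe", "src": "192.168.6.101", "outcome": "success"},
    {"time": "2025-04-08T09:45:00", "product": "Microsoft Windows", "category": "login", "event_id": "4624", "user": "svc_backup", "src": "10.0.0.5", "outcome": "success"},
]

# Constructed text export of the privileged group, the other way the page says a list can be seeded.
PRIVILEGED_EXPORT = """# exported from AD group 'SAP Admins'
jdoe
asmith
svc_backup
"""


def run_demo():
    privileged = load_list(PRIVILEGED_EXPORT)
    former = set()
    alerts = process_events(EVENTS, privileged, former)
    return privileged, former, alerts


if __name__ == "__main__":
    privileged, former, alerts = run_demo()
    print("privileged:", sorted(privileged))
    print("former employees:", sorted(former))
    for a in alerts:
        print(a)
```

Two details matter in practice: the comparison is case-insensitive, because SAP and Windows do not agree on the case of account names, and the login that happened before the disable event is not alerted, which is the behaviour you want when the same replay is fed through the engine a second time.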
The NetFlow part of the script covers accessing and reviewing reports, configuring the demo replay connector, and walking through the dashboards for network performance and security. The key points:
1. **Accessing Reports:**
Navigate to the "Reports" resource in a system interface.
Open the "Reports, Archives" tab and expand the tree under "/ArcNet Archived Reports".
The reports are stored in PDF format within the "Report Archives."
Within NetFlow, locate the NetFlow Reports under "/NetFlow".
2. **Configuration for Demo Replay Connector:**
Select event files: "NetFlow_IdentityView_v2.0.events" for replay.
Start replaying at 50 events per minute and adjust to approximately 25 events per second after initial playback.
3. **Dashboard Demonstration:**
**Top Bandwidth by Actor:** a high-level view of bandwidth usage by identity and by country, specific to NetFlow activity; the same data monitors can be adapted to other vendors and devices.
**Top Port and Bandwidth Usage:** shows which ports are active in the environment, distinguishing well-known ports (0-1023) from registered ports (1024-49151) and dynamic ports (49152-65535), and shows bandwidth usage for the top registered and dynamic ports.
**Top Source and Target Countries:** shows where traffic is coming from and going to by country, including bandwidth usage by target country.
**Microsoft SQL Server Monitoring:** monitors Microsoft SQL Server traffic on port 1433. Policy says such servers belong in the DMZ segment (Target Zone Name: sj-arcnet-dmz), but the traffic shows a SQL Server answering in the desktop segment (Target Zone Name: sj-arcnet-desktops).
These steps and dashboard descriptions support network performance monitoring and security analysis within an IT environment, highlighting the importance of visibility into both well-known and specialized traffic types.
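The dashboards above reduce to three computations over NetFlow records: classify the destination port, sum bytes by port and by host, and compare the target's zone from the network model against policy. The following is an added example, not the demo's content or ArcSight's data monitors; the network model subnets, the zone names used for the policy, and the flow records are constructed. The SQL Server check is the correlation-rule condition the script suggests building for the unauthorised server.

```python
"""NetFlow port classification, top talkers, and the SQL Server zone-policy check.
Added example; not ArcSight's own content.  Network model and flows are constructed."""
import ipaddress
from collections import Counter

# Constructed Network Model: which zone each subnet belongs to.
NETWORK_MODEL = [
    (ipaddress.ip_network("172.17.1.0/24"),  "sj-arcnet-dmz"),
    (ipaddress.ip_network("192.168.6.0/24"), "sj-arcnet-desktops"),
    (ipaddress.ip_network("10.0.0.0/8"),     "sj-arcnet-servers"),
]


def zone_of(address):
    """Return the zone name for an address, or 'Internet' when no modelled subnet matches."""
    ip = ipaddress.ip_address(address)
    for net, zone in NETWORK_MODEL:
        if ip in net:
            return zone
    return "Internet"


def classify_port(port):
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic/private 49152-65535."""
    if port < 0 or port > 65535:
        raise ValueError(f"invalid port {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def top_bandwidth_by_port(flows, n=3):
    """Bytes per destination port, largest first, as (port, class, bytes) tuples."""
    total = Counter()
    for f in flows:
        total[f["dport"]] += f["bytes"]
    return [(p, classify_port(p), b) for p, b in total.most_common(n)]


def top_bandwidth_hosts(flows, n=3):
    """Bytes per source host, largest first."""
    total = Counter()
    for f in flows:
        total[f["src"]] += f["bytes"]
    return total.most_common(n)


def sql_server_out_of_policy(flows, allowed_zones=("sj-arcnet-dmz", "sj-arcnet-servers"), sql_port=1433):
    """Flows to TCP/1433 whose target sits outside the zones where SQL Server is allowed.
    `allowed_zones` is the assumed policy; the page names only the DMZ."""
    hits = []
    for f in flows:
        if f["dport"] == sql_port and f["proto"] == "tcp":
            target_zone = zone_of(f["dst"])
            if target_zone not in allowed_zones:
                hits.append({"src": f["src"], "dst": f["dst"], "target_zone": target_zone, "bytes": f["bytes"]})
    return hits


# Constructed NetFlow records: source, destination, protocol, destination port, bytes.
FLOWS = [
    {"src": "192.168.6.101", "dst": "203.0.113.10",  "proto": "tcp", "dport": 443,   "bytes": 900_000},
    {"src": "192.168.6.101", "dst": "203.0.113.11",  "proto": "tcp", "dport": 80,    "bytes": 250_000},
    {"src": "192.168.6.102", "dst": "192.168.6.105", "proto": "tcp", "dport": 1433,  "bytes": 120_000},
    {"src": "192.168.6.103", "dst": "172.17.1.30",   "proto": "tcp", "dport": 1433,  "bytes": 80_000},
    {"src": "10.0.0.5",      "dst": "192.168.6.101", "proto": "udp", "dport": 51000, "bytes": 40_000},
    {"src": "192.168.6.103", "dst": "10.0.0.9",      "proto": "tcp", "dport": 8443,  "bytes": 30_000},
]

if __name__ == "__main__":
    print("top ports:", top_bandwidth_by_port(FLOWS))
    print("top hosts:", top_bandwidth_hosts(FLOWS))
    for h in sql_server_out_of_policy(FLOWS):
        print("SQL Server outside policy:", h)
```

The zone lookup is a linear scan over the model, which is fine for a demo; in a real network model the subnets are indexed, but the policy decision is the same: it is made on the zone the target resolves to, not on the raw address, which is why the rule keeps working when servers are readdressed.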
The next scenario uses the ArcSight Console to investigate a Worm Outbreak in the environment. Key points and actions:
1. **Unauthorized Microsoft SQL Server**: There was an unauthorized installation of Microsoft SQL Server discovered, which is considered out-of-policy activity. Steps can be taken to configure a correlation rule and notification system to alert when such activities occur in future.
2. **Investigating Events**: The text suggests double-clicking on the sj-arcnet-desktops Target Zone Name for more detailed investigation of events. It also mentions opening the Reports Navigator pane, where various reports can be accessed:
**Bandwidth Usage by Port**: This report shows the bandwidth usage per port in the environment. For example, it highlights that 192.168.6.101 is the top bandwidth host.
**Top Bandwidth Hosts**: Further investigation into the most bandwidth-consuming host (192.168.6.101) can be done by viewing the **Detailed Traffic by Host** report, which provides more detailed information about this host's traffic.
3. **Replaying Worm Outbreak Events**: To simulate and understand the worm outbreak:
Start the Replay Agent and replay the worm events at 200 EPM to observe its spread and impact.
In the ArcSight Console, close all dashboards except the Worm Outbreak dashboard to focus on this specific event.
Highlight the Worm Propagation by Host data monitor: it shows more and more hosts becoming infected as the worm spreads, although for deciding what to do the next two views are more useful.
Switch to the Worm Propagation by Zone data monitor: this shows where the worm came from (the Internet) and which zones it is spreading into, so a network engineer could contain it by denying port 22 between zones with router ACLs.
Finally, switch to the Worm Infected Systems data monitor: this lists the infected hosts that need cleanup, which is the list the response team actually works from.
Overall, this demonstration uses the ArcSight Console Interface to analyze and respond to a simulated worm outbreak, providing insights into how different tools and reports can be used to manage network security incidents.
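The three worm data monitors, propagation by host, propagation by zone and infected systems, can be derived from the same stream of IDS alerts. The following is an added example, not ArcSight's data monitors: the alerts, the signature name, the zone names and the port-22 ACL suggestions are constructed. The one judgement call worth noticing is in `infected_systems`: a host is counted as infected only once it has been a target and is later seen attacking, which separates the cleanup list from hosts that were merely probed and from the external attacker that started it.

```python
"""Worm propagation tracking from IDS alerts: infected systems, propagation by host
over time, and propagation by zone.  Added example; not ArcSight's own data monitors."""
from collections import Counter

# Constructed IDS alerts for a worm spreading over port 22.  Attacker and target zones are
# already filled in, as ESM does from the Network Model when it normalises the event.
WORM_EVENTS = [
    {"time": "2025-04-08T10:00:00", "name": "SSH worm propagation", "dport": 22, "attacker": "198.51.100.7", "attacker_zone": "Internet",          "target": "172.17.1.1",    "target_zone": "sj-arcnet-dmz"},
    {"time": "2025-04-08T10:02:00", "name": "SSH worm propagation", "dport": 22, "attacker": "172.17.1.1",   "attacker_zone": "sj-arcnet-dmz",     "target": "172.17.1.20",   "target_zone": "sj-arcnet-dmz"},
    {"time": "2025-04-08T10:03:00", "name": "SSH worm propagation", "dport": 22, "attacker": "172.17.1.1",   "attacker_zone": "sj-arcnet-dmz",     "target": "10.0.0.5",      "target_zone": "sj-arcnet-servers"},
    {"time": "2025-04-08T10:05:00", "name": "SSH worm propagation", "dport": 22, "attacker": "10.0.0.5",     "attacker_zone": "sj-arcnet-servers", "target": "10.0.0.9",      "target_zone": "sj-arcnet-servers"},
    {"time": "2025-04-08T10:06:00", "name": "SSH worm propagation", "dport": 22, "attacker": "172.17.1.20",  "attacker_zone": "sj-arcnet-dmz",     "target": "192.168.6.101", "target_zone": "sj-arcnet-desktops"},
    {"time": "2025-04-08T10:07:00", "name": "SSH brute force",      "dport": 22, "attacker": "198.51.100.9", "attacker_zone": "Internet",          "target": "172.17.1.1",    "target_zone": "sj-arcnet-dmz"},
]

WORM_SIGNATURE = "SSH worm propagation"   # assumed IDS signature name


def worm_alerts(events):
    """Only the worm signature, in time order; unrelated port-22 alerts are ignored."""
    return sorted((e for e in events if e["name"] == WORM_SIGNATURE), key=lambda e: e["time"])


def infected_systems(events):
    """A host is infected once it has been a target and is later seen attacking.  A target that
    never attacks may only have been probed; an external attacker is not ours to clean."""
    targets_seen, infected = set(), []
    for e in worm_alerts(events):
        if e["attacker"] in targets_seen and e["attacker"] not in infected:
            infected.append(e["attacker"])
        targets_seen.add(e["target"])
    return infected


def propagation_by_host(events):
    """Cumulative count of infected hosts after each alert: the 'Worm Propagation by Host' curve."""
    curve, targets_seen, infected = [], set(), set()
    for e in worm_alerts(events):
        if e["attacker"] in targets_seen:
            infected.add(e["attacker"])
        targets_seen.add(e["target"])
        curve.append((e["time"], len(infected)))
    return curve


def propagation_by_zone(events):
    """Alerts per (attacker zone -> target zone) edge: the 'Worm Propagation by Zone' view."""
    return Counter((e["attacker_zone"], e["target_zone"]) for e in worm_alerts(events))


def origin_zones(events):
    """Zones that attack but were never themselves attacked: where the outbreak entered from."""
    edges = propagation_by_zone(events)
    sources = {a for a, _ in edges}
    targets = {t for _, t in edges}
    return sorted(sources - targets)


def acl_suggestions(events, port=22):
    """One deny per cross-zone edge carrying the worm, for the router ACLs the page mentions."""
    return sorted({f"deny tcp {a} -> {t} port {port}" for a, t in propagation_by_zone(events) if a != t})


if __name__ == "__main__":
    print("infected systems:", infected_systems(WORM_EVENTS))
    print("propagation by host:", propagation_by_host(WORM_EVENTS))
    print("propagation by zone:", dict(propagation_by_zone(WORM_EVENTS)))
    print("origin:", origin_zones(WORM_EVENTS))
    print("\n".join(acl_suggestions(WORM_EVENTS)))
```

The by-host curve tells you the outbreak is growing; the by-zone edges tell you which three zone boundaries to block; the infected list tells you which three hosts to rebuild. That is the difference in usefulness the script draws between the three data monitors.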
The next part of the script covers notifications, escalation by criticality, and more advanced correlation rules in ArcSight ESM/Express. Key points:
1. **Notification Sign**: At the top of the interface, there is a notification sign which can be clicked to view alerts or events related to certain hosts. This replaces the need for constant monitoring at the ArcSight Console.
2. **Notifications and Escalations**: The system allows users to configure notifications based on criticality levels. Critical incidents will trigger more immediate attention through double-clicking on a notification, which leads to the event inspector where one can review rule chains, content of events, and details for deeper analysis.
3. **Correlation Rules**: Notifications often stem from correlation rules that link data from different sources or types (e.g., an event generated by a rule and statistical data monitor). These rules help in identifying patterns and anomalies not visible through individual data points.
4. **Event Inspector**: This feature allows users to inspect events closely, including viewing the specific rule chain involved in the correlation, details about the event content, and additional metadata.
5. **Advanced Features**: privileged user monitoring, demonstrated here for after-hours activity using IdentityView. Note that IdentityView has since reached end of sale.
6. **Use Case: Privileged User Monitoring** involves logging in as an admin to the ArcSight Console, managing notifications and cases, and reviewing dashboards related to identity management solutions.
7. **Conclusion**: The system enables organizations to quickly spot security incidents including zero-day attacks through advanced correlation rules and associated actions like notification and case management. It also provides comprehensive reporting capabilities for both security and compliance visibility.
8. **End of Sale Note**: A disclaimer informs that IdentityView, used in the demonstration, is no longer supported but remains functional for existing users.
This section of the script is aimed at teaching effective use of ArcSight ESM/Express for advanced event management and analysis within an organisation's security operations.
The Privileged User Monitoring use case uses the IdentityView v2.0 content under /ArcNet Dashboards/. The tasks are setting up the visualisations, investigating actors (the IdentityView term for modelled users), configuring the event graph, and starting a demo replay connector to play the events for an individual named Mario Rossi.
The process begins by navigating through the console:
1. Open /ArcNet Dashboards/, where the modules are listed under headings such as "IdentityView v2.0."
2. From there, explore the sub-sections "Privileged User Monitoring" and "Modeling" and the specific investigations, such as Actor Investigation for Mario Rossi.
3. The top bandwidth by actor is reviewed within the IdentityView module.
4. Login activity by department is modeled in a separate section of the same interface, likely under the Privileged User Monitoring umbrella.
5. An active channel named "Actor Investigation – Mario Rossi" is opened for further detailed examination.
6. The Navigator and Reports resources are accessed to review archived reports and generate new ones respectively.
7. In configuring ArcSight Console Event Graph options, specific identifiers such as source node (Attacker Host Name), event node (Name), and target node (Target Host Name) are set up for better visualization of the events related to Mario Rossi.
8. A graph layout is adjusted to an organic structure to enhance readability and comprehension of the network diagram.
9. The Navigator Panel is hidden, allowing focus on the main interface elements while still retaining access through side panels if needed.
10. Starting a demo replay connector involves selecting pre-defined event files (IdentityView_v2.0.events), initiating playback at 50 events per minute to ensure the sequence of first three events related to Mario is maintained, and then adjusting speed as necessary for better observation.
The action talking points emphasize integrating user context into the ArcSight system to enrich events and facilitate identity correlation, which can be demonstrated by showing the Viewer Panel initially, followed by a detailed review of specific events associated with Mario Rossi in his investigation session.
The Actor Overview dashboard describes the Actor model, which represents every user in the environment once ESM has been integrated with Active Directory (the demo domain is ARCNET.COM) or a similar directory service. The model mirrors the Active Directory Organizational Unit (OU) structure, with subgroups for Admin Accounts, Contractors, Employees, Vendors and Service Accounts. Each actor's attributes from Active Directory (full name, employee type, status, department, and so on) are visible in the Inspect/Edit Panel, together with the account identifiers that actor uses on the various network systems and applications, which is what lets ESM tie activity logged under a cryptic account name back to a person.
In summary, after setting up the Actor model, you open the Viewer Panel to view the Actor Overview dashboard. This dashboard provides general statistics about the Actor model and its integration with Active Directory. With 36 Actors in the system, there are around 130 different account IDs distributed across them, indicating an average of 3-4 accounts per user. The dashboard also shows a breakdown of statuses for these Actors: 33 are active and 3 are disabled. This information can be used to establish correlation rules that track activity from disabled accounts, providing insights into what was done by former employees even after their Active Directory account has been disabled.
The text provided outlines a scenario where an actor model is used to analyze and manage network activities within an organization's Active Directory. It details how one can flag terminated employees by their associated accounts on the network, providing a breakdown based on organizational units (OU). The dashboard includes various features such as Actor Roles Overview showing group membership statistics and Actors by department highlighting the number of users in each department.
Additionally, the text describes another feature within this system: Top Bandwidth by Actor, which allows for viewing events from the user's perspective after considering their context information. This helps to understand bandwidth usage patterns more comprehensively. The dashboard also provides insights into group and user management challenges faced by organizations due to high numbers of groups or users belonging to multiple groups, emphasizing potential compliance issues and opportunities for reassessment in managing least-privileged access within Active Directory.
The provided text discusses a dashboard designed to analyze bandwidth utilization by focusing on user context information rather than just IP addresses. This allows for a more comprehensive view of traffic and activity from the perspective of the users generating it. By integrating this user context, better correlations can be established, shifting focus from specific IP addresses to broader policy-driven decisions about access based on departmental roles and responsibilities.
The text then provides an example scenario where an organization has a policy restricting access to data centers during off hours to only authorized personnel, specifically data center operations and tier 3 administrators. This situation raises compliance concerns (as it may violate policies), poses as a potential insider threat due to the lack of business justification for accessing the data centers, and indicates issues with badge reader authentication that need resolution.
When specific events occur, such as an employee badging into a server room after hours, I want to receive immediate notifications so I can respond quickly. The ArcSight system has the capability to send me emails, text messages, or pagers when notifications are triggered. Upon receiving these alerts, my first step is to access the ArcSight system and open the notifications dashboard.
The notification dashboard displays all pending notifications that require my acknowledgment. For instance, there might be a notification indicating an employee named Mario Rossi has badged into the server room after hours. To prevent escalation to higher levels (like level 2 where my manager would be notified), I acknowledge the notification by pressing a specific button. This action moves the notification from the pending queue to the acknowledged queue and allows me to begin my investigation without further escalation.
When I double-click on the notification, details are revealed through the ArcSight system's inspection tool. The interface shows detailed information about the event, including a correlated event icon indicating that it is based on observed employee activity in the server room after hours. This event triggered from a badge entry serves as the basis for this alert.
The alert was triggered by three correlated conditions: the badge event itself, in which a user (Mario Rossi) entered the data center; the time, which was outside business hours; and the user's role, since the Actor model places Mario in the marketing department rather than among the IT administrators or data center operations staff.
The ArcSight system uses identity correlation to link the cryptic username back to the Actor model, which provides details about the user's full name and department (in this case, Marketing). This helps in understanding why a marketing employee is accessing sensitive areas like the data center late at night when it’s not related to their job functions.
The process involves inspecting and editing event details for the badge entry, using identity correlation to enrich information about the user. The user's past activities on the network are then investigated through an Active Channel, which allows viewing of all actions taken by Mario Rossi over a short period without manually searching through various logs and systems. This comprehensive view helps in understanding the full context behind such unauthorized access events.
ArcSight then tracks and correlates Mario Rossi's activity by session correlation. Filtering the active channel to everything Mario Rossi did pulls together all related events and activity, regardless of which account or address they were logged under.
The process starts by highlighting specific types of events such as Blue Coat and Cisco NetFlow, which are usually associated with network traffic. The focus is on events without a user name field populated because these require session correlation to identify users based on logged-in devices or IPs (e.g., Microsoft login on Mario's desktop IP 192.168.6.103).
Through this method, the system can deduce that the activity belongs to Mario Rossi due to his unique login details and patterns established during sessions on different machines with specific accounts (like mrossi for Windows and marior for Unix). The session correlation helps in linking all related network activities back to the user.
As more events are observed, such as switching between a Microsoft environment and a Unix machine, it confirms that these actions are indeed performed by Mario Rossi. Additional evidence includes traffic from different countries which might indicate suspicious activity. However, without additional context or corroborating factors (like detailed logs of what activities were conducted during the sessions), deducing specific outcomes is challenging, especially in cases where no direct user information is provided but only IP addresses and login details are available.
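The after-hours badge rule described earlier and the session correlation described above share one foundation: the Actor model that maps every account ID, badge number included, back to a person. The following is an added example, not IdentityView content: the Actor model, the departments assumed to be allowed in the data center after hours, the business-hours window and the events are all constructed to match the scenario on the page. It shows the badge rule firing on the marketing employee and not on a data center operator, and then shows the Blue Coat and NetFlow events, which carry no user name, being attributed to Mario through the Windows and Unix login sessions on the desktop and on the Unix host.

```python
"""Identity correlation (account -> Actor), the after-hours badge rule, and session
correlation for user-less network events.  Added example; not IdentityView's own content."""
from datetime import datetime, time

# Constructed Actor model as ESM would build it from Active Directory: one actor,
# many account IDs keyed by the authenticator that issued them.
ACTORS = {
    "mario.rossi": {"full_name": "Mario Rossi", "department": "Marketing", "status": "Active",
                    "accounts": {"ARCNET.COM": "mrossi", "unix": "marior", "badge": "10442"}},
    "steve.lee":   {"full_name": "Steve Lee", "department": "Data Center Operations", "status": "Active",
                    "accounts": {"ARCNET.COM": "slee", "unix": "steve", "badge": "10007"}},
}


def resolve_actor(account_id, authenticator):
    """Identity correlation: map a raw account ID from one authenticator back to the actor key."""
    for key, actor in ACTORS.items():
        if actor["accounts"].get(authenticator) == account_id:
            return key
    return None


AFTER_HOURS_ALLOWED = {"Data Center Operations", "Tier 3 Administration"}   # assumed policy
BUSINESS_HOURS = (time(7, 0), time(19, 0))                                  # assumed


def badge_rule(ev):
    """Fire when someone badges into the server room outside business hours and the actor's
    department is not one the policy allows in the data center after hours."""
    if ev["device"] != "badge-reader" or ev["door"] != "Server Room":
        return None
    t = datetime.fromisoformat(ev["time"])
    if BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1]:
        return None
    key = resolve_actor(ev["account"], "badge")
    if key is None:   # a badge nobody in the Actor model owns is its own alert
        return {"name": "Unknown Badge Used After Hours", "badge": ev["account"], "time": ev["time"]}
    actor = ACTORS[key]
    if actor["department"] in AFTER_HOURS_ALLOWED:
        return None
    return {"name": "Employee Badged Into Server Room After Hours", "actor": actor["full_name"],
            "department": actor["department"], "time": ev["time"]}


def correlate_sessions(events):
    """Session correlation: a login opens a session on the host it logged into; later events
    from that host that carry no user name inherit the session's actor."""
    sessions = {}          # host address -> actor key currently logged in there
    attributed = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("category") == "login":
            key = resolve_actor(ev["account"], ev["authenticator"])
            if key:
                sessions[ev["host"]] = key
            attributed.append({**ev, "actor": key})
        elif ev.get("account"):
            attributed.append({**ev, "actor": resolve_actor(ev["account"], ev["authenticator"])})
        else:
            attributed.append({**ev, "actor": sessions.get(ev["src"])})
    return attributed


# Constructed events for the scenario on the page (plus a daytime badge by an operator).
EVENTS = [
    {"time": "2025-04-08T22:05:00", "device": "badge-reader", "door": "Server Room", "account": "10442", "authenticator": "badge"},
    {"time": "2025-04-08T22:10:00", "device": "Microsoft Windows", "category": "login", "account": "mrossi", "authenticator": "ARCNET.COM", "host": "192.168.6.103"},
    {"time": "2025-04-08T22:12:00", "device": "Blue Coat", "src": "192.168.6.103", "url": "https://mail.example.net", "action": "blocked"},
    {"time": "2025-04-08T22:15:00", "device": "OpenSSH", "category": "login", "account": "marior", "authenticator": "unix", "host": "10.0.0.5", "src": "192.168.6.103"},
    {"time": "2025-04-08T22:20:00", "device": "Cisco NetFlow", "src": "10.0.0.5", "dst": "203.0.113.50", "dport": 443, "bytes": 5_000_000},
    {"time": "2025-04-08T14:00:00", "device": "badge-reader", "door": "Server Room", "account": "10007", "authenticator": "badge"},
]


def run_demo():
    alerts = [a for a in (badge_rule(e) for e in EVENTS if e["device"] == "badge-reader") if a]
    trail = [e for e in correlate_sessions(EVENTS) if e["actor"] == "mario.rossi"]
    return alerts, trail


if __name__ == "__main__":
    alerts, trail = run_demo()
    for a in alerts:
        print("ALERT:", a)
    for e in trail:
        print("Mario Rossi:", e["time"], e["device"], e.get("url") or e.get("dst") or e.get("host"))
```

The SSH login is the step that keeps the trail intact: it is the only event that ties the Unix host to Mario, so without it the NetFlow traffic from 10.0.0.5 would be attributed to nobody, which is exactly the gap an analyst would otherwise have to close by hand across two systems.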
The Event Graph gives a visual view of the same session. It begins with a successful logon to Mario's desktop, which establishes the session. The Blue Coat proxy then reports blocked web requests, consistent with attempts to reach personal webmail that policy denies. To get around that monitoring, Mario uses SSH to connect to a Unix machine, and the more concerning activity appears there.
From the Unix machine he browses job-hunting sites (careerbuilder.com, monster.com, hotjobs.com), a sign that he may be dissatisfied and preparing to leave. The Cisco NetFlow events add more alarming detail: connections to anonymizing sites in foreign countries and to a known hacking site in China. Taken together this suggests he may be using anonymous proxies to move data, possibly intellectual property or other sensitive information, out of the company for use in a future role.
Downloads from a hacking site also raise the possibility of sabotage once he leaves. The script therefore escalates, bringing the matter to human resources, and uses ArcSight case management to package the evidence.
Open the Navigator, select the Cases resource and open the case named "Employee Badged Into Server Room After Hours – Mario Rossi." The first tab holds the case's tracking attributes, where you can set the stage, impact and severity and assign the case to other users.
Go to the Events tab in the Inspect/Edit panel to see the events already attached to the case: the correlated alert and the base events that fired it. Close the Navigator panel and open the Viewer panel to show the "Actor Investigation – Mario Rossi" Active Channel. Right-click the selected events in the Active Channel and choose "Add to Case," which attaches the evidence found so far.
To save the added evidence, lock the case for editing from the Active Channel view, expand "Other selected Event(s)" under the Events tab in the case editor, and click Apply. The Event Graph can be attached as well: right-click in the graph view, select "add graph view" and pick the case, and a JPEG rendering of the graph is attached to the case file. Anyone reviewing the case later sees the same picture of the activity without having to recreate it.
To round out the evidence, close the Inspect/Edit panel, open the Navigator, select the Reports resource, go to the Archives tab and open "Archived Report Activity for Specific Actor – Mario Rossi.pdf". Optionally run a fuller report covering all activity for the actor over the last hour, or an overview of specific events for this user. Beyond summarizing the evidence, the report documents due process when the case is handed to human resources or legal, since it records the justification for opening a formal investigation.
For a longer time window, the script also suggests running the reports named "49Hours Building Accesses and Physical Access" and "System Events". These aggregate all related events through session correlation to confirm that they belong to Mario Rossi. The report presents a summary graph of the sources involved (badge reader, Cisco NetFlow, Windows, Blue Coat, Unix) and detailed tables of traffic origins and destinations, even where the events themselves carry no user information. A copy of the reports can be saved for later reference or for legal proceedings.
The next use case shows how IdentityView in the ArcSight Console is used to investigate shared-account logins as a policy violation. Setup consists of logging into the Console as administrator, acknowledging pending notifications, deleting the associated cases under the admin's Cases, opening the relevant dashboards, locating the reports in the Navigator, and starting the demo replay connectors with the specified event files so the user's actions can be retraced. The point of the exercise is to compile evidence quickly and package it into a case that can be handed to the appropriate authorities. IdentityView is still supported but nearing its end of sale.
The workflow begins with viewing and acknowledging a notification: an employee has used a shared account on a server in a particular network segment. Shared accounts are not forbidden outright, but corporate policy prohibits them on servers in that segment.
The notification names the identity and shows "session opened" events with a target user name of root. The Attacker Zone and Target Zone fields demonstrate the Network Model: the rule fires only for behaviour seen within that segment, not for the same logins elsewhere.
Double-click the notification to open its details in the Inspect/Edit panel, and change the Field Set to /ArcNet/IdentityView v2.0/Actor Field Set so the actor attributes are visible alongside the event fields.
A custom dashboard, "Shared Account Logins," visualizes all shared-account activity in the environment: source and target addresses, applications, and the shared accounts used. It is dynamic, and its data monitors support drill-down as the data changes. It does not, however, support double-click drill-down, because its filter contains an active list condition.
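The rule behind this notification, as an added Python example that is not an ArcSight rule export: it applies a small network model (zone CIDRs, all assumed), an active list of shared accounts (root from the demo; SystemUser from the later use case, oracle assumed) and flags sessions opened to a shared account only when the target host falls in the restricted server segment. The syslog-style sample lines are constructed for the example. It also covers su and sudo records, where the invoking account gives an actor by name, whereas a direct login as root can only be attributed by IP through session correlation.

```python
"""Rule: shared-account login on a host in the restricted server segment.

Added illustration for this page, not an ArcSight rule. Zones, CIDRs, the
shared-account list beyond "root" and every log line are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Network model: zone name -> address range (assumed values).
ZONES = {
    "Corporate Desktops": ipaddress.ip_network("192.168.6.0/24"),
    "Restricted Servers": ipaddress.ip_network("10.20.30.0/24"),
    "General Servers": ipaddress.ip_network("10.20.40.0/24"),
}
# Active list of accounts known to be shared (root from the demo).
SHARED_ACCOUNTS = {"root", "SystemUser", "oracle"}
# Policy: shared accounts are only a violation on hosts in this zone.
RESTRICTED_ZONE = "Restricted Servers"

# Constructed line format: "<iso-timestamp> <host-ip> <syslog message>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=")
SU = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on ")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host_ip: str                       # target address: where the session now lives
    name: str                          # "ssh login", "sudo" or "su"
    target_user: str                   # account the session runs as
    attacker_ip: Optional[str] = None  # remote source for network logins
    actor: Optional[str] = None        # invoking account for su/sudo ("actor by name")


def parse(line: str) -> Optional[AuthEvent]:
    m = LINE.match(line)
    if not m:
        return None
    ts, host, msg = m.group("ts", "host", "msg")
    if s := SSH_OK.search(msg):
        return AuthEvent(ts, host, "ssh login", s["user"], attacker_ip=s["src"])
    if s := SUDO.search(msg):
        return AuthEvent(ts, host, "sudo", s["target"], actor=s["user"])
    if s := SU.search(msg):
        return AuthEvent(ts, host, "su", s["target"], actor=s["user"])
    return None  # failed logins and unrelated messages are outside this rule


@dataclass(frozen=True)
class Alert:
    ts: str
    name: str
    target_user: str
    target_ip: str
    target_zone: str
    attacker_zone: Optional[str]
    actor: str  # actor by name, or a marker that IP session correlation is needed


def evaluate(log: str) -> list[Alert]:
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None or ev.target_user not in SHARED_ACCOUNTS:
            continue
        target_zone = zone_of(ev.host_ip)
        if target_zone != RESTRICTED_ZONE:
            continue  # shared accounts are tolerated outside the restricted segment
        alerts.append(Alert(
            ev.ts, ev.name, ev.target_user, ev.host_ip, target_zone,
            zone_of(ev.attacker_ip) if ev.attacker_ip else None,
            ev.actor or "unknown (attribute by IP session)",
        ))
    return alerts


# Constructed sample log; addresses and account names are made up except root/marior.
LOG = """\
2025-04-08T09:10:01 10.20.30.40 sshd[2231]: Accepted password for root from 192.168.6.103 port 51234 ssh2
2025-04-08T09:11:30 10.20.40.12 sshd[1188]: Accepted publickey for root from 192.168.6.55 port 40022 ssh2
2025-04-08T09:14:09 10.20.30.41 sshd[3302]: Accepted publickey for marior from 192.168.6.103 port 51240 ssh2
2025-04-08T09:14:30 10.20.30.41 sudo:   marior : TTY=pts/0 ; PWD=/home/marior ; USER=root ; COMMAND=/bin/bash
2025-04-08T09:20:00 10.20.30.41 su: (to root) dwest on pts/1
2025-04-08T09:25:00 10.20.30.42 sshd[4001]: Failed password for root from 203.0.113.9 port 2222 ssh2
"""

if __name__ == "__main__":
    for a in evaluate(LOG):
        print(f"{a.ts} {a.name:9} {a.target_user}@{a.target_ip} [{a.target_zone}] "
              f"from {a.attacker_zone or '-'} actor={a.actor}")
```

The root login on the General Servers host is deliberately not alerted, mirroring the policy in the text; the direct root login on the restricted host produces an alert with no named actor, which is where the session correlation shown earlier has to fill in who was on 192.168.6.103 at that time.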
To investigate a specific actor, such as David West, from the dashboard:
1. **Right-click David West** in the "Top Actors Using" section of the dashboard and select "Investigate" to drill down into the event details.
2. **Select Investigate** to create an Active Channel. If additional event files (such as demoexpress-SP1.events or arcxprdessdemo.events) have been replayed, this channel will also show events that have not been tied back to an identity.
3. **Show the fields in the Active Channel's field set.** The IdentityView fields are what tie shared-account activity back to a named identity.
4. **Open the Reports Navigator pane** and view "Archived Report: Logins to Known Shared Accounts – Summary.pdf," a summary of all shared-account activity in the environment.
5. For detail, review "Archived Report: Logins to Known Shared Accounts – Details.pdf." Point out the attacker and target zone columns and the benefit of the Network Model in scoping the rule to one segment.
6. **Note the two columns** "Actor by Name" and "Actor by IP," which show how IdentityView attributes activity by account name, by source address through session correlation, or both.
7. Finally, review "Archived Report: SU and SUDO Activity.pdf," which lists all su and sudo activity in the environment.
The third use case covers shared-account usage in a proprietary application that has no user-level access control of its own, so everyone uses the SystemUser account, which has full administrative privileges. The steps are the same pattern: acknowledge pending notifications, delete the associated cases under the admin's Cases, open the relevant dashboards and reports, start the demo replay connector with the login-session event files, and show how ArcSight ESM/Express with IdentityView tracks the activity, offers detailed correlation options and ties the shared-account use back to an identity.
The final use case covers reporting on user login activity within an application. Log into the ArcSight Console as admin and work through the following menus and tabs.
First, on the Notifications tab, acknowledge pending notifications and delete any associated cases under the admin's Cases. Next, open the following dashboards:
1. /ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Modeling/
   - Login Activity by Department
   - Login Activity by Employee Type
Then open the Navigator and expand the Reports resource under the relevant section; all generated reports are saved there in PDF format.
IdentityView, still supported but nearing end of sale, provides the privileged-user monitoring features used here. A demo replay connector reprocesses the previously captured events at a configurable rate (initially 50 events per minute, adjustable as needed).
Review the "Login Activity by Department" and "Login Activity by Employee Type" dashboards, which show which systems and applications each group actually uses and so inform decisions about who needs which access rights.
The archived reports to show from the Reports Navigator pane are "All Activity for Department," "Activity Based Modeling by Department," "All Activity for Employee Type," "All Activity for Role," "Activity Based Modeling by Employee Type," and "Activity Based Modeling by Role." Questions or comments can be sent to arst-gfs@microfocus.com. Micro Focus International plc is registered in England and Wales, registration number 5134647, The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q.