ArcSight ESM Express 7.0 Command Center Demo Script
- Pavan Raja
- Apr 8, 2025
- 43 min read
Summary:
The page is a demo script for ArcSight, the enterprise security information and event management (SIEM) product, showing how to analyze network activity and track user behavior, with a focus on privileged accounts and shared resources. Key points:
### Purpose and Scope
- **Purpose**: The document shows how to assign a human-readable name to an IP subnet, so that analysts see a network name instead of raw addresses, and demonstrates ArcSight for security and compliance tasks: tracking user activity, generating reports, setting up connectors, and managing cases.
- **IdentityView/UBA Transition**: IdentityView is still supported but has reached end of sale; the script recommends moving to User Behavior Analytics (UBA) for advanced behavioral analytics.
### Use Case: Legacy Application with Shared Account
- **SystemUser Privileged Account**: A legacy application uses a shared account (SystemUser) that carries full administrative privileges. IdentityView tracks who used the shared account and when, giving the compliance team evidence of individual access for audits.
### Reporting and Dashboards
- **Accessing Reports**: Instructions cover navigating to specific content such as the "Login Activity by Employee Type" dashboard and the archived reports that break activity down by department, employee type, and role.
- **Enabling Detailed View**: Node labels can be switched on within the dashboards for readability.
### Reporting Types
- **Archived Reports**: Several PDF reports live under "ArcNet Archived Reports/IdentityView 2.0/Privileged User Monitoring/Modeling", from summaries such as "All Activity for Department" to detailed reports such as "Activity Based Modeling by Department". Optional reports cover employee type and role.
### Legal Notice
- **Trademark Notice**: The document carries a trademark notice from Micro Focus International plc, the vendor of the product.
### Summary Workflow
1. **Dashboard Navigation**: Open the "Login Activity by Employee Type" dashboard under "Dashboards" > "Navigator".
2. **Enable Detailed View**: Turn on node labels for clearer data presentation.
3. **Access Reports**: Go to "Reports" > "Archives" for the detailed reports by department, employee type, and role.
### Conclusion
The manual is a practical guide for security analysts using ArcSight to monitor privileged user activity. It notes the move from IdentityView to UBA where applicable and gives step-by-step instructions for the reports and dashboards that show what shared accounts and administrative privileges are being used for.
Details:
ArcSight ESM / ESM Express 7.0 Patch 1 ships with a set of demonstrations and use cases, all run from the ArcSight Command Center. The demo script centres on threat-intelligence integration, compliance reporting and NetFlow analytics.
**Security Use Case:** Uses ArcSight Activate Threat Intelligence to enrich ESM with external threat indicators. The accompanying demo script (version 4, dated October 30, 2018) gives step-by-step instructions for running the demonstration.
**Reputation Security Monitor Plus:** RepSM Plus applies reputation-based threat intelligence about external IP addresses and domains to the organization's own event flow, so that infected internal hosts, dangerous browsing and communication with known malicious entities are detected before they cause significant damage.
**ArcSight Activate Threat Intelligence & Marketplace:** Activate feeds threat intelligence directly into ESM's correlation content, and the ArcSight Marketplace is where additional content packages and connectors (such as the Sysmon FlexConnector used later in the script) are obtained.
**Compliance Use Case:** Demonstrates how ESM's analytics and reporting support regulatory compliance requirements; a separate script version covers the practical steps.
**NetFlow Use Cases:** Scenarios in which NetFlow data is fed into ESM/ESM Express 7.0 to monitor network traffic for both performance and security, with specific use cases for each.
**Command Center:** The ArcSight Command Center (ACC) is the browser-based interface to ESM through which all of the above content (dashboards, active channels, reports, cases and notifications) is reached; the demonstrations are run entirely from it.
**Privileged User Monitoring Use Case (Afterhours Activity):** This involves monitoring activities of privileged users during off-peak hours to ensure there is no misuse or abuse of administrative privileges after regular business hours, which can be a potential security risk if not properly managed.
**Shared Accounts Use Case (Policy Violation):** Finally, this use case focuses on detecting and managing policy violations related to the sharing of accounts across different users within an organization. The patch provides specific instructions and guidelines for implementing controls that prevent such breaches and enforce proper account management policies.
The document then describes the ESM/ESM Express use case in ArcSight Command Center for investigating suspicious or malicious activity. Key points:
1. **Use Case Overview**: This section introduces how an analyst would interact with ESM/ESM Express during an investigation, showcasing its efficiency and user-friendly interface. The workflow involves notifications, a dashboard display, active channel information, generation of reports, and ultimately opening a case for further action.
2. **Setup Instructions**: Detailed steps to begin the demonstration include logging into the Command Center as admin, clearing previous notifications and cases, switching to a dark theme, and setting up the demo replay connector with specified event files and replay speed.
3. **Demo Synopsis**: The purpose of this use case is to demonstrate how ESM/ESM Express detects suspicious or malicious activity through its correlation and analytics features, providing real-time and historical insights. The sequence includes initial notification, display on dashboard, exploration via active channel, generation of reports, and finally opening a case for detailed investigation.
4. **Action Talking Points**: Key points during the demonstration include reacting to notifications received from ESM/ESM Express, accessing My Notifications through the interface, understanding that ESM/ESM Express provides real-time and historical analysis capabilities, and exploring details through the dashboard before finalizing in a case for further action.
Overall, this use case showcases how ArcSight's ESM/ESM Express can be effectively used to monitor and respond to suspicious activities by providing an intuitive interface and detailed analytics for efficient investigation processes.
Next, the script handles a notification raised when multiple login attempts are made to a locked Windows account, as seen in the Command Center. Workflow and key points:
1. **Notification Display**: When a notification is triggered, it appears on the screen with details about pending events associated with the notification.
2. **Correlated Event**: A red lightning bolt indicates a correlated event that initiated the notification. The base events are also shown which indicate multiple login attempts to a locked Windows account.
3. **Field Set Selection**: The ESM schema contains a very large number of fields; selecting a field set such as ArcSight Foundation/ArcSight Express limits the columns shown to those relevant to the investigation.
4. **Automatic Normalization**: The SmartConnector that collected the events has already normalized them into the ArcSight schema, so ESM/ESM Express can correlate and display data from different sources uniformly.
5. **Categorization**: Events are categorized into Behavior (Authentication/Verify) and Device Group (/Operating System), which aids in understanding the nature of the events and streamlining investigation processes.
6. **Workflow Process**: The process involves acknowledging notifications within a specified time interval, with escalation to higher levels if not acknowledged. This forms part of an automated workflow designed for handling security incidents efficiently.
Categorizing events makes content portable and independent of vendor event IDs: a rule written against categories such as Behavior /Authentication/Verify keeps working when a device is upgraded and its event IDs change, and a category like Device Group /Operating System covers Windows, Unix and Linux alike, so the same content applies regardless of the underlying system.
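As an added example (not part of the demo script), the Python below shows what categorization buys you: a correlation rule for repeated failed logins written only against category fields, so the same rule fires on Windows Security 4625 events and on Linux sshd failures without naming either. The CEF lines, host names and the 5-in-2-minutes threshold are constructed for the example, and the band edges in agent_severity are an assumption rather than ESM's published mapping.

```python
"""Correlation on normalized category fields rather than vendor event IDs.
Added example, not from the demo script. The CEF lines are constructed to
resemble SmartConnector output: Windows and Linux carry different vendor and
signature IDs but the same ArcSight category fields, so one rule matches both
without referring to event 4625 or the sshd message text."""
import re
from collections import defaultdict

EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')   # CEF extension key=value pairs

def parse_cef(line):
    """Split one CEF line into header fields plus extension key/value pairs."""
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF line')
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)    # header pipes, unescaped only
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    ev = {'deviceVendor': parts[1], 'deviceProduct': parts[2],
          'signatureId': parts[4], 'name': parts[5], 'severity': int(parts[6])}
    ev.update({k: v.replace('\\=', '=') for k, v in EXT_RE.findall(parts[7])})
    return ev

def agent_severity(cef_severity):
    """Map the 0-10 CEF severity onto ESM's five-step agentSeverity scale.
    The band edges are this example's assumption, not ESM's exact table."""
    for limit, label in ((1, 'Very Low'), (3, 'Low'), (6, 'Medium'), (8, 'High')):
        if cef_severity <= limit:
            return label
    return 'Very High'

# The rule condition, expressed only through category fields: a failed
# authentication against an operating system, whatever vendor reported it.
FAILED_OS_LOGIN = {'categoryBehavior': '/Authentication/Verify',
                   'categoryOutcome': '/Failure',
                   'categoryDeviceGroup': '/Operating System'}

def multiple_failed_logins(events, threshold=5, window_ms=120_000):
    """Fire once per target user with >= threshold failures inside the window,
    attaching the base events as an ESM correlation event would."""
    by_user = defaultdict(list)
    for ev in events:
        if all(ev.get(k) == v for k, v in FAILED_OS_LOGIN.items()):
            by_user[ev['duser']].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: int(e['rt']))
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if int(e['rt']) - int(first['rt']) <= window_ms]
            if len(window) >= threshold:
                alerts.append({'rule': 'Multiple Failed Logins to One Account',
                               'duser': user, 'count': len(window),
                               'deviceVendors': sorted({e['deviceVendor'] for e in window}),
                               'sources': sorted({e['src'] for e in window}),
                               'agentSeverity': agent_severity(max(e['severity'] for e in window)),
                               'baseEvents': window})
                break
    return alerts

CATS = ('categoryBehavior=/Authentication/Verify categoryOutcome=/Failure '
        'categoryDeviceGroup=/Operating System')
T0 = 1554710400000   # constructed epoch-millisecond timestamp

def win_fail(ts, user, src):
    return ('CEF:0|Microsoft|Microsoft Windows|2016|Security:4625|An account failed to log on|5|'
            f'rt={ts} duser={user} src={src} dhost=dc01.hq.arcnet.com reason=Account locked out ' + CATS)

def linux_fail(ts, user, src):
    return ('CEF:0|Unix|Unix|5|sshd:Failed password|Failed password|4|'
            f'rt={ts} duser={user} src={src} dhost=app01.hq.arcnet.com ' + CATS)

# Constructed sample: five failures for swright from two OS families within 40 s,
# then a success, a firewall drop (wrong device group) and two stray failures.
SAMPLE_CEF = [
    win_fail(T0, 'swright', '10.0.110.34'),
    win_fail(T0 + 10_000, 'swright', '10.0.110.34'),
    win_fail(T0 + 20_000, 'swright', '10.0.110.34'),
    linux_fail(T0 + 30_000, 'swright', '10.0.110.34'),
    linux_fail(T0 + 40_000, 'swright', '10.0.110.34'),
    ('CEF:0|Microsoft|Microsoft Windows|2016|Security:4624|An account was successfully logged on|3|'
     f'rt={T0 + 50_000} duser=swright src=10.0.110.34 dhost=dc01.hq.arcnet.com '
     'categoryBehavior=/Authentication/Verify categoryOutcome=/Success categoryDeviceGroup=/Operating System'),
    ('CEF:0|Check Point|VPN-1 & FireWall-1|R80|drop|drop|4|'
     f'rt={T0 + 60_000} src=10.0.110.34 dst=198.51.100.23 dpt=21 '
     'categoryBehavior=/Access categoryOutcome=/Failure categoryDeviceGroup=/Firewall'),
    win_fail(T0 + 70_000, 'mhedberg', '10.0.20.5'),
    win_fail(T0 + 80_000, 'mhedberg', '10.0.20.5'),
]

def run_demo():
    return multiple_failed_logins([parse_cef(line) for line in SAMPLE_CEF])

if __name__ == '__main__':
    for a in run_demo():
        print(a['rule'], a['duser'], a['count'], a['deviceVendors'], a['agentSeverity'])
```

The rule never inspects signatureId, so the Linux failures count toward the same threshold as the Windows ones; the firewall drop is excluded purely by its Device Group, and the successful logon by its Outcome.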
The text also describes a tool for visualizing user activity and related events, where nodes on a topology map represent different elements like devices or users. This allows for exploration of relationships between these nodes to understand how data flows and interacts within an organization's network. For instance, selecting a source node (like mhedberg) reveals connected events and targets, while a target node (like Cisco VPN) shows related sources and events.
Additionally, the text introduces a feature that displays geographical information about where events are originating or terminating, providing insights into the global communication patterns within an organization's network. This is particularly relevant when considering business operations solely within the United States, as it highlights unexpected international activity.
Finally, the text mentions the use of dynamic and interactive dashboards to visualize event data, which update automatically with new events and allow for further analysis by drilling down into specific details. The process described aligns with a structured approach used at companies starting their investigation from the main dashboard page, highlighting the utility and adaptability of these tools in security and network monitoring environments.
The passage describes an interactive process where one can investigate cases by accessing dashboards and drilling down into details related to specific users such as "swright." When dealing with a case, like the Lock case mentioned, there's a structured workflow that involves creating stages for investigation. Initially, the stage is set to "Queued," which is then changed to "Initial" upon starting an investigation.
Throughout this process of investigation, interactions are encouraged through various clicks and selections on a dashboard interface. For instance, when looking into the user "swright," one drills down from User Activity by right-clicking and selecting specific criteria like creating a channel based on target username. Once the Active Channel is loaded with visual representations of events and fields selected, further analysis can be conducted directly through the interface.
As part of this investigation for swright, it's noted that he uses a remote VPN which has assigned him an IP address of 10.0.110.34. This information is useful in tracing his activities from outside the network to within the VPN and eventually to his internal address through authentication failures. The passage also highlights how easy it is to expand the investigation to include all activity from this internally assigned IP address, using simple commands like ping or nslookup as demonstrated with the Integration column in the Active Channel.
The investigation then pivots on the IP address 10.0.110.34: an Active Channel is built for that address (the script refers to ESM's Investigate Search), the related events are reviewed to establish what happened, and the severity that the SmartConnector normalized from each device's own rating is used to judge how dangerous each event is.
swright connected through the VPN and produced multiple failed logins; the firewall and IDS events for his VPN-assigned address then show FTP downloads from known malicious sites, which points to an infected device rather than a mistyped password.
During normalization the SmartConnector captured each device's own severity rating, which ESM/ESM Express maps onto its scale of Very Low, Low, Medium, High and Very High. The investigation is then narrowed to the DNS domain dslzn11.badguy.net by refining the Active Channel's search criteria.
Additional customization options within the Active Channel allowed for refining event selection based on custom conditions, enabling a more targeted and detailed review of suspicious activities related to the identified IP address and malware behavior.
The text describes a process for investigating an incident involving failed login attempts, utilizing a software tool with features such as adding events to a case, saving searches, generating reports, and attaching documentation. Here's a summary of the steps mentioned:
1. FTP_User and FTP_Pass are related to the incident; these details will be added to the case for further investigation.
2. Multiple Login Attempts to Locked Windows Account: swright is noted, and actions include clicking "Add to Case" and saving/sharing searches within an Active Channel if needed.
3. If investigations need to be revisited or shared with others, users can easily save their search criteria as a template for future reference.
4. The user can revisit previous steps in the investigation without starting from scratch by using breadcrumbs provided by the software.
5. To validate findings and prepare documentation, reports such as "Failed Logins by Destination Address" are generated:
Parameters include setting StartTime to one day before now and EndTime to now, with a PDF format for presentation.
6. The report is downloaded and attached to the case as evidence, along with notes about follow-up actions. This ensures continuity of the investigation between analysts handling different stages or shifts.
The text provided appears to be a technical document or report related to an incident response and network security, specifically detailing the steps taken and recommendations for handling a compromised VPN account and subsequent malicious activity on an infected host using ArcSight's ESM/ESM Express.
Key points from the summary include:
1. A compromised VPN account was identified as the entry point for unauthorized access to the network, followed by FTP activities directed towards a malicious external host/domain.
2. Actions taken in response to this incident were disabling the affected VPN account and taking the infected host offline.
3. Recommendations included isolating the infected host on a quarantine network for forensic investigation and potentially integrating the solution with existing case management and ticketing systems.
4. The document outlines how ArcSight's ESM/ESM Express can be used in incident response, with built-in case management and workflow features that can be tailored to specific organizational needs.
5. An example scenario is provided for setting up a demonstration of the Reputation Security Monitor Plus using pre-defined event files and starting a demo replay connector to analyze past interactions detected during the last two hours.
6. The setup involves clearing previous cases, replaying events at a set rate, and viewing specific active channels and dashboards related to reputation security monitoring for further analysis and action points.
This summary provides an overview of a dashboard used for monitoring and analyzing reputation-based threat intelligence, specifically focused on domains and IP addresses. The dashboard is part of a system called Reputation Security Monitor Plus (RepSM), which uses threat intelligence to detect malware infections, zero-day attacks, and dangerous browsing within a network.
Key features of the dashboard include:
1. **Monitoring Domain Entries**: Displays the number of domain entries being monitored by the system, with data potentially scaled down for demonstration purposes but representing much larger numbers in production settings.
2. **Exploit Types and Reputation Scores**: Indicates the type of exploit (e.g., malware, botnet) associated with a malicious host or domain, along with a reputation score from 0 to 100 that assesses potential security risk. A higher score signifies greater risk.
3. **Use Cases for Entities**: Explains how entities are handled based on their score: scores below 40 indicate undesirable but not necessarily malicious activity; scores below 20 suggest no significant threat; and an outright score of 0 means no threat is present, although they remain in the database as potential candidates for malicious activity.
4. **Malicious Entities Detection**: Enables viewing all communication from the network to malicious entities detected during the last two days.
5. **Dashboard Breakdown by IP Addresses**: Provides a similar dashboard view but specifically for IP addresses.
6. **Activity Overview and Investigation**: Offers an overview of activities such as internal infections, dangerous browsing, and interactions with malicious entities, facilitating investigation into network security issues.
This summary highlights the functionalities and purpose of the Reputation Security Monitor Plus (RepSM) dashboard in assessing and managing potential threats from domain entries and IP addresses within a network environment.
The text discusses detecting malicious activity with ArcSight ESM (Enterprise Security Manager) and ArcSight Solutions content. Within Reputation Security Monitor Plus, internal systems are shown communicating with external malicious systems by IP address. To make these communications easier to interpret, the Active Channel is customized by adding the Attacker Host Name and Target Host Name fields, so host names are displayed alongside the IP addresses.
The text then explains how to add these fields to the Active Channel for a more detailed view. It notes that after adding these fields, it becomes apparent that the activity is targeting Mac devices. One specific hostname "mystreamvideo.rr.nu" appears unfamiliar but suggests possible involvement in audio or video streaming services. The default Active Channel did not include these fields, so users can either modify an existing Field Set or create their own to include these additional fields for investigation.
Finally, the text explains how to select a specific internal system and create a targeted Active Channel for deeper investigation, which provides more context about all communication involving this host.
The SmartConnector carries each data source's own severity rating, which ESM converts to its standard scale (Very Low, Low, Medium, High, Very High). Where internet access is available during the demo, unfamiliar hosts can be looked up (for example on Google); where it is not, saved screenshots serve the same purpose. ESM/ESM Express visualizes the events by the fields selected: mystreamvideo.rr.nu ranks among the top target host names, and there is suspicious outbound traffic to that FQDN. Detected activity includes Trojan Flashback, SQL injection reported by Micro Focus Fortify, and Check Point firewall events, all indicative of compromise.
This summary describes an incident where a malicious attack occurred within an internal network via an infected host accessing a suspicious website (0.40.2.selfimprovedlifestyle.com). Once accessed, the malware within the host executed a SQL injection attack on the internal portal server (arcnet.com) and attempted to transfer data to another server (mystreamvideo.rr.nu), which was located in China.
To investigate this incident, Check Point firewall logs were reviewed to identify outbound traffic to suspicious domains, specifically mystreamvideo.rr.nu, indicating a connection from internal hosts to the malicious server in China. The Target Geo Country field within these events confirmed that the server is based in China.
Pivoting to the Check Point management console gives the firewall's own view of the infected host and its traffic. An Active Channel on the target host name mystreamvideo.rr.nu, opened from the Reputation Security Monitor Plus (RepSM) dashboard, confirms which internal hosts communicated with the malicious server. All events for a specific asset are then examined by filtering in the Common Conditions Editor (CCE), and the case details are reviewed, including the Follow Up actions for quarantine and remediation of infected systems such as the macmini.
The provided text outlines a process for investigating and resolving an infection on a macMini system using the ArcSight solution. Here's a summarized version of the steps involved:
1. **Documentation**: Start by documenting the initial investigation findings and actions taken.
2. **Closing the Case**: Once the documentation is complete, close the case related to the infected macMini.
3. **Dashboard Update**: Upon closing the case, go back to the RepSM Overview dashboard where you will observe that the status of the macMini changes from "Infected" to "Fixed."
4. **Generating Reports**: Navigate to the Reputation Security module in ArcSight and generate two reports:
The first report lists all currently infected assets, noting that the macMini is not included as it was remediated.
The second report details Recorded Interactions with Malicious Entities detected by ESM and the Reputation Security Monitor Plus tool. It also includes a graphical representation of incidents.
5. **Tracking Incidents**: These reports can be attached to cases for easy tracking and reference of incident details.
6. **Geographical Analysis**: Use the Geographical View of Malicious Communications dashboard to visualize where malicious activity has been detected, confirming findings from previous steps.
The demonstration concludes by emphasizing how the Reputation Security Monitor Plus uses threat feed data to detect suspicious and malicious behavior in a network, with the investigation process serving as an example.
This document outlines the steps to set up and demonstrate ArcSight Activate Threat Intelligence using ArcSight Command Center (ACC). Here's a summary of the setup process:
1. **Admin Login:**
Log in as admin with the default password "password" to the ArcSight Command Center.
Open specific dashboards related to threat intelligence, such as Reputation Address Data Overview, Reputation Entity Data Overview, Suspicious Activities in Geo, and Threat Intelligence Overview.
Access the main channel of ArcSight Activate by opening "/All Active Channels/ArcNet Dashboards/ArcSight Activate/Main Channel."
2. **Demo Login:**
Log in as demo with the password "arcsight" into another web browser to access the ACC.
Switch to the Dark theme and open the Personal Investigating Channel located at "/All Active Channels/ArcNet Active Channels/ArcSight Activate/Personal Investigating Channel."
3. **Setup Replay Connector:**
Start the Demo Replay Connector.
Select the event files "activate_threat_intelligence_50epm.events" for replaying at 50 events per minute.
4. **Use Case Notes:**
The demonstration involves two web browsers, each logged into ACC with different accounts. This setup allows showing the Event Annotation feature to assign an Activate incident to a Level 1 SOC analyst:
In one browser, as admin, you will be watching the main channel simulating a SOC manager triaging incidents and assigning them to analysts.
In another browser, as demo, you will be watching the personal investigating channel simulating a Level 1 SOC analyst investigating an incident.
The use case focuses on a system in the DMZ that has become infected.
The document describes detecting malware that communicates with a command-and-control server from systems where antivirus did not flag it, using Sysmon (System Monitor) on the Windows hosts. Key points:
1. Detection relies on outbound traffic through the Check Point firewall to known bad IP addresses, and on the file hashes of running programs that Sysmon records, which catch malware the antivirus missed.
2. The demo covers multiple use cases identified through rule names in the Main Channel.
3. Highlighted points include:
a. The Activate package is vendor-agnostic: it triggers on any event sent to ESM (Enterprise Security Manager), whatever product or vendor produced it.
b. It employs STIX/TAXII, CIF, Ransomware data feeds, and HIDDEN COBRA data feeds to populate the Threat Model.
c. The Threat Model provides enhanced information by identifying botnets, malware sites, source of threats, confidence levels in threat intelligence, and types (commercial or open source).
d. Level 2 content contextualizes incidents based on both the Threat Model and Network & Asset Model, aiding prioritization of critical assets.
e. The content uses file hashes as an indicator of compromise (IOC) alongside traditional IOCs like IP addresses and FQDNs, employing Sysmon for data collection but noting that other host monitoring products or Microsoft AppLocker could also be used.
The text discusses ArcSight Activate Level 1 and Level 2 Threat Intelligence packages, specifically focusing on the Reputation Address Data Overview and Reputation Entity Data Overview dashboards. These dashboards display information from the Threat Model, which is populated by various intelligence feeds and sources such as STIX and TAXII, Collective Intelligence Framework (CIF), Ransomware data feeds, and HIDDEN COBRA data feeds.
The primary use case for these packages involves populating three Active Lists: Suspicious Addresses (IPv4 addresses), Suspicious IPv6 (IPv6 addresses), and Suspicious Entity (urls, host names, suspicious file hashes, user names, or email addresses). These lists are keyed by specific types of indicators and serve to detect potential suspicious and malicious activities.
The Active Lists have a TTL (Time To Live) of 8 hours, which means that if events need to be replayed within this time period, they might not appear in the Main Channel Active Channel. To address this issue, entries can be cleared from the Active List.
The document provides an overview of various features and functionalities within a Threat Intelligence package, specifically designed for use in security operations centers (SOC). Here's a summary of the key points discussed regarding the dashboard visualization and its capabilities:
1. **Indicator Type**: This categorizes potential malicious activities such as inbound or outbound communication to known bot or command & control servers. It helps identify suspicious behavior indicative of malware, like reconnaissance, dangerous browsing, or ransomware.
2. **Score Range**: Indicators are assigned a score between 0 and 100 based on their reliability and accuracy. This ranges from open-source intelligence (OSINT) with lower scores compared to proprietary or internal data sources.
3. **Source**: The origin of the threat intelligence data, which can range from publicly available information to internally sourced data.
4. **Entity Dashboard**: Similar in structure to the Address dashboard but includes additional information about counts by signature type. This helps identify suspicious entities such as URLs, fully qualified domain names (FQDNs), file hashes (MD5/SHA1/SHA256), user names, or email addresses. The normalization across various devices ensures that indicators of compromise are flagged regardless of the device type.
5. **Threat Intelligence Overview Dashboard**: Offers a comprehensive view of current malicious activities detected by the system. It includes categories like reconnaissance, dangerous browsing, and ransomware, along with details such as top alerts by score and internal target addresses.
6. **Activate Threat Intelligence Package**: This feature allows users to stay informed about indicators of compromise across various devices and systems, including file hashes and email addresses, providing a proactive approach to security management.
7. **Visualization and GeoIP Information**: The dashboard provides geographical information that helps visualize where suspicious activities or malicious activity is occurring globally.
8. **Main Channel and Activate Threat Intelligence Package**: The Main Channel and the package are presented from the SOC manager's perspective, using the two ACC sessions set up earlier (admin in the default theme, demo in the Dark theme).
In this demonstration, I am simulating the role of a Level 1 SOC analyst. The scenario involves investigating incidents related to the host named fwhq05.hq.arcnet.com, which is linked to suspicious activities such as dangerous browsing and potential outbound command and control communication. Activate Threat Intelligence provides additional details about these events:
1. **Dangerous Browsing**: This indicates traffic to an IP address categorized as a botnet by spamhaus.org.
2. **Outbound Command and Control Communication**: This is evident from the suspicious filehash activity in a critical host, further elaborated through Activate Threat Intelligence which reveals that this traffic corresponds to an IP linked to a botnet.
As part of my investigation:
I use the Dark-theme ACC (ArcSight Command Center) session logged in as demo and observe three correlated events sourced from fwhq05.hq.arcnet.com.
To enhance visibility and understanding, I click on "View Details" which provides more information about the event in question, including details from Threat Model and cyber threat intelligence sources that reveal this traffic is part of a botnet activity.
I then switch back to the default theme and navigate through the interface:
I activate the Personal Investigating Channel to monitor any assigned incidents. At this point, there are no incidents in my queue.
In the Main Channel Active Channel, I select the three correlated events from fwhq05.hq.arcnet.com.
To proceed with investigation, I annotate the stage of the investigation as "Level 1 Investigating" and assign this case to analyst demo. This action hides these events from the main channel since they are now being handled by an analyst.
Finally, I leave a comment in the system mentioning that further research is needed regarding suspicious filehash activity.
This demonstration showcases basic incident handling procedures within a SOC environment, emphasizing the role of threat intelligence and efficient information management through advanced interfaces like those in ACC with Dark theme options.
The text describes how a Level 1 SOC analyst uses a personal investigating channel to analyze suspicious activities in firewall traffic, particularly focusing on malicious sites accessed via dangerous browsing and outbound connections. The process involves correlating events through the Event Details panel, using threat intelligence from cyber sources to enhance event visibility and improve security measures.
The analyst utilizes Sysmon for Windows systems to monitor file activity, recording hashes of all processes run on these systems. They use a Sysmon FlexConnector available in the ArcSight Marketplace to parse Sysmon events, which helps in identifying suspicious file hash activities. This approach allows them to track and investigate potential threats more effectively by leveraging Activate's threat intelligence package, which treats file hashes as indicators of compromise similar to IP addresses or hostnames.
This text describes a cybersecurity incident response process using the "Activate" threat intelligence package. The scenario involves detecting a suspicious activity on a Windows device, which appears to be related to malware delivery through email. The Activate Threat Intelligence package, being vendor and device agnostic, triggers alerts for events that might indicate threats.
The event details include:
1. A process create base event originating from the Microsoft Outlook temporary directory, suggesting file delivery via email.
2. The host is identified as part of the "hq-arcnet-dmz" zone, indicating it's in a potentially exposed DMZ network segment.
3. This identification leads to two correlated events: Suspicious Filehash Activity and further investigation into the criticality of assets within the network context provided by Activate Threat Intelligence Level 2 content.
4. The user is suspected of downloading malware through Microsoft Office, leading to quarantine of the host for forensic examination.
5. As a SOC manager, it's recommended to run periodic reports on these incidents using the Activate Threat Intelligence features to monitor and report suspicious activities.
6. Sample reports provided include "Threat Intelligence Alerts" and "Suspicious Activities by Attack Category."
The ArcSight Activate Threat Intelligence demo showcased how the product is vendor and technology agnostic, capable of integrating with various systems. It introduced a comprehensive threat intelligence package that uses indicators such as file hashes, email addresses and URLs in addition to traditional ones like IP addresses and domain names. The system enhances event details by drawing from its threat model and feeds, providing context through its network and asset models.
During the demo, ArcSight Activate was demonstrated in use within a security operations center (SOC). A SOC manager triages incidents via the Main Channel, assigning them to analysts who investigate using the Personal Investigating Channel. The demo also detailed setup instructions for ArcSight Activate Command Center, including event loading and channel activation. Additional information provided included details on installed packages like Malware Monitoring and Network Monitoring, which utilize specific indicators and situational awareness capabilities, with additional context from the system's models.
Lastly, the demo concluded with a mention of the ArcSight Activate Marketplace setup process, which includes logging in to the Command Center as an admin, setting up the Demo Replay Connector for event loading, activating main and personal investigating channels, and exploring the marketplace website for further integration options.
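The point made above, that the Activate package treats file hashes, e-mail addresses and URLs as indicators on the same footing as IP addresses and domains and matches them whatever the event source, is easiest to see as a small matcher. The following Python is an added example, not ArcSight or Activate code: it keeps one indicator table keyed by type, maps each event field to the indicator type it can carry, and reports every hit. The indicator values and events are constructed; the field names fileHash and senderAddress are assumed, the others follow the style used on this page.

```python
"""Added example: type-aware IoC matching across normalized events.
Everything below is constructed illustration data, not real indicators."""
from dataclasses import dataclass

# Constructed indicator set; the values are placeholders, not real IoCs.
INDICATORS = {
    "ip":     {"198.51.100.23": "botnet C2 (constructed entry)"},
    "domain": {"bad.example": "malware distribution (constructed entry)"},
    "hash":   {"0" * 64: "known dropper SHA-256 (constructed placeholder)"},
    "email":  {"phish@bad.example": "phishing sender (constructed entry)"},
}

# Which event fields carry which indicator type. sourceAddress,
# destinationAddress and destinationHostName follow the page's naming;
# fileHash and senderAddress are assumed field names.
FIELD_TYPES = {
    "sourceAddress": "ip",
    "destinationAddress": "ip",
    "destinationHostName": "domain",
    "fileHash": "hash",
    "senderAddress": "email",
}

@dataclass
class Match:
    field: str
    value: str
    indicator_type: str
    context: str

def match_event(event: dict) -> list:
    """Return every indicator hit in one event, independent of the device
    that produced it; only the normalized field names matter."""
    hits = []
    for fld, itype in FIELD_TYPES.items():
        value = event.get(fld)
        if value is None:
            continue
        # Domains, mail addresses and hex hashes are case-insensitive.
        norm = value.lower() if itype in ("domain", "email", "hash") else value
        context = INDICATORS[itype].get(norm)
        if context:
            hits.append(Match(fld, value, itype, context))
    return hits

def triage(events: list) -> dict:
    """Map each event name to its matches, leaving clean events out."""
    out = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            out[ev["name"]] = hits
    return out

# Constructed events: a proxy allow, a Sysmon process create carrying a hash,
# a DNS query in mixed case, and clean mail traffic.
SAMPLE_EVENTS = [
    {"name": "proxy allow", "sourceAddress": "10.0.0.5",
     "destinationAddress": "198.51.100.23"},
    {"name": "Sysmon process create", "sourceAddress": "10.0.0.7",
     "fileHash": "0" * 64},
    {"name": "dns query", "sourceAddress": "10.0.0.9",
     "destinationHostName": "BAD.example"},
    {"name": "mail", "senderAddress": "friend@example.org"},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"{name}: {h.field}={h.value} -> {h.indicator_type}: {h.context}")
```

The same table serves a Sysmon hash, a proxy log and a mail gateway event, which is what "vendor and device agnostic" means in practice: normalization happens once, at the connector, and the matcher only ever sees field names.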
ArcSight Activate is a system designed to help users quickly deploy and develop actionable use cases, leveraging reusable components and standardized deployment tactics. It offers several benefits, including the ability to implement and customize packaged use cases without reinventing the wheel, as well as empowering users to create their own use cases using a library of reusable components.
ArcSight Activate includes various packages that are organized by type:
The Activate Base package provides resources such as filters, global variables or active lists, which are used by all other packages.
Level 1 (L1) and Level 2 (L2) Activate packages consume indicators from multiple event sources and normalize them to provide a unified view of data across different systems. This helps in malware monitoring and related security activities.
In addition, ArcSight Activate integrates with other products such as McAfee ePO VirusScan for virus-scan monitoring. Wiki pages on the Micro Focus website explain why adopting ArcSight Activate is beneficial.
The ArcSight Activate content is available on the ArcSight Marketplace, which serves as a platform for security professionals to share and download security packages, use cases, best practices, and more. This marketplace offers cutting-edge security information comparable to what large companies have in managing their security.
Within the ArcSight Activate framework, L1 packages are indicators and warnings that detect and report potential malicious activities by providing contextual information enriched with device specifics. These indicators help understand if there's any indication of harmful activity. The more comprehensive L2 packages, known as situational awareness, add further context to events using data from internal ArcSight models such as the network model, asset model, actor model, and threat intelligence model.
ArcSight Activate product packages are tailored to specific release or version ranges and contain both L1 content and may include FlexConnectors or Parser overrides for various technologies like perimeter and network monitoring, application monitoring, physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring.
The article discusses ArcSight Activate, a modular platform for monitoring malware and adding support for various products and vendors through modifications to filters. It mentions that Activate supports log sources from ArcSight SmartConnectors, FlexConnectors for in-house applications, and companies within the Security Technology Alliances Partner Program. On the Marketplace, one can find L1 and L2 content related to malware monitoring, including a package for McAfee ePO - VirusScan which is the antivirus vendor and product deployed by the user. ArcSight Activate provides documentation and best practices for this content in the form of a wiki page under guidance on malware monitoring. The article also highlights how the platform is extensible and customizable through modifying thresholds to better fit specific environments, providing more use cases than just L1 Malware Monitoring package.
The text discusses the use of a Network and Asset Model in conjunction with L1 (Level 1) and L2 (Level 2) Malware Monitoring packages, specifically focusing on how these tools can provide additional context for security monitoring. When dealing with virus or worm outbreaks, prioritizing response based on asset criticality is crucial; assets such as critical servers or those in the DMZ are considered more valuable and should be given higher priority due to their potential cost impact if compromised.
The L2 package and content offer this additional context by helping users manage threats effectively. For example, a McAfee product package not only supports malware monitoring but also extends its functionality to entity monitoring across different use cases. This flexibility allows the tool to be adapted for various security needs within an organization. The text also mentions that while discussing vendor-specific products in a web browser interface, one should switch to the "Activate L1 packages" tab and explore how these can be integrated into overall threat management strategies by viewing test plans and implementing them with test events for quality assurance.
Finally, the text describes navigating through the system to view the Active Channel within the ArcSight Activate tool. This channel displays all correlated events triggered by the use case content, facilitating incident triage and assignment of tasks to analysts for further investigation.
The text describes a scenario where an analyst named Steve uses a specific channel within a software tool to monitor and investigate active incidents related to malware activity on a network. This channel is part of the ArcSight Activate platform, which allows analysts to focus on tasks assigned to them based on their expertise and availability.
In this demonstration, Steve's personal monitoring interface is shown as empty since there are no current incidents for him to work on. However, the analyst can switch back to the main channel where various alerts related to malware and intrusion detection system (IDS) activity are displayed. Among these alerts, an incident involving a specific IP address 172.17.1.1 is highlighted, which has been triggered by both Level 1 Malware Monitoring packages and McAfee ePO VirusScan due to the presence of W32/SQLSlammer.worm malware across multiple DMZ hosts.
The software tool's content can be applied universally regardless of the antivirus vendor being used, as it is product and vendor agnostic. The Level 2 package provides deeper insights into the affected assets within the network through the ESM (Enterprise Security Manager) Network and Asset model, helping to identify more critical systems that are part of the DMZ, specifically named arcnet-dmz in this case.
As a SOC manager, you would typically triage such incidents by selecting one of the correlated events for further investigation and assign it to Steve, who is a Level 1 analyst. This assignment can be facilitated through event annotation within the ESM tool, ensuring that the appropriate handling and follow-up are carried out according to established incident response procedures.
Click Annotate. Event annotation is a lightweight workflow tool designed to help users track and escalate events through their workflow. It allows you to flag or assign specific events or groups of related events for follow-up, making it flexible and customizable according to your workflow environment. Annotations can be used in various ways: as a tracking tool for all events passing through the ESM correlation engine, as a triage tool before escalating an event, or they can be bypassed entirely in favour of ESM's case management system.
In this context, Level 1 Investigating Stages represent the steps within a collaborative workflow for annotating events. These stages can be customized to fit your organization's workflow and are designed for security operations personnel who investigate events. Once defined, individual events can be assigned to these stages by analysts such as Steve. After assigning an event to Steve, it will disappear from the Main Channel and appear in Steve’s Personal Investigating Channel within ArcSight ESM.
To view details of a correlated event, select it and click 'View Details'. The annotations field is present in the ESM event schema, which can be utilized across various content types like Filters, Dashboards, and Reports. A common application for event annotations involves using them as a triage tool within security operations workflows.
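To make the channel behaviour described above concrete, here is an added Python model of it (not ArcSight's code). Each event carries a stage and an assignee; the main channel filter keeps only open, unassigned events, and an analyst's personal investigating channel keeps only open events assigned to that analyst, so annotating an event moves it from one to the other. The stage name "Level 1 Investigating", the analyst Steve and the host fwhq05.hq.arcnet.com are from the page; the stage list, field names and queue contents are assumed.

```python
"""Added example: annotation-driven triage channels (constructed model)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed stage vocabulary; a real deployment customizes this list.
STAGES = ("Queued", "Level 1 Investigating", "Level 2 Investigating", "Closed")

@dataclass
class Event:
    event_id: int
    name: str
    source_host: str
    stage: str = "Queued"
    assigned_to: Optional[str] = None
    comments: list = field(default_factory=list)

def annotate(ev: Event, stage: str, analyst: Optional[str],
             comment: Optional[str] = None) -> Event:
    """Set stage and assignee on one event. Unknown stages are rejected so
    that filters, dashboards and reports all see the same vocabulary."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    ev.stage = stage
    ev.assigned_to = analyst
    if comment:
        ev.comments.append(comment)
    return ev

def main_channel(events: list) -> list:
    """Open, unassigned events: what the SOC manager triages."""
    return [e for e in events if e.assigned_to is None and e.stage != "Closed"]

def personal_channel(events: list, analyst: str) -> list:
    """Open events assigned to one analyst."""
    return [e for e in events if e.assigned_to == analyst and e.stage != "Closed"]

def triage_host(events: list, host: str, analyst: str) -> list:
    """Assign every open event from one host to an analyst, as in the demo."""
    picked = [e for e in main_channel(events) if e.source_host == host]
    for e in picked:
        annotate(e, "Level 1 Investigating", analyst,
                 "Further research needed on the suspicious filehash activity")
    return picked

# Constructed queue: the page's three correlated events plus one unrelated event.
QUEUE = [
    Event(1, "Dangerous Browsing", "fwhq05.hq.arcnet.com"),
    Event(2, "Outbound Command and Control Communication", "fwhq05.hq.arcnet.com"),
    Event(3, "Suspicious Filehash Activity", "fwhq05.hq.arcnet.com"),
    Event(4, "IDS Signature Match", "ids01.example"),  # constructed host
]

if __name__ == "__main__":
    print("main before:", [e.event_id for e in main_channel(QUEUE)])
    triage_host(QUEUE, "fwhq05.hq.arcnet.com", "Steve")
    print("main after:", [e.event_id for e in main_channel(QUEUE)])
    print("Steve:", [e.event_id for e in personal_channel(QUEUE, "Steve")])
```

Because the stage and assignee live on the event itself, the same two fields drive the "cases by stage" style of data monitor mentioned later on the page; nothing has to be copied into a separate ticket for the filters to work.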
The provided text appears to be a summary or report on an incident response involving malware (specifically W32/SQLSlammer.worm) detected in a DMZ host with IP address 172.17.1.1. The steps taken include updating antivirus definitions, removing the malware, running a full system scan, and marking the event as closed after confirming the system was clean.
Additionally, there is information about transitioning to ArcSight Activate for monitoring malware activity within the organization, which includes a dashboard with data monitors showing metrics such as cases by status (stage), monthly cases by severity, monthly cases by event category, monthly closure reasons, and monthly time to resolution (TTR) by severity. This transition leverages the Network and Asset Model to provide insights into malware infection rates both within and outside the organization.
The text also highlights benefits of using ArcSight Activate such as ease of deployment, extensibility, reuse of content between use cases, adherence to best practices, and efficient sharing of content among clients and professional services. The setup process for ArcSight Marketplace involves logging into the Command Center as an admin and starting a demo replay connection.
Overall, this text appears to be part of documentation or report related to information security management, specifically focused on incident response and malware monitoring using ArcSight Activate tools.
The text outlines a process for using ArcSight Marketplace to find and install relevant security content related to Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Here's a summarized version of the steps involved:
1. **Select Event Files**: Identify and select event files such as `demo.events`.
2. **Replay Events**: Start replaying these events at a rate of 50 events per minute.
3. **Open Browser Tab**: Open a new tab in your web browser and navigate to the ArcSight Marketplace URL: https://marketplace.microfocus.com/arcsight.
4. **Sign Up for Account**: Register for an account on ArcSight Marketplace if you don't already have one, and ensure you have an account on Protect724 as recommended.
5. **Navigate to ArcSight Marketplace**: Switch to the ArcSight Marketplace tab in your web browser.
6. **Browse Marketplace**: Explore the various sections including Legacy Packages, In Marketplace, Activate Device Packages, Utilities and Tools, Resource Center, and Partner Integrations.
7. **Search for Content**: Under 'Search', enter "ids" to find relevant content.
8. **Select IDS IPS Monitoring Package**: Click on the search result labeled "IDS IPS Monitoring Package." This will display detailed information about SmartConnectors that trigger this content.
9. **Review and Download Content**: Confirm the relevance of the provided content by reviewing its description, screenshot, and details, then download and install it (in this demo environment it is already installed).
10. **Utilize Installed Content**: Upon installation, you can access a dashboard, Active Channel, reports, and supporting resources such as Filters, Field Sets, Queries, and Data Monitors from the Event Sources panel.
This process facilitates the discovery and integration of specialized security content directly into an ArcSight environment to enhance monitoring capabilities for IDS and IPS devices.
The provided text describes a process for using network IDS/IPS devices in a monitoring setup, specifically with ArcSight software. Here's a summarized version of the steps and actions described:
1. **Login to Command Center**: As an admin, log into the system where you will be managing the network security configurations including your deployed IDS/IPS devices.
2. **Acknowledge Notifications and Delete Cases**: Check for any existing notifications or cases that need attention and either acknowledge them or delete them as per your needs. This ensures a clean slate for your monitoring session.
3. **Start Demo Replay Connector**:
   - Select the specific event files you want to replay, in this case "demoexpress-SP1.events".
   - Start replaying these events at a rate of 50 events per minute to simulate real-time conditions. This helps in testing and understanding how your IDS/IPS devices would react under normal network traffic scenarios.
4. **Explore Resources**:
   - From the available resources, open specific files such as "ISO 11.2.1_revoke_access.jpg" and "Former Employee Activity Manual Review.pdf". These could be related to policies or procedures for handling employee access after their departure from the company, which is crucial for cybersecurity practices.
5. **Use ArcSight Marketplace**: The text concludes by mentioning that this setup demonstrates the value of ArcSight Marketplace, which is a repository for additional ArcSight apps, documentation, community sharing, and SIEM best practices. This marketplace allows users to explore and potentially enhance their security infrastructure with additional tools and knowledge specific to cybersecurity needs.
This summary outlines a systematic approach to setting up an IDS/IPS monitoring system using ArcSight software, including the handling of demo data for training purposes and access to valuable resources from the ArcSight Marketplace.
ArcSight is a tool designed to help organizations track regulatory compliance, specifically focusing on revoking access when employees leave the company. The problem highlighted in the provided text is that manual log reviews are tedious, time-consuming, and prone to error. These processes involve cross-referencing lists of former employees with extensive login activity reports, which can be both cumbersome and inefficient.
To address this issue, ArcSight offers a Command Center where automated log review and proactive alerting systems are implemented. This allows for the efficient management of notifications related to compliance issues, such as access attempts from terminated employee accounts. The system automatically assigns notifications to relevant individuals, escalates them if no acknowledgment is received within a specified time frame, and provides detailed information in each notification regarding specific ISO best practices that have been violated.
In summary, ArcSight simplifies the process of tracking regulatory compliance by automating log reviews through its Command Center. This not only saves time but also ensures accuracy and efficiency in monitoring compliance with ISO standards and other relevant regulations.
This is a guide about how to use ArcSight software to monitor former employee user account access attempts in an IT governance dashboard. It explains that the software checks incoming events for specific patterns and uses a list of user names, which can be dynamically updated based on environment activity or directly imported from text files. To visualize this information, you need to go through several menus: Navigator > Show the Dashboard: ISO Sections Overview, then click on IT Governance > Show the Dashboard: Section 11 Overview to see the former employee account access attempt correlation event. This is where ArcSight displays information about a user named mhedberg attempting to log in. The software allows you to run and save reports as archived PDFs for further investigation or attachment to cases, ensuring all relevant data is centrally managed during the investigative process.
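The two mechanisms described above, a maintained list of former-employee account names checked against incoming authentication events, and notifications that escalate when nobody acknowledges them, can be written out in a few dozen lines. The following Python is an added example, not ArcSight content: the list is loaded from a text import, each hit becomes a notification with an escalation chain, and a periodic pass moves unacknowledged notifications up the chain. The user name mhedberg is from the page; the second account, the chain, the 30-minute timeout and the events are constructed, and the category value used to recognise a login is an assumed ArcSight-style label.

```python
"""Added example: terminated-account login detection with escalating
notifications. All names, times and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed text import, one account per line; '#' starts a comment.
FORMER_EMPLOYEES_TEXT = """
# exported from HR offboarding (constructed sample)
mhedberg
jsmith   # constructed second entry
"""

def load_former_employees(text: str) -> set:
    """Parse the import into a lower-cased set; blanks and comments ignored."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names

def is_former_employee_login(event: dict, former: set) -> bool:
    """Correlation condition: an authentication attempt whose target account
    is on the former-employee list. The category string is an assumption."""
    return (event.get("categoryBehavior") == "/Authentication/Verify"
            and event.get("destinationUserName", "").lower() in former)

@dataclass
class Notification:
    subject: str
    created: datetime
    chain: list                       # assignee first, then their management
    level: int = 0
    acknowledged: bool = False
    history: list = field(default_factory=list)

    @property
    def assignee(self) -> str:
        return self.chain[self.level]

    def acknowledge(self) -> None:
        """Acknowledging stops all further escalation."""
        self.acknowledged = True

def build_notifications(events: list, former: set, chain: list, now: datetime) -> list:
    return [Notification(f"Former employee account access attempt: "
                         f"{e['destinationUserName']} from {e.get('sourceAddress', '?')}",
                         now, chain)
            for e in events if is_former_employee_login(e, former)]

def escalate_pending(notes: list, now: datetime, timeout: timedelta) -> list:
    """Advance each unacknowledged notification one level for every full
    timeout that has elapsed since creation, stopping at the chain's end."""
    for n in notes:
        while (not n.acknowledged
               and n.level < len(n.chain) - 1
               and now >= n.created + timeout * (n.level + 1)):
            n.history.append((n.assignee, n.level))
            n.level += 1
    return notes

# Constructed events: one attempt with a listed account, one normal login.
SAMPLE_EVENTS = [
    {"categoryBehavior": "/Authentication/Verify", "destinationUserName": "mhedberg",
     "sourceAddress": "10.0.5.14"},
    {"categoryBehavior": "/Authentication/Verify", "destinationUserName": "active.user",
     "sourceAddress": "10.0.5.20"},
    {"categoryBehavior": "/Access", "destinationUserName": "mhedberg"},  # not a login
]

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 9, 0)
    notes = build_notifications(SAMPLE_EVENTS, load_former_employees(FORMER_EMPLOYEES_TEXT),
                                ["soc-analyst", "soc-lead", "ciso"], t0)
    escalate_pending(notes, t0 + timedelta(minutes=45), timedelta(minutes=30))
    for n in notes:
        print(n.subject, "->", n.assignee, n.history)
```

The list is the part that needs operational care: it must be rebuilt from the HR system on a schedule (the page's "dynamically updated" case) or the check silently decays, and matching on a lower-cased account name avoids missing attempts that differ only in case.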
ArcSight, a company focused on IT and network security, has developed a solution that allows organizations to detect and address security incidents quickly. This includes the ability to spot even zero day attacks with greater speed and efficiency than before. Additionally, ArcSight offers comprehensive automated reporting solutions to provide visibility into both security and compliance status within an organization.
For NetFlow use cases, there are specific steps and actions to follow in the ArcSight Command Center. These include logging in as an admin, selecting demo replay connector events, replaying them at a set rate (50 events per minute), and navigating through various dashboards such as Top Bandwidth by Actor, Top Port and Bandwidth Usage, Top Source and Target Countries, and Microsoft SQL Server Monitoring. Each dashboard provides specific insights into network traffic based on predefined configurations or user-defined parameters.
The provided text outlines a series of activities related to network monitoring, specifically focusing on a dashboard named "Target Zone Name Dashboards/NetFlow sj-arcnet-dmz." From this dashboard, it is observed that there is traffic being directed towards another segment labeled as "sj-arcnet-desktops," which might suggest the presence of an unauthorized Microsoft SQL Server in that specific network segment. The analyst identifies potential risks and outlines a plan to configure a correlation rule and notification system for detecting out-of-policy activities in the environment.
The text also references reports available within an archived section, including:
1. "Bandwidth Usage by Port" showing the bandwidth usage across various ports in the environment.
2. "Top Bandwidth Hosts" highlighting the top host with the highest bandwidth usage, in this case, 192.168.6.101.
3. "Detailed Traffic by Host," which aims to provide more detailed information about the traffic of the host identified as 192.168.6.101.
Additionally, there is a section discussing the setup and operation of a Command Center for network monitoring:
- The process begins with logging into the Command Center as an administrator.
- A demo replay connector is set up to re-enact events from two specified files, "IdentityView_v2.0.events" and "NetFlow_IdentityView_v2.0.events", at a rate of 50 events per minute.
- While the demonstration does not focus on Notifications or Cases, it is noted that these features can be integrated if desired, as replaying "IdentityView_v2.0.events" will inherently generate notifications and cases within the incident lifecycle management framework.
This text serves to detail a structured approach for monitoring network traffic, identifying potential security threats, and using automated tools for further investigation in an organization's IT infrastructure.
To investigate the slow network performance reported by your users, you will use Cisco routers and switches that feed NetFlow events into your ArcSight deployment. Follow these steps to visualize top port and bandwidth usage on a dashboard:
1. **Bring up the Dashboard**: Access the "Show Dashboard: Top Port and Bandwidth Usage" from the Navigator or Command Center menu in your management console. This will display a visual representation of network activity, highlighting the most active ports and their respective bandwidth consumption.
2. **Examine the Registered and Dynamic Ports (Events) Pane**: In this pane, you should observe a significant number of events occurring on port 1433, which is used by Microsoft SQL Server. This indicates potential congestion or high usage related to database traffic.
3. **Advanced Search for NetFlow Events**: From the Command Center interface, perform an advanced search using the term "netflow". This will retrieve all events containing references to NetFlow data.
4. **Analyze Histogram Data**: In the middle section of the Command Center, you will see a histogram displaying various event details. Hovering over or clicking on bars in this histogram provides detailed information about scanned events, matched events, and time taken for the search operation.
5. **Drill-down with Clickable Bars**: To focus on specific aspects of the network traffic during particular times, click on the histogram bars that represent different time periods. This allows you to narrow down the analysis to more closely examine any issues in high-traffic or peak usage moments.
6. **Advanced Search for Specific Traffic (Port 1433)**: Utilize the advanced search feature to specifically target traffic to and from destination port 1433, which is related to Microsoft SQL Server. This will help isolate network traffic concerns that directly impact database operations.
7. **Building Visual Searches with Nested Queries**: You can further refine your searches by adding nested queries within the advanced search interface to build a visual representation of how different segments of your network are performing.
By following these steps, you aim to identify and address the root cause(s) of slow network performance observed on port 1433, potentially improving overall system efficiency and user satisfaction.
In this task, you learned how to use logical operators and conditions in the advanced search dialog box. First select the field under "Name" that matches your criteria (e.g., destinationPort): start typing the field name ("destinationp") and select it when it appears as a search option. Select the "=" operator and enter "1433" as the value. Click "Go!" to run the search and view the results.
You can click on any of the events to expand and view their details. To customize which fields are displayed in the search results, go to "Customize fieldset," select desired fields (e.g., destination and destinationPort), and arrange them as needed. Click "OK" to save your changes.
For a more specific investigation, such as identifying top talkers on port 1433, you can use the search operators `netflow AND destinationPort = 1433 | top`. By default, this will show the top 10 results, but you can adjust it to display any number of entries (e.g., `| top 5 sourceAddress` for the top 5).
Finally, learn how to visually represent your data with chart settings by changing the chart type according to your preferences and needs.
The provided text describes a process for visualizing data using pie charts and other graphical representations within a network monitoring system. Here's a summary of the steps involved:
1. **Selecting Chart Type**: The user selects "Pie" as the chart type to display top 20 events, with an option limit set at 20.
2. **Visualizing Data**: Upon clicking 'Apply', the results are visually represented in a pie chart where each slice represents one of the top 20 events.
3. **Highlighting Slices**: The user can hover over specific slices of the pie chart to view detailed information, including IP address, number of events, and percentage contribution.
4. **Drilling Down**: Clicking on any IP address in the pie chart allows for a drill-down feature that adds this selection to the search criteria and returns related results.
5. **Adjusting Search Query**: To find "bottom talkers" on port 1433, the user modifies their search query from `top` to `rare` (using `netflow AND destinationPort = 1433 | rare`), which adjusts the search to focus on less frequent occurrences.
6. **Generating Reports**: The system allows users to generate reports such as "Bandwidth Usage by Port". These can be run using default parameters and viewed in Adobe Acrobat after generation.
7. **Exploring Dashboards**: Another visualization capability involves exploring dashboards, where geographic event graphs provide insights into the geographical distribution of network events and logs.
Overall, this process provides a user-friendly interface for visualizing complex data through various chart types and includes options to drill down and adjust search criteria based on specific requirements.
The provided text discusses various features and functionalities within ArcSight Enterprise Security Manager (ESM), specifically focusing on visualization tools that aid in understanding network activity, user behavior, and event data.
From a physical perspective, information such as country, region, latitude, and longitude can be visualized, providing geographical context to the network activities. From a logical perspective, details about whether a zone is part of a DMZ or internal network are displayed, offering a clearer understanding of the network's structure and security zones.
The Event Graph dashboard offers a visual representation of events, logs, and activity within the environment. It allows users to see the sources, destinations, and direction of activity through node labels and sizes that represent the amount of activity. The Hourly Counts dashboard provides an overview of activity levels across different slices of time, with the option to filter out less significant event priorities like Very Low and Low events. Users can customize this dashboard by switching between graphs (like line graphs or pie charts) as needed.
Lastly, the Privileged User Monitoring Use Case section briefly mentions that IdentityView is still supported but nearing its end of sale; instead, User Behavior Analytics should be considered as a separate product for analysis and monitoring. Overall, these tools are designed to assist analysts and managers in understanding and managing their network environments more effectively through detailed visualizations and analytics.
In this summary, we are given instructions to follow as an admin for setting up and demonstrating ArcSight ESM (Enterprise Security Manager) with IdentityView. The steps include acknowledging and deleting any existing cases from the admin's Cases, starting the Demo Replay Connector, selecting specific event files, replaying events at a rate of 50 events per minute, adjusting the speed if necessary, and checking for specific events related to Mario in the Actor Investigation section.
The text then explains how ArcSight ESM and IdentityView can bring user context information to enhance and enrich events, using an Actor model created through integration with Active Directory or a similar system. The Actor Overview dashboard in the Actor Management solutions/IdentityView 2.0 provides general statistics about the actor model, showing that there are 36 actors or identities in total, with around 3-4 accounts per user on average across all users. This illustrates the challenge of determining what someone is doing on a network due to various ways people might identify themselves across different systems or applications.
This passage describes a dashboard called "Actor Roles Overview With IdentityView," which is used to view information about roles and group membership within Active Directory. The dashboard allows users to summarize different attributes for each actor, such as their status (active or disabled) and organizational unit (OU). It provides a breakdown of the number of active and disabled accounts, showing that 33 are active and 3 are disabled. This data can be used in correlation rules to track activity from terminated employees' accounts.
The dashboard also shows group membership for each actor, with information about how many users exist in each group or role. For example, the Information Technology department has the largest number of users, followed by the Marketing department. The panel reveals that there are 95 groups or roles in Active Directory, and it highlights which groups contain the most users and top actors with group/role membership.
The passage notes that this dashboard provides valuable insights into an organization's Active Directory, allowing for a reassessment of group structures to control access more effectively from a least-privileged perspective, especially when considering compliance requirements.
The scenario involves managing access to a data center in an organization using Active Directory. There is a policy that restricts entry to authorized users only, which includes data center operations and tier 3 administrators during off-hours. This setup aims to prevent compliance violations, insider threats, and misconfigurations in the badge reader authentication system.
When unauthorized personnel access the data center after hours, an incident notification is triggered within the ArcSight system. The user should receive a notification immediately, which can be sent via email, text message, or pager. When acknowledging this notification, it prevents escalation to higher levels of concern. Failing to acknowledge promptly could lead to notifications being passed up through different levels of management, potentially causing unnecessary complications and stress for the immediate supervisor.
The process involves going into the ArcSight system, opening the relevant notification about an unauthorized employee (e.g., Mario Rossi) who has accessed the server room after hours. The user then marks this as acknowledged to halt any further escalation in the system. This ensures that immediate action can be taken on the matter and helps maintain compliance with security policies while avoiding potential issues related to misconfigurations or insider threats.
This summary explains a process involving an employee (Mario Rossi) using a badge to enter a server room after business hours. The notification indicates that there was a correlated event, which is indicated by a red lightning bolt icon. To understand more about this event, you can click on it and then go through Field Set options to find the Actor Field Set. This field set provides information related to the specific user (Mario Rossi) who triggered the event.
The notification also mentions that there was an ArcSight alert generated due to a badge-in event from the system. The alert is based on correlation of three components: the badge event, the role of the user (Mario Rossi), and the time of day when the event occurred. This method helps determine if it's appropriate for the employee to be in the server room during non-business hours, as there would typically not be any business reason for such entry.
When examining details of this badge-in event within the ArcSight system, you might see a cryptic user name (Target User Name) instead of the actual employee's name. This is because the user's identity in the system isn't directly linked to their real name but rather mapped back through the Actor model for correlation purposes. The ArcSight system uses this method to associate specific usernames with actors, providing additional information and context that wasn’t immediately visible from the username alone.
In this scenario, an employee named Mario Rossi from the Marketing department accessed a data center during non-business hours. To investigate this issue, ArcSight automatically created a case and assigned it to you. Within this case, you can find various attributes such as stages, impact, severity, which help in managing the case efficiently. You have access to correlated events and base events that triggered the alarm from the notification.
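As an added illustration of the three-way correlation just described (badge event, actor role, time of day), here is a small Python rule that is not part of the demo script or the ArcSight product; the actor model entries, the business-hours window and the authorized roles are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed actor model: Target User Name -> actor attributes (the page's Mario Rossi case
# plus one authorized administrator for contrast).
ACTOR_MODEL = {
    "MROSSI": {"full_name": "Mario Rossi", "department": "Marketing", "role": "Marketing Analyst"},
    "JDOE": {"full_name": "Jane Doe", "department": "Information Technology",
             "role": "Tier 3 Administrator"},
}
# Roles the policy allows in the data center outside business hours.
OFF_HOURS_ROLES = {"Data Center Operations", "Tier 3 Administrator"}
BUSINESS_HOURS = (8, 18)   # assumed window: 08:00-18:00, weekdays only

@dataclass
class Alert:
    actor: str
    department: str
    role: str
    reason: str

def is_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]

def correlate_badge_event(event):
    """Evaluate one badge event against the after-hours policy.
    Correlates the three components the rule uses: the badge-in itself, the actor's role
    (looked up from the cryptic account name), and the time of day. Returns an Alert or None."""
    if event.get("category") != "badge-in" or event.get("device") != "data center":
        return None
    ts = datetime.fromisoformat(event["timestamp"])
    if is_business_hours(ts):
        return None
    actor = ACTOR_MODEL.get(event.get("target_user_name", "").upper())
    if actor is None:   # unmapped account: still worth an alert, but attribution is unknown
        return Alert("unknown", "unknown", "unknown", "after-hours badge-in by unmapped account")
    if actor["role"] in OFF_HOURS_ROLES:
        return None
    return Alert(actor["full_name"], actor["department"], actor["role"],
                 f"after-hours badge-in at {ts:%a %H:%M} by a role not authorized off-hours")

if __name__ == "__main__":
    ev = {"category": "badge-in", "device": "data center", "target_user_name": "mrossi",
          "timestamp": "2025-04-07T22:30:00"}   # constructed: Monday 22:30
    print(correlate_badge_event(ev))
```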
To review all of Mario Rossi's network activity, you use an Active Channel. Manually tracking down different user accounts would be time-consuming, but with IdentityView, you can filter everything related to Mario Rossi and it will provide a comprehensive report on his activities across various systems. Once the Active Channel loads, pause it to analyze the data effectively.
The text discusses how user identification can be determined through session correlation, even when there is no username field present. It starts by explaining that upon scrolling down to the bottom of a channel, one sees that the first event logged is a Microsoft Windows login on Mario Rossi's desktop workstation, indicating his logon under the account ARCNET.COM\MROSSI. This demonstrates how session correlation allows us to attribute activities to specific users based on initial events like logins.
The text then describes how, after a login to the Unix machine printserver01 under a different account (MARIOR), further traffic is observed that can be linked back to Mario Rossi through identity correlation. The link is made by mapping both accounts to his known user profile and noting the departure from his normal activity.
Further down, it discusses how attempts to access personal email accounts via the Blue Coat proxy reveal suspicious behavior indicative of potential dissatisfaction or job search activities. The text concludes with a mention that detailed analysis using NetFlow can provide further insights into network traffic patterns associated with this user's actions.
A detailed investigation was conducted by IT regarding suspicious network activity from printserver01 involving an employee named Mario Rossi. The analysis revealed that the server had communicated with numerous anonymous foreign websites and even accessed a hacking website in China. This behavior suggested that data might be being transferred out of the company using anonymous proxies, potentially including intellectual property or other sensitive information. Additionally, there was evidence of downloading hacking tools which could indicate potential sabotage activities before Rossi's departure from the company.
To further investigate this issue within Cisco NetFlow Event logs, key details such as the Name, Target Host Name, and Target Address were selected for visualization. This visual representation allowed for a clearer understanding of the pattern and nature of the data transfer. To manage and document this case effectively, ArcSight's case management system was leveraged to create a dedicated case titled "Employee Badged Into Server Room After Hours – Mario Rossi."
Within this case in the ArcSight platform, relevant evidence including event logs from the Cisco NetFlow were added for further analysis. Specific events captured during the investigation were attached to the case file as part of the digital evidence trail. To provide a comprehensive summary and historical context of all activities associated with Mario Rossi, an "All Activity for Specific Actor" report was generated using ArcNet's reporting tools. This report not only provided a graphical overview of accessed applications but also aggregated data across time periods related to this specific user, enhancing the understanding of any anomalous behavior or unauthorized access.
The final step in documenting this incident involved saving the detailed investigation summary within Adobe Acrobat for future reference and compliance purposes. The comprehensive case file contained all relevant evidence, event logs, and generated reports that were crucial in understanding the nature of the suspicious activity observed on printserver01 by Cisco NetFlow Event logs.
The provided text discusses the use of Microsoft Windows, Blue Coat, and Unix systems for monitoring employee activity using ArcSight software. It explains how user behavior analytics can detect when employees access a server outside regular working hours (after-hours) and identify specific individuals by name through session correlation. The process involves saving a report with detailed information about these activities and attaching it to the appropriate case within the company's incident management system for further action.
Additionally, the text introduces an example of investigating shared account usage on servers in a restricted network segment (sj-arcnet-desktops), which is considered against corporate policy. The scenario outlines steps taken by an administrator using ArcSight to set up a demo replay connector to re-enact events and detect any violations of the company's policy regarding shared accounts on specific servers.
The text also mentions that while this use case focuses on IdentityView, which is still supported but nearing end of sale, User Behavior Analytics (UBA) should be considered as an alternative product for future sales due to its distinctiveness from IdentityView.
In summary, the text highlights how ArcSight can assist in quickly compiling evidence and activity related to investigations and package them into a case format for further action within the organization's incident management system. The example provided is focused on detecting unauthorized access using shared accounts on restricted servers within the company network.
The provided text describes a process of receiving and acknowledging a notification about a policy breach, specifically regarding unauthorized use of a shared account on a server within an organization's network. Here is a summarized version of the steps outlined in the text:
1. **Receiving Notification**: An email from ArcSight informs the user (David West) that there has been a violation of company policy. The notification directs the user to go to their "My Notifications" section, where they can view and acknowledge the pending notification.
2. **Viewing Notification Details**: In the "Pending" section of the Command Center, the user finds the specific notification related to "Logins to Known Shared Accounts in the sj-arcnet-serverfarm segment – David West". The user then selects this notification for further details.
3. **Acknowledging the Notification**: Within the notification itself, there are detailed logs of the activity, including a login event using a shared account on a server within the network by an employee (David West). The user acknowledges this notification after reviewing the events and correlating them back to David West from the IT department.
4. **Using IdentityView**: The process involves accessing specific dashboards and channels provided through the software, such as "IdentityView v2.0", where shared account activities are tracked and linked back to responsible individuals (in this case, David West). This helps in understanding who generated the breach or unauthorized use of a shared resource.
5. **Dashboard and Channel Visualization**: The system provides visual aids like dashboards and active channels that show how the activity is correlated with specific users, allowing for better investigation and management of such policy breaches.
Overall, this process illustrates how an organization can monitor and manage potential security and compliance issues by promptly acknowledging notifications related to possible policy breaches through automated systems like ArcSight and IdentityView.
This text provides a summary of an investigation involving a logon event attributed to David West, using the software ArcSight with IdentityView v2.0 for analysis. The process involves several steps:
1. **Attribute Events**: Using the IdentityView Field Set, two of the three events contained no username but were nonetheless attributed back to David West through IP attribution.
2. **Normalization Process**: During this phase, the SmartConnector normalizes event severity into the scale Very Low, Low, Medium, High, and Very High. This is visualized in a priority stats chart showing the count of events and the top 10 rows for selected fields such as Name, Device Product, and Target Address.
3. **Reporting**: The final step involves generating reports about shared accounts using ArcSight. Two default reports are provided: one summarizing all shared account activity (Shared Accounts - Summary.pdf) and the other detailing specific instances of shared use (Shared Accounts - Details.pdf).
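The IP-based attribution described in step 1 above, and the session and identity correlation used earlier to tie printserver01 traffic back to Mario Rossi, are illustrated by this added Python sketch. It is not the demo script's or ArcSight's code: the account-to-actor map, the zone names for the subnets (modelled on sj-arcnet-desktops) and the sample events are all constructed.

```python
import ipaddress

# Constructed actor model: each known account (as it appears in Target User Name) -> actor.
ACCOUNTS = {"ARCNET.COM\\MROSSI": "Mario Rossi", "MARIOR": "Mario Rossi",
            "ARCNET.COM\\DWEST": "David West"}
# Constructed network model: human-readable zone names for subnets (cf. sj-arcnet-desktops).
ZONES = {ipaddress.ip_network("10.1.5.0/24"): "sj-arcnet-desktops",
         ipaddress.ip_network("10.1.9.0/24"): "sj-arcnet-serverfarm"}

def zone_of(addr):
    """Map an address to its zone name, or 'unknown' when no subnet in the model matches."""
    ip = ipaddress.ip_address(addr)
    return next((name for net, name in ZONES.items() if ip in net), "unknown")

def attribute_events(events):
    """Attribute each event to an actor: by identity correlation when the event carries a
    known account, otherwise by session correlation (source address bound to an actor by an
    earlier logon on that host). Events must be in time order.
    Returns a list of (actor, method, zone-of-source) tuples, one per event."""
    sessions = {}   # host address -> actor currently logged on there
    results = []
    for ev in events:
        user = (ev.get("target_user_name") or "").upper()
        src = ev.get("source_address")
        if user in ACCOUNTS:
            actor, method = ACCOUNTS[user], "identity"
        elif src in sessions:
            actor, method = sessions[src], "session"
        else:
            actor, method = "unattributed", "none"
        if actor != "unattributed" and ev.get("category") == "logon":
            sessions[ev["target_address"]] = actor   # logon binds the target host to the actor
        elif ev.get("category") == "logoff":
            sessions.pop(ev.get("target_address"), None)   # session ends, binding removed
        results.append((actor, method, zone_of(src) if src else "n/a"))
    return results

# Constructed events following the page's narrative: a Windows logon on the desktop, an SSH
# logon to printserver01 under a second account, then proxy and NetFlow traffic with no user.
SAMPLE_EVENTS = [
    {"category": "logon", "target_user_name": "ARCNET.COM\\MROSSI", "target_address": "10.1.5.23"},
    {"category": "logon", "target_user_name": "MARIOR", "source_address": "10.1.5.23",
     "target_address": "10.1.9.4"},
    {"category": "web", "source_address": "10.1.9.4", "request_url": "http://webmail.example"},
    {"category": "flow", "source_address": "10.1.9.4", "target_address": "203.0.113.9"},
    {"category": "logoff", "target_address": "10.1.9.4"},
    {"category": "flow", "source_address": "10.1.9.4", "target_address": "203.0.113.9"},
]

if __name__ == "__main__":
    for actor, method, zone in attribute_events(SAMPLE_EVENTS):
        print(f"{actor:<14} via {method:<8} from zone {zone}")
```

The last flow event, sent after the logoff, stays unattributed: session correlation only covers the window in which a logon has bound the host to an actor.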
This document outlines a method for analyzing network activity using ArcSight, an enterprise security information and event management (SIEM) tool. The purpose of this activity is to apply a human-readable name (sj-arcnet-desktops) to a specific IP subnet within the network for easier understanding. Additionally, it explains how the network and asset model can be utilized in various ways across different use cases, such as notifications, reports, rules, and cases. The document also introduces the concept of using a human-readable name for better readability and ease of access when dealing with IP subnets without prior knowledge about networks or assets.
Furthermore, it highlights that while IdentityView is still supported, it has reached its end of sale and should be replaced by User Behavior Analytics (UBA), another distinct product used for analyzing user behavior in the environment. The setup instructions provided focus on accessing Command Center as an admin to acknowledge and delete existing notifications or cases, then setting up a Demo Replay Connector with specified event files to start replaying events at 50 per minute initially, which can be adjusted later if necessary.
Finally, this document addresses a use case involving a legacy application in the environment without user access control capabilities that uses a shared account (SystemUser) for login, providing full administrative privileges to all users. The goal is to track and monitor who logs into this application using the shared account for compliance purposes.
The provided text describes how IdentityView addresses a business challenge related to tracking user activity in an application using a privileged account (SystemUser). It highlights the importance of reporting for compliance purposes and emphasizes that without IdentityView, there would be no way to track activity from the SystemUser back to an accountable user.
The use case focuses on demonstrating how IdentityView can provide detailed reports about who has accessed the application through the SystemUser account, whether ad-hoc or scheduled. This is crucial for compliance with regulations and for providing evidence to auditors. It also mentions that this feature was part of a product called IdentityView, which is still supported but nearing its end of sale; it suggests selling an alternative product known as User Behavior Analytics instead.
The setup instructions involve logging into the Command Center as an admin, acknowledging any existing notifications, and starting a demo replay connector to exercise IdentityView's functionality by replaying pre-defined events at a specified rate, which can be adjusted later if necessary.
Finally, it explains that IdentityView considers user attributes such as department, employee type, and role when displaying dashboards showing who is accessing systems and applications, grouped by these criteria. This information helps in understanding system and application usage and determining appropriate access rights within an organization's environment.
This document outlines a procedure for accessing specific reports and dashboards related to employee activities using the software "ArcNet" under the module named "IdentityView v2.0/Privileged User Monitoring/Modeling." To view these resources, follow these steps:
1. Navigate to the dashboard by hovering over the main menu item labeled "Dashboards," then clicking on "Navigator." Here, you will find a dashboard categorized by employee type titled "Login Activity by Employee Type."
2. Click on this dashboard to access it. On this page, you can view detailed information about login activities categorized by different types of employees. To enhance clarity and readability, enable the display of node labels by clicking "Show Node Labels."
3. For accessing additional reports based on similar contextual data, go to the "Reports" section under the main menu, then click on "Archives." Here, you will find several archived reports including:
   - "All Activity for Department.pdf," which provides a detailed view of activities categorized by department.
   - "Activity Based Modeling by Department.pdf," detailing modeling based on departments.
   Optional reports include:
   - "All Activity for Employee Type.pdf" and "All Activity for Role.pdf," showing activities categorized by employee type and role, respectively.
   - "Activity Based Modeling by Employee Type.pdf" and "Activity Based Modeling by Role.pdf," which provide detailed information on modeling based on these criteria.
4. All the reports mentioned above can be accessed from the "/All Archived Reports/ArcNet Archived Reports/IdentityView 2.0/Privileged User Monitoring/Modeling" directory.
The document also includes a trademark notice and company details, indicating that this service is provided by Micro Focus International plc, registered in England and Wales with registration number 5134647.
