
ArcSight ESM Express 7.0 Console Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 41 min read

Summary:

The source document describes how ArcSight's IdentityView traces shared-account activity back to the individual users behind it within an organizational network. The key points and steps are:

1. **Logging into the ArcSight Console**: As an administrator, log into the ArcSight Console and acknowledge any pending notifications or cases that relate to user activity involving shared accounts. This sets the stage for investigating potential incidents.

2. **Accessing Specific Dashboards**: Navigate to the IdentityView module, which includes sub-sections such as "Login Activity by Department" and "Login Activity by Employee Type". These break login activity down by department or employee type.

3. **Reviewing Archived Reports**: Open the archived reports on privileged-user login sessions that use the shared account SystemUser. They show how that account is used across the applications and sessions within MyLegacyApp.

4. **Correlation Options for Detailed Tracking**: To trace SystemUser's activity back to a responsible person, right-click a correlated event and select "Correlation Options > Detailed Chain". This traces the login attempts made by SystemUser to an identifiable user (in this case, Chan Siu Ming).

5. **Generating Compliance Reports**: Create a report titled "MyLegacyApp Login Sessions.pdf" documenting the access granted to the SystemUser account over time. The report supports regulatory compliance and gives auditors the information they need.

6. **Demo Replay Connector**: Set up a demo replay connector by loading pre-recorded event files and starting replay at an appropriate speed (up to ~25 events per second). This lets login activity be inspected in real time during the demonstration, so access controls can be assessed and adjusted immediately if needed.

7. **Micro Focus International Plc**: The organization behind ArcSight is Micro Focus International Plc, registered in England and Wales. This context is useful when discussing the platform's features and capabilities with stakeholders or during audits.

8. **Alternative Product Consideration**: IdentityView support ends soon; the document suggests User Behavior Analytics as an alternative for monitoring user behavior more effectively.

Overall, the procedure shows how shared accounts are used within specific applications and across the organization, giving insight into compliance with access-management policies and demonstrating accountability for any unauthorized activity involving those accounts.

Details:

"ArcSight ESM / ESM Express 7.0 Patch 1 Demonstration Script v4 - 10/30/2018" is a comprehensive guide that provides an overview and detailed demonstrations of various security use cases, compliance use cases, and network monitoring scenarios using the ArcSight platform. The document includes:

  • A demonstration script for the Console, showcasing its capabilities in reputation security monitoring, threat intelligence activation, marketplace integration, regulatory compliance, netflow analysis, worm outbreak prevention, privileged user behavior tracking, and policy violations involving shared accounts.

  • Specific use cases such as Reputation Security Monitor Plus, ArcSight Activate Threat Intelligence, ArcSight Activate and Marketplace, ArcSight Marketplace, Worm Outbreak Use Case, Privileged User Monitoring Use Case (Afterhours Activity), and Shared Accounts Use Case (Policy Violation).

The script is designed to illustrate how the ArcSight platform can be used to strengthen security and operational efficiency in a range of organizational contexts. It also covers two specific use cases for ESM/ESM Express with the ArcSight Console, Shared Accounts and Privileged User Monitoring, with setup steps and a workflow overview for each.

**Shared Accounts Use Case (Legacy Application):**

  • **Setup:** The user logs into the ArcSight Console as admin, deletes existing notifications and cases, then starts a Demo Replay Connector to replay event files at 50 events per minute.

  • **Synopsis:** This use case demonstrates how analysts can interact with ESM/ESM Express for investigating suspicious or malicious activities by following a specific workflow: notification -> dashboard -> active channel -> report -> case. The text mentions the initial detection of suspicious activity via email and SMS notifications, followed by using the interface to navigate through the investigation process from start to finish.

**Privileged User Monitoring Use Case (Activity Monitoring and Modeling):**

  • **Setup:** Similar setup steps as above, including logging in, deleting existing cases, and starting the Demo Replay Connector with specified event files.

  • **Synopsis:** This use case follows a similar workflow but focuses on monitoring privileged users through their activities. The text describes how notifications lead to investigations where analysts interact with ESM/ESM Express features for understanding and acting upon the monitored activities.

The document also notes that the accompanying PowerPoint slides contain screenshots of each demonstration flow, as visual aids for the described process.

The script then walks through an incident-response workflow in the ArcSight platform for multiple login attempts against a locked Windows account belonging to 'swright'. The key points and processes are:

1. **Initial Notification**: On logging into the ArcSight Console, a notification about pending acknowledgments is displayed. This is the entry point of the workflow for handling security-related events.

2. **Workflow Process**: Notifications must be acknowledged within a specified time interval. If no acknowledgment is received, the notification escalates automatically to the next level.

3. **Event Details and Correlation**: The Console shows the associated events: the correlated event (marked with a red lightning bolt) and the normalized base events that triggered it. The correlation shows the sequence of actions leading up to the incident.

4. **Field Set Configuration**: To focus the investigation, the analyst configures field sets in the Console, selecting only the fields of interest, for example those describing authentication failures or logon attempts against disabled accounts.

5. **SmartConnector and Normalization**: The SmartConnector normalizes events from different sources into a common structure for ESM/ESM Express, which simplifies handling and interpretation of the data for further analysis.

6. **Event Categorization**: Events are categorized by behavior (here, authentication verification) and by device group (operating system). Categorization makes the nature of an event explicit and makes it easier to recognize patterns or specific incident types.

7. **Benefits of Categorization**: Clear distinctions between event types support faster and more effective response strategies.

Categorization also acts as an abstraction layer: instead of writing content against specific event IDs tied to a particular device or version, you can use a category such as Operating System that covers Windows, Unix, Linux and other systems, so a change in device software does not require rewriting the content.

The script next covers the Console's dashboards and Navigator Panel, used to monitor real-time status such as operating-system login activity. A dashboard is dynamic and interactive: clicking on its parts drills into details such as failed login attempts or locked accounts.

For case management, cases are created automatically in response to certain notifications (for example, multiple failed login attempts). A case can be inspected and edited in a panel where the investigation stage is managed, for instance moving it from queued to initial when the investigation starts. Navigation works through the panels: clicking a dashboard or case in the Navigator Panel opens a detailed view in the Inspect/Edit Panel. In short, the system uses categorization for security content, dashboards for real-time monitoring, and case management for investigating incidents triggered by notifications, all reached through the Console's panels.

The analyst then examines the event history for the case, focusing on swright's activity. An Active Channel similar to the dashboard, showing only operating-system events, is opened from the Navigator Panel, paused, and then closed. Selecting Analyze in the Active Channel creates a channel targeting swright's activity, which shows that he connected over VPN from IP address 10.0.110.34, with multiple failed login attempts and other suspicious activity in the firewall and IDS logs, including FTP to malicious sites. This behavior suggests that swright may be using a mobile device infected with malware that connects to malicious sites while inside the corporate network. During normalization the SmartConnector also maps each data source's own interpretation of how dangerous an event is onto a common scale of Very Low, Low, Medium, High and Very High. Finally, the truncated domain value "dslzn11.badg" visible in the right-hand portion of the Active Channel is pointed out.
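The normalization and categorization point made above (rules written against category fields rather than vendor-specific event IDs) is easier to see in code. The following is an added example, not code from the demo script or from ArcSight: a Windows Security event 4625 (failed logon) and a Linux sshd password failure are parsed into one common schema whose category fields are modelled loosely on ArcSight's categoryBehavior / categoryOutcome / categoryDeviceGroup naming, and a single "multiple failed logins" rule is then evaluated on those category values only. The sample log lines, the mapping tables and the threshold of three failures are constructed for this example.

```python
"""Added example: normalize two vendor-specific authentication-failure formats
into one categorized event shape, then run one category-based rule.
The category values and sample logs below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: Windows Security log lines (event ID 4625 =
# failed logon, 4624 = successful logon) and Linux sshd lines.
SAMPLE_LOGS = [
    "2018-10-30 08:01:12 host=dc01 EventID=4625 TargetUserName=swright IpAddress=10.0.110.34",
    "2018-10-30 08:01:40 host=dc01 EventID=4625 TargetUserName=swright IpAddress=10.0.110.34",
    "Oct 30 08:02:05 app01 sshd[2231]: Failed password for swright from 10.0.110.34 port 51822 ssh2",
    "Oct 30 08:02:30 app01 sshd[2231]: Failed password for swright from 10.0.110.34 port 51823 ssh2",
    "2018-10-30 08:03:00 host=dc01 EventID=4624 TargetUserName=jdoe IpAddress=10.0.5.7",
]


@dataclass
class NormalizedEvent:
    device_vendor: str
    device_event_id: str
    user: str
    source_address: str
    category_behavior: str      # e.g. /Authentication/Verify
    category_outcome: str       # /Success or /Failure
    category_device_group: str  # e.g. /Operating System


# Vendor-specific knowledge lives only in these mapping tables (the
# "abstraction layer" described in the text); the rule never sees event IDs.
WINDOWS_EVENT_MAP = {
    "4625": ("/Authentication/Verify", "/Failure"),
    "4624": ("/Authentication/Verify", "/Success"),
}
WIN_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")


def normalize(line):
    """Parse one raw log line into the common schema; None if the format is unknown."""
    m = WIN_RE.search(line)
    if m:
        event_id, user, ip = m.groups()
        if event_id not in WINDOWS_EVENT_MAP:
            return None
        behavior, outcome = WINDOWS_EVENT_MAP[event_id]
        return NormalizedEvent("Microsoft", event_id, user, ip,
                               behavior, outcome, "/Operating System")
    m = SSHD_RE.search(line)
    if m:
        result, user, ip = m.groups()
        outcome = "/Failure" if result == "Failed" else "/Success"
        return NormalizedEvent("Unix", "sshd:" + result.lower(), user, ip,
                               "/Authentication/Verify", outcome, "/Operating System")
    return None


def failed_login_rule(events, threshold=3):
    """Category-based rule: one alert per user with >= threshold failed
    authentication events from Operating System devices, whatever the vendor."""
    failures = defaultdict(list)
    for ev in events:
        if (ev.category_behavior == "/Authentication/Verify"
                and ev.category_outcome == "/Failure"
                and ev.category_device_group == "/Operating System"):
            failures[ev.user].append(ev)
    alerts = {}
    for user, evs in failures.items():
        if len(evs) >= threshold:
            alerts[user] = {
                "count": len(evs),
                "sources": sorted({e.source_address for e in evs}),
                "vendors": sorted({e.device_vendor for e in evs}),
            }
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize all lines (dropping unparseable ones) and evaluate the rule."""
    events = [ev for ev in (normalize(line) for line in lines) if ev]
    return events, failed_login_rule(events)


if __name__ == "__main__":
    normalized, found = run()
    for ev in normalized:
        print(ev)
    print(found)
```

Because the rule keys on `/Authentication/Verify` + `/Failure` + `/Operating System`, the two Windows failures and the two sshd failures for swright count together (four in total), while jdoe's successful logon is ignored; adding a new log source only requires a new mapping table, not a new rule.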
The investigation then follows the DNS domain dslzn11.badguy.net and the events associated with it:

1. **Identify Relevant Domain**: The target DNS domain dslzn11.badguy.net is of interest, so it is added to the search criteria of a channel within the tool.

2. **Setup and Load Active Channel**: Select 'Analyze' in the channel menu, add the target DNS domain, and load the active channel; then pause the channel for further analysis or changes.

3. **Customize Channel**: Within the active channel, the field set in use can be changed, and fields can be added, removed or changed in the columns. The events seen include:

  • FTP_User and FTP_Pass related to failed login attempts that led to a locked Windows account (swright).

  • Operating System Events such as multiple login attempts resulting in the lock of a Windows account.

4. **Adding Events to Case**: Select the relevant events in the channel, right-click them, and choose 'Add to Case' under the 'Other...' option, specifying the case for this investigation (in which FTP_Pass is central).

5. **Generating Reports**: To validate the findings, run a predefined report on failed login attempts (FTP_User and FTP_Pass), with the timeframe set to the last day and the format set to PDF.

6. **Navigator Panel**: For further validation and review, expand reports in the Navigator Panel or step back through the breadcrumbs of the investigation without starting from scratch.

7. **Saving and Sharing**: The search can be saved for future use or shared with another analyst by saving it as a new search in the tool.

A second report is then generated for failed login attempts on the swright account, with the timeframe set from the last 24 hours until now and the format set to PDF; the report is saved as PDF and opened. In the ArcSight Console, navigate to the case for the multiple login attempts that locked out swright and attach both generated PDF reports by browsing to them on your device, making sure they are categorized as documents (pdf, doc, xls, etc.). Next, add notes and follow-up actions to the case and update its attributes such as owner, security classification and operational-impact priority. Finally, stage the case for follow-up and complete the process by marking it as initial, reflecting the completion of the investigation. This walkthrough shows how ArcSight ESM/ESM Express supports efficient incident handling and forensic investigation within a company's network.

The next part of the script covers detecting and managing malicious communications with Reputation Security Monitor Plus (RepSM).

**RepSM Overview (iii.)**: A dashboard named "Reputation Security Monitor Plus" shows the domains and IP addresses being monitored against threat-intelligence feeds. Production lists hold millions of entries; the demonstration uses much smaller lists.

**Geographical View of Malicious Communications (iv.)**: The text gives no detailed description of the geographical view, noting only that similar domain and IP-address data is presented in different dashboards.

**Action Talking Points**: The talking points include:

  • **Dashboard Visibility**: There are three main dashboards displayed, each with its specific focus: "Reputation Domain," "Reputation IP Database," and "RepSM Overview." These provide an overview of the malicious activities detected by the system, such as malware infections, zero-day attacks, and dangerous browsing habits.

  • **Dashboard Content**: Each dashboard shows entries like domain names and IP addresses with associated threat intelligence data including exploit types, reputation scores, and potential security risks based on current threats. Scores below 40 are considered undesirable but not malicious, while those below 20 pose no significant threat. Entities with a score of 0 are still monitored as they could be candidates for malicious activities.

  • **Investigation Tools**: The text suggests the use of right-clicking on specific assets (e.g., IP address) to initiate investigations, which implies that the system provides tools for detailed analysis and incident response.

**General Summary**: This toolset monitors and manages network threats through dashboards for domains, IPs and the malicious activity detected via threat-intelligence feeds, and lets the user start an investigation into a suspicious asset simply by right-clicking an entry on a dashboard.

The script next investigates an internal asset infection: the Flashback Trojan affecting Mac users via mystreamvideo.rr.nu, using ArcSight's tools to identify, analyze and understand the infection. The process is:

1. **Identify Infection**: An internal asset is seen contacting mystreamvideo.rr.nu, whose high reputation score indicates a likely botnet association. Further investigation identifies this as malicious activity, probably caused by the Flashback Trojan.

2. **Investigation Tools**:

  • **Malicious Entity Panel**: The user right-clicks on the mystreamvideo.rr.nu entry in the Malicious Entity column of the Summary of Infected Assets panel to access detailed information about internal infections among Mac users.

  • **Drilldown Feature**: Right-clicking on specific entries like 10.0.20.21 leads to a drilldown with more details, allowing for easier investigation into all activity related to infected assets over the last 24 hours.

  • **Geo-location and Event Analysis**: Through detailed analysis of events involving the infected asset, ArcSight automatically geo-locates sources and destinations based on IP addresses, providing insights into where these attacks are originating from or targeting.

3. **Command Execution**: Right-click a specific event to analyze it in more detail, for example viewing the domain event details, which may indicate the destination of the attack (China in the case of mystreamvideo.rr.nu).

4. **Reporting and Closure**: Review the findings on the RepSM Overview Dashboard and close the tables for currently infected assets and recorded interactions with malicious entities.

This process helps users understand and manage the risk from internal infections, particularly those involving botnets or known malware such as the Flashback Trojan.

To act on an infected asset shown in the Viewer panel, Integration Commands are launched from the Internal Infected Assets panel: for example running ping or nslookup on the infected asset's IP address and hostname, or more advanced actions such as taking a forensic snapshot and remediating the system. Integration Commands are useful for containment and remediation and can be used together with external case-management systems.

ArcSight's internal case management is flexible and granular, with predefined stages and actions such as assigning cases to other users, tracking progress, reporting and notifying. Notes can be added to a case for future reference, and the events involved appear under the case's "Events" tab.

The script then closes the case for a macmini device marked "Internal Infected" in the ArcSight Reputation Security Monitor Plus (RSM) and observes the status change on the RSM dashboard. Pre-built reports such as "Currently Infected Assets" and "Dangerous Browsing Activities" can be customized for specific needs, and RSM also offers geographical views of malicious communications.

In summary, the Reputation Security Monitor Plus demonstration shows how suspicious and malicious network activity is detected and investigated:

1. Open the relevant dashboards and active channels in the ArcSight Console.

2. Use threat-feed data to identify malicious communications and entities, visualized through geographical views and reports.

3. Set up Reputation Security Monitor Plus by logging into the ArcSight Console as the admin or demo user with the appropriate credentials.

4. Navigate dashboards such as Threat Intelligence Overview, Address Data Overview, Entity Data Overview and Suspicious Activities in Geo to monitor malicious communications.

5. Use the demo replay connector to replay events from the specified event files at 50 events per minute.

6. Assign Activate incidents to Level 1 SOC analysts using the Event Annotation feature, with two ArcSight Consoles running under different user accounts.

Two user interfaces appear in this scenario: one with the default theme (the admin) and one with the dark theme (the demo user). The main use case is a system in the DMZ that has been infected and is communicating with a command and control server. It is detected through outbound communication via the firewall to known-bad systems, and through Sysmon, which collects file hashes on Windows systems that have no antivirus software. Other use cases can be identified from the rule names in the demo's Main Channel. Key highlights:

1. The Activate package is versatile and does not depend on specific product or vendor details; it triggers on events sent to ESM (Extended Security Management).

2. It populates the Threat Model through several methods, including STIX/TAXII, the Collective Intelligence Framework (CIF), Ransomware data feeds and HIDDEN COBRA data feeds.

3. That intelligence enriches event details: identifying botnet or malware sites by IP address, tracing the source of the threat intelligence, and assessing the confidence level of threat information from commercial or open-source sources.

4. Level 2 content uses the Threat Model for context and also draws on the Network and Asset Models to prioritize incidents more effectively.

The demonstration also uses Sysmon to collect process and file-hash information so that indicators of compromise (IOCs) such as IP addresses and FQDNs can be supplemented with file hashes. It uses an ArcSight FlexConnector from the Microsoft Marketplace alongside the Windows Native SmartConnector, because the latter cannot parse these specific logs. Key points:

1. File hashes serve as indicators of potential compromise alongside traditional IOCs such as IP addresses and FQDNs.

2. Sysmon is used to collect the relevant log data, which makes this information easy to gather; Microsoft AppLocker or any host-monitoring product can be used instead.

3. An Active List tracks triggers from IP addresses and entities, with a time-to-live (TTL) of 8 hours. When replaying events within that period, clear the entries in the Active List so they do not interfere with data collection.

4. The ArcSight Activate Level 1 and Level 2 Threat Intelligence packages detect suspicious or malicious activity using a threat model populated from various intelligence feeds and sources. The model consists of three active lists: Suspicious Addresses, Suspicious IPv6 and Suspicious Entity.

5. The L1 Threat Intelligence package populates the threat model from the diverse intelligence feeds, while the L2 package uses that contextualized information for detection.
The threat intelligence package gathers indicators from sources such as STIX, TAXII, CIF, Ransomware data feeds and HIDDEN COBRA data feeds. Its primary use is to populate lists with user names, email addresses or hashes so that potential malicious activity can be detected. It includes two dashboards, the Threat Model Dashboard and the Threat Intelligence Active Lists dashboard, which summarize the suspicious addresses and entities by indicator type, score range, source and counts by signature type. The Address dashboard breaks entries down by Indicator Type (the kind of malicious activity), Score Range (reliability) and Source (the provider of the threat-intelligence data). The Entity dashboard shows the same breakdowns plus Counts by Signature Type, which distinguishes suspicious entities such as URLs, fully qualified domain names (FQDNs), suspicious file hashes (md5/sha1/sha256), user names and email addresses. The package is vendor- and product-agnostic: any device whose collected data carries fields such as a file hash or an email address can feed it, and it alerts on indicators of compromise and malicious activity whenever those fields are populated.

Detections from the Activate Threat Intelligence package are visualized on a dashboard with several panes: an overview of detected malicious categories such as reconnaissance, dangerous browsing and ransomware; top alerts by score; and top internal target addresses. Double-clicking a specific entry shows more detail, including the source of the threat intelligence, the attack category and the reliability score.
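To make the threat-model mechanics concrete (the Suspicious Addresses and Suspicious Entity active lists with an 8-hour TTL, L1 population from feeds, L2 matching with asset context, and the reputation score bands from the RepSM section earlier), here is an added example that is not code from the demo script, from Activate, or from ArcSight. The list names, the 8-hour TTL, the score thresholds of 40 / 20 / 0, and the host names and file hash come from the text above; the event field names (modelled on ArcSight-style names such as destinationAddress, fileHash, sourceHostName), the feed records, the asset model, the priority scheme and the score-band interpretation are assumptions made for this illustration.

```python
"""Added example: a toy threat model built from active lists with a TTL,
populated from constructed feed records (L1), matched against firewall and
Sysmon-style events and prioritized with a constructed asset model (L2).
Field names, sample data and the priority scheme are assumed for illustration."""
import time

TTL_SECONDS = 8 * 3600  # active-list entries live 8 hours, as stated in the text


class ActiveList:
    """Keyed entries that expire TTL seconds after they were (re)added."""

    def __init__(self, name, ttl=TTL_SECONDS):
        self.name, self.ttl, self._entries = name, ttl, {}

    def add(self, key, now, **attrs):
        self._entries[key.lower()] = (now + self.ttl, attrs)

    def lookup(self, key, now):
        """Return the entry's attributes if present and unexpired, else None."""
        item = self._entries.get(key.lower())
        if item is None:
            return None
        expires, attrs = item
        if now >= expires:
            del self._entries[key.lower()]  # lazy expiry of a stale entry
            return None
        return attrs

    def clear(self):
        """Drop every entry (the text advises this before replaying events)."""
        self._entries.clear()


def score_class(score):
    """Assumed reading of the score bands described in the RepSM section."""
    if score >= 40:
        return "malicious"
    if score >= 20:
        return "undesirable"
    if score > 0:
        return "no significant threat"
    return "monitored only"


# Constructed feed records standing in for STIX/TAXII, CIF, ransomware and
# HIDDEN COBRA feeds; the sha256 value is the one quoted in the text.
FEED_RECORDS = [
    {"type": "address", "value": "203.0.113.7", "indicator": "Command and Control",
     "score": 85, "source": "spamhaus.org"},
    {"type": "fqdn", "value": "dslzn11.badguy.net", "indicator": "Dangerous Browsing",
     "score": 60, "source": "cif-demo"},
    {"type": "sha256", "value": "a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72",
     "indicator": "Malware", "score": 95, "source": "hidden-cobra-demo"},
    {"type": "address", "value": "198.51.100.9", "indicator": "Scanner",
     "score": 10, "source": "open-demo"},
]


def build_threat_model(records, now):
    """L1 step: populate the two active lists from feed records."""
    addresses = ActiveList("Suspicious Addresses")
    entities = ActiveList("Suspicious Entity")
    for r in records:
        target = addresses if r["type"] == "address" else entities
        target.add(r["value"], now, indicator=r["indicator"], score=r["score"],
                   source=r["source"], sig_type=r["type"])
    return addresses, entities


# Constructed asset model: zone and criticality per host (hypothetical values).
ASSET_MODEL = {
    "fwhq05.hq.arcnet.com": {"zone": "HQ-ArcNet-DMZ", "criticality": "critical"},
    "printserver01": {"zone": "HQ-ArcNet-Internal", "criticality": "low"},
}


def evaluate(event, addresses, entities, now):
    """L2 step: match one event against the model and attach asset context."""
    hit = None
    if "destinationAddress" in event:
        hit = addresses.lookup(event["destinationAddress"], now)
    if hit is None and "requestUrlHost" in event:
        hit = entities.lookup(event["requestUrlHost"], now)
    if hit is None and "fileHash" in event:
        hit = entities.lookup(event["fileHash"], now)
    if hit is None:
        return None
    asset = ASSET_MODEL.get(event.get("sourceHostName", ""),
                            {"zone": "unknown", "criticality": "unknown"})
    # Assumed priority scheme: critical asset + malicious-class indicator first.
    priority = 1 if (asset["criticality"] == "critical"
                     and score_class(hit["score"]) == "malicious") else 2
    return {"host": event.get("sourceHostName"), "zone": asset["zone"],
            "indicator": hit["indicator"], "source": hit["source"],
            "score": hit["score"], "class": score_class(hit["score"]),
            "priority": priority}


# Constructed events: a firewall outbound connection, two Sysmon-style
# process-create events carrying file hashes, and a low-score address hit.
SAMPLE_EVENTS = [
    {"sourceHostName": "fwhq05.hq.arcnet.com", "destinationAddress": "203.0.113.7"},
    {"sourceHostName": "printserver01",
     "fileHash": "A2BC3059283D7CC7BC574CE32CB6B8BFD27E02AC3810A21BD3A9B84C17F18A72"},
    {"sourceHostName": "printserver01", "fileHash": "0" * 64},
    {"sourceHostName": "ws17", "destinationAddress": "198.51.100.9"},
]


def run(now=None, events=SAMPLE_EVENTS):
    """Build the model, evaluate the events, and return alerts by priority then score."""
    now = time.time() if now is None else now
    addresses, entities = build_threat_model(FEED_RECORDS, now)
    alerts = [a for a in (evaluate(e, addresses, entities, now) for e in events) if a]
    return sorted(alerts, key=lambda a: (a["priority"], -a["score"]))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The hash lookup is case-insensitive because different collectors emit hex in different cases, and the unknown hash on printserver01 produces no alert at all: the model only speaks when a populated field matches an unexpired entry. The low-score address hit is still returned, classed as "no significant threat", which mirrors the text's point that low and zero scores are monitored rather than alerted on as malicious.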
The script also describes a workflow in which a SOC manager triages Activate incidents and assigns them to Level 1 analysts based on correlated events from suspicious hosts. In the example, the host fwhq05.hq.arcnet.com has triggered Dangerous Browsing, Outbound Command and Control Communication, and Suspicious Filehash Activity in a Critical Host. The dashboard gives the SOC manager the view needed to triage such incidents and assign them for further analysis by Level 1 analysts.

A Level 1 SOC analyst then monitors the suspicious activity in the ArcSight Console, focusing on events categorized as botnet by spamhaus.org. The Main Channel initially shows three correlated events relating to traffic to an IP address identified as part of a botnet. Once these events are annotated and assigned to the Level 1 SOC analyst named demo, they disappear from the Main Channel and reappear in that analyst's Personal Investigating Channel. The correlation supplies additional detail about the outbound command and control, the dangerous browsing towards known malicious sites, and the cyber-threat-intelligence enrichment derived from analysis of the suspicious file-hash activity.

The suspicious file-hash activity comes from a Windows system on which Sysmon monitors processes and records the hash of every process that runs. The event is examined in the ArcSight Viewer panel in Inspect/Edit mode, where host details and device fields are reached by clicking on the host or on the Process Create base event. The Sysmon FlexConnector, available on the ArcSight Marketplace, parses Sysmon events, which helps identify whether any process running on a Windows system was delivered via email, for example from a Microsoft Outlook temporary directory. Activate Threat Intelligence watches for the recorded file hash and, through its AI package, alerts and notifies on it as an indicator of compromise in the same way as an IP address or host name. The FlexConnector is not described as supporting Sysmon events specifically; it offers parsing capabilities usable across devices and products, including Windows systems.

In the resulting incident, a host in the HQ-ArcNet-DMZ zone is identified with suspicious file-hash activity. Threat Intelligence package Level 2 content, which considers both the threat model and the criticality of network assets, triggers two correlated events: Suspicious Filehash Activity and Activate Threat Intelligence. To investigate further, the analyst opens the Inspect/Edit panel and searches for the malicious file on other hosts in the network. It is found on printserver01, which carries the executable with hash a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72. Although printserver01 is not considered critical, the Activate Threat Intelligence content prioritizes investigation of the more significant assets in the network. The analyst contacts the remediation team to quarantine the host and perform a forensic investigation, selects all three correlated events for annotation, and changes the incident stage to "Closed" with a comment recording that malware downloaded via Microsoft Office was found and that the infected system needs cleaning and remediation.
Finally, the SOC manager switches back to the ArcSight Console to review reports, underlining the value of such proactive measures in network-security management.

The document summarizes ArcSight Activate Threat Intelligence and demonstrates it through predefined reports such as Threat Intelligence Alerts, Suspicious Activities by Attack Category, Inbound Activities by Attack, and Outbound Activities by Target. The product is vendor-agnostic and can integrate with any system, using indicators such as file hashes, email addresses and URLs alongside traditional ones such as IP addresses and fully qualified domain names. The demo shows Activate enriching events with details from the threat models and intelligence feeds, and adding context from the Network and Asset model. The SOC Manager triages incidents in the Main Channel and assigns them to analysts through event annotation, while analysts monitor their assigned incidents directly in the Personal Investigating Channel.

The setup guide for ArcSight Activate and Marketplace covers logging into the ArcSight Console as admin, replaying the demo events at the specified rate, activating the required channels (Main Channel and Personal Investigating Channel), and opening dashboards such as Malware Outbreak Statistics. It concludes with a list of installed packages, including L1-Malware Monitoring - Ind.

The document also outlines network-monitoring steps using PMcAfeeEpoVirusScan (Antivirus) and PSnort (Network Monitoring), and lists URLs to open in a web browser for information on ArcSight Activate, the platform for developing modular content. It distinguishes two levels of network monitoring, L1-L2 indicators and warnings, each with its own products: L1 covers basic network monitoring with Indicators and Warnings using PSnort, while L2 covers Malware Monitoring and Situational Awareness with PMcAfeeEpoVirusScan. The document also provides a series of URLs for accessing information directly from the Micro Focus website.

Additionally, the document provides a list of pages in the Activate wiki that discuss various aspects of ArcSight Activate:

This information is intended to help users understand the capabilities of ArcSight Activate, its development methodology, and how it can be used for developing custom network monitoring solutions efficiently. The document discusses ArcSight Activate, a framework designed to help implement new ArcSight solutions quickly and efficiently while providing more established implementations with methods for continuous adaptation and improvement. It outlines the organization of packages by type within the framework: 1. **Activate Base Package**: Supplies resources like filters, global variables, or active lists that are used across all other packages. 2. **Level 1 (L1) Activate Packages**: Utilize indicators from multiple event sources to normalize information and may enrich events with device-specific data. 3. **Level 2 (L2) Situational Awareness Packages**: Contextualize events using various internal ArcSight models including the network model, asset model, actor model, and threat intelligence model. 4. **Product Packages**: Specific to certain releases or versions, generally containing L1 content; may include FlexConnectors or Parser overrides. ArcSight Activate content is available on the ArcSight Marketplace, which serves as a platform for sharing and downloading security packages, use cases, best practices, and more. The marketplace enables users to access cutting-edge security information similar to what large companies have, facilitating efficient management of security measures. The provided text discusses ArcSight Activate, a platform that provides content and documentation to address use cases related to various security services such as physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring. These services are designed to detect and report on events indicating malicious activity through indicators and warnings at the L1 level, providing situational awareness with context at the L2 level. 
ArcSight Activate supports a wide range of vendors and products, integrated via SmartConnectors, FlexConnectors for in-house applications, or companies participating in the Security Technology Alliances Partner Program. The platform is modular and extensible: support for additional devices and products is added by modifying filters. Searching for malware monitoring content in the Marketplace returns the L1 (Malware Monitoring) and L2 (Malware Monitoring) packages. For instance, ArcSight Activate supports McAfee ePO VirusScan through an Activate Product Package. The platform provides not only content for the use cases but also documentation and best practices to support that content, as shown by the guidance in the Activate wiki for malware monitoring.

When you edit some of the filters in an Activate package, scrolling down reveals additional configuration options. These options tune what the content shows so that it fits your environment; in this case there are thresholds that you can adjust to suit your situation. Under the Extensibility section you will find further options, such as additional rules for when a condition should fire. These settings surface different information according to how important or valuable the affected assets are. For example, during a large virus outbreak they help you respond faster by indicating which affected systems matter most, such as critical servers or hosts in a protected segment like the DMZ.

The L2 Malware Monitoring package goes further by adding context to what the L1 package shows. It uses the Network and Asset Model to pinpoint where in the network a virus or worm outbreak is occurring, which can speed up remediation considerably, especially when critical assets are affected. The McAfee ePO VirusScan product package works with the L2 Malware Monitoring package to detect viruses and other malware; beyond malware detection it can also track relevant entities such as users or devices. To see how these pieces work together, go to the ArcSight Console, where you will find both the L1 and L2 Malware Monitoring packages along with the McAfee ePO VirusScan package. To learn more about Activate, look at the test plans, which show how the content behaves by testing different events.

This document outlines the functionality and usage of two main channels within ArcSight Activate, designed for Security Operations Center (SOC) managers and analysts to manage and monitor security incidents. 1. **Activate Main Channel**: This channel is used by SOC managers to view all correlated events triggered by the Activate use cases. The manager can triage and assign these incidents to specific analysts based on their subject matter expertise and availability. In the demo scenario, this channel simulates what the SOC manager sees during incident management. 2. **Activate Personal Investigating Channel**: This channel is tailored for analysts who monitor the incidents assigned to them. Each analyst's view in this channel is personalized automatically according to their ESM (Enterprise Security Manager) login, allowing them to focus on their designated cases. In the demo scenario, the channel represents what an analyst sees when not actively working on any incidents.
The document then details a demonstration in which the user switches between these channels to inspect specific correlated events. For example, double-clicking an event related to malware activity affecting IP address 172.17.1.1 reveals that it was triggered by the Level 1 Malware Monitoring package using the McAfee ePO VirusScan product. The content is vendor and product agnostic and applies across antivirus solutions, McAfee included, which demonstrates flexibility in incident handling. The document concludes with a note to select DMZ-related events for detailed inspection in this context.

The text then describes how a SOC manager uses ESM (Enterprise Security Manager) for incident management when identifying critical assets affected by malware, specifically W32/SQLSlammer.worm. They use the network and asset model to analyze an infected system in arcnet-dmz, alongside the other DMZ hosts. The SOC manager finds multiple correlated events from IP address 172.17.1.1 and uses event annotation in ESM to track them. Event annotations let them track and escalate the incident by assigning it to a Level 1 analyst named Steve. This is done through the workflow setup, where different stages are defined for collaborative investigation of correlated events. The procedure: open the Inspect/Edit panel, right-click a correlated event with IP address 172.17.1.1, select Annotate Events, and enter comments assigning it to Steve for Level 1 investigation. Annotations thus serve as a lightweight workflow tool for tracking and escalating events through the stages defined under SOC Stages, tailored to the organization's workflow.

The summary then covers the transition of an event from the Main Channel to Steve's Personal Investigating Channel in ArcSight. Once correlated, the event is displayed there after switching to the Active Channel named "ArcSight Activate" under "Personal Investigating Channel". Event annotations, such as comments about malware removal or antivirus updates, feed metrics like cases by status, monthly cases by severity, time to resolution, events per analyst hour, and more; annotating the event is what makes those metrics trackable. The document also mentions a Level 2 Malware Monitoring package that includes a Dashboard with four Data Monitors representing malware activity visually. These monitors track infection rates within the organization and in the DMZ, and the dashboards leverage the Network and Asset Model for better visualization and understanding. ArcSight Activate offers several benefits, including easy deployment of pre-packaged use cases and the ability to extend or expand use cases as needed.

The provided text discusses various aspects of ArcSight Marketplace, including its benefits, setup instructions, and how it facilitates sharing of content between clients and ArcSight Professional Services. Key points include: 1. **Benefits**:

  • **Ever-expanding library of use cases** available on ArcSight Marketplace and Protect724, which allows for a comprehensive collection of security solutions tailored to various requirements.

  • **Content Development benefits**: including reuse of content between different use cases, enforced best practices, standardization in content development, easy sharing across clients and professional services, quicker learning curve for new developers, and streamlined onboarding for skilled developers due to the Activate methodology familiarity.

  • **Separation of testing, QA, and production implementations** of new content helps ensure quality and efficiency.

2. **Setup**:

  • To set up ArcSight Marketplace:

  • Log in to the ArcSight Console as an admin.

  • Start the Demo Replay Connector by selecting demo.events files and replaying them at 50 events per minute.

  • Open the specific use case, such as IDS – IPS Monitoring from /All Use Cases/Downloads/Network Monitoring.

  • Access ArcSight Marketplace via a web browser using the URL: https://marketplace.microfocus.com/arcsight. It is recommended to sign up for an account on both ArcSight Marketplace and Protect724.

3. **ArcSight Marketplace**:

  • As a platform, ArcSight Marketplace serves as a hub where security professionals can share and download various security resources like packages, utilities, tools, best practices, guidelines, product documentation, use cases, etc., grouped into different categories.

  • Users can search for specific content related to their deployed IDS and IPS products by entering "ids" under the Search field.

This summary highlights how ArcSight Marketplace supports security professionals in managing their security environment through a large repository of pre-built solutions and guides, facilitating efficient sharing and integration of best practices among users.

In this process, you start by searching for "IDS IPS Monitoring SmartConnectors" on the search results page. You find the content you need by clicking "IDS IPS Monitoring Package", which leads to a description, a screenshot, and details about the SmartConnectors that will trigger the content. Because the package is already installed, you do not have to install it again. You then switch to the ArcSight Console, where you can see the resources from the installed Marketplace content: the IDS – IPS Monitoring Use Case dashboard, an Active Channel, and a Viewer Panel. The Event Sources panel confirms that this content is triggered by network IDS/IPS devices. Clicking the IDS – IPS Overview Dashboard shows what is happening on your deployed IDS and IPS devices, such as top attackers, targets, alerts, and counts. To drill into a slice of the alert counts or any specific event in the Active Channel, double-click it and use the Inspect/Edit Panel to view the normalized fields and categorization. For reports, the Marketplace content includes default reports that run automatically but do not reflect recent events unless you archive them first. You can explore these reports through the Navigator Panel by expanding paths like "/All Archived Reports/Downloads/Network Monitoring/IDS – IPS Monitoring" to view or run the reports of interest.

The text provided is a summary of a demonstration showcasing the value of ArcSight Marketplace in enhancing compliance with standards like ISO 27002. The demonstration navigates through various components of the ArcSight platform, including dashboards, archived reports, and specific modules for tracking regulatory compliance. Key points: 1. Introduction to ArcSight Marketplace as a hub for exploring security content, apps, documentation, community sharing, and SIEM best practices related to ArcSight. 2. The demonstration starts by logging into the ArcSight Console as an administrator and accessing modules such as IT Governance 3.0 and ISO Sections Overview. 3. Existing notifications or cases are acknowledged and cleared before reviewing archived reports and images such as "ISO 11.2.1 Revoke Access.jpg" to discuss access control best practices from the ISO 27002 standard. 4. The scenario contrasts manual and automated approaches to compliance reporting, focusing on how ArcSight tracks regulatory compliance by automatically maintaining lists when Active Directory accounts are disabled and showing the former employees active list through reports. 5. The closing points emphasize using ArcSight to track compliance within an organization effectively, starting with the Replay agent and focusing on improving regulatory compliance practices.

This text discusses the challenges of compliance regulations, particularly in managing former employee access controls. The author highlights the inefficiency of manual log reviews and how they can lead to errors or missed issues. To address these problems, ArcSight automates the log review process and alerts users about potential non-compliance. The system automatically identifies former employees who have accessed systems and generates alerts for them, letting auditors identify compliance issues quickly without manually cross-referencing lists of former employees against extensive logs.
The ArcSight Console provides an automated way to detect, investigate, and report on these access attempts, making it easier for organizations to demonstrate compliance with ISO standards such as 27002-11779. The solution includes a dashboard that displays the current compliance status of the sections of the ISO standard. Red alerts indicating non-compliance in a specific area, such as section 11, can be double-clicked to show the underlying correlation events and the reason the issue occurred. The system uses lists both for tracking and to support correlation across different logs and data sources.

The text goes on to discuss using ArcSight, a security information and event management (SIEM) tool, to monitor and manage former employee accounts. Key features include dynamic population of a privilege list from user activity in Active Directory, automatic updating when accounts are deleted, direct loading from text files, and advanced correlation rules that can identify compromised accounts or potential zero-day attacks. ArcSight compares the user name of each incoming event against the stored list, which is loaded into memory for quick processing. If an account is removed from Active Directory, ArcSight automatically adds the user name to the list, keeping the control up to date; users can also import text files directly to update the list, which makes managing access controls more flexible and responsive. For compliance and reporting, ArcSight provides automated reports on IT governance, allowing quick retrieval of archived information that previously had to be filtered manually. This includes detailed reports on former employee account access, with options for scheduling and automatic email delivery, which help organizations maintain visibility over their security and compliance status.
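The list-based correlation just described reduces to a few moving parts: a list of revoked accounts kept in memory, automatic additions when the directory disables or deletes an account, manual seeding from a text file, and a lookup of every logon's user name against the list. The Python below is an added example written for this page, not ArcSight content or the page author's code. The event field names, the sample events and the seed file are constructed for the example; the Windows Security event IDs 4725 (account disabled), 4726 (account deleted) and 4624 (successful logon) are real values.

```python
"""Former-employee list correlation (added example, not ArcSight code).

A watch list of account names is kept in memory, the way an ArcSight active
list would be, and every incoming event is checked against it.
Field names and sample events are constructed for this example."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Windows Security event IDs (real values): account disabled / deleted, and logon.
ACCOUNT_REVOKED_EVENT_IDS = {"4725", "4726"}
ACCOUNT_LOGON_EVENT_ID = "4624"


@dataclass
class FormerEmployeeList:
    """In-memory list of revoked account names (compared case-insensitively)."""
    accounts: Set[str] = field(default_factory=set)

    def import_text_file(self, text: str) -> int:
        """Load one account per line; blank lines and '#' comments are ignored.
        Returns the number of names newly added."""
        added = 0
        for line in text.splitlines():
            name = line.strip().lower()
            if name and not name.startswith("#") and name not in self.accounts:
                self.accounts.add(name)
                added += 1
        return added

    def process_directory_event(self, event: Dict[str, str]) -> bool:
        """Add the target account when the directory reports it disabled or deleted."""
        if event.get("event_id") in ACCOUNT_REVOKED_EVENT_IDS:
            self.accounts.add(event["target_user"].lower())
            return True
        return False

    def is_former_employee_logon(self, event: Dict[str, str]) -> bool:
        """True when a successful logon names an account on the list."""
        return (event.get("event_id") == ACCOUNT_LOGON_EVENT_ID
                and event.get("target_user", "").lower() in self.accounts)


def run_correlation(events: Iterable[Dict[str, str]],
                    seed_list_text: str = "") -> List[Dict[str, str]]:
    """Process events in arrival order; return one alert per former-employee logon.

    Logons that happened before the account was revoked are not alerts, which is
    why the list is updated inline rather than built up front."""
    watch = FormerEmployeeList()
    watch.import_text_file(seed_list_text)
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if watch.process_directory_event(ev):
            continue
        if watch.is_former_employee_logon(ev):
            alerts.append({"time": ev["time"], "user": ev["target_user"],
                           "host": ev["host"]})
    return alerts


# Constructed sample event stream (not real log data).
SAMPLE_EVENTS = [
    {"time": "2025-04-01T09:00:00", "event_id": "4624", "target_user": "jdoe", "host": "fileserver01"},
    {"time": "2025-04-01T17:30:00", "event_id": "4725", "target_user": "jdoe", "host": "dc01"},
    {"time": "2025-04-02T02:14:00", "event_id": "4624", "target_user": "JDOE", "host": "vpn-gw"},
    {"time": "2025-04-02T08:00:00", "event_id": "4624", "target_user": "asmith", "host": "fileserver01"},
    {"time": "2025-04-02T08:05:00", "event_id": "4624", "target_user": "bwong", "host": "fileserver01"},
]
# Constructed seed list, as an HR export imported from a text file would look.
SEED_LIST_TEXT = "# accounts terminated last quarter\nbwong\n"

if __name__ == "__main__":
    for alert in run_correlation(SAMPLE_EVENTS, SEED_LIST_TEXT):
        print("former-employee logon:", alert)
```

Two details matter for the audit story the page makes: the comparison is case-insensitive, because the same account appears as `jdoe` in the directory event and `JDOE` in the VPN logon, and the logon at 09:00 on 1 April is not reported because it predates the account being disabled.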
Additionally, the tool supports NetFlow use cases, including setup procedures for managing notifications and cases, as well as monitoring top port usage, bandwidth, source/target countries, and Microsoft SQL Server performance through customizable dashboards. The dashboard layout can be switched to a circular format for better visualization. Overall, ArcSight enhances security operations with an automated, comprehensive solution that supports both real-time analysis and historical reporting. To summarize the provided instructions and talking points, follow these steps: 1. **Navigate to the Reports resource:**

  • Open the Reports, Archives tab.

  • Expand the entire tree under the /ArcNet Archived Reports group.

  • The reports are stored in PDF format in the Report Archives.

  • Navigate to the /NetFlow folder which contains NetFlow Reports.

2. **Hide the Navigator and Inspect/Edit panels and leave the Console open:**

  • This will allow you to focus on the specific tasks at hand.

3. **Start the Demo Replay Connector:**

  • Select the event files: NetFlow_IdentityView_v2.0.events.

  • Start replaying these files at a rate of 50 events per minute.

  • After approximately 2-3 minutes, adjust the replay speed to about 25 events per second if necessary.

4. **Show the Dashboards:**

  • **Top Bandwidth by Actor:** This dashboard provides a high-level view of bandwidth usage categorized by identity and country using NetFlow data. It can be modified to include cross-product and cross-vendor views across all devices in the environment.

  • **Top Port and Bandwidth Usage:** Displays which ports are used, distinguishing between well-known ports (0-1023) and registered/dynamic ports (1024-65535). It also shows bandwidth usage per top registered/dynamic ports.

  • **Top Source and Target Countries:** Helps to understand the origin and destination of traffic from a country perspective, with information about bandwidth used by target countries.

  • **Microsoft SQL Server Monitoring:** Monitors Microsoft SQL Server traffic on port 1433 within the environment. The corporate security policy requires that all Microsoft SQL Servers be deployed in the DMZ segment (Target Zone Name: sj-arcnet-dmz). According to this dashboard, traffic is being routed to the desktop segment (Target Zone Name: sj-arcnet-desktops), which might indicate an unauthorized installation.

This summary captures the main tasks and objectives outlined in the instructions, emphasizing the use of NetFlow reports for analysis and the specific dashboards provided for visualizing network data.

In this segment, we explore how monitoring of Microsoft SQL Server can be configured for network activity such as policy violations, how correlation rules generate notifications, and how events are investigated in real time in the ArcSight Console. A "Worm Outbreak" use case illustrates these tools in practice. First, we configure Microsoft SQL Server monitoring for out-of-policy activity such as unauthorized access attempts or policy violations, by setting up correlation rules and notifications that alert the responsible parties when such incidents occur. Optionally, you can investigate these events in detail by double-clicking on specific targets, such as the "sj-arcnet-desktops" Target Zone Name. Next, we review the archived reports ArcSight provides for insight into bandwidth usage and traffic distribution across hosts. The "Bandwidth Usage by Port" report highlights the top bandwidth-consuming port in the environment, while the "Top Bandwidth Hosts" report identifies the largest contributors, such as 192.168.6.101 with the highest bandwidth usage. To investigate that host's traffic, the "Detailed Traffic by Host" report gives a more granular view of its network activity. The demonstration then replays the worm outbreak events at 200 EPM using the Replay Agent and opens the ArcSight Console with all dashboards closed except the "Worm Outbreak" dashboard.
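The SQL Server policy check behind the dashboard above (port 1433 traffic must land in sj-arcnet-dmz, and traffic into sj-arcnet-desktops is suspect) together with the "Bandwidth Usage by Port" and "Top Bandwidth Hosts" reports can be expressed as a short piece of detection logic over flow records. The following Python is an added example written for this page, not ArcSight content or the page author's code. It generalizes the page's single rule to any port-to-zone policy: each flow's target address is resolved through a zone model, flows on a policed port whose target zone is not allowed are reported, and the two bandwidth views are computed from the same records. The zone address ranges, the record field names and the sample flows are constructed; only the two zone names and the port number come from the page.

```python
"""NetFlow records checked against a zone model and a port-placement policy
(added example, not ArcSight content). Only the zone names sj-arcnet-dmz and
sj-arcnet-desktops come from the page; the address ranges, field names and
flow records are constructed."""

import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MSSQL_PORT = 1433

# Constructed network model: zone name -> address block (assumption).
ZONES = {
    "sj-arcnet-dmz": ipaddress.ip_network("172.17.1.0/24"),
    "sj-arcnet-desktops": ipaddress.ip_network("192.168.6.0/24"),
    "sj-arcnet-servers": ipaddress.ip_network("10.10.0.0/16"),
}

# Policy: zones allowed to host a listener on a given destination port.
# Here: SQL Server (1433) only in the DMZ, as the dashboard talking point states.
ALLOWED_ZONES_BY_PORT = {MSSQL_PORT: {"sj-arcnet-dmz"}}


def zone_of(ip: str) -> Optional[str]:
    """Resolve an address to its zone; None for addresses outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def find_policy_violations(flows: List[Dict]) -> List[Dict]:
    """Return flows whose target port is policed and whose target zone is not
    an allowed one. Unmodelled targets (zone None) are reported too, since an
    unknown host answering on 1433 is exactly what the policy should surface."""
    violations = []
    for flow in flows:
        allowed = ALLOWED_ZONES_BY_PORT.get(flow["dst_port"])
        if allowed is None:
            continue  # port not covered by policy
        zone = zone_of(flow["dst_ip"])
        if zone not in allowed:
            violations.append({
                "src_ip": flow["src_ip"], "dst_ip": flow["dst_ip"],
                "dst_port": flow["dst_port"], "target_zone": zone,
                "bytes": flow["bytes"],
            })
    return violations


def bandwidth_by_port(flows: List[Dict]) -> List[Tuple[int, int]]:
    """Bytes per destination port, largest first (the 'Bandwidth Usage by Port' view)."""
    totals: Dict[int, int] = defaultdict(int)
    for flow in flows:
        totals[flow["dst_port"]] += flow["bytes"]
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def bandwidth_by_host(flows: List[Dict]) -> List[Tuple[str, int]]:
    """Bytes sent per source host, largest first (the 'Top Bandwidth Hosts' view)."""
    totals: Dict[str, int] = defaultdict(int)
    for flow in flows:
        totals[flow["src_ip"]] += flow["bytes"]
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


# Constructed flow records (not real NetFlow data).
SAMPLE_FLOWS = [
    {"src_ip": "192.168.6.101", "dst_ip": "172.17.1.20",  "dst_port": 1433, "bytes": 52000},
    {"src_ip": "192.168.6.101", "dst_ip": "192.168.6.55", "dst_port": 1433, "bytes": 8100},
    {"src_ip": "192.168.6.103", "dst_ip": "10.10.3.4",    "dst_port": 443,  "bytes": 40000},
    {"src_ip": "192.168.6.103", "dst_ip": "192.168.6.55", "dst_port": 1433, "bytes": 3000},
    {"src_ip": "192.168.6.101", "dst_ip": "203.0.113.7",  "dst_port": 1433, "bytes": 500},
]

if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_FLOWS):
        print("SQL Server traffic outside the DMZ:", v)
    print("bandwidth by port:", bandwidth_by_port(SAMPLE_FLOWS))
    print("bandwidth by host:", bandwidth_by_host(SAMPLE_FLOWS))
```

The two flows to 192.168.6.55 are the page's scenario (a SQL Server answering in the desktop segment); the flow to 203.0.113.7 shows why an address missing from the zone model should be reported rather than silently skipped.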
We analyze different data monitors, including Worm Propagation by Host and Zone, which shows how the worm spreads from one host to another across the network zones. The "Worm Infected Systems" report identifies infected hosts that need to be cleaned up, while the statistical data monitor shows the detection mechanism ArcSight uses to detect such outbreaks. In summary, this segment explains how to use Microsoft SQL Server monitoring and ArcSight for network monitoring and demonstrates these tools against simulated security incidents like a worm outbreak, providing actionable insight into network traffic, host activity, and potential threats.

The passage then discusses enhancing security with ArcSight ESM/Express by leveraging advanced correlation rules and notifications for more efficient event management. Users can receive alerts on a dedicated notification screen, an alternative to constant console monitoring. The demonstration double-clicks a notification to open the event inspector, where one can explore the rule chain, the content of the events, and the details of how the pieces of information were correlated. The passage concludes that with such tools organizations can rapidly identify and respond to security incidents, including potential zero day attacks, improving the overall efficiency of security operations. It also mentions the comprehensive automated reporting provided by ArcSight ESM/Express, which improves visibility into both security and compliance.

This document outlines a series of steps for using the "IdentityView 2.0" feature within an ArcSight system, focusing on actor management and privileged user monitoring.
The process involves several tasks, including configuring event graph options, using the Inspect/Edit panel, setting up a demo replay connector with specific events, and reviewing reports related to identity investigations. **Steps Overview:** 1. **Actor Management > Actor Overview**: an overview of how actors are managed in the system, likely focusing on user profiles and roles. 2. **ArcNet Dashboards > IdentityView v2.0 > Privileged User Monitoring > Identity Investigation**: where investigations of privileged users are conducted. 3. **Top Bandwidth by Actor**: analysis of bandwidth usage per actor. 4. **Login Activity by Department**: login activity broken down by department. 5. **Open the Active Channel: /ArcNet Active Channels/IdentityView v2.0/Actor Investigation – Mario Rossi**: a detailed view of a specific actor's actions, in this case Mario Rossi. 6. **Open the Navigator and browse to the Reports resource**: find the IdentityView v2.0 reports under "Report Archives". 7. **Open the Navigator and browse to the Actors resource**: the list of all actors in the system, for further management or investigation. 8. **Configure your ArcSight Console Event Graph options**: customize the event graph display settings to visualize network activity more clearly. 9. **Hide the Navigator and Inspect/Edit panels**: simplify the interface while keeping the detailed views reachable in the console. 10. **Start the Demo Replay Connector**: replay the specified events (see points 10a-c) to recreate the scenarios for analysis, starting at a faster pace and adjusting as needed. **Additional Notes:**

  • The document also mentions configuring settings such as "Show Event Nodes", "Source/Target Node Identifier", and setting up an "Organic Layout" for graphs.

  • It highlights the importance of user context enrichment within the ArcSight system to support detailed investigations and reporting, especially in privileged user monitoring scenarios.

This guide is structured around enhancing monitoring of identity and access management by enriching event data with user context, enabling more informed decisions about privileged users' network activities.

To build identity correlation from a directory service such as Active Directory through the ARCNET.COM integration, follow these steps: 1. Open the Viewer Panel to display the Dashboard. 2. In the Navigator Panel, select the model and connect to either a directory system or the Actors resource. Expand the ARCNET.COM identity management system, then expand the Actor model, which includes groups such as Contractors and Employees; this shows all users created through this integration. 3. When connecting to Active Directory via the ARCNET.COM domain, pull in all user information from your domain. The system automatically groups these users by their Organizational Unit (OU) in Active Directory, creating OU-specific subgroups that represent the different accounts and organizational units. 4. Close the Viewer Panel and double-click an Actor to open the Inspect/Edit Panel. Here you can view detailed information about the user, including all user attributes from Active Directory such as full name, employee type (e.g., full time), status (active), department (e.g., Marketing), and the account identifiers used to access the various network systems or applications.

The text then explains that users within an organization have multiple identifiers across various systems and applications, which makes it hard to determine exactly what each user did. To address this, the concept of an "Actor" was introduced for the users imported from Active Directory: each user is represented by an actor and assigned roles automatically based on group membership.
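The actor concept described in this section, and the Actor Overview and Actor Roles Overview statistics described next (accounts per actor, active and disabled counts, group counts, largest groups, OU subgroups), can be made concrete with a small in-memory model. The Python below is an added example written for this page, not ArcSight's IdentityView implementation or the page author's code. The directory records, group names and account IDs are constructed for the example; the role names Account Managers and Internal Employees and the department names Marketing and Information Technology are taken from the page, and the group-to-role mapping is an assumption.

```python
"""Minimal actor model of the kind IdentityView builds from Active Directory
(added example, not ArcSight's implementation). Directory records, group
names and account IDs are constructed; the role names and department names
are taken from the page."""

from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Actor:
    full_name: str
    ou: str                      # Active Directory organizational unit
    department: str
    employee_type: str           # e.g. "full time", "contractor"
    status: str                  # "active" or "disabled"
    groups: List[str]
    accounts: Dict[str, str] = field(default_factory=dict)  # system -> account ID


# Group membership -> role, as an identity system would assign it (assumption).
ROLE_BY_GROUP = {
    "Sales-Managers": "Account Managers",
    "Domain Users": "Internal Employees",
}


def roles_for(actor: Actor) -> List[str]:
    """Roles derived automatically from the actor's group memberships."""
    return sorted({ROLE_BY_GROUP[g] for g in actor.groups if g in ROLE_BY_GROUP})


class ActorModel:
    """Actors keyed by a stable ID, plus a reverse index from (system, account)."""

    def __init__(self) -> None:
        self.actors: Dict[str, Actor] = {}
        self._by_account: Dict[Tuple[str, str], str] = {}

    def add(self, actor_id: str, actor: Actor) -> None:
        self.actors[actor_id] = actor
        for system, account_id in actor.accounts.items():
            self._by_account[(system, account_id.lower())] = actor_id

    def resolve(self, system: str, account_id: str) -> Optional[Actor]:
        """Map an account seen in an event back to the actor who owns it."""
        actor_id = self._by_account.get((system, account_id.lower()))
        return self.actors.get(actor_id) if actor_id else None

    def by_ou(self) -> Dict[str, List[str]]:
        """OU-specific subgroups, as the directory import creates them."""
        groups: Dict[str, List[str]] = {}
        for actor in self.actors.values():
            groups.setdefault(actor.ou, []).append(actor.full_name)
        return groups

    def overview(self) -> Dict:
        """The Actor Overview / Actor Roles Overview statistics."""
        statuses = Counter(a.status for a in self.actors.values())
        accounts_per_actor = Counter(len(a.accounts) for a in self.actors.values())
        group_sizes = Counter(g for a in self.actors.values() for g in a.groups)
        return {
            "total_actors": len(self.actors),
            "active": statuses["active"],
            "disabled": statuses["disabled"],
            "accounts_per_actor": dict(accounts_per_actor),
            "group_count": len(group_sizes),
            "largest_groups": group_sizes.most_common(3),
        }


def build_sample_model() -> ActorModel:
    """Constructed directory import (not real AD data)."""
    model = ActorModel()
    model.add("mrossi", Actor("Mario Rossi", "Marketing", "Marketing", "full time", "active",
                              ["Domain Users", "Marketing", "Badge-Holders"],
                              {"windows": "mrossi", "unix": "mario", "badge": "B-00412", "vpn": "rossi.m"}))
    model.add("emustermann", Actor("Erika Mustermann", "IT", "Information Technology", "full time", "active",
                                   ["Domain Users", "IT", "Server-Admins", "VPN-Users", "Backup-Operators", "Badge-Holders"],
                                   {"windows": "emustermann", "unix": "erika", "badge": "B-00077"}))
    model.add("cwei", Actor("Chen Wei", "Sales", "Sales", "contractor", "active",
                            ["Domain Users", "Sales-Managers", "Badge-Holders"],
                            {"windows": "cwei", "unix": "chen", "badge": "B-00190"}))
    model.add("jdoe", Actor("Jane Doe", "Engineering", "Engineering", "full time", "disabled",
                            ["Domain Users"], {"windows": "jdoe", "unix": "jdoe"}))
    return model


if __name__ == "__main__":
    m = build_sample_model()
    print(m.overview())
    print(m.by_ou())
    owner = m.resolve("unix", "mario")
    print(owner.full_name if owner else None, roles_for(m.actors["cwei"]))
```

The `resolve` lookup is the piece the rest of the section depends on: a Unix login as `mario`, a badge read for `B-00412` and a Windows logon as `mrossi` all map to the same actor, which is what lets a dashboard such as Top Bandwidth by Actor aggregate per person rather than per account.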
The text describes a dashboard called "Actor Overview", which provides general statistics about the number of actors (users) and their associated account IDs, indicating that most users have 3 to 4 accounts each across the platform. The Actor model helps attribute activity to a specific actor by assigning roles based on group membership, whether in a more sophisticated identity management system or in groups such as Account Managers and Internal Employees. The dashboard gives statistics such as the total number of active and disabled actors, which feed correlation rules that track activity from potentially compromised accounts. The dashboard titled "Actor Roles Overview" provides a detailed view of the organization's Active Directory environment through the IdentityView integration. It lets users monitor account statuses, network activity from terminated employees, and breakdowns by Organizational Unit (OU). It also shows the number of groups created in the actor model and their distribution across departments such as Information Technology and Marketing. In this dashboard:

  • The first panel reveals that there are 95 groups in Active Directory.

  • Users can examine group memberships based on the number of groups they belong to, with specific examples showing users like Erika Mustermann who is a member of 6 AD groups.

  • On the top right, one can view the largest groups by user count, highlighting potential inefficiencies or overuse of group membership in large organizations.

The dashboard also includes "Top Bandwidth by Actor," where information from previous events and insights are synthesized to provide a bandwidth overview per actor. This feature leverages the comprehensive user context gathered through IdentityView for more refined analysis and reporting on network activity related to terminated employees, ensuring compliance with least-privileged access principles and suggesting opportunities for optimization in group assignments within Active Directory. The passage describes a dashboard that focuses on user context to analyze network traffic and login activities. By considering the user perspective rather than just the IP address, it enables better correlation of policy enforcement and enhances security by allowing only authorized users access to specific systems or applications based on their department. This approach helps in building stronger correlations from a policy standpoint, avoiding potential compliance issues, insider threats, and misconfigurations related to unauthorized access. When something happens in the ArcSight system, like an employee badging into a server room after hours, it sends me a notification so I can take action right away. The notifications show up on a dashboard where all pending acknowledgments are listed. If I don't acknowledge them quickly, they could escalate and my manager would be notified. To stop the automatic escalation, I click "Acknowledge" which moves the notification from the pending to the acknowledged queue. Now I can investigate further by double-clicking on the specific notification. This opens more details in a panel where it explains that an employee has badged into the server room after hours and who this employee is. The notification also shows the base event that triggered this action, helping me understand what happened exactly. This is a security alert triggered by a single badge event involving Mario Rossi. 
The alert was generated through correlation of three components: the badge event itself, the role of the user (in this case, Mario Rossi), and the time of day. The badge event initially showed a cryptic username without any recognizable information, but after identity correlation in the ArcSight system, it revealed that Mario Rossi is actually part of the Marketing department. The alert highlighted that during non-business hours, there should be no business reason for him to access the data center, which was considered a violation. To investigate further, we can look at details from the badge event and use the ArcSight system to analyze all activities related to Mario Rossi in the past few days using the Active Channel feature. This allows us to see his activity across different systems without manually searching through logs. The passage describes an advanced method for analyzing network activity using security tools like Blue Coat and Cisco, focusing on identifying specific user activities through session correlation. It explains how events are correlated to identify who is logged into which machine at what time. For instance, if a Microsoft login event occurs on a workstation assigned to Mario Rossi during his working hours, subsequent network traffic from the same IP address (192.168.6.103) can be confidently attributed to him due to session correlation. Moreover, it highlights the use of ArcSight, an advanced security analytics tool that allows for complex queries and filtering capabilities. By setting up a filter like "Show me everything that Mario Rossi did," the system automatically retrieves all related activity data from various sources including Microsoft logins, Unix sessions, and network traffic. This method helps in detecting suspicious activities originating from different countries (e.g., China, Brazil), which could potentially indicate unauthorized access or malicious behavior. 
Finally, selecting all events in the Active Channel and opening an Event Graph visualizes them together, so the analyst sees the whole sequence of activity across devices and networks at once. Laid out hierarchically, the graph reads from a successful login that opens Mario's session on his desktop, to web browsing blocked by the Blue Coat proxy (attempts to reach personal email), to an SSH connection from the desktop to a Unix machine, where the activity continues with job-hunting sites and what look like downloads of hacking tools. Correlated Cisco NetFlow events add heavy traffic to anonymous foreign sites and to a known hacking site in China, which points to possible data leakage or sabotage. On that basis the matter is escalated to human resources.

The after-hours badge event has already been recorded in ArcSight's case management. In the Navigator panel, open the Cases resource and double-click the case "Employee Badged Into Server Room After Hours – Mario Rossi" to open it in the Inspect/Edit panel, where stage, impact and severity can be set and users assigned. The Events tab lists both the correlated alert and the base events that triggered it.
To add evidence, lock the case for editing, select the relevant events in the Active Channel, and right-click to add them to the case; they become part of the case record. The Event Graph can be attached too: right-click and choose "add graph view" to store it as a JPEG attachment, so anyone reviewing the case later sees the picture without reloading the data or rebuilding the graph. Reports round out the evidence package:

1. "Archived Report Activity for Specific Actor – Mario Rossi", which takes a time window and an actor name as parameters (for example a start time of "$Now – 1h", an end time of "$Now", and the actor's name).
2. "All Activity for Specific Actor", a summary of everything a user did over a period, including the applications accessed and the network traffic involved.
3. Automatically generated reports such as "49Hours Building Accesses and Physical Access" and "System Events", which collect a user's data even where the raw events carry no username and the attribution comes from session correlation.
Together these give human resources or legal a structured package that justifies opening a formal investigation of the user.

The next use case, built for IdentityView v2.0, covers shared accounts: several people using one account, and the policy requirements around that. The demo again starts in the ArcSight Console: clear pending notifications and delete their cases, open the relevant dashboards and reports, and start the demo replay connector with the predefined event files. When someone logs into a shared account on a server in the monitored network segment, the console raises a notification and starts the workflow. The Alert page is where that workflow begins: the notification is viewed and acknowledged there. The Inspect/Edit panel then shows the details, including the identity name and the 'session opened' events whose target user name is 'root'. Escalations, notifications and case metrics are tracked and can be reported on.
For the shared account logins in sj-arcnet-serverfarm, the console shows who used the shared account and which server segment was involved. The rule uses the Network Model to scope the check to that segment, and the events carry the identity name and department alongside the target user name 'root'. A custom dashboard, "Shared Account Logins", summarizes shared account activity across the environment (source and target addresses, the applications using shared accounts, and so on). It is built on Data Monitors, which update as events arrive, whereas the default dashboards use Query Viewers. Drilling down from the dashboard, for instance on David West's use of a known shared account, means applying a dashboard filter, right-clicking to drill down, and creating an Active Channel with the event details; from there reports give both the summary view (Logins to Known Shared Accounts) and the detail view (Details of Logins).
IdentityView is what traces shared account activity back to a named identity, by user name or by IP, and a default report covers SU and SUDO use of shared accounts across the network model.

The final use case applies IdentityView to MyLegacyApp, an application that lacks proper access control and is accessed through a shared account named SystemUser. For compliance, every SystemUser session needs to be tied back to the person who ran it. The demo steps:

1. Log into the ArcSight Console as admin, acknowledge pending notifications and delete their cases. Open the IdentityView dashboards, including "Login Activity by Department" and "Login Activity by Employee Type", and the archived report on privileged user login sessions for SystemUser.
2. Start the demo replay connector with the pre-selected event files, at 50 events per minute to begin with; the rate can be raised to about 25 events per second depending on system performance.
3. Show the MyLegacyApp Login Sessions dashboard, double-click an activity in the graph Data Monitor to inspect it, and review the IdentityView fields in the Active Channel field set.
4. Right-click a correlated event and choose Correlation Options > Detailed Chain to follow the SystemUser session back to the accountable user, in this case Chan Siu Ming.
5. Run the "MyLegacyApp Login Sessions.pdf" report, which shows SystemUser access over time and is what auditors receive.

IdentityView is still supported but approaching end of sale; User Behavior Analytics is the successor product to consider. Login activity broken down by department, employee type or role (reports such as "Login Activity by Employee Type" and "Archived Report: All Activity for Department") is also useful on its own for deciding what access rights each group should have.
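The session correlation used for Mario Rossi's traffic and the shared-account attribution used for 'root' sessions and SystemUser are the same mechanism: a login event binds a person to a source address for a bounded time, and later events from that address inherit the person. The following is an added Python example of that mechanism over a constructed event set; it is not ArcSight's implementation. The event format, the usernames `mrossi` and `dwest`, the hosts `WS-MR-01`, `WS-MR-02` and `srv-u01`, the second address 192.168.6.104 and the ten-hour `SESSION_TTL` are assumptions; Mario Rossi, David West and 192.168.6.103 come from the page.

```python
"""Session correlation: attribute IP-keyed events (proxy, NetFlow, Unix
'session opened' for root) to the person logged into that workstation.

Added example, not ArcSight's implementation. Event format, host names,
usernames and SESSION_TTL are assumptions made for the demo.
"""
import csv
import io
from datetime import datetime, timedelta

# A workstation login is trusted to explain traffic for this long unless a
# logoff arrives first (assumed policy; tune to the real session lifetime).
SESSION_TTL = timedelta(hours=10)

# Constructed directory lookup (stand-in for IdentityView).
IDENTITY = {"mrossi": "Mario Rossi", "dwest": "David West"}

# Constructed normalised events, already in time order:
# ts,type,src_ip,user,detail   (user is empty for IP-only sources)
EVENTS = """\
2025-03-03T08:02:11,win_login,192.168.6.103,mrossi,WS-MR-01
2025-03-03T08:30:05,proxy,192.168.6.103,,webmail.example DENIED
2025-03-03T09:10:44,unix_session_opened,192.168.6.103,root,srv-u01
2025-03-03T09:12:00,netflow,192.168.6.103,,203.0.113.7 CN
2025-03-03T18:15:00,win_logoff,192.168.6.103,mrossi,WS-MR-01
2025-03-03T19:00:00,netflow,192.168.6.103,,198.51.100.9 BR
2025-03-03T20:00:00,win_login,192.168.6.103,dwest,WS-MR-01
2025-03-03T20:05:00,unix_session_opened,192.168.6.103,root,srv-u01
2025-03-04T07:00:00,win_login,192.168.6.104,mrossi,WS-MR-02
2025-03-04T19:30:00,netflow,192.168.6.104,,198.51.100.9 BR
"""


def correlate(text):
    """Walk events in time order, keeping one active session per source IP.

    Returns a dict per non-login event with an 'actor' field: the resolved
    person, or None when no live session explains the traffic.
    """
    sessions = {}   # src_ip -> (username, login_time)
    records = []
    for ts_s, etype, ip, user, detail in csv.reader(io.StringIO(text)):
        ts = datetime.fromisoformat(ts_s)
        if etype == "win_login":
            sessions[ip] = (user, ts)       # open (or replace) the session
            continue
        if etype == "win_logoff":
            sessions.pop(ip, None)          # explicit close
            continue
        actor = None
        sess = sessions.get(ip)
        # Attribute only inside the TTL: a stale login must not explain
        # traffic twelve hours later (that stays unattributed for review).
        if sess and ts - sess[1] <= SESSION_TTL:
            actor = IDENTITY.get(sess[0], sess[0])
        records.append({"ts": ts.isoformat(), "type": etype, "src_ip": ip,
                        "user": user, "detail": detail, "actor": actor})
    return records


def activity_for_actor(records, name):
    """The 'show me everything Mario Rossi did' filter."""
    return [r for r in records if r["actor"] == name]


def shared_account_logins(records, shared_user="root"):
    """Logins to a shared account, each traced back to a person (or None)."""
    return [(r["ts"], r["detail"], r["actor"])
            for r in records
            if r["type"] == "unix_session_opened" and r["user"] == shared_user]


if __name__ == "__main__":
    recs = correlate(EVENTS)
    for r in activity_for_actor(recs, "Mario Rossi"):
        print(r["ts"], r["type"], r["detail"])
    for ts, host, who in shared_account_logins(recs):
        print(f"root session on {host} at {ts} -> {who or 'UNATTRIBUTED'}")
```

The two unattributed NetFlow records are the important edge case: one follows an explicit logoff, the other a login that has aged past the TTL. An analyst should treat those as gaps in attribution rather than assume the last known user, which is also why the demo stresses having the login sources feeding the correlation before relying on per-actor reports.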
Micro Focus International plc, registered in England and Wales, is the vendor behind ArcSight and IdentityView.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, kindly leave a message and it will be responded to.

@2021 Copyrights reserved.
