ArcSight ESM Express Use Cases with iRock
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
The ArcSight ESM/Express document highlights its capabilities in various use cases, including SIEM (Security Information and Event Management), FIM (File Integrity Monitoring), and data pivoting. Key scenarios include demonstrating how it can monitor multiple systems, track activities, manage access control lists, and support hierarchical policy containers. It also covers the tool's extensibility through provisioning new accounts, adding log event-generating devices, manipulating policies, and retrieving external data for reporting. The document emphasizes its role in anomaly detection, custom parser development, integrations with vulnerability management, endpoint security, network security, and identity management systems, showcasing its versatility and ability to handle complex data scenarios. The footer of the webpage provides information about the plugin's domain (irock.jiveon.com), version number, revision details, copyright by Jive Software, and links to other parts of the website for further assistance.
Details:
ArcSight ESM/Express is a tool used for various use cases including SIEM, FIM (File Integrity Monitoring), and data pivoting. It has been documented with different scenarios to showcase its capabilities in real-world applications. Here are the main use cases highlighted:
1. **SIEM/FIM POC Use Cases**: This involves demonstrating how ArcSight ESM can monitor multiple systems, track activities, manage access control lists (ACLs), and support hierarchical policy containers. The use cases include:
   - Demonstrating everything done across multiple systems.
   - Simultaneous logins using time proximity.
   - Tracking activities when a generic service account is used for all users on the target.
   - Same IP address being used by multiple accounts from different geographical locations.
   - Network authentication differs from application authentication.
2. **Dashboard / Reports**: This includes generating reports and managing access control lists, with specific use cases such as:
   - Grouping IP addresses or ranges by network segment.
   - Tracking applications and people/accounts using correlation rules applied at the system level.
   - Allowing creation of "Sub-Admins" to delegate access controls within their respective containers.
3. **Extensibility**: This involves extending the tool's functionality through:
   - Provisioning new accounts (via API/SDK or scripting).
   - Adding and configuring new log event-generating devices.
   - Manipulating policies, group/tag structure, and general settings.
   - Retrieving data from external sources for reporting purposes.
4. **In Reporting**: This includes using the tool to trigger alerts, run scripts, perform remediation actions, and demonstrate specific features such as:
   - Triggering an alert when a certain condition is met.
   - Executing custom scripts in response to events.
These use cases showcase ArcSight ESM/Express's versatility in security information and event management, providing practical examples of how it can be used across different scenarios and environments.
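The first group of POC use cases (simultaneous logins by time proximity, one source address shared by accounts from different locations, and attributing actions on a target that only logs a generic service account) are correlation rules. The following Python is an added example written for this page, not code from the ArcSight document or from Micro Focus/OpenText; it runs the three correlations over constructed, inline sample events. The field names (`ts`, `user`, `src`, `home`, `account`, `action`), the 5-minute proximity window and the `svc_app` service-account name are assumptions chosen for the illustration, not ArcSight schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the page). AUTH_EVENTS mimic normalized
# network-authentication records; "home" is the region the identity store
# associates with the account (an assumed enrichment field).
AUTH_EVENTS = [
    {"ts": "2025-04-08T09:00:05", "user": "alice", "src": "10.1.1.5", "home": "US"},
    {"ts": "2025-04-08T09:00:40", "user": "alice", "src": "10.1.1.5", "home": "US"},
    {"ts": "2025-04-08T09:02:10", "user": "alice", "src": "203.0.113.9", "home": "US"},
    {"ts": "2025-04-08T09:30:00", "user": "bob", "src": "198.51.100.4", "home": "DE"},
    {"ts": "2025-04-08T09:31:00", "user": "carol", "src": "198.51.100.4", "home": "FR"},
    {"ts": "2025-04-08T10:15:00", "user": "bob", "src": "198.51.100.4", "home": "DE"},
    {"ts": "2025-04-08T11:00:00", "user": "dave", "src": "10.1.1.20", "home": "US"},
    {"ts": "2025-04-08T11:05:00", "user": "erin", "src": "10.1.1.20", "home": "US"},
]

# Constructed application-side records from a target that only logs the
# generic service account, never the human behind the request.
TARGET_EVENTS = [
    {"ts": "2025-04-08T09:03:00", "account": "svc_app", "src": "203.0.113.9", "action": "DELETE /records/42"},
    {"ts": "2025-04-08T09:40:00", "account": "svc_app", "src": "198.51.100.4", "action": "READ /reports/q1"},
    {"ts": "2025-04-08T08:00:00", "account": "svc_app", "src": "192.0.2.77", "action": "READ /health"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def simultaneous_logins(events, window=timedelta(minutes=5)):
    """Use case: one account authenticates from two different source
    addresses within `window` of each other (time proximity).
    Returns (user, src_a, src_b, seconds_apart); the first pair seen per
    (user, src_a, src_b) is reported, later repeats are suppressed."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits, seen = [], set()
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                gap = parse_ts(b["ts"]) - parse_ts(a["ts"])
                if gap > window:
                    break  # events are sorted, so nothing later is closer
                key = (user, a["src"], b["src"])
                if a["src"] != b["src"] and key not in seen:
                    seen.add(key)
                    hits.append(key + (int(gap.total_seconds()),))
    return hits


def shared_ip_multi_home(events):
    """Use case: one source address used by several accounts whose home
    regions disagree. A shared NAT used by colleagues from the same region
    (dave/erin above) is expected and is not flagged."""
    accounts, homes = defaultdict(set), defaultdict(set)
    for e in events:
        accounts[e["src"]].add(e["user"])
        homes[e["src"]].add(e["home"])
    return {src: sorted(accounts[src]) for src in accounts
            if len(accounts[src]) > 1 and len(homes[src]) > 1}


def attribute_service_account(auth_events, target_events, service_account="svc_app"):
    """Use case: the target only records a generic service account. Tie each
    such action to the human whose most recent network login (at or before
    the action) came from the same source address; None if no login is known."""
    logins = sorted(auth_events, key=lambda e: e["ts"])
    out = []
    for t in target_events:
        if t["account"] != service_account:
            continue
        candidates = [a for a in logins
                      if a["src"] == t["src"] and parse_ts(a["ts"]) <= parse_ts(t["ts"])]
        who = candidates[-1]["user"] if candidates else None
        out.append((t["action"], who))
    return out


if __name__ == "__main__":
    print("time-proximity logins:", simultaneous_logins(AUTH_EVENTS))
    print("shared IP, different home regions:", shared_ip_multi_home(AUTH_EVENTS))
    print("service-account attribution:", attribute_service_account(AUTH_EVENTS, TARGET_EVENTS))
```

The attribution rule is only as good as the source-address join: behind a shared NAT the latest login from that address may not be the actor, which is why the output carries the login evidence rather than asserting identity, and why the unresolved case returns `None` instead of guessing.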
The text provided also outlines use cases for anomaly detection and for system integrations in a product like ArcSight SIEM (Security Information and Event Management). Here is a summary of what is discussed:
1. **Anomaly Detection**: There are specific use cases for detecting anomalies based on deviations from normal profiles, including too many events compared to a baseline (UC 30), too few events compared to a baseline (UC 31), and data falling outside normal temporal windows (UC 32). This is crucial for identifying potential security threats or system issues that do not conform to expected behavior.
2. **Custom Parser Development**: The ability to write custom parsers is emphasized, which is essential for handling unique or specialized log formats that are not natively supported by the SIEM tool. This skill allows users to extend ArcSight to accommodate less common data sources.
3. **Product Integrations**: The document mentions several integrations with other security and management products:
   - **Vulnerability Management**: QualysGuard SaaS is integrated for managing vulnerabilities through a vulnerability management system.
   - **Endpoint Security**: McAfee ePolicy Orchestrator (ePO) versions 4.5/4.6, Imperva SecureSphere Web Application Firewall version 8.5, and Snort IDS versions 2.8.x / 2.9.x are integrated for different aspects of security posture management.
   - **Network Security**: Integration with Cisco ASA (Adaptive Security Appliance) and FWSM (Firewall Workstation) firewalls is mentioned.
   - **Identity Management**: Oracle Identity Management or other LDAP IAM solutions are also listed as integration points.
These use cases highlight the versatility of ArcSight SIEM, its ability to handle complex data scenarios through custom parsers, and its robust integration capabilities with a variety of security technologies and tools.
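The anomaly-detection use cases (UC 30, UC 31, UC 32) and custom parser development fit together: a parser turns an unsupported log format into structured events, and the profile comparison runs over those events. The Python below is an added example written for this page, not code from the ArcSight document or from the vendor; it parses constructed lines in a made-up `acme-fw` appliance format (hypothetical, not a real vendor format), then flags hours with too many or too few events against a constructed per-hour baseline and lists events outside an assumed 08:00 to 18:00 activity window. The `k=2` deviation multiplier, the `min_sigma` floor and the `BASELINE_HOURLY` figures are assumptions chosen for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed raw lines in a hypothetical "acme-fw" format (not a real vendor
# format and not from the page) that a stock connector would not understand.
RAW_LINES = [
    "Apr  8 02:14:03 fw1 acme-fw: id=1001 act=ALLOW usr=svc_backup src=10.0.0.7",
    "Apr  8 02:14:09 fw1 acme-fw: id=1002 act=ALLOW usr=svc_backup src=10.0.0.7",
    "Apr  8 02:15:20 fw1 acme-fw: id=1003 act=DENY usr=svc_backup src=10.0.0.7",
    "Apr  8 09:00:10 fw1 acme-fw: id=1004 act=ALLOW usr=alice src=10.1.1.5",
    "Apr  8 09:05:44 fw1 acme-fw: id=1005 act=DENY usr=alice src=10.1.1.5",
    "Apr  8 09:07:00 fw1 acme-fw: id=1006 act=ALLOW usr=bob src=10.1.1.6",
    "Apr  8 09:09:31 fw1 acme-fw: id=1007 act=ALLOW usr=bob src=10.1.1.6",
    "Apr  8 09:12:02 fw1 acme-fw: id=1008 act=ALLOW usr=carol src=10.1.1.9",
    "Apr  8 10:30:00 fw1 acme-fw: id=1009 act=ALLOW usr=alice src=10.1.1.5",
    "this line is garbage and must not crash the parser",
]

# Constructed historical counts for the same hour on prior days; this is the
# "normal profile" the anomaly rules compare against. Hour 2 has never seen
# events, hour 11 normally sees five or six.
BASELINE_HOURLY = {
    2: [0, 0, 0, 0, 0, 0, 0, 0],
    9: [5, 6, 4, 5, 5, 6, 4, 5],
    10: [1, 2, 1, 2, 1, 2, 1, 2],
    11: [5, 6, 5, 6, 5, 6, 5, 6],
}

# The custom parser: one anchored regex with named groups for the fields
# the correlation logic needs.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) acme-fw: "
    r"id=(?P<id>\d+) act=(?P<act>\w+) usr=(?P<usr>\S+) src=(?P<src>\S+)$"
)


def parse_line(line, year=2025):
    """Return a structured event, or None for lines that do not match
    (unparseable input is dropped, not allowed to abort the feed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['hms']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": d["host"], "id": int(d["id"]), "action": d["act"],
            "user": d["usr"], "src": d["src"]}


def parse_all(lines):
    return [e for e in (parse_line(l) for l in lines) if e]


def baseline_deviations(events, baseline, k=2.0, min_sigma=1.0):
    """UC 30 / UC 31: compare today's per-hour counts with the historical
    counts for the same hour. `min_sigma` stops a near-constant baseline from
    turning a one-event difference into an alert. Returns (hour, observed, verdict)."""
    today = Counter(e["ts"].hour for e in events)
    findings = []
    for hour in sorted(set(baseline) | set(today)):
        hist = baseline.get(hour)
        if not hist:
            continue  # no profile for this hour, nothing to compare against
        mu, sigma = mean(hist), max(pstdev(hist), min_sigma)
        observed = today.get(hour, 0)  # an hour with no events today still counts
        if observed > mu + k * sigma:
            findings.append((hour, observed, "UC30 too many vs baseline"))
        elif observed < mu - k * sigma:
            findings.append((hour, observed, "UC31 too few vs baseline"))
    return findings


def outside_temporal_window(events, start=time(8, 0), end=time(18, 0)):
    """UC 32: ids of events whose timestamp falls outside the normal activity window."""
    return [e["id"] for e in events if not (start <= e["ts"].time() < end)]


if __name__ == "__main__":
    events = parse_all(RAW_LINES)
    print(f"parsed {len(events)} of {len(RAW_LINES)} lines")
    print("baseline deviations:", baseline_deviations(events, BASELINE_HOURLY))
    print("outside 08:00-18:00:", outside_temporal_window(events))
```

Note that hour 11 is flagged even though today produced no events for it at all; a rule that only iterates over hours present in today's data would never notice a source that went silent, which is the whole point of UC 31.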
The page footer includes information about the plugin, such as its domain (irock.jiveon.com) and how to ensure it connects successfully. It also carries the Jive Software copyright notice and links to other parts of the website such as "Home," "Top of page," and "Help." The footer gives the version number (2016.1.0.0, revision: 20160301103719.6b9730c.release_2016.1.4) and states that the page is powered by Jive Software.