
ArcSight Implementation in 4 Hours

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 27 min read

Summary:

The provided instructions and summaries outline various functionalities of HP ArcSight Express for event management, reporting, and correlation rules. Here is a detailed breakdown of the information presented:

1. **Accessing the Reports Resource:**

  • Navigate to "Reports" in the HP ArcSight Express interface.

  • Right-click and select "New Report" under the Shared -> All Reports -> Public folder.

  • Provide a name for the report, such as "Windows Login Sessions."

  • Keep the default template settings and configure the data source by selecting "Session Lists" and "Windows Login Sessions."

  • Save and run the report, which will appear in the Reports section under the Public folder.

  • Run the report by right-clicking on it and selecting "Run > Report," then change the format to HTML if needed.

2. **Using Network Tools:**

  • Access network tools via the toolbar or Tools menu.

  • Add, copy, edit, or delete tools as required.

  • Example of running a tool command: select an IP address in a grid view, right-click and select "Tools" -> dropdown menu -> desired option.

  • For example, right-clicking on a port field and selecting "Port Info" will show details in a new window.

3. **Creating Correlation Rules:**

  • Example rule: fire if an event is received three times within 30 seconds.

  • Add Type=Base to avoid recursive errors and ensure proper trigger conditions are met.

  • Correlation of assets categorized as "California Senate Bill 1386."

  • Adding columns like Attacker Address and Target Address for active list correlation.

  • Creating rules based on specific event thresholds, such as the first occurrence of three events within a set time frame.

  • In physical and logical correlation, subnets are filtered using NOT Character Match criteria.

4. **Configuration Change for Attack Detection System:**

  • The attacker's IP address was manually changed to 10.2.1.30.

  • This change is crucial because it affects how network traffic is monitored and analyzed within the organization's security infrastructure.

  • The rule triggered because it matched the subnet pattern 10.2.1.*, indicating a targeted approach towards a specific network segment potentially involved in malicious activities.

  • Adjusting the IP address enhances asset correlation by category, improving the accuracy of threat detection and directing resources efficiently towards the risks associated with this network segment.

This breakdown provides a comprehensive understanding of how to use HP ArcSight Express for security operations, including managing reports, configuring tools, creating effective correlation rules, and enhancing system configurations.

Details:

This document serves as a quick reference guide for HP ArcSight Express and provides general guidance based on discussions with the Sales Engineer. It emphasizes the importance of working closely with the Sales Engineer to fully understand and explore specific needs within the powerful and capable solution offered by HP ArcSight. The letter concludes with a formal notice about the confidential nature of the information provided, stating that it must be kept secure and not shared outside the evaluation team without authorization from HP. Additionally, the document mentions current HP products, sales, and service programs which may be subject to change at HP's discretion. This document outlines a proposal for a solution related to data management, compliance, and cybersecurity within an organization. The terms "solution," "partner," or "partnership" do not imply specific contractual obligations but rather suggest a collaborative working relationship between Hewlett-Packard (HP) and the recipient. HP does not guarantee that its proposed products and services will meet all requirements, and any issues should be addressed with the sales representative. The document also provides an introduction to a console tool designed to assist in data security and compliance efforts, including navigating, viewing, inspecting, editing, searching for fields, creating active channels, filtering events, running network tools, and managing dashboards and data monitors. The purpose of this console is to enhance the management of digital assets within organizations by enforcing compliance and deterring cybercrime through real-time monitoring and analysis. 
The HP ArcSight Security Intelligence Platform (SIP) is an integrated suite designed to collect, analyze, and assess security and risk information, providing comprehensive visibility into IT infrastructure activities for better protection against threats like malware, hackers, data breaches, fraud, application flaws, configuration changes, and compliance issues from audits. It includes leading SIEM products that rapidly identify, prioritize, and respond to cybersecurity incidents by correlating logs, user roles, and network flows. The platform helps safeguard businesses through increased threat awareness and enables swift actions against potential attacks and insider threats. For seven consecutive years, Gartner has positioned HP ArcSight in the Leaders quadrant for SIEM, while IDC has recognized it as the SIEM market share leader. To summarize this text, we're discussing how important it is to protect businesses with automated security and compliance monitoring due to increasing regulations and fines. HP ArcSight offers two consoles - the Express console and the Web console, but for now, we focus on the Express Console. We introduce three main topics for beginners: navigating, viewing, and inspecting and editing resources within the console. Navigating involves using the Navigator panel to locate and manage security resources in your business environment. This is done by selecting a resource tree from a drop-down list, expanding or collapsing groups of resources with + and - signs (or right/left arrow keys), and right-clicking to access context menus for further actions like inspecting or editing data related to the resources. Viewing focuses on how information about security events is displayed in the Viewer panel, which can show various types of views tailored to different needs. The Inspect/Edit panels are used to analyze resource data, allowing users to view or adjust attributes as necessary. 
This combination helps ensure businesses can effectively respond and adapt to potential threats while maintaining compliance with regulatory requirements. The Viewer is a continuously evaluated collection of security-event data where resources like dashboards and channels are shown by right-clicking in the Navigator tree and choosing "Show ". To quickly close views, use Shift+Click on the tabs or right-click to choose Close. Floating the Viewer panel allows it to be separate from other windows, with options to display HTML content automatically including reports, reference pages, and more complex content requiring an external browser for security reasons. The Web Viewer tab has a live link at the top that opens in fully functional external browsers, and you can use standard browser commands by right-clicking within the viewer. Adjusting views is possible through the Navigator panel or by choosing Window>Viewer Panel if needed. The provided text discusses how to interact with the Inspect/Edit panel in a software tool called "Express," which allows users to examine and modify details of events and resources within the application. To utilize active channels and their various views, one should refer to topics under headings such as Monitoring Events, Selecting and Investigating Events, Using Dashboards, Inspecting and Editing. The panel automatically opens when double-clicking an event in a grid view or selecting to edit a resource in the Navigator panel. Alternatively, right-click on an event in a grid view or an item in the Navigator panel's resource tree to access it. If you want to explore the Inspect/Edit panel, you can manually open it using "Window>Inspect/Edit Panel" command and choose options like double-clicking an event in a grid view or right-clicking on an item in the Navigator panel. To close specific editors or inspectors, simply right-click their tabs and select "Close." 
For finding items within Event Inspector, Resource Editors, or CCE (Common Conditions Editor), you can search for fields by clicking any field Name while typing which will display a Search popup that updates as you type. This functionality helps in efficiently navigating through the list of fields. This text provides a summary and explanation of how to use the "predictive" search feature in various tools, such as the Event Inspector and resource editors using field sets and filters. It explains how to view an active channel, sort events within it, and perform other related tasks. Additionally, there is information about setting up a replay connector for specific event files. The text also discusses identifying different types of failed logon attempts in Microsoft Windows systems based on various codes, such as 529 through 540. The provided text outlines the process of creating an Active Channel within HP ArcSight for monitoring Microsoft Windows Security audit log events such as pre-authentication failures and successful logins. 1. **Understanding the Logs**: The article refers to specific Microsoft Windows Security audit log codes which include:

  • 675 – Pre-authentication failed

  • 4624 – An account was successfully logged on

  • 4625 – An account failed to logon

  • 4634 – An account was logged off

These logs are stored in the field called "Device Event Class Id" within HP ArcSight.

2. **Traditional Logging Solutions**: Traditional logging solutions view these log entries in a tabular or grid format, which in HP ArcSight terms are referred to as Active Channels.

3. **Creating an Active Channel**:

  • Navigate to the "Active Channels" section within HP ArcSight.

  • Select the group folder where you want to create the Active Channel (in this case, choose Public).

  • Right-click and select "New Active Channel".

  • Name the channel appropriately, such as "Microsoft Logon Failures".

  • Set the time range for the start of the events. Here, it is set from 30 minutes ago to 10 minutes ago.

  • Enable continuous evaluation by selecting the appropriate radio button.

  • Click OK to create the channel. The resulting active channel will be displayed in the Viewer panel.

4. **Customizing the Display**: By default, the channel named "Microsoft Logon Failures" displays all incoming events. To enhance understanding, add the column for "Device Event Class Id", which shows the event IDs as defined by the vendor. This can be done using the options to Add, Replace, or Remove columns in the grid view. Overall, this process sets up a focused monitoring channel within HP ArcSight tailored to track pre-authentication failures and successful logins on Microsoft Windows systems (here, Windows 2008 R2).

To customize the display of data in a grid view or Event Inspector, you can use several methods, including right-clicking on column headers and selecting options like "Add Column," "Replace This Column," or "Remove This Column." You can also drag and drop columns to reorder them. These actions define which columns are displayed and their order. For instance, to add a new column called "Device Event Class Id" next to the "Name" column, right-click on the "Name" column header and select "Customize Columns > Add Column > Device > Device Event Class Id." This inserts the new column to the right of the "Name" column. You can similarly replace or remove any existing column by selecting "Replace This Column" or "Remove This Column," respectively, from the right-click menu on the column header. You can also drag and drop any column header to rearrange the display according to your preference.

For more advanced customization, especially when dealing with large datasets or specialized contexts like customer accounts or vulnerability information, field sets are useful. Field sets are named subsets of the available data fields that can be managed and applied through the Navigator panel's Field Sets section. They allow you to focus on particular contexts by including the common fields relevant to specific events, such as Microsoft Windows events. To create a field set:

1. Navigate to the Field Sets section in the Navigator panel.

2. Go to Field Sets > Shared.

3. Follow any additional prompts or steps required to define and apply your field set according to your needs.

To summarize this process:

1. **Create a New Field Set:**

  • Right-click on the Public folder and select "New Field Set."

  • Alternatively, use the menu option File > New or click the New Resource button.

  • In the attributes tab, enter the name "Microsoft OS."

  • Go to the Fields tab and add specific fields: End Time, Name, Device Event Class ID, Attacker User Name, Attacker Address, Target User Name, Target Address, Priority, Device Vendor, and Device Product.

  • You can scroll through available fields or search for them by typing in the "Search for" field.

  • Add fields to the list in the "Selected Fields" section. You can save your changes with "Apply" or finalize with "OK."

2. **Apply the Field Set:**

  • Right-click on any field header and choose "Field Sets > Select Field Set."

  • In the Field Sets Selector dialog, select the "Microsoft OS" field set you created. Click OK to apply it to the active channel.

  • The active channel will now display columns as per the selected field set.

3. **Create a Filter:**

  • To filter events in the active channel or use them later:

  • Double-click in the grey area next to "Start Time / End Time / Filter" at the top of the active channel.

  • Define conditions for your filter by selecting appropriate attributes and values, then click OK to apply the filter.

  • Filters help focus on specific event attributes, reducing the number of events processed by the system. They are used for monitoring, analysis, and reporting as well.

To filter for specific Windows logon failure events, follow these steps:

1. **Access the Filter Panel**: Open the panel where you can define filters. This is typically found on the right side or at the top of the screen in a window that allows you to inspect and edit settings.

2. **Navigate to the “Filter” Tab**: In the filter section, go to the “Filter” tab to set criteria for displaying only the events you are interested in.

3. **Select the Device Vendor Field**: Scroll down in the list of fields under “Device” or use the search bar at the bottom of the window to find “Device Vendor” and select it.

4. **Set the Condition**: In the condition field next to “Device Vendor”, enter "Microsoft". You can also click on the dropdown arrow next to the field to see a list of vendors, but for this example, type it directly.

5. **Define the Operator (op)**: The operator box immediately to the left of the condition should automatically populate with an equals sign (=). If not, select "=" manually.

6. **Apply the Filter**: Click “Apply” to save your selection and continue adding more fields. The filter criteria at the top now include Microsoft as the device vendor.

7. **Add the Event Class ID Field**: Scroll up or search for “Device Event Class Id” in the list of available fields under Device.

8. **Set the Operator (op) to “In”**: Click on the "op" box next to "Device Event Class Id" and choose "In" from the operator list, which matches events whose value is one of a listed set.

9. **Enter Specific Events**: In the condition field beside "op", enter the event codes you are interested in: Security:529, Security:533, Security:681, and Microsoft-Windows-Security-Auditing:4625. Separate these codes with a comma (,).

10. **Apply the Filter**: Click “Apply” again to finalize your filter settings.

11. **View Results**: The filtered events should now display in the active channel of the viewer center panel, showing only the selected Windows logon failure events.

12. **Optional: Additional Filter Example**: For reference, hovering over "Device Event Class Id" will show a detailed view of your event conditions. Here, you would choose "In" and select all relevant Microsoft security codes as per your interest. This is an advanced example to demonstrate the versatility of filters in the tool.

By following these steps, you can filter for specific Windows logon failure events using the defined criteria. To summarize the process of creating an Active Channel named "Microsoft Logon Failures" in ESM (ArcSight Enterprise Security Manager), follow these steps:

1. **Create New Active Channel:**

  • Navigate to the Navigator panel and select "Active Channels" from the Resources drop-down list.

  • Expand the Public folder, right-click on it, and select "New Active Channel."

  • In the New Active Channel window, type "Microsoft Logon Failures" in the Channel Name field.

  • Set the Use as Timestamp to "End Time" and configure the time parameters to "Continuously Evaluate."

  • Click OK to create the channel.

2. **Customize Displayed Fields:**

  • In the Viewer Panel, right-click on any column header and select "Customize Columns -> Add/Remove Columns."

  • Add the following categories: Category Behavior and Category Outcome.

  • Repeat this step to add Device Event Class ID.

3. **Define Filter Conditions:**

  • Open the inspector panel by double-clicking just to the right of the start time.

  • Go to the "Filter" tab, set the following conditions:

  • Device Vendor = Microsoft (operator "=", condition "Microsoft").

  • Device Event Class Id: In (Condition) with values (Security:529, Security:533, Security:681, Microsoft-Windows-Security-Auditing:4625).

  • Click OK to apply the filter.

4. **Create a Global Filter:**

  • From the Viewer Panel, select "Microsoft Logon Failures."

  • Copy the filter conditions and create a global filter that can be used by all users with appropriate permissions.

By following these steps, you will have an active channel filtering Microsoft Windows security logon failure events as specified. The process outlined next creates a new, reusable filter from the conditions defined in an active channel. Here’s a step-by-step summary of what to do:

1. **Identify the Grey Area**: Locate and double-click on the grey area to the right of the "Start Time," "End Time," and "Filter" fields in your workspace.

2. **Access the Inspector Panel**: In the inspector panel that appears, click on the "Filter" tab.

3. **Copy Filter Definition**: Right-click on the "& AND" condition within the filter settings and select "copy."

4. **Navigate to Navigator Panel**: Go to the navigator panel and use the dropdown menu to access the "Filters" section.

5. **Create a New Filter**:

  • Name your new filter as "Microsoft Logon Failure Events."

  • Paste in the copied filter definition by right-clicking on the "{Event}" condition and selecting "paste."

6. **Save Your Work**: Click "Apply" to finalize and save your newly created filter.

7. **Replace Old Filter**:

  • Open the active channel where you initially set up the "Microsoft Logon Failures" filter.

  • Delete the existing detailed filter.

  • In the condition editor, right-click on the "{Event}" condition and choose delete to remove it.

8. **Create a New Matches Filter Condition**: Right-click on the event heading and select "New 'Matches Filter' Condition." Choose the newly created filter ("Microsoft Logon Failure Events") from the public folder.

9. **Finalize**: This completes the setup of your new global filter in the active channel.

By following these steps, you create a reusable filter for your data analysis within the platform. To summarize the steps for working with inline filters in an Active Channel viewer:

1. **Delete "& AND"**: Right-click on the "& AND" and select "Delete".

2. **Create New Matches Filter Condition**: Right-click on "{Event1}" and choose "NEW 'Matches Filter Condition'".

3. **Choose Filters**: Go to "Filters" -> "Shared" -> "All Filters" -> "Public" -> "Microsoft Logon Failure Events", then click "OK".

4. **Add In-Line Filter**:

  • Click in the grey area near the "Inline Filter" above the radar.

  • A column of all headings will appear, click on the Target User Name field, and select your desired value (e.g., "mjohnson").

  • Click the small "Apply" button in the filter section. If no values appear, widen the time window by setting the start time to an earlier value.

5. **Save Inline Filter**: Right-click on the inline filter condition in the Active Channel Viewer panel, select "Save Inline Filter" from the context menu, then follow the prompts to save it under Filters -> Shared -> All Filters -> Public with a name like "Target User Name – mjohnson".

6. **Closing an Active Channel**: If you add an inline filter and close the Active Channel, the system will prompt you to save the criteria set in the Inline Filter as part of the active channel's filter criteria. You can choose to do so by clicking "Yes".

7. **Saving Later or for Others**: The saved inline filter is available to other users who view Filters -> Shared -> All Filters -> Public from the Navigation pane.

These steps help in managing and filtering data within an Active Channel, especially when you need to focus on specific details like a particular user name. To create a Data Monitor showing the last 10 Windows logon failure events in ArcSight:

1. **Navigate to Dashboards and Data Monitors**: Open ArcSight and go to the Navigator Panel. Select "Dashboards" from the dropdown arrow and then click on the "Data Monitors" tab.

2. **Create a New Data Monitor**: Right-click on the "Public" folder and choose "New Data Monitor". This opens the "Data Monitor Editor" window where you can configure your settings.

3. **Configure the Data Monitor**:

  • Under the "Attributes" tab, select "Last N Events" from the "Data Monitor Type" dropdown list.

  • Name your data monitor as "Last 10 Logon Failure Events".

  • Enable the data monitor by checking the box next to "Enable Data Monitor".

  • Restrict the data monitor by selecting the "Microsoft Logon Failure Events" filter that you previously created in the "Public" folder.

  • Click OK to save your changes and close the panel, or click Apply if you want to keep the editor open for further adjustments.

4. **Add Data Monitor to a Dashboard**: Before proceeding, ensure no dashboards are open on the viewer screen. Then, right-click on the newly created data monitor "Last 10 Logon Failure Events" and select "Add to Dashboard As" -> "Table". This displays your logon failure events in table format on the dashboard. This process lets you monitor and visualize specific logon failures using ArcSight's Data Monitor feature, giving quick access to critical information about system login activity.

The text describes a process to create and customize a dashboard using a data monitor. Here's a summary of the steps involved:

1. **Creating a New Dashboard**: A new, untitled dashboard is created where events are displayed as they happen, because the data monitor is evaluated in real time.

2. **Filtering Events**: The same filter used for creating the active channel and the data monitor is applied, so the event data from both sources stays consistent.

3. **Verification through Active Channels**: If there is an active channel using the same filter, it can be opened to verify that recent events are being received by the system. These events should also appear in the dashboard powered by the data monitor.

4. **Customizing the Display**: To add more information columns:

  • Open the Data Monitor editor for “Last 10 Logon Failures”, which can be accessed through the Inspect/Edit window.

  • If not already open, right-click on “Last 10 Logon Failures” in the Public Folder and select “Edit Data Monitor” from the context menu.

  • In the Data Monitor editor, add columns for Priority, Name, Source User Name, Target User Name, Target Host Name, Category Object, Category Outcome, Category Technique, Category Behavior, Category Device Group, and Category Significance.

  • For specific fields like “Source User Name”, “Target User Name”, and “Target Host Name”, use the Inspect Edit Panel to modify the display settings by clicking on “More Information” and adjusting field names within the Field Sets tab.

This process sets up a real-time data monitor with customizable displays for better insight into specific events like logon failures. To customize your data display by removing or adding columns in the Inspect/Edit pane, follow these steps:

1. **Access the Inspect/Edit Pane**: Navigate to the bottom of the panel where you can find options for modifying column visibility.

2. **Remove a Column**: Click on any highlighted column to delete it using the red X button provided next to each column.

3. **Search and Select Columns**: Use the search box at the bottom to enter "Source User Name," "Target User Name," and "Target Host Name." Check the corresponding checkboxes above these fields to select them for display.

4. **Add Selected Columns**: Click the “OK” button under the search field to add the selected columns to your view. You can either click “OK” to close the pane or “Apply” to keep it open; note that adding new columns resets the data monitor, which then starts displaying newly collected events.

5. **Reorder Columns**: If needed, you can manually reorder added columns by left-clicking on the column header and dragging it left or right.

6. **Categorize Events**: All events are categorized in HP ArcSight: "/Host Operating System" (Category Object), "/Authentication/Verify" (Category Behavior), and "/Operating System" (Category Device Group). This categorization simplifies content creation, reporting, and analysis without needing expert knowledge of each vendor's codes.

7. **Drill Down for Details**: Double-click on any event entry to view detailed information about that specific event.

8. **Adding a Pie Chart to the Dashboard**: To visualize logon failures as a pie chart, create a Data Monitor tailored to display these events graphically.

This process allows you to manage and customize your data visualization according to your analysis needs.
To create a new data monitor for failed Operating System logon events in ArcSight, follow these steps:

1. Open the Navigator Panel (left-most pane) and click the drop-down arrow to select "Dashboards".

2. Click on the "Data Monitors" tab.

3. Right-click on the "Public" folder and select "New Data Monitor".

4. In the "Inspect/Edit" Panel (right-most pane), under the "Attributes" tab, choose "Top Value Counts (Bucketized)" from the "Data Monitor Type" drop-down list.

5. Name the data monitor "OS Logon Failures" and check the box to enable it.

6. Use the provided filters to restrict by "Failed Operating System Login Events". Select "/Shared/All Filters/ArcSight Express/Devices/Operating System/" in the filter browser.

7. Update the following values in the Data Monitor section:

  • Bucket size in Seconds to 180 (which equals 3 minutes).

  • With a default selection of 12 buckets, this will display data for the last 36 minutes.

  • Set "# of top entries" to 20.

  • Aggregate Field to "Target User Name".

8. Click OK to save the new aggregate field setting and then click Apply to save the updated Data Monitor definition.

9. Add the Data Monitor to your current dashboard by right-clicking on "OS Logon Failures" and selecting "Add to Dashboard As > Pie Chart".

10. To rearrange panels, simply click and drag the data monitor to a new location.

To save and customize your new dashboard titled "Untitled - Dashboard" as "OS Logon Failures," follow these steps:

1. **Save the Dashboard**:

  • Right-click on the tab with the untitled dashboard and select "Save Dashboard As."

  • Save it in the Public Folder, naming it something like "OS Logon Failures."

2. **Change Data Monitor Filter to Use Categorization**:

  • Navigate to Filters / Public.

  • Click on the Microsoft Logon Failure Events object and drag it onto the Public folder. When prompted, click "Yes" to create a copy.

  • Double-click on the new entry to edit its properties. In the Attributes tab, rename the filter to "OS Logon Failures by Category."

3. **Customize the Filter**:

  • Go to the Filter tab and remove all existing conditions by right-clicking "& AND" and selecting "Delete." Confirm deletion when prompted.

  • Add a new condition using the category:

  • Right-click on "event1" and select "New Condition > Category > Category Behavior."

  • In the drop-down next to the field, choose "/Authentication/Verify" and click "Apply."

  • Repeat these steps for the following conditions:

  • Add another condition with:

  • Category Object = /Host/Operating System.

  • Category Outcome = /Failure.

4. **Use the New Filter**:

  • Edit Active Channels and Data Monitors to apply this new filter definition, which now includes any OS logon failures across different operating systems, not just specific Microsoft Windows events.
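To make the two filter definitions concrete, here is an added Python example (not ArcSight's own code or the guide's) that evaluates the vendor-specific "Microsoft Logon Failure Events" filter and the category-based "OS Logon Failures by Category" filter over a few constructed events, then runs a Top Value Counts (Bucketized) style aggregation on Target User Name with the 180-second buckets and 12-bucket window of the "OS Logon Failures" data monitor. The field names mirror ArcSight's event schema; the events, the "ExampleUnix" vendor and its class id are constructed sample data.

```python
# Added example, not ArcSight code: the two filters from this walkthrough and a
# Top Value Counts (Bucketized) style aggregation over constructed events.
from collections import Counter
from datetime import datetime, timedelta, timezone

# "Microsoft Logon Failure Events": Device Vendor = Microsoft AND
# Device Event Class Id In (the four vendor-specific codes).
MS_LOGON_FAILURE_IDS = {
    "Security:529",
    "Security:533",
    "Security:681",
    "Microsoft-Windows-Security-Auditing:4625",
}


def microsoft_logon_failure(ev):
    """Vendor-specific filter: only Windows failures with a listed class id."""
    return (ev.get("deviceVendor") == "Microsoft"
            and ev.get("deviceEventClassId") in MS_LOGON_FAILURE_IDS)


def os_logon_failure_by_category(ev):
    """"OS Logon Failures by Category": vendor-neutral, so it also catches
    failed OS logons that are not Windows events."""
    return (ev.get("categoryBehavior") == "/Authentication/Verify"
            and ev.get("categoryObject") == "/Host/Operating System"
            and ev.get("categoryOutcome") == "/Failure")


def _age_seconds(ev, now):
    """Seconds between the event's End Time and the evaluation time."""
    return (now - ev["endTime"]).total_seconds()


def bucket_histogram(events, match, now, bucket_seconds=180, buckets=12):
    """Per-bucket counts, newest bucket first, for events passing `match`
    whose End Time lies inside the last bucket_seconds*buckets seconds."""
    hist = [0] * buckets
    for ev in events:
        age = _age_seconds(ev, now)
        if match(ev) and 0 <= age < bucket_seconds * buckets:
            hist[int(age // bucket_seconds)] += 1
    return hist


def top_value_counts_bucketized(events, match, aggregate_field, now,
                                bucket_seconds=180, buckets=12, top_n=20):
    """Top N values of `aggregate_field` over the same window, largest first,
    like the "OS Logon Failures" monitor aggregating Target User Name."""
    counts = Counter()
    for ev in events:
        age = _age_seconds(ev, now)
        if match(ev) and 0 <= age < bucket_seconds * buckets:
            counts[ev.get(aggregate_field) or "<none>"] += 1
    return counts.most_common(top_n)


# Constructed sample data; NOW is fixed so the results are reproducible.
NOW = datetime(2025, 4, 8, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, vendor, class_id, user, outcome="/Failure"):
    """Constructed event carrying the categories ArcSight assigns to OS logons."""
    return {"endTime": NOW - timedelta(minutes=minutes_ago),
            "deviceVendor": vendor, "deviceEventClassId": class_id,
            "categoryBehavior": "/Authentication/Verify",
            "categoryObject": "/Host/Operating System",
            "categoryOutcome": outcome, "targetUserName": user}


SAMPLE_EVENTS = [
    # Windows failures 2 and 5 minutes old: matched by both filters.
    _ev(2, "Microsoft", "Microsoft-Windows-Security-Auditing:4625", "mjohnson"),
    _ev(5, "Microsoft", "Security:529", "mjohnson"),
    # Successful Windows logon (4624): matched by neither filter.
    _ev(7, "Microsoft", "Microsoft-Windows-Security-Auditing:4624", "mjohnson",
        outcome="/Success"),
    # Non-Windows OS logon failure (constructed vendor and class id):
    # only the category filter sees it.
    _ev(9, "ExampleUnix", "example:auth-fail", "root"),
    # Windows failure 50 minutes old: matches both filters but lies outside
    # the 36-minute window, so the bucketized monitor ignores it.
    _ev(50, "Microsoft", "Security:681", "svc-backup"),
]


if __name__ == "__main__":
    print("vendor filter  :", sum(map(microsoft_logon_failure, SAMPLE_EVENTS)))
    print("category filter:", sum(map(os_logon_failure_by_category, SAMPLE_EVENTS)))
    print("top users      :", top_value_counts_bucketized(
        SAMPLE_EVENTS, os_logon_failure_by_category, "targetUserName", NOW))
    print("buckets        :", bucket_histogram(
        SAMPLE_EVENTS, os_logon_failure_by_category, NOW))
```

The category filter matches one more event than the vendor filter (the non-Windows failure), which is the point of step 4 above; the 50-minute-old event counts for both filters but never reaches the bucketized monitor.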

To edit an open data monitor, click the Pencil icon in the lower right-hand corner. Alternatively, right-click on a Data Monitor in the Navigator (from the Dashboards section) and choose "Edit". After navigating to the specific dashboard, such as "OS Logon Failures", click the pencil icon to access the Inspect/Edit window. Here, navigate to the Restrict by Filter section, select the new filter "OS Logon Failures by Category" and apply the changes. For example, if you want to change the data monitor to show the top 10 users with failed logons using Top Value Counts (Bucketized), set the duration to 180 seconds.

When creating a report, follow these steps: create the query, then the query viewer, and finally the report. As a data source, queries can use HP ArcSight's database of events, actors, modeled network objects, cases, notifications, session lists, or active lists, among other sources. To create a query, navigate to the Queries tab in the Navigator panel under Reports, right-click on Public and select "New Query". Set the name as "OS Logon Failures" and add the necessary columns from the fields list. To create a query for retrieving OS logon failure events using HP ArcSight, follow these steps:

1. **Select Available Fields**: In the query interface, use the search bar to find and select fields such as "Priority," "Name," "Source User Name," "Source Address," "Target User Name," and "Target Host Name." Adjust their order by clicking on the field name and using the up or down arrows.

2. **Add 'ORDER BY' Columns**: Click on the link to add 'ORDER BY' columns, select "Priority" from the list, and change its default sorting from ASC (ascending) to DESC (descending).

3. **Set Conditions**: Under the Event conditions section, click on "{ } Event" and then use the filters to choose "OS Logon Failures by Category." Select the specific filter for logon failures and click OK to apply this condition. This limits the returned events to those meeting the specified categories.

4. **Save the Query Definition**: Click Apply to save the query definition, which specifies which event categories should be retrieved.

5. **Create a Query Viewer**: Optionally create a query viewer to validate the data before generating a report. In the Navigator panel, navigate to "Query Viewers," right-click on the Public folder, and select New Query Viewer. Name it "OS Logon Failures" and assign the previously created query to this viewer.

By following these steps, you will have set up a detailed query in HP ArcSight to retrieve specific OS logon failure events. To create a report based on the "OS Logon Failures" query, follow these steps:

1. **Open Query Viewers / Public**: Navigate to the "Query Viewers / Public" section and right-click on the "OS Logon Failures" query. Select "View Data as a Table." By default, events from the last 24 hours are displayed.

2. **Set Up the Report:**

  • Go to "Reports" in the Navigator.

  • Click on the "Reports" tab and then under "Reports -> Shared -> All Reports," right-click on the Public folder and select "New Report."

  • Name the report "OS Logon Failures."

3. **Select Template and Data Source:**

  • Click on the "Template" tab to choose a layout (leave defaults for this exercise).

  • In the "Data" tab, set up the data source:

  • Under "Data Source," select the dropdown and choose the query you created earlier under the Public folder ("OS Logon Failures").

4. **Configure Report Parameters:**

  • Click OK to confirm the selection of the query as the data source.

  • The available fields in the query will be listed.

  • To see a preview, click on the "Preview" button.

  • In the Preview window that appears, you can change the report format by clicking on the field next to the "Report Format" row and selecting "html". Click OK to close the Report Parameters window.

  • Click "Apply" to save the report definition and continue.

5. **Preview and Adjust:**

  • To view the preview within the Viewer panel, click the "Preview" button on the lower-left of the Inspect/Edit panel.

6. **Grouping:**

  • If you want to make changes to groupings, add them by dragging field names from the "Fields" row into the "Groups" row in the desired order: Name (vendor description of event), Source User Name (user failing the logon), and Source Address (failing logon system).
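As an added example, not part of the original post and not ArcSight code, here is the same query and grouping run against a small constructed SQLite table, so the ORDER BY and the three-level grouping can be checked offline. The column names, the sample rows, and the assumption that the "OS Logon Failures by Category" filter amounts to category_behavior = '/Authentication/Verify' with category_outcome = '/Failure' are mine; the page does not show how that filter is defined.

```python
import sqlite3
from collections import Counter

# Constructed sample events, not real ArcSight data. The column set mirrors the
# fields the query selects plus the two categorization fields the filter uses.
# (priority, name, source_user_name, source_address, target_user_name,
#  target_host_name, category_behavior, category_outcome)
SAMPLE_EVENTS = [
    (7, "An account failed to log on", "alice", "10.0.0.15", "alice", "DC01", "/Authentication/Verify", "/Failure"),
    (7, "An account failed to log on", "alice", "10.0.0.15", "alice", "DC01", "/Authentication/Verify", "/Failure"),
    (5, "An account failed to log on", "svc_backup", "10.0.0.22", "svc_backup", "FS01", "/Authentication/Verify", "/Failure"),
    (3, "An account was successfully logged on", "alice", "10.0.0.15", "alice", "DC01", "/Authentication/Verify", "/Success"),
    (9, "Logon Failure: Unknown user name or bad password", "administrator", "10.0.0.99", "administrator", "DC01", "/Authentication/Verify", "/Failure"),
    (4, "Port scan detected", "", "10.0.0.99", "", "FW01", "/Access", "/Attempt"),
]

# Assumed shape of the "OS Logon Failures by Category" filter: an authentication
# check (category_behavior) with a failed outcome (category_outcome). The real
# filter's definition is not shown on the page.
OS_LOGON_FAILURES_SQL = """
SELECT priority, name, source_user_name, source_address, target_user_name, target_host_name
FROM events
WHERE category_behavior = '/Authentication/Verify'
  AND category_outcome = '/Failure'
ORDER BY priority DESC
"""

def build_db():
    """Load the sample events into an in-memory SQLite table named 'events'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        priority INTEGER, name TEXT, source_user_name TEXT, source_address TEXT,
        target_user_name TEXT, target_host_name TEXT,
        category_behavior TEXT, category_outcome TEXT)""")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return conn

def os_logon_failures(conn):
    """The query: selected fields, restricted by the category filter, highest priority first."""
    return conn.execute(OS_LOGON_FAILURES_SQL).fetchall()

def group_failures(rows):
    """The report's grouping: Name, then Source User Name, then Source Address, with a count per group."""
    return Counter((name, src_user, src_addr) for _, name, src_user, src_addr, _, _ in rows)

if __name__ == "__main__":
    rows = os_logon_failures(build_db())
    for (name, user, addr), n in group_failures(rows).most_common():
        print(f"{n:>3}  {name} | {user} | {addr}")
```

The successful logon and the port scan are excluded by the category filter rather than by event name, which is the point of filtering on categorization fields: the same query keeps working when a different connector reports the failure under a different vendor event name.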

By following these steps, you will have created a report summarizing OS Logon Failures according to your specified groupings.

To find out who is logged into your systems, use Session Lists in HP ArcSight SIEM. A session list tracks a user from logon to logoff, so you can see session activity over time. The setup has three parts:

1. **Create a Session List**: This is the container that stores information about user logins and logoffs. Give it a schema that fits Windows login/logoff events.

2. **Set Up Rules**:

  • Create a rule that gets triggered when a successful Windows login happens, and it fills the session list with the relevant event data from this login.

  • Another rule should be set up to remove user information from the list when they log off.

3. **Report or Utilize Events**: Use the Session List to generate reports on session activity, or query the events stored in the list for further analysis. This shows who is using your systems and is useful for security audits, performance monitoring and similar tasks.

To create the session list for Windows login sessions and the rules that populate it with login and termination events, follow these steps:

1. **Create a Session List:**

  • Navigate to the Lists resource in the Navigator.

  • Click on the "Session Lists" tab.

  • Under the Public folder, right-click and select "New Session List".

  • In the Session List editor, name the session list and add necessary fields.

  • At the bottom of the parameter fields section, add the fields the rules will fill in: Username (set as the key field), NT Domain and Device, plus the Login Time and Logout Time of each entry. The field names must match the mappings used in the rules later.

  • Click "Apply" to save the changes.

2. **Create Rules to Populate the Session List:**

  • Navigate to the Rules resource from the Navigator drop-down menu.

  • Right-click on the Public user group and select "New Rule".

  • Create two rules: one for triggering on Windows session logins and another for when a Windows session terminates.

  • **Rule 1: Trigger on Windows Session Logins**

  • Use attributes such as Computer Name, User Name, Login Time, etc.

  • Set conditions based on these attributes to detect login events.

  • Aggregate the data using actions like "Add Record" or "Update Record".

  • **Rule 2: Trigger when a Windows session terminates**

  • Use similar attributes and set conditions for detecting termination events.

  • Perform actions like "Remove Record" based on these conditions.

  • Save and deploy the rules under Real-time Rules after testing in a user folder.

3. **Verify Rules:**

  • Use the Verify Rules with Events tool to ensure that the rules are triggered correctly and that your session list is populated appropriately with session login times and logout times.

4. **Create a Report:**

  • Create a new report using the session list as the data source.

  • Run the report to visualize or analyze the stored Windows sessions.

By following these steps, you will have created a session list that captures Windows logins and logouts, populated by rules triggered on specific events, which can then be used for reporting or further analysis.

Setting up the session login rule for successful Windows logins involves four tabs:

1. **Attributes Tab**: Name the rule "Successful Windows Login".

2. **Conditions Tab**:

  • Set up conditions to trigger the rule on any Windows login event.

  • Configure the condition to trigger on events with Device Event Class ID Security:528, the Windows 2000/XP/2003 Security log ID for a successful logon. Windows Vista and later report the same event as 4624 (and the user-initiated logoff used below, 551, as 4647), so check which IDs your connectors actually deliver before relying on the rule.

3. **Aggregation Tab**:

  • Aggregate events based on specific fields to ensure that only events sharing identical values for fields like "Target User Name", "Target Nt Domain", and "Device Host Name" are considered in the aggregation.

4. **Actions Tab**:

  • Add a session list named "Windows Login Sessions". This step involves mapping the fields from the Microsoft Windows login event to the corresponding field names defined in the session list.

  • Map the fields:

  • Start Time to the logon event's timestamp (the event's End Time field); the entry's End Time is filled in later by the logoff rule.

  • Username to Target User Name.

  • NT Domain to Target Nt Domain.

  • Device to Device Host Name.

  • Ensure that every time a matching login event occurs, details from each event are added to the "Windows Login Sessions" list.

This setup facilitates the monitoring and analysis of successful Windows logins by consolidating related events into a single session for easier review and reporting.

To create the two rules that manage session logins and terminations in HP ArcSight, follow these steps.

**Rule 1: Triggers on Logins of Windows Sessions**

1. **Define the Rule:**

  • Go to the "Inspect/Edit" tab.

  • Name the rule "Add to Session List."

2. **Configure Attributes Tab:**

  • Keep the name from step 1. "On Every Event" is the trigger under which the action in step 5 is added, so every matching logon creates a session list entry.

3. **Set Conditions Tab:**

  • Use the condition: `Device Event Class ID = Security:528` (the successful-logon ID used throughout this section).

4. **Aggregation Tab:**

  • Add fields: Device Host Name, Target User Name, and Target Nt Domain.

5. **Actions Tab:**

  • Select "Add | Session List | Add to Session List."

6. **Map the Fields:**

  • Map Start Time to the event timestamp (the event's End Time field), so the entry opens at the time of the logon.

  • Map Username to Target User Name.

  • Map NT Domain to Target Nt Domain.

  • Map Device to Device Host Name.

7. **Save and Close:**

  • Click "OK" to save the rule configuration.

**Rule 2: Triggers on Termination of Windows Sessions**

1. **Define the Rule:**

  • Use the same settings as Rule 1 but change the Rule Name to "Terminate Session List."

2. **Configure Conditions Tab:**

  • Set condition: `.Device Event Class ID = Security:551`.

3. **Aggregation Tab:**

  • Add fields: Device Host Name, Target User Name, and Target Nt Domain.

4. **Actions Tab:**

  • Select "Add | Session List | Terminate Session List."

5. **Map the Fields:**

  • Map End Time to the event timestamp (the event's End Time field), so the entry closes at the time of the logoff.

  • Map Username to Target User Name.

  • Map NT Domain to Target Nt Domain.

  • Map Device to Device Host Name.

6. **Save and Close:**

  • Click "OK" to save the rule configuration.
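The two rules as a small state machine, added here as an illustration and not taken from the post or from ArcSight itself: events are constructed dicts carrying the field names the rules map (deviceEventClassId, targetUserName, targetNtDomain, deviceHostName, endTime), the session key is the three aggregation fields, and the post-Vista IDs 4624/4647 are accepted alongside 528/551 as a generalization the rules in the post do not include. How a logoff with no matching logon and a repeat logon for an already-open key are handled is my choice, not behaviour the page describes.

```python
from datetime import datetime, timedelta

# Device Event Class IDs as ArcSight's Windows connectors name them ("Security:<EventID>").
# 528/551 are the pre-Vista IDs the rules above use; 4624/4647 are the equivalents on
# Vista and later, accepted here as a generalization the rules in the post do not include.
LOGON_IDS = {"Security:528", "Security:4624"}
LOGOFF_IDS = {"Security:551", "Security:4647"}

def session_key(ev):
    """The three aggregation fields from the rules: Target User Name, Target Nt Domain, Device Host Name."""
    return (ev["targetUserName"].lower(), ev["targetNtDomain"].lower(), ev["deviceHostName"].lower())

class SessionList:
    """In-memory stand-in for the 'Windows Login Sessions' session list (assumed, not ArcSight's)."""

    def __init__(self):
        self.open = {}               # key -> entry with Start Time set and End Time None
        self.closed = []             # entries terminated by a logoff
        self.unmatched_logoffs = []  # logoffs with no open session for their key

    def add(self, ev):
        """Rule 1 action (Add | Session List): open an entry at the logon event's timestamp."""
        key = session_key(ev)
        if key in self.open:
            return False  # repeat logon for an open key: keep the existing entry (my choice)
        self.open[key] = {"username": ev["targetUserName"], "nt_domain": ev["targetNtDomain"],
                          "device": ev["deviceHostName"], "start_time": ev["endTime"], "end_time": None}
        return True

    def terminate(self, ev):
        """Rule 2 action (Terminate Session List): close the entry at the logoff event's timestamp."""
        entry = self.open.pop(session_key(ev), None)
        if entry is None:
            self.unmatched_logoffs.append(ev)  # worth reporting: a logoff the list never saw a logon for
            return False
        entry["end_time"] = ev["endTime"]
        self.closed.append(entry)
        return True

def process(events, session_list=None):
    """Apply both rules to events in timestamp order and return the resulting session list."""
    sl = SessionList() if session_list is None else session_list
    for ev in sorted(events, key=lambda e: e["endTime"]):
        cid = ev["deviceEventClassId"]
        if cid in LOGON_IDS:
            sl.add(ev)
        elif cid in LOGOFF_IDS:
            sl.terminate(ev)
    return sl

def session_duration(entry):
    """Logout minus login for a closed entry."""
    return entry["end_time"] - entry["start_time"]

def _ev(cid, user, domain, host, minutes):
    return {"deviceEventClassId": cid, "targetUserName": user, "targetNtDomain": domain,
            "deviceHostName": host, "endTime": datetime(2025, 4, 8, 9, 0) + timedelta(minutes=minutes)}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("Security:528", "alice", "CORP", "DC01", 0),     # alice logs on to DC01 at 09:00
    _ev("Security:4624", "bob", "CORP", "FS01", 5),      # bob logs on to FS01 (post-Vista ID)
    _ev("Security:528", "alice", "CORP", "DC01", 10),    # repeat logon, same key: ignored
    _ev("Security:551", "alice", "CORP", "DC01", 30),    # alice logs off at 09:30
    _ev("Security:551", "carol", "CORP", "WS07", 40),    # logoff with no matching logon
]

if __name__ == "__main__":
    sl = process(SAMPLE_EVENTS)
    for e in sl.closed:
        print(e["username"], e["device"], session_duration(e))
    print("still open:", list(sl.open))
```

The key is lower-cased because Windows reports account and host names with inconsistent case; without that, a logon and its logoff can land on different keys and the session never closes. The unmatched_logoffs list is the check the "Verify Rules" step is really after: entries accumulating there mean the logon rule is missing events that the logoff rule sees.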

These rules automatically update the session list from Windows logon and logoff events, capturing the device hostname, username and NT domain for each one.

To verify them, create an active channel named "Verify Rule 528 and 551" that shows events with Device Event Class ID Security:528 or Security:551, and generate test logon and logoff events against it. Once the rules behave as expected, move them from the Public folder to the Real-time Rules folder; from that point they run against new incoming events. Each time a rule triggers, confirm that the corresponding entry was added to, or terminated in, the session list.

To create and run a report from the session list in HP ArcSight Express, using Windows login sessions as the example:

1. **Access the Reports Resource**: Navigate to the Reports section in the HP ArcSight Express interface.

2. **Create a New Report**: Under Shared -> All Reports -> Public, right-click and select "New Report", and name it "Windows Login Sessions".

3. **Set Default Template Settings**: Leave the template defaults as they are.

4. **Configure Data Source**: Under the Data tab, choose "Session Lists" as the data source type and select the "Windows Login Sessions" list.

5. **Save the Report**: Click OK to save the session list selection, then OK again to save the report. It appears under the Public folder in the Reports section.

6. **Run the Report**: Right-click the report and select "Run > Report". Change the format to HTML if desired and click OK.

7. **View the Report**: Review the resulting HTML version of the Windows Login Sessions report.
This shows how a session list feeds a simple report in HP ArcSight Express, giving a view of user login activity for security and operational reporting.

Network tools are accessed from the toolbar or the Tools menu. You can add, copy, edit or delete tools as needed; the toolbar buttons and menu commands adjust automatically. To run a tool command:

1. Select an IP address in a grid view.

2. Right-click, select "Tools", then choose the desired tool from the drop-down menu.

3. A window opens with the tool's output. For example, right-clicking a port field and selecting "Port Info" shows details about that port in a new window.

4. Close the window after reviewing the information.

The remaining material covers correlation rules:

  • Example rule: Fire if an event is received three times within 30 seconds.

  • To implement it, add the condition Type = Base so the rule counts only base events and not the correlation events it generates itself (without it, the rule's own output can feed back into it), and check that the trigger conditions are actually met by the test events.

Further examples include:

  • Correlation of assets categorized as "California Senate Bill 1386."

  • Adding columns like Attacker Address and Target Address for active list correlation.

  • Creating rules based on specific event thresholds, such as the first occurrence of three events within a set time frame.

In the physical and logical correlation example, subnets are selected with a Character Match (or NOT Character Match) condition on the address field. The walkthrough ends with a test in which three events arrived but the rule did not fire, because their attacker addresses did not satisfy the character match. After the attacker address in the test event was set to 10.2.1.30, it matched the pattern 10.2.1.* and the rule fired. The same mechanism was then used to correlate assets by category.

Two things to keep in mind when reproducing the test. The address change is made to the test event, not to anything in the monitored network; it only shows that the rule's pattern and the event's address line up. And 10.2.1.* is a character pattern, not a network mask: it matches any address whose text begins with "10.2.1." and nothing else, so it cannot express a CIDR range that does not fall on an octet boundary.
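The threshold rule and the character-match filter, as an added example that is not part of the original post and does not use ArcSight code: a sliding-window counter per attacker address, a wildcard match on the address (negate=True stands in for the NOT Character Match condition), and a Type = Base filter. The event dicts, the field names (attackerAddress, type, time in seconds) and the feeding of the rule's own correlation event back into it are my construction; the last case in main shows why the Type = Base condition matters, because without it the rule's own output counts toward the next threshold.

```python
from collections import defaultdict, deque
from fnmatch import fnmatchcase

class ThresholdRule:
    """Fire when `threshold` matching events share an attacker address within `window_s` seconds.

    pattern  : wildcard on Attacker Address, e.g. "10.2.1.*" (a character match, not a netmask)
    negate   : True models the NOT Character Match condition
    base_only: True models the Type = Base condition from the post
    """
    def __init__(self, pattern, threshold=3, window_s=30, negate=False, base_only=True):
        self.pattern, self.threshold, self.window_s = pattern, threshold, window_s
        self.negate, self.base_only = negate, base_only
        self.buckets = defaultdict(deque)   # attackerAddress -> timestamps of matching events
        self.fired = []                     # correlation events this rule produced

    def matches(self, ev):
        if self.base_only and ev["type"] != "Base":
            return False
        hit = fnmatchcase(ev["attackerAddress"], self.pattern)
        return (not hit) if self.negate else hit

    def feed(self, ev):
        """Count one event; return the correlation event if the threshold is reached, else None."""
        if not self.matches(ev):
            return None
        q = self.buckets[ev["attackerAddress"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > self.window_s:   # drop events that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()   # "on first threshold": fire once, then start counting again
        corr = {"type": "Correlation", "attackerAddress": ev["attackerAddress"], "time": ev["time"],
                "name": f"{self.threshold} events in {self.window_s}s from {ev['attackerAddress']}"}
        self.fired.append(corr)
        return corr

def run(rule, events, max_feedback=1000):
    """Feed events in time order, routing each correlation event back in as the Manager would.

    Returns the number of times the rule fired. max_feedback bounds the loop so a rule that
    matches its own output cannot spin forever in this demonstration.
    """
    pending = deque(sorted(events, key=lambda e: e["time"]))
    fed_back = 0
    while pending:
        corr = rule.feed(pending.popleft())
        if corr is not None and fed_back < max_feedback:
            pending.appendleft(corr)   # the rule's output is itself an event
            fed_back += 1
    return len(rule.fired)

def base_events(addr, times):
    """Constructed base events from one attacker address at the given second offsets."""
    return [{"type": "Base", "attackerAddress": addr, "time": t} for t in times]

if __name__ == "__main__":
    print(run(ThresholdRule("10.2.1.*"), base_events("10.2.1.30", [0, 10, 20])))   # 1: three inside 30 s
    print(run(ThresholdRule("10.2.1.*"), base_events("10.2.1.30", [0, 20, 40])))   # 0: third event outside the window
    print(run(ThresholdRule("10.2.1.*"), base_events("10.2.5.30", [0, 10, 20])))   # 0: address fails the character match
    print(run(ThresholdRule("10.2.1.*", base_only=False),
              base_events("10.2.1.30", [0, 5, 10, 15, 20])))                       # 2: own output counted toward the threshold
```

With base_only left at True the five-event case fires once, because the correlation event emitted at the third base event is ignored when it comes back around; with base_only=False it is counted, and the second firing is partly the rule reacting to itself. That is the "recursive" behaviour the Type = Base condition prevents.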

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
