ArcSight Logger 5.3 SP1 - Use Case Demonstration Scripts
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
This document provides a series of demonstration scripts for HP ArcSight Logger (the scripts require Logger 5.2 or later), covering use cases in security operations, compliance auditing and IT management. Key instructions include configuring Internet Explorer settings to avoid security warning pop-ups when accessing reports or iPackager, handling the initial security pop-ups in iPackager, investigating a recently departed user for forensic analysis, reviewing PCI compliance insights, monitoring web server status, ingesting multiline log events from application development, charting the sources communicating with Microsoft SQL servers, pinpointing network performance problems, searching raw events for failed login attempts and credit card numbers, and analyzing machine transactions using POSTFIX logs. The document aims to showcase the versatility of HP ArcSight Logger across security, compliance and IT management scenarios.
Details:
This document outlines several demonstration scripts for HP ArcSight Logger, designed for Logger version 5.2 or later. It includes instructions for configuring Internet Explorer settings to avoid security warning pop-ups when accessing reports and iPackager, and covers use cases for Security, Compliance, IT Operations, Application Development, NetFlow, Raw Events and Regex, plus additional use cases on POSTFIX mail and Logger TRANSACTION grouping.
### 1. Overview
The overview section provides instructions for setting up the environment by configuring Internet Explorer settings to prevent security warning pop-ups when accessing reports or iPackager. It also explains how to handle initial Security pop-ups in iPackager.
### 2. Security Use Case
This use case covers incident response: it walks through investigating a recently departed user's activity in ArcSight Logger for forensic analysis.
### 3. Compliance Use Case
The compliance use case is focused on regulatory compliance, specifically reviewing the PCI Compliance Insight Package and its related drill-down reports and dashboards within HP ArcSight Logger.
### 4. IT Ops Use Case - Web Server Down
This use case investigates a report of a web server being down. The goal is to identify the cause of the outage from the collected logs and resolve it, keeping downtime for users to a minimum.
### 5. Application Development Use Case - Ability to take in multiline logs
This scenario uses multiline events from application development logs. Log entries such as stack traces span several lines; keeping them together as one event gives a fuller picture of system activity and errors than the individual lines would.
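As an added example (not code from the original document or from HP ArcSight), the following Python shows the multiline handling the use case relies on: physical lines are joined into one logical event whenever a line does not start with a timestamp, so a stack trace stays attached to the ERROR that produced it. The sample log, the log4j-style timestamp pattern and the header layout are assumptions made for this illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: a Java application log in which one ERROR event carries a
# multi-line stack trace. Illustrative input, not a log from the original document.
SAMPLE_LOG = """\
2025-04-08 10:15:01,123 INFO  [main] Starting OrderService
2025-04-08 10:15:02,456 ERROR [worker-1] Payment failed for order 4711
java.lang.IllegalStateException: gateway timeout
\tat com.example.pay.Gateway.charge(Gateway.java:88)
\tat com.example.OrderService.submit(OrderService.java:142)
2025-04-08 10:15:03,789 WARN  [worker-2] Retrying order 4711
"""

# Assumption: every event begins with a log4j-style timestamp. Any line that does not
# is a continuation of the event before it (stack-trace frames, wrapped messages).
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

# Header layout assumed for this sample: "<timestamp> <LEVEL> [<thread>] <message...>".
EVENT_HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] (?P<msg>.*)", re.S
)


def group_multiline(lines: Iterable[str]) -> List[str]:
    """Join physical lines into logical events, one per timestamped start line."""
    events: List[str] = []
    current: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if EVENT_START.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        else:
            # Continuation line: append to the open event. If the stream starts
            # mid-event (a rotated file), keep the orphan rather than drop data.
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_event(event: str) -> Dict[str, object]:
    """Split a logical event into header fields plus its continuation lines."""
    m = EVENT_HEADER.match(event)
    if not m:
        return {"ts": None, "level": None, "thread": None, "msg": event, "continuation": []}
    first, *rest = m.group("msg").split("\n")
    return {
        "ts": m.group("ts"),
        "level": m.group("level"),
        "thread": m.group("thread"),
        "msg": first,
        "continuation": rest,   # stack-trace frames travel with the event they belong to
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_event(e) for e in group_multiline(text.splitlines())]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["ts"], ev["level"], ev["msg"], f"(+{len(ev['continuation'])} lines)")
```

The start-of-event pattern is the only format-specific part; a receiver that treats each physical line as an event would instead produce three unparseable fragments for the stack trace and lose the link to the error message.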
### 6. NetFlow Use Case - Who is talking to my Microsoft SQL Servers?
The objective is to identify and chart the sources communicating with Microsoft SQL servers. Analyzing NetFlow data shows which hosts are connecting to the SQL servers, which supports both security monitoring (spotting unexpected clients) and performance tuning.
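As an added example (not code from the original document or from HP ArcSight), this Python aggregates constructed NetFlow-style records into the chart the use case describes: sources reaching the SQL servers on SQL ports, ranked by bytes, plus the security drill-down of which talkers are not on an allowlist. The flow records, the server addresses and the allowlist of expected application servers are assumptions for this illustration.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed NetFlow-style records (5-tuple reduced to what the question needs).
# 10.0.5.20 and 10.0.5.21 play the SQL servers; nothing here comes from the original document.
FLOWS = [
    {"src": "10.0.1.10",    "dst": "10.0.5.20", "proto": "tcp", "dport": 1433, "bytes": 52000},
    {"src": "10.0.1.10",    "dst": "10.0.5.21", "proto": "tcp", "dport": 1433, "bytes": 18000},
    {"src": "10.0.1.11",    "dst": "10.0.5.20", "proto": "tcp", "dport": 1433, "bytes": 9000},
    {"src": "192.168.7.44", "dst": "10.0.5.20", "proto": "tcp", "dport": 1433, "bytes": 700},
    {"src": "192.168.7.44", "dst": "10.0.5.20", "proto": "udp", "dport": 1434, "bytes": 120},
    {"src": "10.0.1.10",    "dst": "10.0.9.5",  "proto": "tcp", "dport": 443,  "bytes": 30000},
]

SQL_SERVERS = {"10.0.5.20", "10.0.5.21"}
# 1433/tcp is the default SQL Server listener; 1434/udp is the SQL Browser (SSRP) service.
SQL_PORTS = {("tcp", 1433), ("udp", 1434)}
# Hypothetical allowlist: the application tier that is supposed to reach the databases.
EXPECTED_CLIENTS = {"10.0.1.10", "10.0.1.11"}


def sql_talkers(flows: Iterable[dict]) -> List[Dict[str, object]]:
    """Sources that reached a SQL server on a SQL port, ranked by bytes sent."""
    bytes_by_src: Counter = Counter()
    flows_by_src: Counter = Counter()
    for f in flows:
        if f["dst"] in SQL_SERVERS and (f["proto"], f["dport"]) in SQL_PORTS:
            bytes_by_src[f["src"]] += f["bytes"]
            flows_by_src[f["src"]] += 1
    return [
        {"src": src, "flows": flows_by_src[src], "bytes": total}
        for src, total in bytes_by_src.most_common()
    ]


def unexpected_clients(flows: Iterable[dict]) -> List[str]:
    """Talkers that are not on the allowlist: the rows worth a drill-down."""
    return sorted(r["src"] for r in sql_talkers(flows) if r["src"] not in EXPECTED_CLIENTS)


def bar_chart(rows: List[Dict[str, object]], width: int = 40) -> List[str]:
    """Text rendering of the chart Logger would draw from the same counts."""
    if not rows:
        return []
    top = max(int(r["bytes"]) for r in rows)
    return [
        f"{r['src']:<16} {'#' * max(1, int(r['bytes']) * width // top):<{width}} {r['bytes']:>7} B"
        for r in rows
    ]


if __name__ == "__main__":
    print("\n".join(bar_chart(sql_talkers(FLOWS))))
    print("unexpected:", unexpected_clients(FLOWS))
```

The low-volume talker is the interesting one: a workstation subnet host sending a few hundred bytes to port 1433 and probing 1434/udp looks like discovery, not an application, which is why the allowlist comparison rather than the byte ranking is the security view of this chart.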
### 7. Raw Events and Regex Use Case - Finding a network performance problem from RAW events
This use case searches raw event data for network latency problems by extracting the round-trip average (RTA) value with a regular expression and flagging events where it exceeds 1 ms, in order to pinpoint and resolve performance bottlenecks.
### 8. Additional Use Cases
- Finding failed logins from RAW events using the Discover Fields capability: this use case searches raw events for signs of failed login attempts, a basic check for security monitoring and for the integrity of access controls.
- Finding and masking credit card numbers: this involves identifying credit card numbers in records and masking them so that the stored data complies with PCI DSS (and data protection rules such as GDPR).
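As an added example (not code from the original document or from HP ArcSight), the following Python runs the three raw-event searches of sections 7 and 8 over constructed syslog lines: a regex that discovers the RTA field and flags values above 1 ms, one that extracts user and source IP from failed SSH logins, and a PAN finder that Luhn-checks each candidate before masking it. The log lines, the regexes and the 1 ms threshold are assumptions made for this illustration.

```python
import re
from typing import Dict, List

# Constructed raw events (syslog-style). None of them come from the original document.
RAW_EVENTS = [
    "Apr  8 10:00:01 nagios check_ping: host=web01 PING OK - Packet loss = 0%, RTA = 0.45 ms",
    "Apr  8 10:00:02 nagios check_ping: host=db02 PING WARNING - Packet loss = 0%, RTA = 3.20 ms",
    "Apr  8 10:00:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Apr  8 10:00:04 web01 sshd[2212]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Apr  8 10:00:05 web01 sshd[2213]: Failed password for invalid user root from 203.0.113.9 port 51240 ssh2",
    "Apr  8 10:00:06 shop01 orders: order=991 card=4111111111111111 amount=19.99 ref=1234567812345678",
]

# "Discovered" fields: each regex pulls a named value out of otherwise unparsed text.
RTA_RE = re.compile(r"host=(?P<host>\S+).*?RTA\s*=\s*(?P<rta>\d+(?:\.\d+)?)\s*ms")
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Candidate PANs: 13-19 digits not embedded in a longer digit run. Luhn filters the rest.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def slow_hosts(events: List[str], threshold_ms: float = 1.0) -> List[Dict[str, object]]:
    """Hosts whose ping round-trip average exceeds the threshold (1 ms in the demo)."""
    hits = []
    for ev in events:
        m = RTA_RE.search(ev)
        if m and float(m.group("rta")) > threshold_ms:
            hits.append({"host": m.group("host"), "rta_ms": float(m.group("rta"))})
    return hits


def failed_logins(events: List[str]) -> Dict[str, Dict[str, object]]:
    """Failed SSH logins grouped by source IP, with the user names tried."""
    by_ip: Dict[str, Dict[str, object]] = {}
    for ev in events:
        m = FAILED_LOGIN_RE.search(ev)
        if not m:
            continue
        entry = by_ip.setdefault(m.group("ip"), {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return {ip: {"count": e["count"], "users": sorted(e["users"])} for ip, e in by_ip.items()}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; card numbers pass, order numbers of the same length usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Replace Luhn-valid PANs with first six + last four, the form PCI DSS allows to display."""
    def _mask(m):
        pan = m.group(0)
        if not luhn_ok(pan):
            return pan                      # not a card number; leave it untouched
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    print(slow_hosts(RAW_EVENTS))
    print(failed_logins(RAW_EVENTS))
    for ev in RAW_EVENTS:
        print(mask_cards(ev))
```

The Luhn test is what keeps the 16-digit order reference in the last event from being masked; a PAN written with spaces or dashes would need a second pattern that strips the separators before the check, and the failed-login count per source is the value to alert on, not the individual lines.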
### 9. Analyzing Machine Transactions
This use case introduces higher-level event grouping (TRANSACTION), real-time file receivers, on-board parsers and dashboard drill-downs. The demonstration uses events from POSTFIX, an open-source mail transfer agent, keyed on the QueueID field that every log line for a given message carries, to show how these Logger capabilities combine in practice:
a) Reading log files directly: a file receiver reads the log data without an external connector.
b) Parsing events without a SmartConnector: an on-board parser extracts fields from the events, so no dedicated SmartConnector is needed.
c) Grouping events into transactions using common values: events that share a value (here the queue ID) are grouped into one transaction, which gives more meaningful insight than the individual events.
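As an added example (not code from the original document or from HP ArcSight), this Python reproduces steps b) and c) outside Logger: a small on-board parser for Postfix syslog lines, and grouping of the parsed events into one transaction per queue ID so that a message's client, sender, recipients and final delivery status sit in one record, even though the lines for different messages interleave. The log excerpt, the line regex and the transaction fields are assumptions for this illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed Postfix syslog excerpt: two messages whose lines interleave, one delivered
# and one bounced. Illustrative only; not taken from the original document.
POSTFIX_LOG = """\
Apr  8 10:20:01 mx1 postfix/smtpd[1234]: 3F2A1B0C7: client=mail.example.org[203.0.113.25]
Apr  8 10:20:01 mx1 postfix/cleanup[1240]: 3F2A1B0C7: message-id=<20250408102001.abc@example.org>
Apr  8 10:20:01 mx1 postfix/qmgr[1100]: 3F2A1B0C7: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Apr  8 10:20:02 mx1 postfix/smtpd[1235]: 7C9D2E4F1: client=unknown[198.51.100.77]
Apr  8 10:20:02 mx1 postfix/qmgr[1100]: 7C9D2E4F1: from=<bob@example.net>, size=512, nrcpt=1 (queue active)
Apr  8 10:20:03 mx1 postfix/smtp[1250]: 3F2A1B0C7: to=<carol@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=2.1, delays=0.1/0/1/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  8 10:20:03 mx1 postfix/qmgr[1100]: 3F2A1B0C7: removed
Apr  8 10:20:05 mx1 postfix/smtp[1251]: 7C9D2E4F1: to=<dave@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=3.0, delays=0.2/0/1/1.8, dsn=5.1.1, status=bounced (host mx.example.com said: 550 5.1.1 User unknown)
Apr  8 10:20:05 mx1 postfix/qmgr[1100]: 7C9D2E4F1: removed
Apr  8 10:20:06 mx1 postfix/anvil[1300]: statistics: max connection rate 1/60s for (smtp:203.0.113.25) at Apr  8 10:20:01
"""

# On-board parser: syslog header, Postfix daemon name, queue ID, free-text remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$"
)
# key=value pairs in the remainder; addresses are wrapped in angle brackets.
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None         # lines without a queue ID (anvil statistics etc.) carry no transaction
    rec = m.groupdict()
    rec["fields"] = {k: v.strip("<>") for k, v in KV_RE.findall(rec["msg"])}
    return rec


def build_transactions(lines: Iterable[str]) -> Dict[str, dict]:
    """Group events by queue ID into one transaction per message."""
    txs: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tx = txs.setdefault(rec["qid"], {
            "qid": rec["qid"], "first_ts": rec["ts"], "last_ts": rec["ts"],
            "client": None, "from": None, "to": [], "status": None,
            "events": 0, "complete": False,
        })
        tx["last_ts"] = rec["ts"]
        tx["events"] += 1
        f = rec["fields"]
        if "client" in f:
            tx["client"] = f["client"]
        if "from" in f:
            tx["from"] = f["from"]
        if "to" in f:
            tx["to"].append(f["to"])
            tx["status"] = f.get("status", tx["status"])
        if rec["msg"].strip() == "removed":
            tx["complete"] = True   # qmgr dropped the queue file: transaction closed
    return txs


def by_status(txs: Dict[str, dict], status: str) -> List[str]:
    """Queue IDs whose final delivery status matches, e.g. the drill-down for bounces."""
    return sorted(q for q, t in txs.items() if t["status"] == status)


if __name__ == "__main__":
    for t in build_transactions(POSTFIX_LOG.splitlines()).values():
        print(t["qid"], t["client"], t["from"], "->", ",".join(t["to"]),
              t["status"], "complete" if t["complete"] else "open")
```

A transaction that never reaches "removed" is the case a dashboard should surface: the message is still queued, or the log was truncated. The grouping key is the only Postfix-specific assumption; the same loop works for any source where one identifier ties several lines together.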