
ArcSight Logger RBAC MSSP Procedure v2.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 5 min read

Summary:

This document provides a detailed procedure for configuring ArcSight in a Multi-Source Security Platform (MSSP) environment to map and restrict access to customer data, ensuring distinct segregation between multiple customers' datasets. Key steps include setting up connectors, creating mappings, filters, and user groups, followed by assigning search group filters for testing purposes. The document covers the installation of a Syslog connector on the Logger appliance, configuring receiver settings, mapping NAT IP addresses to customer names, and creating user accounts with specific permissions tailored to each customer's data access requirements.

Details:

This document outlines a procedure for ArcSight to map and restrict access to customer data in a Multi-Source Security Platform (MSSP) environment. Key aspects include handling overlapping IP address spaces, filtering log data, and restricting access based on roles such as operations personnel. The process involves several steps: installing connectors; creating mappings, filters, groups, and users; and assigning search group filters for testing. The procedure is tailored to managing multiple customer datasets within an MSSP setup, ensuring that each customer's data can be distinguished from the others by hostname, NAT IP address, domain name, or loopback address.

The procedure document describes a test scenario that validates ArcSight's ability to handle overlapping IP address spaces between different customers, using Logger with onboard connectors and role-based access control. It involves setting up VMware with NAT addresses for Customer A (142.134.151.202) and Customer B (142.134.151.204) and sending Syslog messages through Snare. Alternatively, the customer can use the "Test Connector" to generate test events from source addresses. To meet these requirements, SmartConnectors and Logger group filters are used in combination.

The following steps install a Syslog connector on the Connector Appliance (Logger) to parse NAT IP addresses and map them to customer names:

1. **Install the Connector**:

  • Navigate to "Configuration/Connectors" on the Logger appliance.

  • Expand the "localhost" connector container, then click on "Container 1" and select "Configure Connector".

  • Choose "Syslog Daemon" from the pull-down list and proceed with default settings.

  • Select "ArcSight Logger SmartMessage (encrypted)" as the destination type.

  • Configure the destination by providing the Logger destination IP Address and Receiver Name, leaving other defaults unchanged. Remember the receiver name for later use in creating a Syslog rule on the ArcSight Logger appliance.

  • Fill in all details about the connector including its descriptive name and location.

2. **Create Connector Mappings**:

  • A mappings file will be created to parse NAT IP addresses, mapping them to appropriate customer names (Customer URI fields).

3. **Configure Search Group Filters**:

  • Create two Search Group Filters for each Customer URI: "CustomerA-Restrict" and "CustomerB-Restrict". These filters provide base settings for user groups.

4. **Create User Groups and Assign Permissions**:

  • Two user groups, GroupA and GroupB, are created with Logger rights and search permissions.

5. **Add Users to Their Respective Groups**:

  • Create two users, UserA and UserB, and assign them to their respective groups (GroupA for UserA and GroupB for UserB).

6. **Assign Search Group Filters to Groups**:

  • Assign the "CustomerA-Restrict" filter to GroupA and the "CustomerB-Restrict" filter to GroupB.

7. **Verify Permissions**:

  • Log in as each user (UserA and UserB) and verify that they can only view data corresponding to their assigned customer, ensuring proper segregation of duties.

This setup ensures that each user has access only to the specific customer data permitted through group assignments and filters.

The next part is a guide to setting up a connector and creating mappings in Logger for event input/output. The steps involved are:

1. **Device Location**:

  • Identify the physical location of the device sending events to the connector; this is needed during setup.

2. **Create the Logger Receiver** (Procedure 2):

  • Navigate to "Configuration/Settings" and select "Event Input/Output".

  • Go to the "Receivers" tab, click "Add", enter a name for the receiver, select "SmartMessage Receiver" from the dropdown menu, and click "Next".

  • Leave the defaults on the next window and click "Save". The new receiver starts out disabled; click its disabled icon to enable it.

3. **Create the Mappings File** (Procedure 3):

  • In Logger, go to "Configuration/Bulk Operations" and select "Map Files".

  • Click "Retrieve Container Files", choose "Container 1" from the dropdown menu, and click "Next". Once retrieved, download the map files.

  • Open the downloaded .zip file in a zip manager (e.g., WinZip) and double-click on "map.0.properties" to edit it.

  • Delete existing text and replace it with custom properties for mapping. Save the file as "map.0.properties".

These steps ensure that your connector is properly set up in Logger, allowing effective event input/output management.

The next procedure covers how to upload, map, and configure file updates for a Syslog connector within a specific container in a Logger system. The steps are: download and update the zip file containing the mapping files, add the updated files to the existing archive, delete the old connector file, upload the new zip file as a repository, configure the connector to reload custom map files, and finally create filters based on source zone URI for proper message routing. In summary:

1. **Create Filters:**

  • For "CustomerA," create a filter named "CustomerA-Restrict" by entering a query that matches its criteria and saving it.

  • Repeat this process for "CustomerB," creating a filter named "CustomerB-Restrict."

2. **Create Groups:**

  • Navigate to "System Admin" > "Manage Groups".

  • Add a new user group, selecting "Logger Rights" and naming the group "CustomerA". Set granular permissions for "Filters," "Search Filters," and "Saved Search" to "Yes."

  • Repeat these steps to create another group named "CustomerB" with similar settings.

3. **Create Users:**

  • Go to "System Admin" > "Manage Users", then click "Add User".

  • Fill in the user details for "UserA" and save the user after providing necessary information (login: UserA).

This procedure sets up permissions and filters tailored to each customer in Logger, ensuring that users with access can manage and search the data relevant to them.

The next part sets up user accounts and assigns search filters in Logger so that data access is governed by customer group. Step by step:

1. **Create Users:**

  • Log into the system as an administrator.

  • Create UserA with credentials: Login (UserA), First Name (User), Last Name (A), Password (arcsight), Email (usera@customer.com), Phone Number (555-555-5555). Assign Logger Rights Group to CustomerA and Logger Search Group to CustomerA.

  • Create UserB with similar credentials but assign Logger Rights Group to CustomerB and Logger Search Group to CustomerB.

2. **Assign Search Group Filters:**

  • Navigate to Configuration/Settings > Filters.

  • Edit the “CustomerA-Restrict” filter, changing its type to “Search Group” and saving it.

  • Repeat for the “CustomerB-Restrict” filter.

  • In the Search Groups section, edit the “CustomerA” search group to assign the “CustomerA-Restrict” filter.

  • Similarly, edit the “CustomerB” search group to assign the “CustomerB-Restrict” filter.

3. **Testing:**

  • Log in as UserA and run a query from the Analyze/Search window. Ensure only Customer A data is displayed.

  • Repeat for UserB to ensure Customer B data is shown when logged in with UserB.

  • As an alternative to real data, use the Test Connector to generate test events for mapping.

This procedure ensures that each user has access restricted to their respective customer groups and verifies the functionality by running queries specific to those groups.
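As an added example that is not part of the original post, the following Python script simulates the segregation test above offline: it parses a constructed map.0.properties (assuming the SmartConnector map-file layout of a header row naming a getter column, event.*, and a setter column, set.event.*), stamps constructed events with a customerURI based on the NAT address carried in deviceAddress, and checks that each group's restrict filter returns only its own customer's events even when both customers' internal hosts share the same private address. The customer URI values, the choice of deviceAddress as the NAT field, and the filter semantics are assumptions.

```python
import csv
import io

# Constructed map.0.properties; the NAT addresses are the ones in the
# procedure, the customer URI values are assumed.
MAP_FILE = """\
event.deviceAddress,set.event.customerURI
142.134.151.202,/All Customers/CustomerA
142.134.151.204,/All Customers/CustomerB
"""

# Constructed search-group filters keyed by Logger group name (assumes
# the "CustomerA-Restrict" filter matches on customerURI).
GROUP_FILTERS = {
    "CustomerA": "/All Customers/CustomerA",
    "CustomerB": "/All Customers/CustomerB",
}

def load_map(text):
    """Parse a map file into (setter field name, {getter value: setter value})."""
    rows = list(csv.reader(io.StringIO(text)))
    getter, setter = rows[0]
    if not (getter.startswith("event.") and setter.startswith("set.event.")):
        raise ValueError("unexpected map-file header: %r" % rows[0])
    return setter[len("set.event."):], {src: dst for src, dst in rows[1:]}

def enrich(events, map_text):
    """Stamp each event with the mapped value; an unmapped sender gets None."""
    field, table = load_map(map_text)
    return [dict(e, **{field: table.get(e["deviceAddress"])}) for e in events]

def search_as(group, events):
    """Apply the group's restrict filter, as Logger does for a search group."""
    want = GROUP_FILTERS[group]
    return [e for e in events if e.get("customerURI") == want]

# Constructed events: both customers' internal hosts share 10.0.0.5, so
# only the NAT address (deviceAddress) tells them apart.
EVENTS = [
    {"deviceAddress": "142.134.151.202", "sourceAddress": "10.0.0.5", "msg": "A login"},
    {"deviceAddress": "142.134.151.204", "sourceAddress": "10.0.0.5", "msg": "B login"},
    {"deviceAddress": "192.0.2.9", "sourceAddress": "10.0.0.5", "msg": "unmapped"},
]

def segregation_ok():
    """True when each group sees only its own events and nothing unmapped."""
    enriched = enrich(EVENTS, MAP_FILE)
    a = [e["msg"] for e in search_as("CustomerA", enriched)]
    b = [e["msg"] for e in search_as("CustomerB", enriched)]
    return a == ["A login"] and b == ["B login"]
```

An event whose sender is not in the map file gets no customerURI and therefore matches neither group's filter, which is the safe default to verify for in the Testing step.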

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
