ArcSight Use Case for IP Submission Privileged Logins
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This document outlines a method for identifying and alerting on privileged account usage during critical hours in an organization's IT infrastructure, built for ArcSight ESM version 5.0. The objective is to catch privileged logons that fall inside the restricted office-hours window, alert on them in near real time, and keep enough history to review past violations.
**Key Components of the Solution:**
1. **Use Case Description**: The customer has implemented strict controls around the use of privileged accounts during office hours to avoid disrupting operations for users who are online.
2. **Proposed Solution**: An ARB (ArcSight Resource Bundle) package will be developed that sets up rules and conditions within ArcSight ESM, triggering alerts when privileged users log in during office hours.
3. **Required Event Feeds**: Logon events from the monitored systems, including details about privileged users logging into those systems during office hours.
4. **Additional Requirements**: Local variables in the conditions and actions of the rules, plus sample alert and report outputs, so the solution can be understood and implemented effectively.
5. **Content Used**: Rules, conditions, aggregation and actions, local variables, a sample alert, queries, and reports to identify policy-violating logons and to provide historical analysis after an incident.
6. **ARB Package Instructions**: Steps for installing the ARB package are outlined for deployment and maintenance across the organization's IT infrastructure.
**Main Rule and Filters:** The main rule "Logons of privileged users at office hours" detects successful logins by privileged users during business hours (8AM-5PM) on weekdays. The window is expressed as conditions on the rule, so it can be adjusted to each customer's actual schedule. The rule matches logon events and applies additional filters to reduce false positives.
**Actions and Notifications:** When the rule fires it alerts via email, the console, or an active channel (for example, a privileged logon that lands inside the office-hours window). This identifies violations of the privileged-access policy as they happen and supports compliance reporting.
This solution is tailored for ArcSight ESM version 5.0 GA but should be adaptable to other versions as well.
Details:
The document outlines a use case for monitoring privileged user accounts during office hours in an organization's IT infrastructure, built for ArcSight ESM (Enterprise Security Manager) version 5.0. It alerts when such activity is detected and provides reporting to review past incidents.
**Use Case Description:**
The customer has implemented strict controls around the use of privileged accounts during office hours to avoid disrupting operations for users who are online. The goal is to identify any unauthorized use of these accounts, and any changes made through them, that could cause problems during the times when services are most active.
**Proposed Solution:**
To meet the requirements, an ARB (ArcSight Resource Bundle) package will be developed. It sets up rules and conditions within ArcSight ESM that trigger alerts when privileged users log in during office hours. The alert should notify the SOC (Security Operations Center) or NOC (Network Operations Center), and queries should allow past events, for example the previous week or month, to be reviewed for violations of the policy.
**Required Event Feeds:**
The use case requires logon event feeds from the monitored systems, including enough detail to tell which logons were made by privileged users and when they occurred.
**Additional Requirements:**
Apart from alerts and queries, the rules need local variables in their conditions and actions, and sample alert and report outputs are provided to help in understanding and implementing the solution.
**Details of the Content Used:**
**Rules:** These define the criteria for identifying logons by privileged users that fall inside the restricted office-hours window.
**Conditions:** Specific parameters that trigger the rule, such as a successful logon by a privileged account on a weekday inside office hours.
**Aggregation and Actions:** The rule aggregates matching events and takes predefined actions such as sending immediate notifications or triggering automated responses for the identified violations.
**Local Variables:** Values computed per event inside the rule, here the day of week and hour of day derived from the event's end time, which the conditions compare against the office-hours window.
**Sample Alert:** An example of what an alert looks like when a privileged user logs into a system during office hours, giving the details security personnel need for review.
**Queries and Reports:** Allow for historical analysis post-incident, helping in forensic investigations and compliance reporting.
**ARB Package Instructions:** Detailed steps on how to implement this ARB package are outlined within the document, ensuring smooth deployment and maintenance of the solution across the organization's IT infrastructure.
The document outlines a method for identifying and alerting on privileged account usage during critical hours in order to enhance security measures. It involves creating rules based on logon details from various devices and systems, such as network or security devices, Windows domains, and Unix servers.
The main rule, "Logons of privileged users at office hours," is designed to detect successful logins by privileged users during business hours (8AM-5PM) on weekdays. Because the window is expressed as rule conditions, it can be customized to each customer's schedule. The rule matches logon events and applies a detailed filter to minimize false positives; the filter can be tuned through exceptions or adjustments in the conditions.
The content package includes rules and filters that analyze the use of privileged accounts during the specified hours and alert via email, console, or an active channel when the criteria are met. This identifies violations of the privileged-access policy and supports compliance with it.
In ArcSight ESM terms, the setup consists of rules, queries, conditions, reports, and local variables that track logons of privileged users during office hours. The rule's action sets the name of the correlated event; further actions can be added based on customer requirements. The local variables are the day and hour taken from the event's end time. The queries select successful logins by privileged users on weekdays between 8AM and 6PM (the rule text above says 5PM; the window is a tunable condition and should be set to the customer's actual office hours). Reports on these logons use a standard table template. The setup is version-specific (ArcSight ESM 5.0 GA) but should be adaptable to other versions.
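The rule logic described above, re-implemented outside ArcSight as an added example (this is not code from the original content package). It normalizes a few constructed CEF-style logon events, derives the day of week and hour from the event end time the way the rule's local variables do, fires on successful logons by privileged accounts inside the weekday office-hours window, and provides a lookback query that stands in for the report. Field names follow ArcSight conventions (endTime, destinationUserName, categoryOutcome), but the parsing, the sample events and the privileged-user list are assumptions for this example.

```python
"""Added example: office-hours privileged-logon rule logic, outside ArcSight.

Assumptions (not from the original package): the key=value event format,
the sample events, and the hard-coded privileged-user list (in ESM this
would be an active list or a filter on the account names).
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed list of privileged accounts; compared case-insensitively because
# Windows account names are not case-sensitive.
PRIVILEGED_USERS = {"administrator", "root", "svc_backup"}

# Office-hours window: weekday, OFFICE_START <= hour < OFFICE_END.
# 17 is the 8AM-5PM variant; set OFFICE_END = 18 for 8AM-6PM.
OFFICE_START, OFFICE_END = 8, 17
WEEKDAYS = range(0, 5)  # Monday=0 .. Friday=4

# Constructed sample events in a minimal key=value form (April 2025:
# the 6th is a Sunday, the 8th a Tuesday, the 9th a Wednesday, the 10th a Thursday).
SAMPLE_EVENTS = [
    "endTime=2025-04-08T10:15:00Z destinationUserName=Administrator deviceVendor=Microsoft deviceEventClassId=4624 categoryOutcome=/Success",
    "endTime=2025-04-08T22:05:00Z destinationUserName=root deviceVendor=Unix deviceEventClassId=sshd categoryOutcome=/Success",
    "endTime=2025-04-06T11:30:00Z destinationUserName=root deviceVendor=Unix deviceEventClassId=sshd categoryOutcome=/Success",
    "endTime=2025-04-09T09:00:00Z destinationUserName=jdoe deviceVendor=Microsoft deviceEventClassId=4624 categoryOutcome=/Success",
    "endTime=2025-04-09T09:01:00Z destinationUserName=svc_backup deviceVendor=Microsoft deviceEventClassId=4625 categoryOutcome=/Failure",
    "endTime=2025-04-10T16:59:00Z destinationUserName=SVC_BACKUP deviceVendor=Microsoft deviceEventClassId=4624 categoryOutcome=/Success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse the UTC timestamp used in the sample events into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_event(line):
    """Split a key=value event line into a dict and parse its endTime."""
    ev = dict(KV_RE.findall(line))
    ev["endTime"] = parse_ts(ev["endTime"])
    return ev


def is_privileged(ev):
    return ev["destinationUserName"].lower() in PRIVILEGED_USERS


def in_office_hours(ts):
    """The rule's local variables: day and hour are taken from the event end time."""
    return ts.weekday() in WEEKDAYS and OFFICE_START <= ts.hour < OFFICE_END


def rule_matches(ev):
    """Rule condition: successful logon by a privileged user inside office hours."""
    return (ev["categoryOutcome"] == "/Success"
            and is_privileged(ev)
            and in_office_hours(ev["endTime"]))


def build_alert(ev):
    """Rule action: set the correlated event name and keep the fields an analyst needs."""
    return {
        "name": "Logons of privileged users at office hours",
        "user": ev["destinationUserName"],
        "endTime": ev["endTime"].isoformat(),
        "source": f'{ev["deviceVendor"]}/{ev["deviceEventClassId"]}',
    }


def run_rule(lines):
    """Real-time path: evaluate each event and return the alerts that fire."""
    return [build_alert(ev) for ev in map(parse_event, lines) if rule_matches(ev)]


def report(lines, now_str, lookback_days=7):
    """Query/report path: matching logons in the last N days, oldest first."""
    since = parse_ts(now_str) - timedelta(days=lookback_days)
    hits = [ev for ev in map(parse_event, lines)
            if rule_matches(ev) and ev["endTime"] >= since]
    return [build_alert(ev) for ev in sorted(hits, key=lambda e: e["endTime"])]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
    print("last 7 days:", len(report(SAMPLE_EVENTS, "2025-04-11T00:00:00Z")))
```

Of the six constructed events only two fire: the Tuesday-morning Administrator logon and the Thursday 16:59 SVC_BACKUP logon. The 22:05 root logon is outside the window, the Sunday root logon is on a weekend, jdoe is not privileged, and the svc_backup event is a failed logon. The case-insensitive account match matters because the same Windows account can appear as `svc_backup` and `SVC_BACKUP` in different feeds; an ESM filter that compares the raw string would miss one of them.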
