
Bit9 Security Platform 7.2.1 CEF Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The document is the CEF connector guide for Bit9 Security Platform 7.2.1, an application-whitelisting product for Windows endpoints and servers. It explains how the Bit9 server emits its events as syslog messages in HP ArcSight Common Event Format (CEF) and how Bit9's vendor-specific event definitions are mapped onto ArcSight data fields by the Bit9 SmartConnector, so that execution blocks, approvals, bans, policy changes and alerts can be correlated in ArcSight. Key points:

  • **Event numbers**: every Bit9 event type has a numeric ID that becomes the CEF signature ID. Numbers above 1000 mark lifecycle events for entities such as publishers, files, devices and certificates (additions and modifications). Numbers 1100 to 1111 cover alert management: alerts created, deleted, modified or triggered, for example on a malicious file or a deviation from a baseline.

  • **Data fields** carried in the CEF extension (ArcSight field name in parentheses):
    - **File hash** (fileHash): SHA-256 of the file that generated the event.
    - **Process** (deviceProcessName): the process associated with the event, with its full path where available.
    - **Root Hash** (deviceCustomString1): hash of the root version of the file involved.
    - **Installer Filename** (deviceCustomString2): the installer that wrote the file, when the file was installed or updated.
    - **Bit9 Policy** (deviceCustomString3): the Bit9 policy applied to the machine where the event occurred.
    - **Ban name** (deviceCustomString4): the ban under which a file was blocked.
    - **Rule name** (deviceCustomString5): the rule that triggered the event.
    - **Updater name** (deviceCustomString6): the updater that performed the change.
    - **Indicator Name** (reason): the threat indicator linked to the file or process.
    - **Process Key** (sourceProcessName): a key identifying this process instance on a specific machine.
    - **File Trust** (deviceCustomFloatingPoint1): Software Reputation Service trust rating for the file, -2 (pending) or 0 to 10 (highest trust).
    - **File Threat** (flexString1): threat level for the file: Unknown, 0 (no threat), 1 (potential risk) or 2 (malicious).
    - **Process Trust** (deviceCustomFloatingPoint2) and **Process Threat** (flexString2): the same ratings for the executing process.

  • **Purpose**: the event stream shows how Bit9 monitors endpoints, blocks or reports untrusted changes and records approvals. Mapping it onto standard ArcSight fields is what lets ArcSight correlation rules, reports and dashboards use it for risk assessment and policy-compliance monitoring.

Details:

The "CEF Connector Configuration Guide" is provided for informational purposes and its content may change without notice. It explains how to set up the HP ArcSight CEF connector so that it receives Bit9 events in HP ArcSight Common Event Format (CEF); events in this format are interpreted correctly by the ArcSight product and can be used in correlation rules, reports and dashboards. The guide belongs to the documentation set for Bit9 Security Platform 7.2.1; its revision history runs from May 2012 to May 2015 and records the connector's certification status with HP Enterprise Security over that period. For issues the ArcSight team cannot resolve, the guide directs readers to Bit9 Customer Support:

  • Phone: 877-248-9098

  • Email:

For customer issues specific to the HP ArcSight integration with Bit9 Parity (the platform's earlier name), the guide likewise directs users to Bit9 support, which is the path for troubleshooting the integration. The Bit9 Security Platform for ArcSight ESM protects Windows systems from unauthorized change and from threats. It supports Bit9 versions from 6.0.1 onward and delivers real-time application whitelisting, software reputation services, and monitoring of unauthorized changes in the ArcSight console through a CEF-based ArcSight connector. Key features include:

  • Automated software approvals

  • Device control

  • Registry protection

  • Memory protection

  • File system protection

  • File integrity monitoring

To integrate Bit9 Security Platform with ArcSight, set the syslog server address and port in the Bit9 Console, change the syslog format to CEF (ArcSight), enable the syslog option, and click Update to apply the changes. Once enabled, each Bit9 event is sent with its unique event ID, including server-side events such as Server shutdown, Server restart, or Database server reached specified limit, and appears in the ArcSight console. This is where you verify that only authorized software changes are taking place on endpoints and servers.

The guide then lists every event number with a one-line description of what has occurred. The server and agent events include database verification errors, server backup stops, upgrade successes and failures, SSL certificate issues, memory rule changes, registry rule modifications, communication errors, Software Reputation Service connections, reporter operations, notifier actions, file analysis requests, network connector status, and more. The list is the reference for interpreting an event ID seen in ArcSight when debugging or monitoring the Bit9 platform.

Events 178 to 455 cover system management and user activity: connector health changes (178-184), network connector modifications and interactions (185-186), file inventory deletions (187), rule export (200), console logins and logouts (300-301), creation, deletion and modification of users and groups (302-308), addition and removal of computers (400-401), agent restarts and policy changes (405-408), synchronization events (410-411), errors and alerts (431-449), and other administrative actions. The guide's remaining entries, from 456 onward, are:

  • **456**: Resend all policy rules request

  • **457**: Agent health check request

  • **458**: Carbon Black sensor status

  • **459**: Computer registered

  • **600**: Policy created

  • **601**: Policy deleted

  • **602**: Policy modified

  • **603**: Install package created

  • **604**: AD rules changed

  • **605**: AD rules loaded

  • **606**: Policy file tracking disabled

  • **607**: Policy file tracking enabled

  • **608**: Trusted directory check

  • **609**: Trusted directory scan

  • **611**: File properties modified

  • **613**: Trusted directory created

  • **614**: Trusted directory modified

  • **615**: Trusted directory deleted

  • **616**: Trusted User added

  • **617**: Trusted User deleted

  • **618**: Publisher approval created

  • **619**: Publisher approval removed

  • **620**: Updater enabled

  • **621**: Updater disabled

  • **623**: File local approval

  • **625**: File remove local approval

  • **626**: Trusted directory import

  • **627**: File approval created

  • **628**: File approval modified

  • **629**: File approval deleted

  • **630**: Publisher modified

  • **632**: Meter created

  • **633**: Meter deleted

  • **634**: Meter modified

  • **635**: File ban created

  • **636**: File ban modified

  • **637**: File ban deleted

  • **638**: Custom rule created

  • **639**: Custom rule modified

  • **640**: Custom rule deleted

  • **641**: Device rule created

  • **642**: Device rule deleted

  • **643**: Device rule modified

  • **644**: Approval request created

  • **645**: Approval request opened

  • **646**: Approval request closed

  • **647**: Script rule created

  • **648**: Script rule deleted

  • **649**: Script rule modified

  • **650**: Justification Created

  • **651**: Certificate approval created

  • **652**: Certificate approval modified

  • **653**: Certificate approval deleted

  • **654**: Certificate ban created

  • **655**: Certificate ban modified

  • **656**: Certificate ban deleted

  • **657**: Publisher ban created

  • **659**: Publisher ban deleted

  • **660**: File approved (certificate)

  • **800**: Tamper protection blocked

  • **801**: Execution block (unapproved file)

  • **802**: Execution block (banned file)

  • **803**: Report execution block

  • **804**: Execution block (still analyzing)

  • **805**: Execution block (network file)

  • **806**: Execution block (custom rule)

  • **807**: Report execution (custom rule)

  • **808**: Write block (custom rule)

  • **809**: Report write (custom rule)

  • **810**: File approved (trusted user)

  • **811**: File approved (updater)

  • **812**: File approved (publisher)

  • **813**: File approved (local approval)

These entries are the audit trail of policy enforcement on the endpoint: file execution, write attempts, memory access, registry rules, tamper protection and the approval decisions that follow. Each number identifies one action the agent took or one state it observed, from blocking an unapproved or banned file to merely reporting an activity that needs a lower level of attention. Further points:

  • Events 814 to 848 cover execution decisions based on user trust level, write restrictions for removable media and the registry, access controls for memory and file storage, tamper protection, custom-rule approvals (for unapproved or trusted files), and report-only variants for suspicious activity such as unauthorized processes or malicious content.

  • The 800 series is the one to build detections on: these are the enforcement and reporting events the agent generates when it observes a potential threat or a deviation from policy.

  • Numbers above 1000 mark the addition of new entities (publishers, files, devices) or modifications to certificates: lifecycle events such as onboarding a system or updating a credential.

  • Events 1100 to 1111 are alert management: alerts created, deleted, modified or triggered on the detection of a risk such as a malicious file or a deviation from baseline security settings.

This log is the record of how Bit9 monitors its environment and responds to threats, enforcing integrity and the configured security policies. The guide then shows how Bit9's vendor-specific event definitions are mapped to ArcSight data fields by Bit9's SmartConnector. Standard ArcSight fields receive the device vendor, product and version, the unique event type (the signature ID, which is the Bit9 event number), severity, timestamp, IP address, hostname, username, file ID, full path and filename; the Bit9-specific attributes go into the custom fields listed below. Mapping to standard fields is what lets ArcSight correlate Bit9 events with events from other sources. The fields and their meanings:

1. **File hash** (fileHash): SHA-256 of the file generating the event. Fields marked with an asterisk (*) in the guide are not present in every event of a given type.
2. **Process** (deviceProcessName): the process creating the event, including its full path where available.
3. **Root Hash** (deviceCustomString1): hash of the root version of the file generating the event.
4. **Installer Filename** (deviceCustomString2): the installer that wrote the file, relevant when the file was installed or updated during the event.
5. **Bit9 Policy** (deviceCustomString3): the Bit9 policy enforced on the machine generating the event.
6. **Ban name** (deviceCustomString4): the ban under which a file was blocked.
7. **Rule name** (deviceCustomString5): the rule that triggered the event.
8. **Updater name** (deviceCustomString6): the updater process associated with the event, where one was involved in changing files or software.
9. **Indicator Name** (reason): the threat indicator linked to the event, present when an active indicator applies to the file or process.
10. **Process Key** (sourceProcessName): a key unique to this process instance on a particular computer, used for tracking within Bit9.
11. **File Trust** (deviceCustomFloatingPoint1): the trust level the Bit9 Software Reputation Service (SRS) assigns to the file, a floating-point value: -2 while the rating is pending, otherwise 0 through 10 (highest trust).
12. **File Threat** (flexString1): the SRS threat level for the file: Unknown (evaluation pending), 0 (no threat), 1 (potential risk) or 2 (malicious).
13. **Process Trust** (deviceCustomFloatingPoint2): the same trust rating for the executing process, -2 to 10.
14. **Process Threat** (flexString2): the same threat levels (Unknown, 0, 1, 2) for the executing process.

When writing correlation rules on these fields, treat File Trust -2 and File Threat Unknown as "not yet rated" rather than as safe: a block of a file with a pending rating calls for a different response than a block of a file SRS already rates Malicious (2), and an approval event (810-813) for a file rated Malicious is the case that most deserves an alert.
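As an added example that is not part of the guide or of Bit9's own tooling, here is a Python parser for CEF lines shaped like the Bit9 events described above (the configuration section and the field mapping), with a small triage routine that uses the signature IDs from the event list and the SRS trust/threat fields. It assumes the standard ArcSight CEF extension key abbreviations (fileHash, deviceProcessName, cs1..cs6 with csNLabel, cfp1/cfp2 with cfpNLabel, flexString1/2 with flexStringNLabel) and a header of Bit9|Security Platform; the sample lines, hostnames, policy and ban names and the placeholder hashes are constructed, not real Bit9 output. CEF escapes `|` in header fields and `\`, `=` and newlines in extension values with a backslash, which is why the header is walked character by character instead of split on `|`.

```python
import re
from dataclasses import dataclass, field

# Bit9 event numbers (CEF signature IDs) taken from the event list on this page.
TAMPER_BLOCK = 800
EXECUTION_BLOCKS = {801: "unapproved file", 802: "banned file", 804: "still analyzing",
                    805: "network file", 806: "custom rule"}
FILE_APPROVALS = {810: "trusted user", 811: "updater", 812: "publisher", 813: "local approval"}
THREAT_MALICIOUS = "2"   # File/Process Threat: Unknown, 0 none, 1 potential risk, 2 malicious
TRUST_PENDING = -2.0     # File/Process Trust: -2 pending, otherwise 0 .. 10 (highest trust)


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature_id: int
    name: str
    severity: str
    ext: dict = field(default_factory=dict)

    def labelled(self, label):
        """Value of the custom field whose csNLabel/cfpNLabel/flexStringNLabel equals label."""
        for key, val in self.ext.items():
            if key.endswith("Label") and val == label:
                return self.ext.get(key[:-len("Label")])
        return None


def _unescape(s):
    # CEF extension escapes: \\ -> \, \= -> =, \n / \r -> newline / carriage return
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(line):
    """Return the 7 header fields and the extension text; honours \\| and \\\\ in the header."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped pipe or backslash
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a complete CEF header: %r" % line[:40])
    return parts, line[i:]


# A key is a run of key characters followed by '=' at the start or after whitespace;
# an escaped '\=' inside a value does not match because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _parse_extension(ext):
    """Values may contain spaces, so slice between successive key positions."""
    out, hits = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line):
    hdr, ext = _split_header(line.rstrip("\r\n"))
    return CefEvent(hdr[1], hdr[2], hdr[3], int(hdr[4]), hdr[5], hdr[6], _parse_extension(ext))


def triage(ev):
    """Return (priority, reason) from the event number and the SRS trust/threat fields."""
    threat = ev.labelled("File Threat")
    try:
        trust = float(ev.labelled("File Trust"))
    except (TypeError, ValueError):
        trust = None                      # field absent: not the same as trusted
    if ev.signature_id == TAMPER_BLOCK:
        return "high", "agent tamper attempt blocked"
    if ev.signature_id in FILE_APPROVALS and threat == THREAT_MALICIOUS:
        # The file will now run unchallenged wherever the approval applies.
        return "critical", "SRS-Malicious file approved via %s" % FILE_APPROVALS[ev.signature_id]
    if ev.signature_id in EXECUTION_BLOCKS:
        how = EXECUTION_BLOCKS[ev.signature_id]
        if threat == THREAT_MALICIOUS:
            return "high", "blocked execution of SRS-Malicious file (%s)" % how
        if trust == TRUST_PENDING or threat in (None, "Unknown"):
            return "medium", "blocked execution, reputation pending (%s)" % how
        return "low", "blocked execution (%s)" % how
    return "info", ev.name


def triage_lines(lines):
    return [(ev.signature_id,) + triage(ev) for ev in map(parse_cef, lines)]


_HASH = "0123456789abcdef" * 4   # placeholder SHA-256 hex digest for the constructed samples
SAMPLE_LINES = [  # constructed for this example, not real Bit9 output; \\ is a CEF-escaped backslash
    rf"CEF:0|Bit9|Security Platform|7.2.1|802|Execution block (banned file)|8|"
    rf"dvchost=WS01 suser=CORP\\alice fname=tool.exe filePath=C:\\Users\\alice\\Downloads\\tool.exe "
    rf"fileHash={_HASH} deviceProcessName=C:\\Windows\\explorer.exe cs3Label=Bit9 Policy cs3=Default Policy "
    rf"cs4Label=Ban name cs4=Block hacking tools cfp1Label=File Trust cfp1=0 "
    rf"flexString1Label=File Threat flexString1=2 cfp2Label=Process Trust cfp2=10",
    rf"CEF:0|Bit9|Security Platform|7.2.1|811|File approved (updater)|4|"
    rf"dvchost=SRV07 fname=helper.dll filePath=C:\\ProgramData\\Vendor\\helper.dll fileHash={_HASH} "
    rf"cs3Label=Bit9 Policy cs3=Servers cs6Label=Updater name cs6=Vendor Updater "
    rf"cfp1Label=File Trust cfp1=0 flexString1Label=File Threat flexString1=2",
    rf"CEF:0|Bit9|Security Platform|7.2.1|801|Execution block (unapproved file)|5|"
    rf"dvchost=WS02 suser=CORP\\bob fname=setup.exe filePath=D:\\setup.exe fileHash={_HASH} "
    rf"cs3Label=Bit9 Policy cs3=Default Policy cfp1Label=File Trust cfp1=-2 "
    rf"flexString1Label=File Threat flexString1=Unknown",
    r"CEF:0|Bit9|Security Platform|7.2.1|300|User console login|2|suser=admin dvchost=BIT9SRV",
]

if __name__ == "__main__":
    for sig, prio, why in triage_lines(SAMPLE_LINES):
        print(f"{sig:>4} {prio:<8} {why}")
```

Feed it real lines by reading them from the syslog file the ArcSight connector writes or from a socket; the priority ladder is deliberately keyed on the event number first and the SRS fields second, so a missing cfp1 or flexString1 degrades to "pending" rather than silently becoming "low".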

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, leave a message and it will be responded to.
