
CPPM TechNote: Network Threat Detection with SIEM Integration

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 14 min read

Summary:

```json
{
  "constructing_the_request": {
    "description": "The setEndpoint function constructs a URL and headers for the API request, then retrieves the existing XML representation of the endpoint using another internal function getEndpoint(mac). It parses this XML to find or create the 'EndpointTags' element where new attributes can be added."
  },
  "updating_or_adding_attributes": {
    "description": "The code iterates through the parsed XML to check for the existence of the specified attribute in 'EndpointTags'. If found, it updates its value; otherwise, it creates a new 'EndpointTags' element with the given attribute and value."
  },
  "sending_the_request": {
    "description": "After constructing the updated XML payload, the function sends this data back to the API using callAPI(REALM, URL, HEADER, CONTENT). If the response code is not 200 (indicating a successful request), it prints an error message and terminates the program."
  },
  "sending_coa_profile": {
    "description": "The final part of the snippet outlines a function sendCOA(mac, profile_name) which sends a CoA profile to the device associated with the given MAC address."
  }
}
```

Details:

This document provides a guide for integrating ClearPass Policy Manager (CPPM) with network threat detection systems, specifically ArcSight Enterprise Security Manager (ESM). The integration collects security event data from firewalls and other third-party threat detection systems. Key topics covered include firewall syslog configuration, AESM (Advanced Enterprise Security Manager) configuration, field set configuration, filter configuration, rule configuration, and more. A version history records dates and contributor names, and appendices provide additional information and configurations referenced in the main text. The document also lists a series of figures and their descriptions relating to the integration between ClearPass (an Aruba product, now part of HP Enterprise) and ArcSight ESM, with a focus on creating new rule sets in ArcSight ESM to filter and analyze network threats detected by ClearPass. The introduction states that this technical note is about integrating CPPM with ArcSight ESM for detecting network threats, and that it will likely go through multiple iterations as feedback arrives and the technology changes. The figures referenced include:

  • Figure 3: CEF Threat Syslog Format - Described as a placeholder indicating where information about the format of messages from a third-party network threat detection system might be found.

  • Figure 4: Setting CPPM FQDN & Admin Password in Python script - Indicates how to configure the FQDN (Fully Qualified Domain Name) and admin password for ClearPass in a Python script used for integration with ArcSight ESM.

  • Figure 5: Script arguments detail - Provides detailed information about the arguments that need to be set when running the script mentioned in Figure 4, focusing on enabling Syslog forwarding from CPPM to ArcSight ESM.

  • Figure 6 through Figure 14: These figures seem to cover specific steps and configurations within ArcSight ESM for creating rules to filter and manage threats detected by ClearPass. This includes setting up a new field set, defining fields, selecting required CEF Key Value Pair (KVP) fields, creating filters, naming rules, setting conditional matches, building rule actions, etc.

Each figure is intended to help configure the integration between ClearPass and ArcSight ESM for better threat detection and management within the network security infrastructure.

The document describes the configuration of the Advanced Enterprise Security Manager (AESM) as part of an enterprise security management framework, emphasizing its integration with several firewall vendors and with CPPM. AESM is designed to configure firewalls with syslog settings that detect network threats and report them to a SIEM system. The document covers specific configurations for Palo Alto Networks, CheckPoint, Juniper SRX, and Fortinet firewalls. Key features of AESM include:

1. Syslog Configuration: Detailed instructions for configuring syslog on Palo Alto Networks, CheckPoint, Juniper SRX, and Fortinet firewalls, setting up triggers that alert the SIEM about malicious activity.

2. AESM Syslog Trigger: AESM uses CPPM's inbound XML APIs to dynamically update endpoint attributes and trigger a Change of Authorization (CoA), which forces devices to re-authenticate and typically disconnects them from the network until they are authenticated again. Endpoints with an unresolved threat status are isolated in a VLAN or have their network access restricted.

3. Integration: AESM integrates with CPPM through multiple touchpoints, so new firewalls or additional functionality can be added as required.

4. Syslog Parsing: Detailed steps for creating the field sets, filters, and rules needed to parse syslog data from the various firewall configurations.

5. Deployment Notes: The document assumes that AESM has already been deployed; it covers configuring existing systems, not deploying or updating AESM itself.

6. Technical Implementation Details: AESM uses Python scripts to manage the XML API calls between AESM and CPPM, discussed later in the document. These details show how real-time threat status updates and network access controls are managed within the enterprise environment.

In summary, the document is a guide to configuring AESM and integrating it with firewall systems so that threats are detected through syslog configuration and handled through dynamic network access control based on endpoint threat status.

The document also covers CPPM integration with ArcSight ESM and Palo Alto Networks (PANW) firewall syslog configuration for network security in a corporate environment. When malicious data is detected on the network, CPPM orchestrates the isolation of infected devices and users through compatible switches and wireless LAN controllers, triggers updates to inform the relevant parties about the incident, and suggests remedies. The PANW firewall can send five types of syslog, each a comma-separated value (CSV) string of fields for easier parsing. The document uses the syslog settings for threat logs on the PANW firewall as the example of how to set up the integration between CPPM and ArcSight ESM; the setup is not exhaustive but serves as a template for further customization.

The text then explains how to set up and customize the syslog server for integration with external log parsing systems. It starts with the basic syslog server setup: transport protocol (UDP/TCP), port number, format, and facility. It then customizes the log format for better integration with external systems such as ArcSight by replacing the default CSV formatting with a CEF message format tailored for threat logs. This involves adding or modifying key-value pairs such as subtype, type, severity, source IP (src), destination IP (dst), and other fields covering network traffic, user details, application information, and security event data. The customized CEF syslog message format is shown in full, listing every attribute a threat log entry can carry, so that threat logs from Palo Alto Networks devices can be mapped and parsed into ArcSight for analysis and incident management; Figure 3 lists the complete customized format.

The note then turns to integrating CPPM with ArcSight Enterprise Security Manager (ESM) in a PANW environment, specifically configuring AESM to consume the structured CEF syslog messages, and stresses that correct formatting and configuration are needed for the two systems to work together.
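As an added example (not code from the tech note or from the arcsight_block.py script it describes), the following Python parses a CEF threat message in the customized PANW format and derives the five arguments the script takes; the sample message, the extension key names subtype/type/severity/src/dst/direction and the use of cs1 for the threat name are assumptions constructed for the demonstration.

```python
"""Parse a customised PANW CEF threat message into arcsight_block.py arguments.

Added example, not code from the tech note. The sample message is constructed;
its extension keys mirror the KVPs the note lists and cs1 is assumed to carry
the threat name.
"""
import ipaddress
import re

# Constructed sample threat message (not a real capture).
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|7.0.0|vulnerability|THREAT|3|"
    "rt=Apr 08 2025 10:15:00 src=10.1.20.15 dst=198.51.100.7 spt=51234 dpt=443 "
    "proto=tcp subtype=vulnerability type=THREAT severity=high "
    "cs1=Sample\\=Exploit\\\\Name direction=client-to-server act=alert"
)
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # start of an extension key
_ESCAPE = re.compile(r"\\(.)")                       # \= \\ \n \r inside values
_FORBIDDEN = re.compile(r"[;&|`$<>\n\r]")            # unsafe on a command line

def _split_header(line):
    """Return the seven pipe-delimited header fields and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])   # escaped pipe or backslash inside a field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 message with seven header fields")
    return fields, line[i:]

def _unescape(value):
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}} for one CEF line."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    keys = list(_KEY.finditer(ext))
    extension = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return {"header": dict(zip(HEADER_NAMES, fields)), "extension": extension}

def script_args(event):
    """Map a parsed threat event onto the five arguments the script expects.

    The rule's Execute Command hands these values to the script on the command
    line, so addresses are validated and shell metacharacters rejected first.
    """
    ext = event["extension"]
    for key in ("src", "dst"):
        ipaddress.ip_address(ext[key])   # ValueError on a malformed address
    args = {
        "AttackerAddress": ext["src"],
        "TargetAddress": ext["dst"],
        "ThreatCategory": ext.get("subtype") or event["header"]["signature_id"],
        "ThreatName": ext.get("cs1") or event["header"]["name"],
        "Direction": ext.get("direction", ""),
    }
    if args["Direction"] not in ("client-to-server", "server-to-client"):
        raise ValueError("unexpected direction: %r" % args["Direction"])
    for name, value in args.items():
        if _FORBIDDEN.search(value):
            raise ValueError("unsafe characters in %s" % name)
    return args
```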
The document outlines how to set up AESM on a Red Hat Linux system by creating a Python script file called "arcsight_block.py" in the $ARCSIGHT_HOME/scripts directory, adjusted as needed for testing and functionality. $ARCSIGHT_HOME is typically /opt/arcsight but may vary with the installation. Guidance is also given on adjusting file parameters for compatibility and proper functioning. Note that the document does not cover syslog configuration for other third-party firewalls or threat detection systems; that will be added at a later date.

The text then describes configuring field sets within Aruba's ClearPass (CPPM) to integrate with ArcSight Enterprise Security Manager (ESM): creating a new field set in the ClearPass interface and defining specific fields from the list of available CEF key-value pairs. In summary:

1. **Accessing Field Sets**: Open the 'Field Sets' section in ClearPass from the drop-down menu, then right-click to create a new field set.

2. **Naming the Field Set**: Give the new field set a name.

3. **Defining Fields**: On the 'Fields' tab of the Inspect/Edit frame, use the search function to find and select the required fields from the list of available CEF key-value pairs. These fields carry the Common Event Format (CEF) data used for security information management.

4. **Configuration Details**: The fields are chosen from the entire list of defined CEF KVPs, so the information relevant to the threat or event being managed can be selected.

The integration aims to make security monitoring more efficient and effective by letting ClearPass (CPPM) share data with ArcSight ESM, so that threats can be analyzed and responded to based on specific CEF fields.

The article then gives a technical guide for configuring filters and rules within Aruba's ClearPass 6.x system to integrate with ArcSight Enterprise Security Manager (ESM). The summarized steps are:

1. **Creating a Filter:**

  • Navigate to 'Filters' in the ClearPass interface, right-click to create a new filter, and name it.

  • In the filter configuration, add a condition for 'event1' using logical operators. This will help limit the data displayed in active channels by setting specific criteria.

2. **Building the Filter:**

  • Click on 'event1' and set up conditions within the Inspect/Edit frame to narrow down the events as needed.

3. **Creating a Rule:**

  • From the Navigator, select 'Rules', right-click to create a new rule, and provide it with a name.

  • On the 'Conditions' tab, set a condition named "THREAT" and apply it. Under the 'Aggregation' tab, add relevant fields and configure the number of matches and time frame based on your environment. This helps in triggering actions for each threat recorded or aggregated as per the detected type.

4. **Setting Actions:**

  • Define actions based on the conditions set in the rule configuration to ensure appropriate responses are triggered according to specified criteria.

This guide is part of a technical note titled "CPPM Integration with ArcSight ESM" and helps users configure their ClearPass 6.x system for integration with ArcSight ESM, so that alerts and actions respond to security threats as defined by the rule conditions set up in this process.

The note then describes setting up a rule in Aruba's ClearPass Policy Manager (CPPM) to integrate with ArcSight ESM. Specific settings must be configured in CPPM: disable the 'On First Event' option and enable 'On Every Event', then add an 'Execute Command' action and configure it appropriately. Setting up an 'Event Field Action' is also recommended for better event summarization. The note also details the CEF syslog message format used by Palo Alto Networks devices, including subtype, type, rule, virtual system, source and destination zones, application, session ID, ports, protocol, action, bytes, packets, and elapsed time; this information is needed to configure the CPPM integration with ArcSight ESM correctly for accurate log analysis and threat detection.

The note (from Aruba, an HP Enterprise Company) also gives the log format details for the CPPM (ClearPass Policy Manager) integration with ArcSight ESM (Enterprise Security Manager). The interface uses the CEF format and includes fields such as LogProfile, SessionID, Virtual System, and more. The log format has optional fields for detailed logs: Before Change Detail, After Change Detail, Flags, Direction, URL Category, Threat ID, File Path, File ID, and File Hash. The system match log format includes module information, event ID, operating system details, and more. This configuration is intended for PAN-OS 6.0.0 and later versions of the Palo Alto Networks firewall.

The note then discusses the Python script that handles endpoint updates and Change of Authorization (CoA) in response to threat notifications from a Palo Alto firewall. The script, `arcsight_block.py`, processes threat syslog messages that originate from Palo Alto firewalls. It takes five arguments: the attacker's IP address (`AttackerAddress`), the target's IP address (`TargetAddress`), the threat category (`ThreatCategory`), the name of the threat triggered (`ThreatName`), and the direction of traffic flow (`Direction`). The script works as follows:

1. Reads the input arguments to identify the details of the threat event.

2. Retrieves the MAC address associated with the attacker IP address.

3. Updates the endpoint's attributes based on the detected threat category and name.

4. Initiates a CoA to quarantine the affected device in response to the threat detection.

The script performs minimal error checking, so if something goes wrong during execution it may be hard to diagnose. It is intended to run alongside the other external scripts in the ArcSight setup, from the location specified by `$ARCSIGHT_HOME/scripts`.

The technical note thus serves as a guide to using CPPM with ArcSight ESM to manage network security, including real-time threat detection and automated responses such as endpoint updates and CoA.

The script interacts with a CPPM device via its API to retrieve information about network devices from their MAC or IP addresses. Its key components:

1. **Configuration Constants**: The IP address and login credentials for the CPPM system, the default threat status and severity settings, and the CoA profiles for specific devices (Aruba and HP enterprise endpoints).

2. **API Call Function (`callAPI`)**: Handles authentication and makes GET or POST requests to the CPPM API with the provided parameters. It supports basic HTTP authentication and can return data in JSON format; on error it captures the status code and any additional information.

3. **MAC Address Retrieval (`getMAC`)**: Queries CPPM for the MAC address of a device from its IP address via the `/async_netd/deviceprofiler/endpoints/{ip}` endpoint. It builds a request with the appropriate headers, handles errors, and exits if the MAC cannot be retrieved.

4. **Device Information Retrieval (`getEndpoint`)**: Uses the MAC address from `getMAC` to query CPPM for detailed device information, sending a POST request to `/tipsapi/config/read/Endpoint` with the appropriate headers and content type and parsing the JSON or XML response.

5. **Output**: Writes debug information to `/opt/arcsight/scripts/arcsight_block_debug.txt`, appending rather than overwriting, for logging and debugging during script execution.

6. **General Usage Context**: The script is meant for integration with ArcSight ESM, blocking or otherwise handling devices based on their threat status, severity, and type. It assumes familiarity with the CPPM API endpoints and authentication mechanisms and with the specific ClearPass Policy Manager setup; adjustments may be needed for different IP addresses, network environments, or requirements.

The code that follows manages network endpoints by MAC address: it retrieves the endpoint data for the MAC, checks whether a given attribute exists in the endpoint's tags, updates or adds it, and, on success, sends a CoA (Change of Authorization) profile to the device with that MAC address. Part by part:

1. **Making an API Request**: `setEndpoint(mac, attribute, value)` constructs and sends an XML request that updates or adds the attribute `attribute` on the endpoint with MAC address `mac`; it first checks whether the attribute already exists in the endpoint's tags and adds it if not.

2. **Constructing the Request**: `setEndpoint` builds the URL and headers for the API request, retrieves the existing XML representation of the endpoint with `getEndpoint(mac)`, and parses that XML to find or create the 'EndpointTags' element where new attributes can be added.

3. **Updating or Adding Attributes**: The code iterates through the parsed XML looking for the specified attribute in 'EndpointTags'. If found, its value is updated; otherwise a new 'EndpointTags' element with the given attribute and value is created.

4. **Sending the Request**: The updated XML payload is sent back to the API with `callAPI(REALM, URL, HEADER, CONTENT)`. If the response code is not 200 (success), an error message is printed and the program terminates.

5. **Sending CoA Profile**: Finally, `sendCOA(mac, profile_name)` sends a CoA profile to the device with the given MAC address; this function is not fully described in the provided text.

The code assumes that the API endpoint and its authentication details are correctly configured in `callAPI` and the related variables (`CPPM_IP`, etc.), and uses ElementTree (ET) for XML parsing and manipulation.

The remaining script code ties CPPM and ArcSight ESM together. A summarized breakdown of its functionality:

1. **Configuration**:

  • The script uses specific URLs, realms, headers, and content types for API communication.

  • It constructs JSON payloads containing details like profile name, MAC address, and other relevant information to interact with CPPM and ArcSight ESM.

2. **Arguments Handling**:

  • The script takes several command-line arguments such as attacker's IP, target's IP, threat category, threat ID, and direction (client-to-server or server-to-client).

  • It extracts these from `sys.argv` to use in further processing.

3. **MAC Address Retrieval**:

  • Based on the local IP address provided as an argument, it retrieves the MAC address of the client device using a function called `getMAC`.

4. **COA Profile Selection**:

  • The script determines which CoA (Change of Authorization) profile to use based on whether the threat name contains 'keep'. If it does, a specific HP CoA profile is selected; otherwise, an Aruba CoA profile is used.

5. **Error Handling**:

  • The script includes error handling mechanisms where if there are insufficient arguments provided or if API calls fail (non-200 status code), it prints relevant messages and exits gracefully using `sys.exit()`.

6. **Output**:

  • It also handles output by printing various debug statements, including the current time, script execution details, and error messages to a specified file or standard output.

This script is part of a larger integration between ClearPass CPPM and ArcSight ESM, aimed at managing network access based on detected threats and device characteristics.

The final script snippet sets endpoint attributes on ClearPass (from Aruba, part of HP Enterprise). Section by section:

1. **Printing Information**: The script first prints details about the endpoint, including its MAC address, local and remote IP addresses, threat category, name, severity, status, and CoA (Change of Authorization) profile, to the specified output file.

2. **Set Endpoint Attributes on ClearPass**: The script then uses `setEndpoint` and `sendCOA` to update the endpoint's attributes on the ClearPass platform:

  • It sets the threat category, name, severity, and status for the endpoint identified by its MAC address.

3. **Send CoA with Enforcement Profile**: The script sends a CoA message with the specified enforcement profile so that the endpoint is handled accordingly.

4. **Exit Script**: Finally, the script exits after performing these operations.

This script runs in a Python environment and uses `print` for output together with the custom functions `setEndpoint` and `sendCOA` to interact with ClearPass or another platform in HP Enterprise's network management portfolio.
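As an added example (not the tech note's script), this Python reproduces the update-or-add logic of setEndpoint on the EndpointTags XML, the threat category/name/severity/status tags the script sets, and the 'keep' rule above for choosing between the HP and Aruba CoA profiles. The TipsApi XML layout and namespace, the tag names, the profile names and the sample response are assumptions, and callAPI/getEndpoint/sendCOA are replaced by an inline XML document so it runs offline.

```python
"""Update ClearPass endpoint tags as setEndpoint does, then choose the CoA profile.

Added example, not the tech note's script. The TipsApi XML layout
(TipsContents/Endpoints/Endpoint/EndpointTags with tagName/tagValue attributes),
its namespace, the tag names and the profile names are assumed.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"   # assumed TipsApi namespace
ET.register_namespace("", NS)

# Stand-ins for the script's CoA profile constants (placeholder names).
COA_PROFILE_HP = "HP-Quarantine-Profile-PLACEHOLDER"
COA_PROFILE_ARUBA = "Aruba-Quarantine-Profile-PLACEHOLDER"

# Constructed stand-in for what getEndpoint(mac) returns (not a real CPPM response).
SAMPLE_ENDPOINT_XML = f"""<TipsContents xmlns="{NS}">
  <Endpoints>
    <Endpoint macAddress="001122334455" status="Known">
      <EndpointTags tagName="Threat Status" tagValue="Resolved"/>
    </Endpoint>
  </Endpoints>
</TipsContents>"""

def normalize_mac(mac):
    """Reduce 00:11:22:33:44:55 or 00-11-22-33-44-55 to the 12-hex-digit form."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def _find_endpoint(root, mac):
    # The MAC is validated first, so it is safe to place inside the XPath predicate.
    endpoint = root.find(".//{%s}Endpoint[@macAddress='%s']" % (NS, normalize_mac(mac)))
    if endpoint is None:
        raise LookupError("endpoint %s not in response" % mac)
    return endpoint

def get_endpoint_tags(endpoint_xml, mac):
    """Return the endpoint's tags as {tagName: tagValue}."""
    endpoint = _find_endpoint(ET.fromstring(endpoint_xml), mac)
    return {t.get("tagName"): t.get("tagValue")
            for t in endpoint.findall("{%s}EndpointTags" % NS)}

def set_endpoint_tag(endpoint_xml, mac, attribute, value):
    """Update the EndpointTags element named `attribute` or add one; return new XML.

    This is setEndpoint's update-or-add step; the script would POST the result
    back through callAPI and stop unless the response code is 200.
    """
    root = ET.fromstring(endpoint_xml)
    endpoint = _find_endpoint(root, mac)
    for tag in endpoint.findall("{%s}EndpointTags" % NS):
        if tag.get("tagName") == attribute:
            tag.set("tagValue", value)       # existing tag: update in place
            break
    else:
        ET.SubElement(endpoint, "{%s}EndpointTags" % NS,
                      tagName=attribute, tagValue=value)   # no such tag: add it
    return ET.tostring(root, encoding="unicode")

def choose_coa_profile(threat_name):
    """The script's rule: a threat name containing 'keep' selects the HP profile."""
    return COA_PROFILE_HP if "keep" in threat_name else COA_PROFILE_ARUBA

def apply_threat(endpoint_xml, mac, category, name, severity, status="Unresolved"):
    """Set the four tags the script sets and return (updated_xml, coa_profile)."""
    for attribute, value in (("Threat Category", category), ("Threat Name", name),
                             ("Threat Severity", severity), ("Threat Status", status)):
        endpoint_xml = set_endpoint_tag(endpoint_xml, mac, attribute, value)
    return endpoint_xml, choose_coa_profile(name)
```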

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
