Current ArcSight Activate Content Packages for ESM v6.5c
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
The document outlines the structure and contents of ArcSight Activate Content Packages for ESM v6.5c version 3, designed as a central repository for all available content packages related to the Activate Framework. Key points include:
1. **Package Prefixes**: There are three levels (L1, L2, and L3) and a product-specific prefix (P). L1 includes indicators and warnings, L2 covers situational awareness, and L3 is for threat tracking but is not yet available. Product-specific packages (P) include filters tailored to particular products such as Check Point VPN & FW, HP TippingPoint Unity One IPS, Microsoft Windows, and Snort.
2. **Available Packages**: The document lists the currently available content packages which should be installed in a specific order: ESM6.5_Activate_Base.arb (always first), followed by ESM6.5_L1-Operating System - Tracking and Identification.arb, ESM6.5_L1-Perimeter and Network Monitoring - Tracking and Identification.arb, ESM6.5_L2-Perimeter and Network Monitoring - Situational Awareness.arb, and specific product packages like ESM6.5_P-Check Point VPN-1 and FW-1.arb.
3. **Installation Order**: Always start with the Activate Base package followed by Level 1, then Product, Level 2, and finally Level 3 if available. If you import all packages and install a product package, required L1 and Activate Base packages will be installed automatically. Uninstalling the Activate Base package will uninstall all other Activate packages.
4. **Configuration**: Proper configuration of these packages is necessary which can be found in the solutions area.
The document also provides information on various content items within the Lightning Framework, detailing their sizes, intended platforms, and organization for easy access and integration into broader security operations frameworks.
Details:
The document lists the currently available content packages, which should be installed in this order:
ESM6.5_Activate_Base.arb (always first)
ESM6.5_L1-Operating_System_-_Tracking_and_Identification.arb (Level 1 for operating systems)
ESM6.5_L1-Perimeter_and_Network_Monitoring_-_Tracking_and_Identification.arb (Level 1 for perimeter and network monitoring)
ESM6.5_L2-Perimeter_and_Network_Monitoring_-_Situational_Awareness.arb (Level 2 for situational awareness in perimeter and network monitoring)
Specific product packages such as ESM6.5_P-Check_Point_VPN-1_and_FW-1.arb.
The document emphasizes that while it covers installation order, proper configuration of these packages is still necessary; that guidance is found in the solutions area.
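As an added example (not code from the document or from ArcSight), the following Python helper applies the stated prefix-based installation order (Base, then L1, then P, then L2, then L3), the automatic pull-in of Base and L1 packages when a product package is installed, and the cascading uninstall of the Base package to the package filenames listed above. The regular expression and function names are assumptions; the filenames are the ones the page lists.

```python
"""Install-order helper for ArcSight Activate .arb package names (added example)."""
import re

# Rank of each name prefix in the documented installation order.
INSTALL_RANK = {"Activate_Base": 0, "L1": 1, "P": 2, "L2": 3, "L3": 4}

# Assumption: names look like ESM6.5_<prefix>-<description>.arb, or
# ESM6.5_Activate_Base.arb for the base package.
_PREFIX_RE = re.compile(r"^ESM6\.5_(Activate_Base|L1|L2|L3|P)(?:-|\.arb$)")


def package_level(filename):
    """Return the prefix level of an .arb filename; raise on unrecognised names."""
    m = _PREFIX_RE.match(filename)
    if not m:
        raise ValueError(f"not an Activate package name: {filename}")
    return m.group(1)


def install_order(filenames):
    """Sort packages into the documented install order (stable within a level)."""
    return sorted(filenames, key=lambda f: INSTALL_RANK[package_level(f)])


def auto_installed_with(filename, imported):
    """Packages pulled in automatically when `filename` is installed.

    The page states this only for product (P) packages: the Activate Base
    package and the required L1 packages are installed automatically. For
    other levels nothing is assumed here, so an empty list is returned.
    """
    if package_level(filename) != "P":
        return []
    wanted = {"Activate_Base", "L1"}
    return [f for f in install_order(imported) if package_level(f) in wanted]


def uninstall_cascade(filename, installed):
    """Packages removed when `filename` is uninstalled.

    Uninstalling Activate Base removes every other Activate package; any
    other uninstall removes only the named package.
    """
    if package_level(filename) == "Activate_Base":
        return list(installed)
    return [filename] if filename in installed else []
```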
The text provides a summary of various content packages within the Lightning Framework, specifically related to different operating systems and network monitoring tools. Here's a brief breakdown of what is mentioned:
1. **List of Content Packages**: The text lists several content package files with their respective sizes in kilobytes (e.g., ESM6.5_P-Snort.arb, 3.1 KB; ESM6.5_P-Red_Hat_Linux.arb, 17.9 KB). These packages target specific platforms (Snort for the Lightning Framework, particular Linux distributions such as Red Hat, Microsoft Windows, HP TippingPoint Unity IPS, Check Point VPN-1 and FW-1) as well as the perimeter and network monitoring layers (L1 tracking and identification, L2 situational awareness).
2. **Size Variation**: The sizes of these content packages vary, ranging from 3.1 KB to 96.2 KB and beyond, which suggests that the scope and complexity of each package differ according to its intended use and the features it includes.
3. **Tags and Categories**: The text also mentions tagging for easier searchability within a knowledge management system (KMS), with tags related to ES, content packages, lightning framework, activation, etc. This suggests that these packages are part of an ecosystem where organization and categorization play important roles in accessibility and usability.
4. **Comments Section**: The text includes a section for comments, showing previous interactions or inquiries regarding the content (e.g., Damian Skeeles asked about L3 content execution and structure). This indicates that there is ongoing interaction and support related to these packages within the community using the Lightning Framework.
Damian Skeeles responded to Prentice Hayes's comment by expressing excitement for the upcoming release and requested guidelines on content categorization conventions, specifically regarding how events should relate across different layers. He also mentioned confusion about certain rules in the Windows package that profile system processes, such as System Process Profiling and Unknown Process Detected on Server. Skeeles questioned whether these rules were intended to baseline known good processes or open the door for baselining "bad" processes. He suggested considering a static list of known good processes instead, or using an active list more effectively in rule configurations.
Stephen Bridge suggests several recommendations for improving HP's Perimeter Defense L1/L2 content in their SIEM solution. He advises against reusing default filters due to potential conflicts with other system components and recommends creating independent copies of Foundation content beneath the Activate folder to customize rule settings without altering the original content. Additionally, he proposes using more descriptive names for rules, like "FW Excessive Denied Traffic to Same Host," to avoid confusion and facilitate easier management and threshold adjustments in future updates.
The summary of the text is: "For small networks, asset modeling isn't always necessary. Instead, consider using zone-based conditions and global variables in rules for more flexibility. Emphasize multi-sensor correlation and include web proxies and authentication events in perimeter defense packages to focus on critical alerts and reduce noise."
Damian Skeeles agrees with Stephen Bridge on many points but prefers to use specific values like "25+, last hour, last day" in the text of rules for clarity and ease. He believes that explicitly stating these values helps avoid confusion when building a chain of content or reusing it later, as well as making verification easier during audits or when there are multiple authors. Damian references John mentioning this point but doesn't recall the details from him.