
ESM Express 6.11 Command Center Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 34 min read

Summary:

To provide a more streamlined approach for tracking shared account usage in your environment without relying solely on IdentityView, you can use alternative tools and methods that offer similar functionality. Here is a step-by-step guide to achieving the same goals using other available features within Cisco's ArcSight platform or other SIEM solutions.

### Step 1: Acknowledge the Notification

Mario should acknowledge the notification in the My Notifications section of the Command Center to start working on it. This marks the notification as being actively addressed, and you can view the details under Field Set/ArcNet Field Sets/IdentityView v2.0.

### Step 2: Use ArcSight Search to Analyze Events

Use ArcSight Search to analyze events related to shared accounts. You can run queries to identify logins associated with known shared accounts in the targeted segment (sj-arcnet-serverfarm). The query might look something like this for a logon event using a root account on sj-arcnet-serverfarm:

```plaintext
index=ArcNet where DeviceProduct="Server" and EventCode="0x5901" and TargetAddress="sj-arcnet-serverfarm"
```

### Step 3: Visualize Events with Dashboards

Create a dashboard in ArcSight that provides an overview of shared account activity. This can include charts showing source and target addresses, applications, and other relevant details. Hovering over the dashboard allows you to investigate further using Active Channels.

### Step 4: Interpret Data Using Reports

Generate reports on shared account usage based on department, employee type, role, and so on. These reports can help in understanding who is accessing systems and applications within the organization. Use attributes like department, employee type, and role to contextualize the data being monitored.

### Step 5: Compliance and Policy Enforcement

Ensure that any practices related to shared account usage comply with corporate policy by attributing activity back to specific individuals using the reports and notifications provided in ArcSight. This process helps in maintaining compliance and ensuring accountability for privileged user activities.

### Using User Behavior Analytics (UBA)

If IdentityView is considered legacy, you might explore Cisco UBA as an alternative:

  • **Log into the Command Center** as admin to acknowledge and clear existing notifications and cases.

  • **Set up a demo replay connector** with specific event files at a controlled pace for simulation of real-time events.

  • Use User Behavior Analytics (UBA) features within ArcSight or another SIEM tool to detect anomalous behavior that might indicate unauthorized use of shared accounts.

### Conclusion

Instead of relying solely on IdentityView, consider leveraging the comprehensive reporting and analytics capabilities provided by Cisco ArcSight or similar SIEM tools. This approach allows for more flexibility in analyzing user activity, provides deeper insights through visualizations and reports, and ensures compliance with corporate policies without being limited by legacy tools. Adjust the speed of event replay as necessary to simulate real-time conditions effectively.

Details:

ArcSight ESM/ESM Express 6.11 is a software tool that provides various security and compliance functionalities through different use cases, demonstrating its capabilities in these areas. The demonstration script version 1 dated November 16, 2017, outlines the contents of the software, which includes detailed explanations and steps for each use case it covers:

  • **Security Use Case**: Focuses on enhancing security measures by implementing threat detection strategies.

  • **Compliance Use Case**: Addresses compliance issues by ensuring adherence to regulatory standards through automated processes.

  • **NetFlow Use Cases**: Covers network monitoring, identifying threats and anomalies in data flows across the enterprise network.

  • **ArcSight Activate and Marketplace**: Discusses integrating external security solutions via ArcSight's marketplace for enhanced threat detection capabilities.

  • **Reputation Security Monitor Plus**: A specific tool to monitor user reputation based on behavioral analytics within the organization.

  • **Command Center**: Provides a central dashboard for managing and visualizing all aspects of an enterprise’s cybersecurity posture.

  • **ArcSight Marketplace**: Explores external partnerships, allowing access to additional security solutions beyond ArcSight's standard features.

  • **Privileged User Monitoring Use Case (Afterhours Activity)**: Addresses the monitoring of privileged users during off-hours to prevent unauthorized actions that could lead to breaches.

  • **Shared Accounts Use Case (Policy Violation)**: Focuses on detecting and preventing violations of shared account usage policies, which is crucial for maintaining data integrity.

  • **Shared Accounts Use Case (Legacy Application)**: Addresses the specific challenges posed by legacy applications in modern IT environments regarding user access management.

This document outlines a demonstration script for using Micro Focus ESM/ESM Express with ArcSight Command Center, focusing on the privileged user monitoring use case. The setup involves logging into the Command Center as an admin, setting the dark theme, and starting a demo replay connector to replay event files at 50 events per minute. The purpose of this demonstration is to showcase how analysts can effectively use ESM/ESM Express for investigations by demonstrating its real-time correlation and analytics capabilities. The use case involves:

1. Receiving notifications via email and SMS about suspicious or malicious activity detected by ESM/ESM Express.
2. Navigating through a workflow consisting of notification, dashboard, active channel, report, and case to perform an investigation from start to finish.
3. Interacting with the interface to explore the detected suspicious activities further.
4. Explaining key action points such as clicking on notifications, switching to the dark theme, starting the demo replay connector, selecting event files, and viewing reports related to multiple login attempts to a locked Windows account belonging to 'swright'.

This text discusses a workflow process in which users log into the Command Center and are notified about pending issues related to multiple login attempts to a locked Windows account. When an acknowledgment is not received within a specified time interval, the notification escalates to the next level. The user then clicks on the notification to view details about correlated events such as multiple failed login attempts to a disabled account. The process involves acknowledging the notification and correlating it with base events like logon failures. SmartConnector's normalization feature simplifies this by structuring data automatically, focusing the investigation on relevant fields. This is aided by the categorization of events into categories like Authentication/Verify and Operating System for better understanding and portability of content. The text also highlights benefits such as easier comprehension through categorization, and notes that categorization provides a layer of abstraction that makes the content more versatile across applications.

The text discusses the use of categorization and topology views for analyzing user activity on a device, particularly focusing on event management and visualization. It mentions that categorization helps keep content flexible regardless of changes in specific event IDs or device vendors. For instance, if an Operating System category is selected within Device Group settings, it will trigger on events from various operating systems such as Windows, Unix, Linux, etc., without requiring content rewriting each time there is a new version release. The text also introduces the concept of user activity visualization through a topology view where relationships and connections between different nodes can be explored. This feature allows users to select specific nodes like Source or Target Nodes to see visual representations of related events. For example, selecting 'swright' shows interactions with Cisco VPN and Microsoft Windows, while geographical locations are visualized in the Geo View pane that displays where events originate or terminate geographically. Finally, the text describes how categorization can be integrated into a workflow by showing how cases were created upon receiving notifications about multiple login attempts leading to a locked Windows account for 'swright'. This process demonstrates how categorization and dynamic, interactive dashboards facilitate efficient investigation of user activities across devices and networks.

In this case investigation, I followed these steps after locking and staging the case:

1. Clicked "Lock" and then "Stage," changing the stage from "Queued" to "Initial." I added a note stating that I was beginning the investigation.
2. Navigated to the "Notes" section, clicked "Add Note," and wrote about starting the investigation.
3. Moved on to the "Dashboards" and used the User Activity pane to drill down on swright by creating a channel targeting swright. Once loaded, I paused it.
4. Customized the field set to include Security /All Field Sets/ArcSight Foundation/ArcSight Express, selecting the relevant fields: Name, Target User Name, Target Address.
5. In the Event List, I discovered that swright used a remote VPN with IP address 10.0.110.34 and began seeing Authentication Failures. By tracing his journey from outside through the VPN, I could see both external and internal addresses.
6. To further investigate this internally assigned IP address (10.0.110.34), I right-clicked on it in the Attacker Address column of the User Activity pane and selected "Create".
7. The visual representation showed a variety of failed logins, including FTP to malicious sites from the firewall and IDS, indicating possible malware infection or unauthorized access.
8. Finally, I clicked on Priority Stats during normalization, noting that SmartConnector collected data about danger levels associated with events interpreted by the data source.

The text discusses the process of investigating and managing events related to communications to malicious domains using various event-rating scales and threat intelligence tools. It begins by mentioning that it simplifies these event ratings into a default scale from Very Low to Very High, prioritizing interests like dslzn11.badguy.net. Next, the text describes how to navigate through DNS domain searches and add targets for further investigation. After loading the Active Channel, one can pause it if needed to review conditions and customize fields or field sets as required. The Conditions Summary helps in defining filter conditions for the channel. Moving forward with the investigation, specific events are selected from the Threat Intelligence feed related to dangerous outbound communications to a malicious domain (dslzn11.badguy.net), which is detected on both firewall and IDS/IPS systems like Cisco Pix and IBM ISS RealSecure. The text then discusses adding these events to a case for further analysis, emphasizing that this will serve as the central point of the investigation. The final step involves selecting specific events (such as multiple login attempts to a locked Windows account) and integrating third-party tools using Integration Commands if needed. This process is facilitated through the ArcSight Command Center, which acts as a main interface for security monitoring. When using ArcSight Investigate, users can save searches for future reference or sharing with colleagues. The interface allows for easy navigation through breadcrumbs from previous steps in an investigation. Users can create new or duplicate Active Channels and generate reports to validate findings, such as failed logins and suspicious browsing activities. These reports are critical for confirming the details found during the investigation, which are then attached to a case file as part of the ongoing record-keeping.

The provided text seems to be a summary of an internal document or report, possibly related to cybersecurity incident handling and forensic analysis using a software tool (ESM/ESM Express) from a company called ArcSight. Here's a summarized breakdown of the key points mentioned in the text:

1. **Incident Response**: The analyst is instructed to download two reports generated for a specific case involving compromised security, possibly related to a VPN account and unauthorized FTP activity to an external malicious host/domain.

2. **Case Management and Workflow**: Using ESM/ESM Express, the analyst has initiated several actions:

  • Attached both report PDFs as evidence in the case file.

  • Added notes about the compromised status of the VPN account and the actions taken (disabling the account and taking an infected host offline).

  • Updated the case attributes based on findings from the investigation.

  • Set the priority of this case as High due to its impact on operational security.

  • Changed the case stage to "Follow-Up" indicating further action is required.

3. **Security Measures**: The analyst has taken immediate steps to secure the compromised VPN account and isolate the infected host for a forensic investigation, which includes:

  • Disabling the swright VPN account used in the compromise.

  • Taking offline the system associated with FTP activity to the malicious host/domain.

4. **Recommendations**: The analyst recommends connecting the infected host to an isolated quarantine network for further digital forensics and investigation to understand the full extent of the breach and prevent potential future incidents.

5. **Customization and Integration**: ESM/ESM Express, as a tool, allows for customization according to specific organizational processes and procedures. It can be integrated with existing case management systems like help desk or ticketing tools for better workflow efficiency within the organization's cybersecurity framework.

6. **Compliance Use Case**: This section outlines steps for setting up a demo replay connector using predefined event files, starting to replay events at a specific rate (50 per minute), and retrieving resources from the company's file storage related to security operations during an employee exit process.

The text is structured around actionable tasks and system interactions that are part of a typical cybersecurity incident response workflow in organizations equipped with advanced digital forensics tools like ArcSight ESM/ESM Express.

The text discusses how using ArcSight can help organizations easily track regulatory compliance, particularly regarding revoking access when employees leave. It mentions that ISO 11.2.1 Revoke Access states that access should be revoked in such cases and is recommended by most compliance regulations as a best practice in IT governance. However, managing this effectively can be challenging due to the tedium of manual processes like reviewing log activity by hand. The author suggests an alternative approach using ArcSight's Command Center feature. This system automatically alerts users to problems related to ISO 11.2.1 and proactively notifies them about pending issues requiring attention, such as failed login attempts from terminated employees. The process involves acknowledging notifications within a specified time frame; if no acknowledgment is given, the notification escalates to higher levels. The example provided is a case where an attempted login using a former employee's account (mhedberg) was successful despite their departure. ArcSight's Command Center notifies the user about this issue related to ISO best practice, and details are available in the notification itself, prompting immediate action to secure the system according to security settings. This demonstrates how ArcSight can help organizations maintain compliance with regulatory standards without manual log review hassles.

This text is about using a software tool called ArcSight to monitor user activity in an organization's IT system, specifically focusing on former employees. The software has features for detecting unauthorized access attempts by former employees through their user accounts. ArcSight can recognize whether someone was once an employee because it checks the usernames of all incoming events against a list that is stored in memory and dynamically updated based on what is happening in the environment (like deleting an account from Active Directory). It also allows importing text files to expand this list. Once an unauthorized access attempt by a former employee is detected, ArcSight sends a notification and can create a case for further investigation, which can include attaching detailed reports generated through the software itself. These reports are useful for compliance checks according to ISO 27002 standards and help maintain security within the organization. ArcSight is a technology that allows organizations to quickly detect and respond to security incidents, including zero-day attacks. It provides an automated reporting solution to give visibility into the organization's compliance status. The article refers to using ArcSight for network management with NetFlow use cases.
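Before turning to the NetFlow material, the former-employee check from the compliance use case above can be written out as a small detection routine. This is an added example, not ArcSight content or code from the demo script: the pipe-delimited `key=value` event format, the field names (`category`, `target_user`, `outcome`, `target_address`), the `Account/Delete` category and the sample events are all constructed for the example. It keeps an in-memory list of terminated accounts that grows both from directory deletion events and from an imported text file, then flags authentication events that target a name on that list, rating a successful login higher than a failed attempt.

```python
"""Former-employee login detection modelled on the dynamic list behaviour
described above. Added example, not ArcSight code; the pipe-delimited
key=value event format, field names and sample events are constructed."""

from dataclasses import dataclass, field


@dataclass
class TerminatedAccountList:
    """In-memory list of former-employee usernames.

    Grows when an account-deletion event arrives from the directory and can
    also be bulk-loaded from an imported text file.
    """
    users: set = field(default_factory=set)

    def import_text(self, text):
        # One username per line; blank lines and '#' comments are ignored.
        for line in text.splitlines():
            name = line.strip().lower()
            if name and not name.startswith("#"):
                self.users.add(name)

    def update_from_event(self, ev):
        # A directory "Account/Delete" event (constructed category) adds the name.
        if ev.get("category") == "Account/Delete":
            self.users.add(ev["target_user"].lower())

    def contains(self, user):
        return user.lower() in self.users


def parse_event(line):
    """Parse a constructed 'key=value|key=value' event line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def detect_former_employee_logins(lines, imported_text=""):
    """Return one alert per authentication event that targets a terminated account.

    A successful login by a former employee is the ISO 11.2.1 violation the
    text describes and is rated High; a failed attempt is rated Medium.
    """
    tlist = TerminatedAccountList()
    tlist.import_text(imported_text)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        tlist.update_from_event(ev)  # keep the list current as events stream in
        if ev.get("category") != "Authentication/Verify":
            continue
        if not tlist.contains(ev["target_user"]):
            continue
        severity = "High" if ev.get("outcome") == "Success" else "Medium"
        alerts.append({
            "time": ev["time"],
            "user": ev["target_user"],
            "target_address": ev.get("target_address", ""),
            "outcome": ev.get("outcome", ""),
            "severity": severity,
        })
    return alerts


# Constructed sample events (not from the original page).
SAMPLE_EVENTS = [
    "time=2017-11-16T08:00:00|category=Account/Delete|target_user=mhedberg|device=ActiveDirectory",
    "time=2017-11-16T09:12:03|category=Authentication/Verify|outcome=Failure|target_user=mhedberg|target_address=10.0.110.12",
    "time=2017-11-16T09:12:40|category=Authentication/Verify|outcome=Success|target_user=mhedberg|target_address=10.0.110.12",
    "time=2017-11-16T09:15:00|category=Authentication/Verify|outcome=Success|target_user=swright|target_address=10.0.110.34",
    "time=2017-11-16T09:20:00|category=Authentication/Verify|outcome=Success|target_user=jdoe|target_address=10.0.110.40",
]

# Constructed import file: a second source of terminated accounts.
IMPORTED_ACCOUNTS = "# terminated accounts from HR\njdoe\n"

if __name__ == "__main__":
    for alert in detect_former_employee_logins(SAMPLE_EVENTS, IMPORTED_ACCOUNTS):
        print(alert)
```

With the sample input, the mhedberg deletion event seeds the list, so the failed and the successful login that follow are both flagged (Medium, then High), and jdoe is caught only because of the imported file; swright, still an active account, produces no alert.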
To set up these use cases, one must log in as an admin to the Command Center, then start a demo replay connector by selecting specific event files and replaying them at a rate of 50 events per minute. The article provides information about several dashboards within ArcSight:

1. "Top Bandwidth by Actor" shows high-level bandwidth usage broken down by identity and country. It can be modified to provide a comprehensive view across all devices in the environment, not just NetFlow activity.

2. "Top Port and Bandwidth Usage" displays which ports are used in the environment, categorized into well-known ports (0-1023) and registered and dynamic ports (1024-65535). It also shows bandwidth usage per top registered and dynamic ports.

3. "Top Source and Target Countries" helps to understand traffic flow in terms of source and target countries, along with the bandwidth used by each country.

4. "Microsoft SQL Server Monitoring (port 1433 traffic)" specifically monitors Microsoft SQL Server traffic for compliance with corporate security policies requiring DMZ segment deployment.

The document you've provided appears to be a summary or report related to network monitoring and security analysis, possibly using software like ArcSight for observing traffic flow within an IT environment. Here's a summarized breakdown of its content:

1. **Dashboard Observations**: You noticed unusual traffic directed towards your desktop segment, which could suggest the presence of unauthorized devices such as Microsoft SQL Servers on this network segment. This observation leads to potential security concerns and suggests implementing rules for detection in future monitoring activities.

2. **Archived Reports**: The document provides details about reports generated from previous network flow data:

  • **Bandwidth Usage by Port**: This report shows the bandwidth usage across different ports in your environment, highlighting that port 1433 (likely referring to SQL Server) is being used excessively on the desktop segment.

  • **Top Bandwidth Hosts**: The specific IP address 192.168.6.101 was identified as having the highest bandwidth usage among all hosts, which requires a more detailed investigation through another report:

  • **Detailed Traffic by Host**: This report will provide in-depth information about the traffic and activity on this high-bandwidth host to determine whether it is operating within acceptable parameters or if there are unauthorized activities.
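The port-class breakdown, the top-bandwidth-host report and the port 1433 policy check described above can be reproduced over flow records with a few lines of Python. This is an added example, not ArcSight content: the flow tuples, the desktop segment 192.168.6.0/24 and the host addresses other than 192.168.6.101 are constructed for the example. The rule it encodes is the one the text states, that SQL Server belongs in a DMZ segment, so any port 1433 traffic terminating inside the desktop segment is a candidate rogue server.

```python
"""NetFlow port-class and SQL Server policy checks, modelled on the dashboards
and reports described above. Added example, not ArcSight content; the flow
records and the desktop segment 192.168.6.0/24 are constructed assumptions."""

import ipaddress
from collections import defaultdict

# Assumption for the example: the desktop segment where SQL Server must not run.
DESKTOP_SEGMENT = ipaddress.ip_network("192.168.6.0/24")
SQL_SERVER_PORT = 1433

# Constructed flow records: (source_ip, destination_ip, destination_port, bytes).
FLOWS = [
    ("10.0.1.5", "192.168.6.101", 1433, 5_000_000),
    ("10.0.1.6", "192.168.6.101", 1433, 3_000_000),
    ("192.168.6.20", "10.0.2.10", 443, 800_000),
    ("192.168.6.21", "10.0.2.10", 80, 200_000),
    ("10.0.1.7", "10.0.3.50", 1433, 2_000_000),  # SQL traffic to a server segment: allowed
    ("192.168.6.22", "10.0.2.53", 53, 10_000),
]


def port_class(port):
    """Well-known ports are 0-1023; everything above is registered or dynamic."""
    return "well-known" if 0 <= port <= 1023 else "registered/dynamic"


def bandwidth_by_port(flows):
    """Bytes per destination port (the Bandwidth Usage by Port report)."""
    totals = defaultdict(int)
    for _, _, dport, nbytes in flows:
        totals[dport] += nbytes
    return dict(totals)


def bandwidth_by_class(flows):
    """Bytes split between well-known and registered/dynamic ports."""
    totals = defaultdict(int)
    for _, _, dport, nbytes in flows:
        totals[port_class(dport)] += nbytes
    return dict(totals)


def top_bandwidth_hosts(flows, n=3):
    """Bytes attributed to each host as either endpoint, highest first."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        totals[src] += nbytes
        totals[dst] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def sql_server_policy_violations(flows, segment=DESKTOP_SEGMENT):
    """Flows carrying SQL Server traffic into the desktop segment.

    Policy requires SQL Server in a DMZ segment, so a desktop-segment host
    receiving port 1433 traffic is a candidate unauthorized server.
    """
    return [
        (src, dst, nbytes)
        for src, dst, dport, nbytes in flows
        if dport == SQL_SERVER_PORT and ipaddress.ip_address(dst) in segment
    ]


if __name__ == "__main__":
    print("by class:", bandwidth_by_class(FLOWS))
    print("top hosts:", top_bandwidth_hosts(FLOWS))
    for violation in sql_server_policy_violations(FLOWS):
        print("rogue SQL Server candidate:", violation)
```

On the constructed flows the desktop host 192.168.6.101 tops the host report because it absorbs both 1433 flows, which is exactly the pattern the text says should trigger the Detailed Traffic by Host follow-up; the 1433 flow into 10.0.3.50 is outside the desktop segment and is not reported.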

3. **ArcSight Activate and Marketplace Setup**:

  • You need to log into the Command Center as an admin and set up a demo replay connector for event replaying to analyze events at a faster pace, starting with specific files provided (activate_50epm.events) at a rate of 50 events per minute.

  • Open specified active channels including main and personal investigating channels under the ArcNet Active Channels section.

  • The Activate packages installed include both malware monitoring and network monitoring features, each designed to detect different types of threats:

  • Malware Monitoring includes tools for indicator detection (L1) and situational awareness (L2), with specific products like McAfee ePO VirusScan.

  • Network Monitoring also has L1 indicators and warnings along with L2 situational awareness, supplemented by the PSnort product package for network sniffing capabilities to detect threats more effectively.

This document appears to be part of a security audit or ongoing monitoring process in an IT environment using advanced tools like ArcSight to ensure compliance with network policies and potential threat detection. The document outlines information about ArcSight Activate, a system designed to help organizations efficiently implement and customize use cases using reusable components. It includes links to various resources within the ArcSight Activate wiki for further details. Key points include:

1. **ArcSight Marketplace**: A platform recommended for sign-up where users can access additional content like Protect724, but it is not mandatory for a use case demo.

2. **L1 Malware Monitoring** and **L2 Malware Monitoring**: Specific use cases detailed in the Activate wiki, providing information on malware monitoring at different levels of severity.

3. **P-McAfee ePO Virus Scan**: Another use case described within the ArcSight Activate documentation, focusing on virus scanning using McAfee technology.

4. **ArcSight Activate Information**: Links to various pages in the Activate wiki discussing its benefits and structure, emphasizing its modular development methodology and collection of reusable components for quick deployment and customization.

5. **Activate Base package**: A foundational component that provides resources (such as filters or global variables) used by all other packages within the system. It also highlights how L1 and L2 Activate packages use indicators from multiple event sources to detect malware more effectively.

Overall, ArcSight Activate aims to streamline security operations by providing a framework for continuous improvement through standardized deployment tactics, methodology, and best practices, while allowing customization and expansion of use cases using a library of reusable components.

This text is about ArcSight Activate, which is a platform for security professionals to share and download security content like packages, use cases, and best practices. It allows users to explore various technologies such as perimeter and network monitoring, application monitoring, physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring through L1 and L2 packages. The ArcSight Marketplace is the main place where this content can be found and accessed by security professionals.

The provided text discusses ArcSight Activate, a tool designed for monitoring malware within an organization's systems. It highlights how Activate is modular and can be extended to support various products from different vendors through modifications of filters. The platform supports log sources typically used with ArcSight SmartConnectors, FlexConnectors for internal applications, and devices that integrate with ArcSight as part of the Security Technology Alliances Partner Program. Upon searching in the Marketplace under "malware," users can find packages labeled L1-Malware Monitoring (L1) and L2-Malware Monitoring (L2). Among these is an Activate Product Package for McAfee ePO - VirusScan, which supports antivirus software deployed by McAfee. ArcSight Activate not only offers content addressing specific use cases but also provides documentation and best practices to support this content. The guidance provided in the Activate wiki under L1 Malware Monitoring outlines the use cases supported by the package as well as its log sources, demonstrating how modular and extensible the platform is. For instance, a feature called thresholds allows for customization of the content based on specific needs or environments, showcasing further flexibility in tuning the content to fit different contexts. The L2 Malware Monitoring package builds upon the foundational L1 package by addressing additional use cases with more comprehensive features.

This text discusses leveraging the Network and Asset Model within HPE's ArcSight product to provide additional context for the L1 package detections, specifically in the area of malware monitoring (L2MalwareMonitoring). When dealing with virus or worm outbreaks, prioritizing responses is crucial; critical assets like servers in a DMZ are more important than workstations. The L2 package and content help manage this by offering additional contextual information about asset criticality.

The text then describes how to navigate within the web browser to specific tabs and links related to vendor products, such as McAfee ePO VirusScan, which supports not only malware monitoring but also entity monitoring. It explains that product packages are modular and can be applied across various security use cases. The document includes a test plan for implementing this use case, including test events to verify the content's functionality.

The text then shifts focus to the Command Center within HPE ArcSight, where multiple products, including Level 1 and Level 2 Malware Monitoring packages and the McAfee ePO VirusScan product package, are installed. It details how to access specific channels, such as the "ArcSight Activate Main Channel," which displays all correlated events triggered by the use case content. This channel facilitates incident triaging and assignment of incidents to analysts for further investigation, simulating what a SOC manager would see during daily operations.

The text provided outlines a scenario involving an analyst named Steve who is monitoring incidents through the ArcSight Activate system. This system allows analysts to focus on assigned tasks by personalizing channels based on their ESM login. Currently, Steve's channel is empty, indicating he is idle. However, there are some activities in the Main Channel, including malware and IDS events related to IP address 172.17.1.1. The text specifically highlights a correlated event involving a W32/SQLSlammer.worm malware infection detected by McAfee ePO VirusScan on an asset named arcnet-dmz in the DMZ (demilitarized zone). The Level 2 package provides additional information about affected critical assets, confirming that the system is indeed part of the DMZ network as per the ESM Network and Asset model. As a SOC manager, you would typically triage such incidents by annotating them for assignment to an analyst like Steve, ensuring he can focus on addressing the malware incident based on your evaluation. This process involves using event annotation in the system to assign the incident to Steve for further action.

Annotations are a flexible tool within a light-weight workflow system designed to help users track and escalate events efficiently through their ESM (Extended Security Manager) correlation engine. This feature allows users to flag or assign individual events, groups of related events, or even the entire workflow for follow-up purposes. Annotations can be used in various ways depending on the user's workflow setup: they can serve as a triage tool before escalating an event to a case, or they can be used simply through ESM's case management system without additional annotation fields. The key benefit of annotations is that they provide a customizable way for users to track every event that makes it through the ESM correlation engine, offering flexibility in how events are managed and prioritized within the workflow environment. In terms of implementation, stages such as Level 1 Investigating have predefined steps that form part of a collaborative workflow for annotating events. These stages can be assigned to security operations personnel who are investigating events. Once an analyst (in this case, Steve) is assigned to handle the event at the Level 1 stage, the correlated event will move from the main channel to the personal investigating channel of the designated analyst. This process involves changing the correlation event's status in the system and moving it to a more specific location where the investigator can review details without affecting other ongoing investigations. The annotations field within the ESM schema is directly integrated into various content modules like Filters, Dashboards, and Reports, allowing for easy tracking and analysis of events using this tool.

The provided text seems to be a report or documentation about an incident response process involving malware monitoring and handling, possibly using ArcSight Activate software for network security management. Here is a summary of the key points from the text:

1. **Metrics**: Various performance metrics are tracked, such as cases by status (stage), monthly cases by severity, event categories, closure reasons, time to resolution by severity, and events per analyst hour.

2. **Case Handling**: A specific case involves a malware infection on a host with IP address 172.17.1.1, which is the same worm virus (W32/SQLSlammer.worm). The incident was resolved in the stage of Closed after updating antivirus definitions, removing the malware, and running a full system scan. Comments indicate that these actions were taken to ensure the system's cleanliness.

3. **Monitoring Dashboard**: After closing the event, the user switches to a dashboard provided by the Level 2 Malware Monitoring package, which includes visual data monitors showing the malware infection rate within the organization and in the DMZ area. This dashboard leverages the Network and Asset Model for more detailed analysis.

4. **ArcSight Activate Benefits**: The text highlights several benefits of using ArcSight Activate:

  • Easy deployment and scalability with pre-built use cases.

  • Content reuse across different cases, adhering to best practices.

  • Quick learning curve for new developers and streamlined onboarding for experienced ones.

  • Separation of testing, QA, and production implementation helps in efficient content development and management.
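The annotation-driven triage described above (queued events in a main channel, a stage and assignee set by the SOC manager, the event then appearing only in the analyst's personal channel, and asset criticality from the Network and Asset Model deciding what to look at first) can be modelled as a small state machine. This is an added example, not ArcSight or Activate content: the asset model entries, the criticality scale, the "Closed" stage name as used here, and the second sample event are constructed; the worm name, the 172.17.1.1 address, the arcnet-dmz asset and the "Queued" and "Level 1 Investigating" stages come from the text.

```python
"""Light-weight annotation workflow with asset-aware priority, modelled on the
Activate triage process described above. Added example, not ArcSight code;
the asset model, the criticality scale and the sample events are constructed."""

from dataclasses import dataclass, field
from typing import Optional

# Workflow stages: "Queued" and "Level 1 Investigating" are named in the text,
# "Closed" is the final stage the case-handling section mentions.
STAGES = ("Queued", "Level 1 Investigating", "Closed")


@dataclass
class Annotation:
    """The per-event annotation fields the text describes: stage, owner, comments."""
    stage: str = "Queued"
    assigned_to: Optional[str] = None
    comments: list = field(default_factory=list)


@dataclass
class CorrelatedEvent:
    name: str
    target_address: str
    device_product: str
    annotation: Annotation = field(default_factory=Annotation)


# Constructed asset model: address -> (asset name, zone, criticality 1-10).
# The L2 package adds exactly this kind of context to an L1 detection.
ASSET_MODEL = {
    "172.17.1.1": ("arcnet-dmz", "DMZ", 9),
    "10.0.110.34": ("desktop-034", "Desktops", 3),
}


def priority(ev, asset_model=ASSET_MODEL):
    """Rank an event by the criticality of the asset it hits.

    Unknown assets get a middling default so they are not silently dropped.
    """
    _, _, criticality = asset_model.get(ev.target_address, ("unknown", "unknown", 5))
    return criticality


def assign(ev, analyst, comment=""):
    """Annotate an event: move it to Level 1 and hand it to an analyst."""
    ev.annotation.stage = "Level 1 Investigating"
    ev.annotation.assigned_to = analyst
    if comment:
        ev.annotation.comments.append(comment)
    return ev


def close(ev, comment):
    """Close the event with the analyst's resolution comment."""
    ev.annotation.stage = "Closed"
    ev.annotation.comments.append(comment)
    return ev


def main_channel(events):
    """What the SOC manager sees: everything still queued, most critical asset first."""
    queued = [e for e in events if e.annotation.stage == "Queued"]
    return sorted(queued, key=priority, reverse=True)


def personal_channel(events, analyst):
    """What one analyst sees: open events assigned to them."""
    return [
        e for e in events
        if e.annotation.assigned_to == analyst
        and e.annotation.stage == "Level 1 Investigating"
    ]


def demo_events():
    """Two constructed correlated events, one on a DMZ server, one on a desktop."""
    return [
        CorrelatedEvent("W32/SQLSlammer.worm detected", "172.17.1.1", "McAfee ePO VirusScan"),
        CorrelatedEvent("Multiple failed logins", "10.0.110.34", "Microsoft Windows"),
    ]


if __name__ == "__main__":
    events = demo_events()
    print("main channel:", [e.name for e in main_channel(events)])
    assign(events[0], "steve", "DMZ asset, worm infection, please investigate")
    print("steve's channel:", [e.name for e in personal_channel(events, "steve")])
    print("main channel now:", [e.name for e in main_channel(events)])
```

The point to notice is that the channels are just filters over the annotation fields, which is why the text can say that the same fields feed Filters, Dashboards and Reports: once an event carries a stage and an owner, every view derives from those two values rather than from copying the event anywhere.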

5. **Reputation Security Monitor Plus Setup**: A brief guide on how to set up the Reputation Security Monitor Plus by logging into the Command Center as an admin and starting a demo replay connection for further analysis and response.

Overall, this text is focused on using advanced security tools and software (ArcSight Activate) to monitor and respond to malware incidents efficiently, with detailed reporting and visual analytics through customizable dashboards.

The provided text outlines the steps for using a tool called "Reputation Security Monitor Plus" (RepSM+) to analyze events related to domain and IP entries in a database. Here's a summarized version of the instructions and explanations given:

1. **Event File Selection**: Begin by selecting specific event files, such as "repsm_demo.events". These files are crucial for analyzing malicious activities within the network.

2. **Replaying Events**: Start replaying these events at a rate of 50 events per minute to ensure comprehensive analysis. This process helps in detecting malware infections, zero-day attacks, and dangerous browsing habits among internal assets on the network.

3. **Dashboard Visualization**: Utilize three dashboards provided within the RepSM+ tool for visualizing data:

  • **Reputation Domain Database Overview**: This dashboard displays metrics related to domain entries being monitored by the threat intelligence feed. It includes detailed information about exploit types, reputation scores, and potential security risks associated with domain names.

  • **Reputation IP Database Overview**: Similar to the domain dashboard, this one focuses on IP addresses, providing insights into internal infections, dangerous browsing habits, and interactions with malicious entities as detected by the RepSM+ tool.

  • **RepSM Overview Dashboard**: This comprehensive dashboard gives an overview of various activities including internal infections, dangerous browsing, and contact with entities that pose a threat based on intelligence from the Reputation Security Monitor Plus.

4. **Investigation Process**: If the dashboards show infected assets, right-click a specific entry to start investigating the activity behind it.

The script then walks through an incident involving a Mac mini infected with the Flashback Trojan, whose botnet contacts the domain mystreamvideo.rr.nu:

1. **Infection Detection**: An asset on the dashboard was identified as contacting mystreamvideo.rr.nu, a domain associated with the Flashback Trojan. Seven internal systems are communicating with this botnet.

2. **Investigation Process**: With internet access available, search for mystreamvideo.rr.nu and related terms to confirm the malicious nature of the activity. Here it confirms that the Flashback Trojan is present on internal Macs.

3. **Dashboard Actions**: The dashboard offers these features for further investigation:

  • Right-click on an asset in the infected assets panel to bring up more details and select "Drilldown" to view an overview of internal infections.

  • Use the Active Channels feature to monitor events related to the malicious communication; it is reached by right-clicking the dashboard's graphics or by following the dashboard's menu path (mouse over Events, then click Active Channels).

4. **Normalization and Risk Assessment**: The SmartConnector normalizes the various event-rating scales used by reputation sources onto ESM's default scale of Very Low to Very High, so the danger level of each event can be compared.

5. **Detailed Investigation**: To refine the investigation:

  • Refining an active channel to focus on events related to a specific host (macmini) by selecting it in the Attacker Host Name column.

  • Viewing detailed event information, such as the network communication details and location data: mystreamvideo.rr.nu was found to be located in China, with the communication over port 80.

6. **Utilizing Field Sets**: Use field sets such as "Event Inspector" to see more specific details about the captured events.

Overall, this part provides a structured approach to identifying and investigating potential malware infections on internal assets using the dashboards.

The next exercise uses ArcSight Express and the ArcNet Command Center:

1. **Visualization**: The analyst visualizes events by selecting fields such as Name, Target Host Name, and Target Address, then narrows the active channel to only the "macmini" and "mystreamvideo.rr.nu" events by clicking through 'Event List' and 'Add' and pausing the active channel.

2. **Reports**: The analyst generates two reports:

  • One titled "Currently Infected Assets and Recorded Interactions with Malicious Entities" from the "/All Archived Reports/ArcNet Archived Reports/Reputation Security Monitor 1.0/Internal Infection Assets" archive.

  • Another report, "Interactions with Malicious Entities During the Last 24 Hours", which is also archived and related to reputation security monitor.
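The matching these RepSM+ dashboards and reports rely on, as an added example in Python (not ArcSight or RepSM+ code): a constructed reputation feed, constructed proxy/NetFlow-style events, the Very Low to Very High normalization of feed scores mentioned above, and the per-asset counts behind the infected assets, dangerous browsing, and malicious-contact panels. The feed entries, its 0-100 score scale, the internal address ranges, and the events are all assumptions; only mystreamvideo.rr.nu comes from the walkthrough.

```python
"""Reputation matching in the shape of the RepSM+ dashboards above.
Added example, not ArcSight or RepSM+ code. The feed, its 0-100 score
scale, the internal ranges, and the events are constructed assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed reputation feed: entity -> (exploit type, raw feed score 0-100).
REPUTATION_FEED = {
    "mystreamvideo.rr.nu": ("botnet C2", 95),        # domain from the walkthrough
    "198.51.100.23": ("malware download", 80),       # constructed IP entry
    "adtracker.example": ("dangerous browsing", 40), # constructed low-score entry
}

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
RATINGS = ["Very Low", "Low", "Medium", "High", "Very High"]


def is_internal(addr):
    try:
        return any(ip_address(addr) in net for net in INTERNAL_NETS)
    except ValueError:  # host names are never "internal addresses" here
        return False


def normalize_rating(score, scale_max=100):
    """Map a feed-specific score onto ESM's default five-step scale, the way
    the SmartConnector normalization step described above does."""
    idx = int(score * len(RATINGS) / (scale_max + 1))
    return RATINGS[min(max(idx, 0), len(RATINGS) - 1)]


def find_entity(ev, feed):
    """Return (entity, direction). The destination host name wins over the
    destination IP; a feed hit on the source means inbound contact."""
    for key, direction in ((ev.get("dhost"), "outbound"),
                           (ev.get("dst"), "outbound"),
                           (ev.get("src"), "inbound")):
        if key and key in feed:
            return key, direction
    return None, None


def match_events(events, feed=REPUTATION_FEED):
    """Classify each event the way the three dashboards slice it:
    internal infection (internal asset -> High/Very High entity),
    dangerous browsing (internal asset -> lower-rated entity), and
    inbound contact (malicious entity -> internal asset)."""
    out = {
        "infected_assets": defaultdict(Counter),   # asset -> entity -> hits
        "dangerous_browsing": Counter(),           # asset -> hits
        "inbound_contacts": defaultdict(Counter),  # asset -> entity -> hits
        "top_entities": Counter(),
        "rows": [],
    }
    for ev in events:
        entity, direction = find_entity(ev, feed)
        if entity is None:
            continue
        exploit, score = feed[entity]
        rating = normalize_rating(score)
        if direction == "outbound" and is_internal(ev["src"]):
            asset = ev["src"]
            if rating in ("High", "Very High"):
                category = "internal infection"
                out["infected_assets"][asset][entity] += 1
            else:
                category = "dangerous browsing"
                out["dangerous_browsing"][asset] += 1
        elif direction == "inbound" and is_internal(ev["dst"]):
            asset, category = ev["dst"], "inbound contact"
            out["inbound_contacts"][asset][entity] += 1
        else:
            continue  # external-to-external traffic involves no internal asset
        out["top_entities"][entity] += 1
        out["rows"].append({"asset": asset, "entity": entity, "exploit": exploit,
                            "rating": rating, "category": category,
                            "port": ev.get("dport")})
    return out


# Constructed events (proxy/NetFlow style): src, dst, dhost, dport.
EVENTS = [
    {"src": "10.1.1.51", "dst": "203.0.113.9", "dhost": "mystreamvideo.rr.nu", "dport": 80},
    {"src": "10.1.1.51", "dst": "203.0.113.9", "dhost": "mystreamvideo.rr.nu", "dport": 80},
    {"src": "10.1.1.77", "dst": "198.51.100.23", "dhost": None, "dport": 443},
    {"src": "10.1.1.80", "dst": "192.0.2.4", "dhost": "adtracker.example", "dport": 80},
    {"src": "198.51.100.23", "dst": "172.17.1.1", "dhost": None, "dport": 22},
    {"src": "10.1.1.80", "dst": "192.0.2.200", "dhost": "www.example.org", "dport": 443},
    {"src": "192.0.2.50", "dst": "198.51.100.23", "dhost": None, "dport": 80},
]

if __name__ == "__main__":
    result = match_events(EVENTS)
    for asset, hits in result["infected_assets"].items():
        print(f"infected asset {asset}: {dict(hits)}")
    print("dangerous browsing:", dict(result["dangerous_browsing"]))
    print("inbound contacts:", {a: dict(h) for a, h in result["inbound_contacts"].items()})
    print("top entities:", result["top_entities"].most_common())
```

The split between "internal infection" and "dangerous browsing" is driven by the normalized rating, which is why the normalization step matters: two feeds using different raw scales would otherwise populate the panels inconsistently.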

3. **Demo Replay Connector Setup**: The text describes setting up a demo replay connector for events:

  • Login as admin to the Command Center.

  • Select event files "IdentityView_v2.0.events" and "NetFlow_IdentityView_v2.0.events".

  • Start replaying these events at 50 events per minute. Replaying generates Notifications and Cases as the content fires; the use cases that follow pick them up.

4. **Action Talking Points**: Analysts and managers use the Command Center for investigations and for understanding the environment's status through visualizations and reports.

5. **Navigator Interface**: After receiving complaints from users, the user navigates to "Dashboards" and then clicks "Navigator".

This scenario demonstrates ArcSight Express event visualization, report generation, and use of the Command Center for deeper investigation, with the demo replay connector supplying the events.

The next walkthrough analyzes network traffic from Cisco routers and switches using NetFlow events, monitoring usage on specific ports such as port 1433 (Microsoft SQL Server), through a dashboard in ArcSight. The steps: bring up the top port and bandwidth usage dashboard, run an unstructured search for the term "netflow" to find all related events, and use the advanced search dialog to narrow down to traffic on destination port 1433. Mouse over bars in the histogram to see the events behind that period, drill down into specific time ranges, and nest conditions in the advanced search dialog for more targeted analysis. To nest and add conditions in a search:

1. **Click on the operator** where you want to nest the next condition: "AND" if both conditions must be true, "OR" if either may be true.

2. **Add a new condition**:

  • In the field list under "Name", pick the field to filter on; here it is "destinationPort".

  • Start typing "destinationp" and select "destinationPort" when it appears in the dropdown.

3. **Set the operator and condition**:

  • Change the operator to "=" (equals).

  • Enter "1433" as the condition for the port number.

  • Click "Go!" to run the search.

4. **View results**: The targeted search returns its results with the destination port included in the displayed data.

5. **Expand details** by clicking the "+" next to any event you want to look at more closely.

6. **Customize fieldset**:

  • Click on "Customize fieldset".

  • Add "destinationPort" and arrange it next to "destinationAddress".

  • Click "OK" to save your changes.

7. **Top talkers search**:

  • Use the "| top" operator: the query netflow AND destinationPort = 1433 | top sourceAddress lists the sources generating the most events to port 1433 in your network.

  • The field named after "top" (here sourceAddress) is what gets counted; a number after "top" shows more or fewer results.

8. **Chart visualization**:

  • Go to "Chart Settings" and select a chart type (e.g., bar chart, line chart) for visualizing data. There are several options available to choose from.
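The query shapes from this walkthrough, as an added example in Python that is not Command Center code: a small evaluator for the condition syntax (an unstructured term such as netflow, field = value conditions, AND binding tighter than OR as in the nested-condition dialog) plus the "| top" operator and the "| rare" variant used later for bottom talkers, run over constructed NetFlow-style events. The grammar, the field names, and the events are assumptions; this models the semantics, not ArcSight's parser.

```python
"""Minimal model of the search syntax used above:
    netflow AND destinationPort = 1433 | top sourceAddress
    netflow AND destinationPort = 1433 | rare sourceAddress
Added example, not ArcSight Command Center code. The events are constructed
and the grammar is a simplified assumption (no parentheses, AND binds
tighter than OR, "top"/"rare" take an optional limit before the field)."""
import re
from collections import Counter

# Constructed NetFlow-style events; one Windows logon event is mixed in so
# the unstructured term "netflow" has something to exclude.
FLOWS = [
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.20",
     "destinationAddress": "10.2.0.5", "destinationPort": 1433, "bytesIn": 40000},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.20",
     "destinationAddress": "10.2.0.5", "destinationPort": 1433, "bytesIn": 12000},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.21",
     "destinationAddress": "10.2.0.5", "destinationPort": 1433, "bytesIn": 900},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.22",
     "destinationAddress": "10.2.0.5", "destinationPort": 1433, "bytesIn": 75000},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.22",
     "destinationAddress": "10.2.0.6", "destinationPort": 1433, "bytesIn": 62000},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.22",
     "destinationAddress": "10.2.0.6", "destinationPort": 1433, "bytesIn": 58000},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow", "sourceAddress": "10.1.1.23",
     "destinationAddress": "10.2.0.9", "destinationPort": 443, "bytesIn": 3000},
    {"deviceVendor": "Microsoft", "deviceProduct": "Windows", "sourceAddress": "10.1.1.20",
     "destinationAddress": "10.2.0.5", "destinationPort": 1433, "name": "Successful Logon"},
]

COND_RE = re.compile(r"\s*(\w+)\s*(=|!=|<|>)\s*(\S+)\s*")
PIPE_RE = re.compile(r"(top|rare)(?:\s+(\d+))?\s+(\w+)")


def match_condition(cond, ev):
    """One condition: 'field op value', or a bare term matched against every
    field value (the unstructured search for 'netflow')."""
    m = COND_RE.fullmatch(cond)
    if not m:
        term = cond.strip().lower()
        return any(term in str(v).lower() for v in ev.values())
    field, op, raw = m.groups()
    if field not in ev:
        return False
    val = ev[field]
    if isinstance(val, int):
        try:
            want = int(raw)
        except ValueError:
            return False
    else:
        want = raw
    return {"=": val == want, "!=": val != want,
            "<": val < want, ">": val > want}[op]


def match_expr(expr, ev):
    """AND binds tighter than OR, so the expression is an OR of AND-groups."""
    return any(all(match_condition(c, ev) for c in re.split(r"\s+AND\s+", group))
               for group in re.split(r"\s+OR\s+", expr))


def search(query, events=FLOWS, default_limit=10):
    """Filter events by the part before '|', then apply top/rare if present.
    Returns the matching events, or (value, count) pairs for top/rare."""
    head, *pipes = [p.strip() for p in query.split("|")]
    hits = [ev for ev in events if match_expr(head, ev)]
    if not pipes:
        return hits
    m = PIPE_RE.fullmatch(pipes[0])
    if m is None:
        raise ValueError(f"unsupported operator: {pipes[0]!r}")
    kind, limit, field = m.group(1), int(m.group(2) or default_limit), m.group(3)
    counts = Counter(ev[field] for ev in hits if field in ev)
    if kind == "top":
        ranked = counts.most_common()
    else:  # rare: least frequent first, ties broken by value for stable output
        ranked = sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0])))
    return ranked[:limit]


if __name__ == "__main__":
    print(search("netflow AND destinationPort = 1433 | top sourceAddress"))
    print(search("netflow AND destinationPort = 1433 | rare sourceAddress"))
    print(search("netflow | top 1 destinationPort"))
```

The Windows logon event carries destinationPort 1433 too, which is why the unstructured term narrows the result: a search on destinationPort = 1433 alone returns it, while netflow AND destinationPort = 1433 does not.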

The provided text describes interactions with a software interface that involves creating a pie chart visualization for network events and analyzing IP addresses within the chart. Here's a summarized version of the steps and actions described in the text: 1. **Creating a Pie Chart**:

  • Select "Pie" as the chart type and set the display limit to 20, so only the top 20 values are shown.

  • Click "Apply" to apply these settings.

2. **Closing Chart Settings**:

  • After creating the pie chart, click "Close" to close the chart settings window.

3. **Interacting with the Pie Chart**:

  • Hovering over a slice of the pie chart will display details such as IP address, number of events, and percentage representation of those events in your search results.

  • Clicking an IP address in the pie chart drills down into it, adding that address to the search criteria and returning the matching events.

4. **Searching for "Bottom Talkers"**:

  • To find the least frequent sources on port 1433 ("bottom talkers"), replace "top" with "rare": netflow AND destinationPort = 1433 | rare sourceAddress.

5. **Generating a Report**:

  • Navigate to "Reports", then click on "Bandwidth Usage by Port".

  • Run the report, found under "/All Reports/ArcNet Reports/NetFlow", with its default parameters.

  • Open the generated report in Adobe Acrobat to view the results.

6. **Exploring Dashboards**:

  • Navigate to "Dashboards" and click on "Navigator" to show available dashboards.

  • View the first dashboard, which is a geographic event graph that provides insights into where attacks and threats are originating from and going to, using node highlighting for detailed geo-location data.

This summary captures the main actions in creating visualizations and running reports within the Command Center, focusing on pie charts and the other visual analytics tools the system provides.

The next dashboards show ESM's (Enterprise Security Manager's) geographic and priority views. The geographic dashboard maps activity across countries and regions using latitude and longitude coordinates; its event graph depicts activity flows from sources to destinations, node labels show the zone names (network type such as DMZ or internal), and node size corresponds to the intensity of activity. Another dashboard presents an hourly count of events by priority level, allowing users to filter out less significant events for a more focused view. The layout of these visualizations can be switched from graph to pie chart. These tools aid analysts and managers in conducting investigations and gaining insight into network activity.

The script then introduces ArcSight Marketplace, where demo events can be replayed to test content before additional modules are downloaded and integrated. After setting up an account on Protect724:

1. Navigate to the ArcSight Marketplace tab from the main page.

2. In the ArcSight Marketplace, explore the available resources: Legacy Packages, Activate Device Packages, Utilities and Tools, product documentation, best practices and guidelines, the Resource Center, and Partner Integrations.

3. To find content for monitoring IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) devices, enter "ids" in the Search section.

4. Click the IDS IPS Monitoring Package in the search results to see its description, a screenshot, and the SmartConnectors whose events trigger this content.

5. Download and install the package if it is not already installed. The listing shows the number of resources it contains: dashboards, Active Channels, reports, Filters, Field Sets, Queries, and Data Monitors.

6. Verify in the Event Sources panel that this content is triggered by network IDS/IPS devices.

7. Switch to the Command Center tab to view a dashboard representing what is happening on the deployed IDS and IPS devices.

The Marketplace demonstration shows the package's capabilities for monitoring top attackers, targets, and alerts and for generating reports. An Active Channel shows IDS/IPS events with priority higher than 4, and archived reports include alert counts by attacker and by target, along with other reports of interest.

The next use case is Privileged User Monitoring with IdentityView. IdentityView is still supported but has reached end of sale. Setup: log in as admin, acknowledge any existing notifications, delete existing cases, then start a demo replay connector replaying the IdentityView_v2.0.events file at 50 events per minute, adjusting to approximately 25 events per second if the demo needs to move faster.
In the scenario, Mario Rossi logs into his Windows system and connects to a Unix system, generating two events. ArcSight ESM and IdentityView enrich these events with user information, providing identity-based correlation through an Actor model built by integrating with Active Directory. The Actor model represents every user in the directory or identity management system and shows general statistics such as the total number of Actors (identities) and the number of account IDs per Actor.

The dashboard shown is "Actor Overview" from IdentityView 2.0. It gives an overview of the Actor model: statuses such as active and disabled Actors among a total of 36 Actors with around 3-4 accounts each, plus a breakdown of the other attributes captured for each Actor. Because a user typically has multiple identities across systems, this view is what lets activity be tracked across those systems and identity complexity be managed.

The next dashboard, Actor Roles Overview With IdentityView, analyzes the roles and groups within Active Directory: how many users are associated with each group or role across the organizational units (OUs). The largest numbers of users are in the Information Technology and Marketing departments, which therefore carry the most roles and groups.
The dashboard shows the number of groups or roles present and how many users belong to each, and highlights the top Actors by group/role membership, which can be extensive in larger organizations. This supports a least-privilege review of access management: too many groups, or users who are members of many groups, is a concern for compliance policies that control privileged access. Real-time visibility into these memberships helps manage the directory structure and keep it aligned with organizational security standards. In short, the identity correlation visualizes the Active Directory structure and surfaces excessive group memberships, which can then be addressed through role management and policy adjustments.

The next part of the script covers a compliance violation: an employee, Mario Rossi, badges into a data center during off-hours with no business reason for the access, which could indicate an insider threat. Three issues are involved:

1. **Compliance Violation**: Someone accessed the data center outside normal working hours using the company's badge reader, which should only admit authorized personnel such as data center operations staff or administrators. This suggests a policy violation and a security lapse.

2. **Potential Insider Threat**: Accessing a restricted area off-hours without business necessity raises the possibility of intentional misconduct, negligence, or other unethical behavior.

3. **Misconfiguration of the Badge Reader System**: The badge reader allowed access by personnel who should not have it, which points to a misconfiguration in its access settings that needs prompt attention.

When ArcSight detects such an incident, it sends a notification through the user's chosen channel (email, text message, or pager). The recipient should acknowledge the notification promptly; otherwise the alert escalates to higher management levels. On acknowledgement the notification's status changes from "Pending" to "Acknowledged", and the user can begin an investigation. The notification includes the correlated events, flagged with red lightning bolt icons.

In the event itself, Mario Rossi, identified only by a cryptic badge user name, enters the server room during non-business hours and triggers a correlation rule. The rule correlates three components: the badge event, the user's role, and the time of day. ArcSight resolves the user through identity correlation by looking up the cryptic number against the Actor model, which supplies details such as full name and department.

The purpose is to determine whether there is a legitimate reason for Mario Rossi, who works in Marketing, to access the data center during non-business hours. ArcSight automatically creates a case on the initial badge-in violation, with detailed attributes available for investigation. After reviewing the alarm, the analyst can assign the case to other users for tracking and lock it, since it holds the events that led to the alarm notification.

Next, the analyst reviews all of Mario Rossi's activity on the network using an Active Channel in IdentityView filtered to everything related to his actions across systems and devices. IdentityView automatically pulls in DHCP and Active Directory logs, showing which systems he accessed at what times. Clicking an individual event drills into it. For a Cisco NetFlow event with no populated user name field, the analyst looks for session correlation evidence, such as a successful Microsoft Windows logon that took place during one of Mario Rossi's sessions; this confirms that the activity is linked to him through context and session correlation across multiple devices and systems.

In the scenario, Mario Rossi logged into the workstation DESKTOP3 with the account ARCNET.COM\MROSSI, then opened a session to the Unix machine printserver01 with a different account, MARIOR. From there, network traffic analysis shows the following suspicious activity:

1. **Attempted Access**: Mario tried to reach his personal email accounts through the Blue Coat proxy and was denied by company policy. This may have alerted him that he was being watched and led him to switch to another machine over SSH, where further suspicious activity appears.

2. **Web Browsing**: From printserver01, Mario visited job hunting sites including careerbuilder.com, monster.com, and hotjobs.com, typical indicators of dissatisfaction with the current position and an active job search.

3. **Anonymity Proxy Use**: He also used anonymous proxy servers for internet visits, suggesting an attempt to conceal his identity or actions from the company, possibly to transfer sensitive data such as intellectual property out of the company for use in a new position.

4. **Further Suspicious Activity**: Cisco NetFlow events show Mario contacting a hacking website in China, which is highly suspicious for an employee using company resources and could indicate unauthorized data transfer.

Taken together, the evidence suggests that Mario Rossi was gathering information and preparing to leave, possibly seeking a new position while attempting to obtain sensitive company information and masking his actions through anonymous internet access.

The script then describes handling this as a sabotage incident: Mario Rossi accessed a server room after hours using a badge.
To address this issue within ArcSight's case management system:

1. **Visualize Events**: Select and visualize the relevant event fields: event count, names, target host names, and target addresses.

2. **Investigate Further**: Create an investigation around the selected events and add any additional evidence found to the case. Here the case is titled "Employee Badged Into Server Room After Hours – Mario Rossi."

3. **Case Management in ArcSight**: Use ArcSight's case management to manage and escalate the issue, collecting and analyzing evidence systematically.

4. **Add Evidence to Case**: From the event list in the Active Channel, select a couple of events as additional evidence and add them to the case, creating a comprehensive record of the activity linked to the incident.

5. **Reporting and Summarization**: Run a report summarizing all of Mario Rossi's activity during the period. It provides an overview with graphs and tables of his access patterns across applications.

6. **Archived Reports**: Use the All Activity for Specific Actor report, which pulls together all events linked to Mario Rossi over the timeframe; save it as a PDF and attach it to the case for documentation.

The second IdentityView scenario concerns shared accounts used on servers in the sj-arcnet-serverfarm segment, a potential policy violation. The analyst logs into the Command Center as admin and acknowledges the notification of the policy breach.
The software compiles all relevant activity and evidence for the investigation into a case file, "Activity for Specific Actor – Mario Rossi.pdf", so the analyst can quickly close the loop by directing the packaged case to the appropriate group for action.

This use case demonstrates IdentityView, which is still supported but nearing end of sale; User Behavior Analytics is the separate product that should be promoted in its place. Setup: select the event files in the demo replay connector and replay them at a controlled pace to simulate real-time events, then navigate through the Command Center, acknowledge the notification, and investigate. The goal is to be notified promptly when shared accounts are used on restricted servers, attribute that activity back to an individual, and confirm that the practice complies with corporate policy.

The process starts with a notification from ArcSight via email, which also appears in the My Notifications section of the Command Center. The analyst acknowledges it to start working on it. IdentityView identifies logins associated with known shared accounts within the targeted segment (sj-arcnet-serverfarm), which is what makes the shared-account policy checkable. The notification concerns an employee, David West, who used a shared account on a server in the sj-arcnet-serverfarm segment. Opening the notification shows the activity details under Field Set/ArcNet Field Sets/IdentityView v2.0. The correlated event is Logins to Known Shared Accounts, and it shows that David West logged into a server on that segment using the root account.
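The identity correlation both IdentityView scenarios rely on, as an added example in Python (not IdentityView or ESM code): a constructed Actor model mapping account IDs and badge numbers to people; the after-hours badge rule correlating badge event, role, and time of day from the Mario Rossi scenario; and session correlation that attributes a user-less NetFlow event, or a root login like David West's, to the person whose logon session owned the source address at that time. The actor records, badge numbers, session windows, business hours, and events are all assumptions; only the account names ARCNET.COM\MROSSI and MARIOR come from the walkthrough.

```python
"""Identity and session correlation in the shape IdentityView uses above.
Added example, not IdentityView or ESM code. Actors, badge numbers,
logon sessions, business hours, and events are constructed assumptions;
only the account names ARCNET.COM\\MROSSI and MARIOR come from the text."""
from datetime import datetime, timedelta

# Constructed Actor model: one person, many account IDs across systems.
ACTORS = [
    {"name": "Mario Rossi", "department": "Marketing", "role": "Marketing Analyst",
     "accounts": ["ARCNET.COM\\MROSSI", "MARIOR", "badge:10492"]},
    {"name": "David West", "department": "Information Technology",
     "role": "Systems Administrator",
     "accounts": ["ARCNET.COM\\DWEST", "badge:10077"]},
]
ACCOUNT_INDEX = {acct: actor for actor in ACTORS for acct in actor["accounts"]}

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-18:00, Monday to Friday
DATA_CENTER_ROLES = {"Systems Administrator", "Data Center Operations"}


def resolve(account_id):
    """Look a cryptic account ID or badge number up in the Actor model."""
    return ACCOUNT_INDEX.get(account_id)


def is_off_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def after_hours_badge_rule(event):
    """The three-part correlation from the walkthrough: a badge-in to the
    server room, the badge holder's role, and the time of day."""
    if event.get("type") != "badge_in" or event.get("door") != "server_room":
        return None
    actor = resolve("badge:" + event["badge_id"])
    if actor is None:
        return {"rule": "Unknown Badge In Server Room", "badge_id": event["badge_id"],
                "time": event["time"].isoformat()}
    if is_off_hours(event["time"]) and actor["role"] not in DATA_CENTER_ROLES:
        return {"rule": "Employee Badged Into Server Room After Hours",
                "actor": actor["name"], "department": actor["department"],
                "role": actor["role"], "time": event["time"].isoformat()}
    return None


def attribute(event, sessions):
    """Attach a person to an event. Direct: the user field (or badge number)
    resolves through the Actor model. Indirect: no user (NetFlow) or a shared
    account (root), so fall back to the logon session that owned the source
    address at that time, as IdentityView does with Windows/DHCP evidence."""
    user = event.get("user")
    if not user and "badge_id" in event:
        user = "badge:" + event["badge_id"]
    actor = resolve(user) if user else None
    if actor is not None:
        return actor["name"], "account"
    src, ts = event.get("src"), event["time"]
    for s in sessions:
        if s["address"] == src and s["start"] <= ts <= s["end"]:
            owner = resolve(s["account"])
            if owner is not None:
                return owner["name"], f"session {s['account']} on {s['address']}"
    return None, "unattributed"


# Constructed timeline: Tuesday 2025-04-08 at 22:40, i.e. after hours.
T0 = datetime(2025, 4, 8, 22, 40)
SESSIONS = [  # constructed from Windows logon and DHCP lease events
    {"account": "ARCNET.COM\\MROSSI", "address": "10.1.1.51",
     "start": T0 - timedelta(minutes=30), "end": T0 + timedelta(hours=1)},
    {"account": "ARCNET.COM\\DWEST", "address": "10.1.1.9",
     "start": T0 - timedelta(hours=2), "end": T0 + timedelta(hours=2)},
]
EVENTS = [
    {"type": "badge_in", "door": "server_room", "badge_id": "10492", "time": T0},
    {"type": "netflow", "src": "10.1.1.51", "dst": "203.0.113.7", "dport": 80,
     "time": T0 + timedelta(minutes=5)},                         # no user field
    {"type": "login", "user": "root", "src": "10.1.1.9", "dst": "10.5.0.12",
     "time": T0 + timedelta(minutes=10)},                        # shared account
    {"type": "login", "user": "ARCNET.COM\\MROSSI", "src": "10.1.1.51",
     "dst": "10.1.1.51", "time": T0 - timedelta(minutes=30)},
]


def run(events=EVENTS, sessions=SESSIONS):
    alerts = [a for a in (after_hours_badge_rule(e) for e in events) if a]
    attributed = [(e["type"], *attribute(e, sessions)) for e in events]
    return alerts, attributed


if __name__ == "__main__":
    alerts, attributed = run()
    for a in alerts:
        print("ALERT", a)
    for row in attributed:
        print(row)
```

The root login carries no usable user field, so it is attributed by the session that owned 10.1.1.9 at that moment; the same badge-in by the systems administrator at the same time produces no alert, because the rule needs all three components, not just the time of day.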
The "Shared Account Logins" dashboard shows all shared account activity in the environment, from source and target addresses to applications. Mousing over the dashboard exposes Active Channels for further investigation. The Active Channel for David West shows that IdentityView has attributed these events to him; pausing the Active Channel and clicking base events such as Successful Logon shows how IdentityView traced them back to David West.

The investigation continues by selecting event fields such as Name, Device Product, and Target Address, visualizing these events through charts, running reports on shared account activity, and interpreting the data. ArcSight's reporting capabilities support this SIEM (security information and event management) workflow. ArcSight and IdentityView are Micro Focus products; the Cisco devices in this script are only the sources of the NetFlow events.

The shared-account use case addresses tracking of shared account usage, particularly in a proprietary application without per-user access control. Setup: log into the Command Center as admin, acknowledge and clear existing notifications and cases, then start a demo replay connector with the specified event files at 50 events per minute, adjusting the speed later if needed. The use case tracks activity from a shared account named SystemUser, used by multiple users who hold full administrative privileges, for compliance reasons. IdentityView tracks that activity and attributes it back to the actual user, with human-readable names usable in notifications, reports, rules, cases, and other content. IdentityView has reached end of sale, but it works alongside User Behavior Analytics, a distinct product.

IdentityView 2.0 is designed to track user activity back to the accountable user; without it, privileged user activity such as logins cannot be attributed by department and employee type. The IdentityView dashboard by department shows who accesses which systems and applications, broken down by department and employee type, which is key to determining appropriate access rights and understanding system and application usage. User attributes such as department, employee type, and role provide context for the monitored data.

Archived reports for user activity monitoring include "Activity Based Modeling by Department", "All Activity for Employee Type", "All Activity for Role", "Activity Based Modeling by Employee Type", and "Activity Based Modeling by Role". This content is part of a larger effort to track user activity, particularly that of privileged users. The original document closes with Micro Focus trademark information and the company's registration number and address.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. Comments and feedback are welcome; leave a message and it will be responded to.
