
ESM Express 6.11 Console Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 35 min read

Summary:

This step-by-step guide walks through the IdentityView content in the ArcSight Console to analyze user behavior around legacy applications, with a focus on privileged user monitoring.

1. **Open IdentityView and navigate to the Reports section**: Start IdentityView if it is not already running and open the "Reports" section (a dedicated tab or menu) that holds the user-activity reports.

2. **Hide unnecessary panels**: To keep the focus on the reports, hide panels such as the Navigator and Inspect/Edit.

3. **Start the Demo Replay Connector**: Select the event file "IdentityView_v2.0.events", which simulates activity by privileged users. Start the replay at roughly 50 events per minute; after a few minutes of playback, raise it to about 25 events per second if needed.

4. **Display the relevant dashboards**:

  • **Login Activity by Department**: who is accessing which systems and applications, broken down by department.

  • **Login Activity by Employee Type**: the same login activity segmented by employee type (for example full-time, part-time, contractor).

5. **Review the archived reports in the Navigator pane**:

  • **All Activity for Department**: a complete view of activity within a specific department.

  • **Activity Based Modeling by Department** (optional): how activity is modeled according to the department's role in the organization.

  • **All Activity for Employee Type**: activity by employee type, which can reveal usage patterns across categories of staff.

  • **Activity Based Modeling by Employee Type** (optional): the same modeling broken down by employee type.

  • **All Activity for Role**: activity viewed by role (for example admin, analyst).

  • **Activity Based Modeling by Role** (optional): modeling by job role.

6. **Why these reports matter**: Comparing actual activity against department, employee type and role shows whether the access each person holds matches what they actually use, which is the basis for setting access rights so that only authorized personnel reach systems and data.

Details:

This document is a demonstration script for ArcSight ESM/ESM Express version 6.11. It covers security and compliance use cases as well as NetFlow and reputation monitoring, moving from a general overview to specific scenarios such as the Worm Outbreak use case, Privileged User Monitoring and the Shared Accounts use case. Each section gives a structured walkthrough of how ArcSight supports security monitoring and regulatory compliance in different business environments. The first part is the core security use case in the ArcSight Console: 1. **Setup**:

  • Log in to the ArcSight Console as an admin.

  • Delete any existing notifications and cases from the admin’s Cases.

  • Start the Demo Replay Connector by selecting event files (demoexpress-SP1.events) and start replaying them at 50 events per minute.

  • Hide unnecessary panels like Navigator, Viewer, and Inspect/Edit.

2. **Synopsis**:

  • Demonstrates how to use ESM/ESM Express for investigation by utilizing its correlation and analytics features.

  • The workflow includes: Notification -> Dashboard -> Active Channel -> Report -> Case.

  • Actions include acknowledging notifications and selecting the Pending option upon receiving alerts about suspicious or malicious activity detected by ESM/ESM Express.

3. **Action Talking Points**:

  • Upon receiving an email and SMS notification of potential suspicious or malicious activity, acknowledge the notification.

  • ESM/ESM Express performs correlation and analytics on both real-time and historical events in memory, without disk access or scheduled jobs.

The demo then follows the alert-handling workflow in the ArcSight Console:

1. **Initial Notification**: On logging in to the Console, pending notifications await acknowledgment. Each must be acknowledged within a set time frame; otherwise it escalates to the next level of the notification workflow.

2. **Event Details and Correlation**: Acknowledging the notification shows the events behind it, including the correlated event (marked with a red lightning bolt). In this scenario it is "Multiple Login Attempts to Locked Out Account": several failed logins against a disabled Windows account, ending in a lockout.

3. **Investigation Tools**: From the Console you can open the base events that fed the correlation and view them with field sets that show only the fields relevant to the investigation, so attention stays on the details that matter.

4. **SmartConnector and Normalization**: The SmartConnector normalizes events on ingestion, which is what makes correlation and analytics across heterogeneous log sources possible. Part of that is categorization: an event is tagged with vendor-neutral categories such as a behavior of /Authentication/Verify and a device group of /Operating System.

5. **Benefits of Categorization**: Categories make an alert easier to read and make content portable. Rules, filters and reports written against categories rather than device-specific event IDs keep working when a device version changes or a vendor is swapped, because a category such as "Operating System" matches the equivalent events from every device that maps to it, giving one consistent view across systems.

Taken together, notification, correlation and categorization turn the workflow into an efficient, largely automated response to potential threats.

The script then applies this to the login scenario: open the relevant dashboards and cases, move the case through its stages, add notes to keep a record, and open an active channel dedicated to the account of interest for a detailed look at its events. The account in question is swright, whose remote VPN session was assigned the IP address 10.0.110.34. The investigation shows that after the authentication failures he reached corporate network resources over the VPN, and that firewall and IDS logs for that address include further failed logins and FTP sessions to malicious sites, which points to malware on his machine. Note that during normalization each event is also rated for severity on the default scale of Very Low, Low, Medium, High and Very High.
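To make the categorization point concrete, here is an added example (not code from the demo script or from ArcSight) of what a SmartConnector-style normalizer and a category-based correlation rule look like. The log lines are constructed, the regexes and the category strings are assumptions in the style of ArcSight's categoryBehavior/categoryOutcome/categoryObject fields, and the rule reproduces the "Multiple Login Attempts to Locked Out Account" correlation: it never looks at a Windows EventID, so the same rule counts sshd failures from a Linux host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the demo script): Windows Security events in a
# key=value export and Linux sshd messages. The swright lines mirror the scenario
# described above; the IP address is the one the script uses.
SAMPLE_LOGS = [
    "2025-04-08T09:00:01Z WinSec EventID=4625 TargetUserName=swright IpAddress=10.0.110.34",
    "2025-04-08T09:00:12Z WinSec EventID=4625 TargetUserName=swright IpAddress=10.0.110.34",
    "2025-04-08T09:00:25Z WinSec EventID=4625 TargetUserName=swright IpAddress=10.0.110.34",
    "2025-04-08T09:00:40Z WinSec EventID=4740 TargetUserName=swright IpAddress=10.0.110.34",
    "2025-04-08T09:01:00Z sshd[2201]: Failed password for jdoe from 10.0.5.7 port 51000 ssh2",
    "2025-04-08T09:01:30Z sshd[2201]: Accepted password for jdoe from 10.0.5.7 port 51001 ssh2",
]

WIN_RE = re.compile(
    r"^(?P<ts>\S+) WinSec EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed device-specific -> category mapping. The names follow the style of
# ArcSight's categorization; the exact values a real SmartConnector assigns
# are not reproduced here.
WIN_CATEGORIES = {
    "4624": ("/Authentication/Verify", "/Success", "/Host/Account"),
    "4625": ("/Authentication/Verify", "/Failure", "/Host/Account"),
    "4740": ("/Modify/Attribute", "/Success", "/Host/Account/Lockout"),
}


def normalize(line):
    """Turn one raw line into vendor-neutral fields, as a SmartConnector would.
    Returns None for lines the parser does not understand."""
    m = WIN_RE.match(line)
    if m:
        behavior, outcome, obj = WIN_CATEGORIES.get(m["eid"], ("/Unknown", "/Unknown", "/Unknown"))
        product = "Microsoft Windows"
    else:
        m = SSH_RE.match(line)
        if not m:
            return None
        behavior, obj = "/Authentication/Verify", "/Host/Account"
        outcome = "/Failure" if m["result"] == "Failed" else "/Success"
        product = "OpenSSH"
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "product": product,
        "user": m["user"].lower(),
        "src_ip": m["ip"],
        "device_group": "/Operating System",  # both sources map to the same group
        "behavior": behavior,
        "outcome": outcome,
        "object": obj,
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule written against categories only: <threshold> authentication failures for
    one user inside <window>, followed by a lockout of that user, produce a single
    correlated event. Because it never reads an EventID, sshd failures count too."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    correlated = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["device_group"] != "/Operating System":
            continue
        recent = failures[ev["user"]]
        while recent and ev["ts"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev["behavior"] == "/Authentication/Verify" and ev["outcome"] == "/Failure":
            recent.append(ev["ts"])
        elif ev["object"] == "/Host/Account/Lockout" and len(recent) >= threshold:
            correlated.append({
                "name": f"Multiple Login Attempts to Locked Out Account: {ev['user']}",
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "failures": len(recent),
                "base_events": list(recent),   # what the analyst drills into
            })
    return correlated


def run(lines=SAMPLE_LOGS):
    """Normalize every line, drop the unparseable ones, and run the rule."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert["name"], "from", alert["src_ip"], "after", alert["failures"], "failures")
```

The point to take from the rule is that swapping in a different OS or authentication product only means extending the normalizer's mapping table; the correlation logic itself is untouched.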
Next the analyst adds the target DNS domain dslzn11.badguy.net to the active channel. With the threat-intelligence feed in place, the channel shows outbound events to that domain, including FTP_USER/FTP_PASS commands and a firewall Accept, which the feed flags as dangerous browsing. ESM supports several threat-intelligence feeds, from Micro Focus and from third parties including open-source sources. From the channel, selected events can be added to a case so that the work can be handed to another analyst with the evidence attached; searches can be saved, and earlier steps of the investigation can be revisited without starting over. Reports can also be generated with specific parameters, for example a report on failed logins. The incident-handling steps that follow use those PDF reports together with the case: 1. **Generating Reports**:

  • A report was generated on failed login attempts by destination address from a specific timeframe (last 24 hours) to the current time, formatted in PDF.

  • The report was saved and opened as a PDF file for review.

2. **Using Threat Intelligence Tool**:

  • Data from the ESM/ESM Express with Threat Intelligence feed was used, specifically focusing on all reports related to ArcSight under /All Reports/ArcSight > Solutions/Reputation Security Monitor > 1.0/Dangerous Browsing.

3. **Downloading and Attaching Reports**:

  • Two specific reports were downloaded: "Dangerous Browsing Activities During the Last 24 Hours - Short Form".

  • These reports were attached to a case as part of the incident handling process, confirming findings with visual evidence in PDF format.

4. **Case Management and Workflow**:

  • In the Navigator Panel within ESM/ESM Express, the analyst clicked on "Cases" where they found multiple login attempts leading to the locked out account of swright.

  • The report titled "Multiple Login Attempts to Locked Out Account: swright" was used for reference during this process.

  • Attached reports were reviewed by right-clicking and opening them, ensuring all related data could be accessed easily.

5. **Updating Case Attributes**:

  • The case attributes were adjusted based on the findings from the investigation.

  • Specific actions taken included disabling the compromised VPN account used for access and taking the infected host offline for further forensic analysis in an isolated quarantine network.

6. **Notes and Follow-Up Actions**:

  • Notes were added to document what was done and what needs to be addressed, including recommendations such as connecting the infected host for a forensic investigation.

  • The case management system indicated that actions taken included disabling the VPN account (swright) and taking the infected host offline.

  • Follow-up actions recommended adjusting some attributes of the case in ESM/ESM Express to reflect ongoing steps in the workflow process.

This closes the security use case: the PDF reports supply the evidence and the case records the analysis and the actions taken.

The compliance use case shows how ArcSight supports a control standard such as ISO 27002:

1. **Customization for Environment**: The content can be tailored to the organization's own processes and procedures and fits into an existing case-management system such as a ticketing tool.

2. **Integration Capabilities**: ArcSight integrates with legacy case-management and ticketing systems, so the same workflow serves compliance use cases as well.

3. **Compliance Use Case Setup**: Log in to the ArcSight Console as admin and open the IT Governance 3.0 solution content. Acknowledge the pending notifications, then review the archived reports, in particular the former-employee activity report and the ISO reports.

4. **Scenario Discussion**: The scenario is built around section 11 of ISO 27002, Access Control. It contrasts the manual approach (periodically reading login reports) with the automated approach in ArcSight.

5. **Automated Processes and Compliance Tracking**: ArcSight detects when an Active Directory account has been disabled but someone still attempts to log in with it, a gap that needs attention. It also maintains a list of users whose AD accounts have been deleted, so the tracking continues after the account itself is gone.

6. **Reporting and Compliance Management**: The session ends with the reporting side: viewing the Former Employees active list and discussing how effective the automated ISO 27002 content is in managing the organization's security practice.

7. **Action Talking Points**: The presenter starts the replay agent in the demo environment so that the real-time analysis can be shown, with the goal of demonstrating how the tool tracks regulatory compliance across the organization.

Revoking access when someone leaves is basic IT governance and a requirement of most compliance regimes, but proving it is done is hard without a reliable way to review and monitor former-employee activity. Manual log review is tedious, slow and error-prone. ArcSight automates the review and raises alerts proactively: when the former-employee alert fires in the Console, it indicates a violation of the ISO 27002 11.2.1 best practice on former employee account access, and the specific instance where access was not revoked can be dealt with immediately.

ArcSight also provides a compliance status dashboard (for example the All ISO Sections dashboard) that shows the current state of compliance per section of ISO 27002 (formerly ISO 17799). Double-clicking a red entry drills into the non-compliant area, here Section 11, where the offending events are access attempts by former employees. The controls themselves (revoking access, reviewing logs) still apply; ArcSight makes their monitoring and alerting far more efficient without lowering the bar on compliance.

The mechanism behind the former-employee detection is an active list, visible under Lists in the Navigator. A list can be populated dynamically by rules or imported manually, and because it is held in memory the user name on every incoming event can be checked against it at negligible cost. When an account is deleted from Active Directory (or another source), a rule adds the user name to the list automatically. Useful operations on lists include:

  • **Show Entries**: Allows users to view all entries in a selected list by right-clicking on it and choosing 'Show Entries'. This helps in monitoring who has access after an employee leaves.

  • **Import Text Files**: Users can import text files directly into the list, which is useful for bulk additions or updates.

  • **Dynamic Population**: ArcSight automatically adjusts the list when accounts are removed, ensuring that the information remains current and accurate without manual intervention.

  • **Report Generation**: The archived reports produce a report on former employee account access attempts in seconds, something that was previously laborious to compile by hand. Reports can be scheduled and emailed automatically to the relevant parties.
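An added example (not code from the demo script or from ArcSight) of the list mechanism described above: an in-memory active list fed by account-deletion and account-disable events and by an imported text file, and a rule that flags any logon event whose target user is on the list. The events, the HR export and the key=value format are constructed; the Windows event IDs (4725 disabled, 4726 deleted, 4624/4625 logon success/failure) and the two NTSTATUS sub-status codes are real. The example also handles a detail a practitioner runs into immediately: AD user names are case-insensitive and may arrive with a DOMAIN\ prefix, so the list has to compare on a canonical form.

```python
import re
from datetime import datetime

# Constructed sample events (not from the demo script), in a simplified key=value form.
# 4726 = account deleted, 4725 = account disabled, 4624/4625 = logon success/failure.
SAMPLE_EVENTS = [
    "2025-04-01T10:00:00Z EventID=4726 TargetUserName=jsmith SubjectUserName=hradmin",
    "2025-04-01T10:05:00Z EventID=4725 TargetUserName=bkhan SubjectUserName=hradmin",
    "2025-04-02T08:15:00Z EventID=4625 TargetUserName=CORP\\jsmith IpAddress=10.0.110.52 SubStatus=0xC0000064",
    "2025-04-02T08:20:00Z EventID=4624 TargetUserName=swright IpAddress=10.0.110.34",
    "2025-04-02T09:00:00Z EventID=4624 TargetUserName=TLEE IpAddress=10.0.110.60",
]

# Constructed HR export, the kind of text file that can be imported into a list.
HR_EXPORT = """# accounts that should have been removed, exported 2025-03-31
tlee
bkhan
"""

# Windows NTSTATUS sub-status values seen on 4625 that matter for this use case.
SUBSTATUS = {"0xC0000064": "user name does not exist", "0xC0000072": "account disabled"}


def canonical(user):
    """AD names are case-insensitive and may carry a DOMAIN\\ prefix; compare on a
    normalized form so CORP\\jsmith and JSMITH hit the same list entry."""
    return user.rsplit("\\", 1)[-1].lower()


class ActiveList:
    """In-memory stand-in for an ESM active list keyed on user name."""

    def __init__(self):
        self.entries = {}   # canonical user -> {"added": datetime, "source": str}

    def add(self, user, source, when):
        self.entries.setdefault(canonical(user), {"added": when, "source": source})

    def contains(self, user):
        return canonical(user) in self.entries

    def import_text(self, text, when):
        """Bulk load from a text file, skipping comments and blank lines."""
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                self.add(line, "import", when)

    def show_entries(self):
        return sorted(self.entries)


def parse(line):
    ts, _, rest = line.partition(" ")
    ev = dict(re.findall(r"(\w+)=(\S+)", rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def process(events, former):
    """Two rules: account deletions/disablements feed the list; any logon event whose
    target user is on the list becomes an 'ISO 27002 11.2.1 Former Employee Account
    Access' alert. Ordering matters, so events are processed in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] in ("4725", "4726"):
            former.add(ev["TargetUserName"], f"EventID {ev['EventID']}", ev["ts"])
        elif ev["EventID"] in ("4624", "4625") and former.contains(ev["TargetUserName"]):
            alerts.append({
                "rule": "ISO 27002 11.2.1 Former Employee Account Access",
                "user": canonical(ev["TargetUserName"]),
                "src_ip": ev.get("IpAddress"),
                "succeeded": ev["EventID"] == "4624",  # True means access was never revoked
                "detail": SUBSTATUS.get(ev.get("SubStatus", ""), ""),
                "list_source": former.entries[canonical(ev["TargetUserName"])]["source"],
            })
    return alerts


def run(lines=SAMPLE_EVENTS, hr_export=HR_EXPORT):
    """Build the list from the HR export, then stream the events through the rules."""
    former = ActiveList()
    former.import_text(hr_export, datetime(2025, 3, 31))
    alerts = process([parse(l) for l in lines], former)
    return former, alerts


if __name__ == "__main__":
    former, alerts = run()
    print("list:", former.show_entries())
    for a in alerts:
        print(a["user"], "from", a["src_ip"], "succeeded" if a["succeeded"] else "failed", a["detail"])
```

Note the difference between the two alerts the sample produces: jsmith's attempt fails because the account is gone, which is the expected outcome, while TLEE's logon succeeds even though HR says the person left, which is the case the 11.2.1 control exists to catch.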

Combining correlation rules with actions such as notifications and case creation lets an organization detect and respond quickly to incidents, including activity that matches no known signature (zero-day attacks), while the reporting gives a consolidated view of status across both security and compliance. The list feature plus correlation is what makes post-employment access management efficient and gives immediate visibility into problems.

The NetFlow section of the script walks through three dashboards for network traffic analysis:

1. **Top Port and Bandwidth Usage**: A high-level view of bandwidth consumption by identity and by country. The same view can be built across products and vendors for every device in the environment.

2. **Top Source and Target Countries**: Where traffic is coming from and going to, broken down by country, with the bandwidth used per country.

3. **Microsoft SQL Server Monitoring**: A dashboard watching SQL Server traffic on port 1433, scoped to the designated DMZ segment (Target Zone Name: sj-arcnet-dmz).

Two things follow from those dashboards:

1. **Traffic Analysis**: The SQL Server dashboard also shows port 1433 traffic to the "sj-arcnet-desktops" zone, which suggests SQL Server is installed on desktops where it is not approved, whether through an intrusion or an unapproved configuration. A correlation rule with a notification can alert on such out-of-policy traffic as it happens.

2. **Investigation Tools**: Double-clicking the sj-arcnet-desktops target zone name drills into the event details for that zone. Two archived reports complete the picture:

  • **Bandwidth Usage by Port** (Port Utilization): This report provides information about the bandwidth usage across different ports in your environment, showing what’s typical and highlighting any anomalies like unusual increases or usages related to unauthorized SQL Server installations.

  • **Top Bandwidth Hosts**: This report identifies high network traffic generators; in this case, it highlights 192.168.6.101 as having the highest bandwidth usage among all hosts. You might want to further investigate this host using another archived report: **Detailed Traffic by Host**.
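An added example (not code from the demo script or from ArcSight) of the zone-based policy check and the two reports just described, run over constructed flow records. The zone names sj-arcnet-dmz and sj-arcnet-desktops and the host 192.168.6.101 come from the script; the address ranges behind the zones, the flows and the policy (SQL Server is only served from the DMZ) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed zone table (not the script's network model): the first two zone names
# are the ones the demo uses; the address ranges are assumptions.
ZONES = {
    "sj-arcnet-dmz": ipaddress.ip_network("172.17.1.0/24"),
    "sj-arcnet-desktops": ipaddress.ip_network("192.168.6.0/24"),
    "sj-arcnet-servers": ipaddress.ip_network("192.168.10.0/24"),
}

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("192.168.6.50", "172.17.1.10", 1433, 12_000),
    ("192.168.6.101", "172.17.1.10", 443, 900_000),
    ("192.168.6.101", "192.168.6.77", 1433, 250_000),
    ("192.168.10.5", "192.168.6.101", 445, 100_000),
    ("10.9.9.9", "192.168.10.5", 22, 4_000),
]

# Policy (assumed): SQL Server (TCP 1433) may only be served from the DMZ.
SQL_PORT = 1433
SQL_ALLOWED_ZONES = {"sj-arcnet-dmz"}


def zone_of(ip):
    """Map an address to its zone name, or None if it is not in the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def out_of_policy_sql(flows, port=SQL_PORT, allowed=SQL_ALLOWED_ZONES):
    """Flag flows to <port> whose target zone is not an approved one. A target in
    the desktops zone means something on a desktop is answering on 1433."""
    hits = []
    for src, dst, dport, nbytes in flows:
        tz = zone_of(dst)
        if dport == port and tz not in allowed:
            hits.append({"src": src, "dst": dst, "target_zone": tz, "bytes": nbytes})
    return hits


def bandwidth_by_port(flows):
    """Port Utilization report: bytes per destination port."""
    per_port = Counter()
    for _, _, dport, nbytes in flows:
        per_port[dport] += nbytes
    return dict(per_port)


def top_bandwidth_hosts(flows, n=3):
    """Top Bandwidth Hosts report: bytes attributed to a host whether it sent or
    received them, so a server that answers large responses ranks as well."""
    per_host = Counter()
    for src, dst, _, nbytes in flows:
        per_host[src] += nbytes
        per_host[dst] += nbytes
    return per_host.most_common(n)


def detailed_traffic_by_host(flows, host):
    """Detailed Traffic by Host report: every flow the host took part in."""
    return [f for f in flows if host in (f[0], f[1])]


if __name__ == "__main__":
    for hit in out_of_policy_sql(FLOWS):
        print("out-of-policy SQL Server traffic:", hit)
    print("bytes by port:", bandwidth_by_port(FLOWS))
    print("top hosts:", top_bandwidth_hosts(FLOWS))
```

The check keys on the target zone, not on the target address, which is the same reason the dashboard is scoped by Target Zone Name: when a desktop subnet is renumbered, only the zone table changes.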

The next use case, built on ArcSight Activate content, is set up as follows:

  • Logging into the ArcSight Console as an admin.

  • Starting a demo replay of events (with specific files) at a controlled rate to simulate real-time data.

  • Opening the ArcNet active channels and the malware outbreak statistics dashboard.

  • Installing various Activate packages for different monitoring tasks, including Malware Monitoring with indicators and warnings, Network Monitoring with Snort alerts, and other associated products like McAfee EPO VirusScan and Snort.

This is a proactive approach to network security: continuous monitoring and reporting in ArcSight to detect anomalies and unauthorized activity in real or near-real time.

Preparation for the Activate use case:

1. Open multiple web browser tabs and navigate to the following sites:

2. Sign up for an ArcSight Marketplace account and, if possible, have an account on Protect724 (not required for the use case demo).

3. Visit the following Activate wiki pages:

4. ArcSight Activate is a modular content-development methodology together with a library of reusable components for deploying and developing actionable use cases quickly. Packaged use cases can be implemented and customized with little reinvention, and users can build their own from the same library, standardized deployment tactics, methodology and defined best practices.

5. Activate organizes its packages by type:

  • The Activate Base package provides resources like filters, global variables, or active lists used across all other packages.

  • Content for Level 1 (L1) Activate packages consumes indicators from the base package to identify threats and provide early warnings of potential malware issues.

Activate content is distributed through the ArcSight Marketplace, where security professionals share and download content: classic packages, FlexConnectors, utilities and tools, a resource center and partner integrations. Activate packages come in two levels. L1 (indicators and warnings) packages detect potentially malicious activity; L2 (situational awareness) packages add context to what L1 found.

Activate is modular and vendor-neutral: support for an additional product or vendor is added by extending the filters, and the example in the script is adding McAfee ePO - VirusScan to the malware-monitoring content. Documentation and best practices for the content live in the Activate wiki. The L1 Malware Monitoring package documents the use cases and log sources it supports and exposes extension points such as thresholds that can be tuned to the environment. The L2 Malware Monitoring package supports further use cases (the script does not list them) and builds on L1 by adding the network and asset model to what L1 detected.

In a virus or worm outbreak, for example, that context lets responders prioritize by the importance of the affected assets: critical servers or hosts in a DMZ before workstations. Activate covers several monitoring use cases, including malware and entity monitoring, and works across products. Each package ships with a test plan of specific events that verify the content behaves as intended.

In the demo, the "Activate Main Channel" in the ArcSight Console shows every correlated event raised by the Activate use case; the SOC manager triages these and assigns them for investigation. The analyst side of that workflow:

1. **Analyst Role**: An analyst picks up incidents according to subject-matter expertise and availability. Channel views are personalized by the analyst's ESM login, so each analyst sees the work assigned to them.

2. **Monitoring Channels**: Two channels under "ArcNet Active Channels/ArcSight Activate" are used: the Main Channel for the overall picture and a personal investigating channel for assigned work. In this scenario the analyst, Steve, is looking at the "Activate Personal Investigating Channel", which has nothing assigned to him yet.

3. **Incident Detection**: Correlated events show malware activity reported by the antivirus product (McAfee ePO) and by the IDS, indicating a threat on network assets.

4. **Inspecting Incidents**: Double-clicking the correlated event for IP address 172.17.1.1 opens it in the Inspect/Edit panel with the details of the malware (W32/SQLSlammer.worm), the level of detail needed to judge the nature and extent of the threat.

5. **Network Asset Impact**: The affected host is a PCI system in the DMZ (zone arcnet-dmz) that has been infected repeatedly by the same malware. The network and asset model in ESM (Enterprise Security Manager) identifies the zone and its other members, so remediation can be targeted at the critical assets first.

6. **Visualizing Network Assets**: The "Target Zone Resource" field of the event resolves to the DMZ zone and shows the other assets it contains, including the PCI system, which maps where the outbreak has reached.

7. **Resource Clickthroughs**: Clicking through to the "Assets" view of the DMZ gives the detailed asset information and the scope of the problem.

The SOC manager tracks the incident with event annotations in ESM. For the correlated events on the repeatedly infected DMZ host 172.17.1.1, the manager right-clicks one of them, selects "Annotate Events" and assigns it to Steve, a Level 1 analyst. Annotations are flexible and fit whatever workflow the organization has set up: they can track every event passing through ESM's correlation engine, or serve as a triage step before an incident is escalated, and they carry stages (the SOC Stages) that can be customized to the organization's workflow. Once the events are assigned to Steve, they move from the Main Channel to his Personal Investigating Channel.

Annotations also feed the metrics that ArcSight Activate tracks for malware incidents: cases by status (stage), monthly cases by severity, event category, closure reasons, time to resolution and events per analyst hour. An analyst records the stage of a case, comments and details of the malware activity on the affected hosts. In the example, the analyst closes the case for the repeated W32/SQLSlammer.worm infections on the DMZ host 172.17.1.1: the stage is set to "Closed" and the comments note that antivirus definitions were updated, the malware removed and a full system scan run, confirming the host is clean. The Level 2 Malware Monitoring package adds dashboards for malware activity, built on Moving Average Data Monitors that show infection rates across the organization and within the DMZ; in the ArcNet demo environment it is under /All Dashboards/ArcSight Activate/Malware Outbreak Statistics Dashboard.

The benefits of Activate the script emphasizes are ease of deployment, extensibility to new use cases, reuse of content across applications and services, standardized development practices and straightforward sharing between customers and professional services, which shortens the learning curve for new content developers, eases onboarding and improves malware monitoring overall.

The next section sets up the ArcSight Reputation Security Monitor Plus (RepSM+) solution, which uses internet threat intelligence to detect malware infections, zero-day attacks and dangerous browsing on the network:

1. Log in to the ArcSight Console as admin.

2. Delete any Cases under /ArcSight Solutions/Reputation Security Monitor 1.0/Internal Infected Assets.

3. Start the Demo Replay Connector with RepSM_demo.events and replay at 50 events per minute.

4. Open the Active Channel /ArcNet Active Channels/Demo Live and the following Dashboards:

  • /ArcSight Solutions/Reputation Security Monitor, specifically the RepSM Overview dashboard.

  • /Reputation Data Analysis/Reputation IP Database Overview.

5. Navigate to Lists in the ArcSight Console and open /ArcSight Solutions/Reputation Security Monitor. Right-click on Malicious Domains and Malicious IP Addresses, then choose Show Entries. This will display more details in another dashboard, specifically the Internal Infected Assets Dashboard panel.

6. The overview dashboard provides an overall view of internal infections, dangerous browsing, and contact with malicious entities. Drilling down into specific entries (e.g., 10.0.20.21|macmini) will open a case in ArcSight’s case management system, showing monthly trends of the activity.

7. Investigate further if needed by accessing more details directly from the dashboard, if internet access is available. The search may indicate that this activity is indeed malicious and attributed to the Flashback Trojan.

8. Review the provided action talking points for a concise summary and key information about using the RepSM+ solution effectively.

The text describes a series of actions taken to investigate an internal infection suspected of being caused by Trojan horse malware. Here’s a summarized breakdown of the steps involved:

1. **Identifying the Infection**: The user notices an entry in the "Malicious Entity" column of the "Summary of Infected Assets Dashboard" panel, specifically mentioning "mystreamvideo.rr.nu". This suggests that there is suspicion of malware presence based on network activity involving this specific domain.

2. **Contacting Malicious Entries**: The user right-clicks on the entry in the "Malicious Entity" column and selects an option to investigate further, presumably through a security tool like ArcSight.

3. **Drilldown for Detail**: The user double-clicks on the IP address "10.0.20.21" mentioned under "mystreamvideo.rr.nu". This action provides a more detailed view of the asset's activity, likely showing network interactions and suspicious activities related to the infection.

4. **Investigating Specific Events**: The user right-clicks on one of the events listed under this IP address (10.0.20.21) and selects "Drilldown" or a similar option to expand the investigation. This step likely leads to a more detailed view of specific events involving the infected asset, such as attempted SQL injections and internal logins.

5. **Geo-location and Threat Analysis**: Using ArcSight, the user can geo-locate sources and destinations based on IP addresses in the events collected. This helps identify potential malicious activity from or towards China (as indicated by "10.0.20.21" being hosted there). The tool also checks every logged event against a list of known malicious addresses to detect suspicious activities.

6. **Reporting and Correlation**: ArcSight correlates, alerts, and reports based on activity against these malicious IP addresses. This includes real-time checking and updating the list of malicious entities according to detected exploits and threat scores.

In summary, the process involves identifying suspected malware through network logs, using a security tool (ArcSight) for detailed investigation, performing geo-location analysis, and setting up alerts based on suspicious activity patterns identified during these investigations.

The text discusses ArcSight's integration capabilities and how it updates a list of malicious domains every two hours through its special connector. This list includes information about botnet, malware, peer-to-peer, and other malicious sites. ArcSight also has an IP reputation database that covers various types of malicious activities and provides a score distribution for the affected sites. Additionally, the text highlights how ArcSight can be integrated with threat response management (TRM) virtual appliances to perform actions such as quarantining nodes or filtering downloads. The integration capabilities extend further, including integration with TippingPoint SMS for quarantine actions and filter downloads.
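
As an added example (not code from the post and not ArcSight RepSM code), the following Python script shows the core of what the steps above describe: every parsed log event is checked against a reputation list of malicious domains and IP addresses, and the hits are summarised per internal asset, keyed the way the Internal Infected Assets panel keys them (`10.0.20.21|macmini`). The list entries, scores, category labels and log lines are constructed for the example; only the `mystreamvideo.rr.nu` domain and the `10.0.20.21|macmini` asset are taken from the page.

```python
"""Added example: reputation-list matching over log events, with a per-asset summary.
Not part of the original post or of ArcSight RepSM. All data below is constructed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReputationEntry:
    indicator: str   # domain name or IP address
    category: str    # botnet, malware, p2p, ... (constructed labels)
    score: int       # constructed 0-100 scale; higher means more dangerous


# Constructed reputation list. A real deployment refreshes this from a feed on a schedule.
REPUTATION_LIST = [
    ReputationEntry("mystreamvideo.rr.nu", "malware", 85),  # domain named on the page
    ReputationEntry("203.0.113.77", "botnet", 92),          # documentation-range IP, constructed
    ReputationEntry("bad-p2p.example", "p2p", 40),          # low score: stays below the threshold
]

# Constructed proxy/firewall log lines: "<timestamp> <src_ip> <src_host> -> <destination>"
SAMPLE_LOG = """\
2025-04-08T01:12:03Z 10.0.20.21 macmini -> mystreamvideo.rr.nu
2025-04-08T01:12:09Z 10.0.20.21 macmini -> cdn.example
2025-04-08T01:15:44Z 10.0.20.21 macmini -> 203.0.113.77
2025-04-08T02:03:10Z 10.0.30.5 hrlaptop -> intranet.arcnet.com
2025-04-08T02:07:51Z 10.0.30.5 hrlaptop -> MyStreamVideo.rr.nu.
2025-04-08T02:09:00Z 10.0.30.5 hrlaptop -> bad-p2p.example
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")


def normalise(indicator):
    """Canonical lookup form: IPs as ipaddress prints them, domains lower-case without a trailing dot."""
    try:
        return str(ipaddress.ip_address(indicator))
    except ValueError:
        return indicator.lower().rstrip(".")


def build_index(entries):
    """Dictionary keyed by normalised indicator so each event lookup is a single hash probe."""
    return {normalise(e.indicator): e for e in entries}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src_ip, src_host, dest = m.groups()
    return {"ts": ts, "src_ip": src_ip, "src_host": src_host, "dest": normalise(dest)}


def find_contacts(log_text, index, min_score=50):
    """Check every parsed event against the list; only entries at or above min_score count as contacts."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = index.get(ev["dest"])
        if entry is not None and entry.score >= min_score:
            hits.append({**ev, "category": entry.category, "score": entry.score})
    return hits


def infected_assets(hits):
    """Summarise contacts per internal asset, keyed "ip|host" like the demo's 10.0.20.21|macmini entry."""
    summary = defaultdict(lambda: {"entities": set(), "contacts": 0, "max_score": 0})
    for h in hits:
        s = summary[f"{h['src_ip']}|{h['src_host']}"]
        s["entities"].add(h["dest"])
        s["contacts"] += 1
        s["max_score"] = max(s["max_score"], h["score"])
    return {k: {**v, "entities": sorted(v["entities"])} for k, v in summary.items()}


if __name__ == "__main__":
    index = build_index(REPUTATION_LIST)
    for asset, info in infected_assets(find_contacts(SAMPLE_LOG, index)).items():
        print(asset, info)
```

The normalisation step is where list matchers usually go wrong in practice: a feed entry and a proxy log rarely agree on letter case or on the trailing dot of a fully qualified name, so both sides are canonicalised before the lookup. The score threshold is the equivalent of the "dangerous" cut-off the page describes for its score distribution; lowering it turns the p2p entry into a hit.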
ArcSight also uses case management and workflow systems like Remedy, allowing for better collaboration between different security tools and systems.

The provided text outlines a user's interaction with ArcSight Reputation Security Monitor (RepSM) software for handling security cases and monitoring activities involving dangerous destinations. Here’s a summary of the main points:

1. **Opening and Closing Cases**: Users can navigate through predefined stages in the Inspect/Edit panel to manage cases. They can assign cases, track progress, notify on status changes, and close cases by changing their stage from Queued to Closed. This process includes entering annotations about actions taken under the Follow-up tab.

2. **Case Management**: The Events tab serves as a record of events involved in the case. Users can review the details of these events and use this information for further action, such as noting that a host has been remediated or is fixed.

3. **Dashboard Interaction**: Upon closing a case, users are directed to the RepSM Overview dashboard where they find annotations about the status changes within the Internal Infected Assets panel. They can also view interactions with dangerous destinations on the Access to Dangerous Destinations tab.

4. **Real-Time Monitoring**: The system provides real-time views of activities involving contacts with harmful websites and servers, including botnet activity and communications with sites hosting spyware, misuse/abuse, and spam content.

5. **Reporting Features**: RepSM offers comprehensive reporting capabilities, allowing users to generate reports on event details or broader trends related to the monitored activities. These reports can be accessed through the Navigator panel under specific solutions.

6. **Status Updates**: The status of assets such as IP addresses or hostnames is automatically updated within the system when cases are closed, reflecting that they have been resolved or managed appropriately.
This software solution not only facilitates efficient management and tracking of security incidents but also provides valuable insights through detailed reporting and real-time monitoring capabilities.

This text discusses the use of ArcSight for monitoring dangerous browsing activities, generating reports, and implementing correlation rules to detect malicious behavior. The process involves running predefined or custom reports from a cascading menu with options like report format, email options, and custom time spans. A graphical interface allows users to easily modify these reports as needed.

Additionally, the text describes how ArcSight can be used for monitoring worm outbreaks in an enterprise environment. This is demonstrated using the ArcSight Console Interface, where users start a replay agent to re-enact the outbreak events at 200 EPM (events per minute). The interface helps explain different items in the data monitor and provides insights into how worms propagate and infect more hosts within the network.

In summary, this text highlights the capabilities of ArcSight for both regular monitoring activities like dangerous browsing reports and specialized use cases such as simulating worm outbreaks to understand their spread and impact on a network.

This summary talks about using the ArcSight software to monitor and detect worms in a network. It explains how to switch between different views like the Worm Propagation by Zone data monitor and the Worm Infected Systems data monitor. The statistical data monitor shows increased event volumes for some hosts, which helps identify infected systems. Notifications can be set up to alert IT staff when there are issues. Double-clicking on notifications brings up the Event Inspector where you can see more details about what's happening.
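
The statistical data monitor idea above (a host's event volume jumping well above its own norm) can be reproduced offline. The following is an added example, not ArcSight code and not the demo's own data monitor; the zones, thresholds and replayed events are all constructed. It buckets events per source host per minute, flags hosts whose latest bucket exceeds both an absolute floor and a multiple of their earlier average, and then counts the flagged hosts per zone in the spirit of the Worm Propagation by Zone view.

```python
"""Added example: a minimal statistical data monitor for worm-style event spikes.
Not ArcSight code. Zones, thresholds and the replayed events are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed zones; the page's "Worm Propagation by Zone" view groups hosts like this.
ZONES = {
    "DMZ": ipaddress.ip_network("10.0.10.0/24"),
    "Corporate": ipaddress.ip_network("10.0.20.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


def make_events():
    """Constructed replay: (timestamp, source_ip) tuples over six minutes.
    Two hosts start spraying connections in minute 5; one host stays quiet."""
    base = datetime(2025, 4, 8, 9, 0, tzinfo=timezone.utc)
    profile = {  # host -> events per minute for minutes 0..5
        "10.0.20.21": [3, 3, 3, 3, 3, 60],  # corporate host turns into a scanner
        "10.0.20.22": [2, 2, 2, 2, 2, 2],   # quiet host, never flagged
        "10.0.10.5": [1, 1, 1, 1, 1, 45],   # DMZ host infected next
    }
    events = []
    for ip, per_minute in profile.items():
        for minute, n in enumerate(per_minute):
            for i in range(n):
                ts = base + timedelta(minutes=minute, seconds=i)
                events.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), ip))
    return sorted(events)


def bucket_counts(events, bucket_seconds=60):
    """Count events per source host per time bucket: the raw table behind a statistical monitor."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[ip][int(t.timestamp() // bucket_seconds)] += 1
    return counts


def flag_spikes(counts, factor=5.0, min_events=20):
    """Flag a host when its latest bucket is >= min_events and >= factor x its earlier average.
    Missing earlier buckets count as zero, so a host that was silent and then bursts is caught too."""
    flagged = {}
    for ip, per_bucket in counts.items():
        buckets = sorted(per_bucket)
        first, last = buckets[0], buckets[-1]
        earlier = [per_bucket.get(b, 0) for b in range(first, last)]
        if not earlier:  # a single bucket gives no baseline to compare against
            continue
        baseline = sum(earlier) / len(earlier)
        latest = per_bucket[last]
        if latest >= min_events and latest >= factor * max(baseline, 1.0):
            flagged[ip] = {"latest": latest, "baseline": baseline, "zone": zone_of(ip)}
    return flagged


def infected_by_zone(flagged):
    """Number of flagged hosts per zone."""
    by_zone = defaultdict(int)
    for info in flagged.values():
        by_zone[info["zone"]] += 1
    return dict(by_zone)


if __name__ == "__main__":
    flagged = flag_spikes(bucket_counts(make_events()))
    print(flagged)
    print(infected_by_zone(flagged))
```

The absolute floor (`min_events`) matters as much as the ratio: without it, a host that normally sends one event a minute would be flagged by five, which is noise, not a worm. In a live monitor the "latest" bucket would be the current window rather than the last one observed.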
With advanced correlation rules and automated actions like notification and case management, ArcSight ESM/Express allows organizations to quickly spot and address security incidents, even those that haven't been seen before (zero day attacks). It also provides complete and automatic reporting.

The provided text outlines a process for setting up and utilizing ArcSight Marketplace as a tool to enhance visibility into an organization's security and compliance status. Here’s a summarized breakdown of the steps involved:

1. **Log In**: Begin by logging into the ArcSight Console using admin credentials.

2. **Setup Demo Replay Connector**:

  • Select demo event files such as `demo.events`.

  • Start replaying these events at a rate of 50 events per minute.

3. **Open Use Case**:

  • Navigate to `/All Use Cases/Downloads/Network Monitoring` and select the IDS (Intrusion Detection System) - IPS (Intrusion Prevention System) Monitoring use case.

4. **Access ArcSight Marketplace**:

5. **Browse and Search**:

  • On the main ArcSight Marketplace page, navigate through sections like Activate Device Packages, Utilities and Tools, Resource Center, etc.

  • Use the search function to enter "ids" under the "Search" section.

6. **Select IDS IPS Monitoring Package**:

  • In the search results, click on the "IDS IPS Monitoring Package". This package contains specific content related to your deployed IDS and IPS products. It includes a description, screenshots, and details about SmartConnectors that can trigger this content.

7. **Download and Install**:

  • Click through to install or download the package as it is already available for installation in your ArcSight environment.

8. **Use the Installed Content**:

  • Utilize the provided content to enhance visibility into the security and compliance status of your organization by monitoring IDS and IPS products effectively.

This process allows users to leverage pre-built use cases, best practices, and other resources available in ArcSight Marketplace to better manage their security posture through improved visibility.

The provided text outlines the functionality and features available when using the IDS (Intrusion Detection System) - IPS (Intrusion Prevention System) Monitoring Use Case in a software environment, likely ArcSight by HP Enterprise. Here's a summary of key points from the content:

1. **Resource Availability**: Several resources are installed from the Marketplace, including dashboards, channels, viewer panels, reports, and supporting resources such as filters, field sets, queries, and data monitors. These are designed to be triggered by network IDS/IPS devices.

2. **Dashboard Visualization**: The user can access a dashboard that provides an overview of events from deployed IDS and IPS devices. This includes visual representations of top attackers, targets, alerts, and their counts.

3. **Drill-Down Feature**: Users can double-click on specific parts of the dashboard to view detailed information about events, including normalized fields and categorized fields using the Inspect/Edit Panel.

4. **Report Generation**: The default reports are based on archived data since live event replay might not be available immediately. These include reports like alert counts by attacker and target, which can be accessed through the Navigator Panel under Reports and Archives.

5. **Marketplace Content**: The demonstration highlights how ArcSight Marketplace offers a variety of content, including apps, documentation, and community sharing for security content and SIEM best practices. This showcases the value ArcSight Marketplace adds to customers by providing a platform to explore and utilize various tools and resources tailored for IDS/IPS monitoring and other security needs.

6. **End of Support for IdentityView**: A note is provided about the use case demonstrating IdentityView, which is still supported but has reached its end of sale. User Behavior Analytics (UBA) is mentioned as a separate offering that users might consider exploring further.

To summarize, follow these steps when dealing with a distinct product from IdentityView:

1. Log into the ArcSight Console as an admin user.

2. Navigate to the Notifications tab and either acknowledge or resolve any pending or acknowledged notifications. Close the Notifications tab afterward.

3. Delete any related cases under the admin’s Cases section.

4. Access specific dashboards within the console:

  • Go to /Shared/All Dashboards/ArcSight Solutions/IdentityView 2.0 and review Actor Management (Actor Overview, Actor Roles Overview).

  • Navigate to /ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Identity Investigation for Top Bandwidth by Actor and Identity Investigation.

  • Check out /ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Modeling for Login Activity by Department.

5. Open the Active Channel: /ArcNet Active Channels/IdentityView v2.0/Actor Investigation – Mario Rossi.

6. In the Navigator, go to the Reports resource and open the Reports and Archives tab under /ArcNet Archived Reports, expanding all items under this group. Look for IdentityView reports specifically under /IdentityView v2.0.

7. Access the Actors resource in the Navigator.

8. Configure ArcSight Console Event Graph options: Edit preferences to show event nodes once per unique source, set source/target nodes as simple nodes, and define identifiers like Attacker Host Name for sources and Target Host Name for targets. Set the graph layout to organic.

9. Hide the Navigator and Inspect/Edit panels within the console.

10. Start the Demo Replay Connector by selecting IdentityView_v2.0.events, replaying at 50 events per minute initially, then adjust speed as needed (e.g., ~25 events/sec). Ensure Mario’s first three events are played in sequence during this process.

This summary captures the main actions required to set up and interact with a distinct product from IdentityView within the ArcSight Console for demonstration or operational purposes.

In this scenario, Mario Rossi is actively using his Windows system and connecting to Unix systems through an ArcSight system. The focus is on integrating user context from various systems, like Active Directory (ARCNET.COM), to enhance event correlation and visualization in the ArcSight platform. By expanding the Actors resource within ARCNET.COM identity management, a model is created that represents all users within the integrated system, automatically grouping them by Organizational Unit (OU) as defined in Active Directory. Mario's user context is represented through an Actor model which includes details such as full name and employee type from Active Directory.
This integrated view allows for better identification of user activities across different systems, facilitating more comprehensive security monitoring and management. The demonstration highlights the capability to pull in all user information from a domain and automatically group users by OU, providing a detailed visual representation of organizational units within the system.

The text describes the setup for an Actor model within a system, specifically focused on users in Active Directory. Users are considered "active" and their details such as department (Marketing) are pulled into a top panel. Below this, account identifiers used to access various systems and applications are listed. A lower panel displays role attributes which, in the case of Active Directory, are automatically populated based on group membership. The user is part of two groups: Account Managers and Internal Employees.

The text then shifts focus to dashboards available for visualizing the Actor model within a system. It introduces the "Actor Overview" dashboard, designed to provide general statistics about the actors in the model, such as the total number of users (36) and the distribution of account IDs across these users (130 different accounts across 36 users, suggesting an average of 3-4 accounts per user).

Overall, this setup aims to manage and visualize complex identities within a system, providing a framework for understanding user activity across multiple systems and applications.

The dashboard provides an overview of actor roles within the organization's environment, specifically focusing on Active Directory integration. It includes detailed statistics and breakdowns for each Actor, such as their status (active or disabled), organizational unit (OU) distribution, and departmental affiliation. This allows for correlation rules to be applied in case of terminated employees whose accounts have been disabled.

The dashboard also presents information about group membership within Active Directory, showing the number of groups (95 total), individual users' group memberships, and which groups contain the most members. It highlights how many users are part of numerous groups and emphasizes the efficiency implications for compliance and access control in managing such a large number of groups and user associations.

The passage discusses how user context information within an organization's system can enhance visibility and improve policy enforcement by allowing the assessment of traffic and activity from a user perspective rather than solely relying on IP addresses. This shift in focus provides deeper insights into bandwidth utilization and login activities across various departments, enabling better correlation between policies and actual usage.

The passage highlights how this approach enables organizations to reassess their Active Directory membership assignments more effectively by considering user roles and departmental affiliations. It also introduces a scenario where specific individuals are authorized to access data centers during off-hours for operations and administration tasks. Misuse of such access rights can pose significant security challenges for the organization, highlighting the importance of maintaining accurate user context in cybersecurity measures.

This passage describes an incident where there was unauthorized access to a server room, which raises concerns about compliance violations and potential insider threats. The author mentions that the badge reader authentication system has a misconfiguration, allowing non-data center operations administrators to enter data centers. To address this issue, they need to acknowledge notifications from the ArcSight system for automatic escalation purposes.
By acknowledging these notifications immediately, the author can investigate further without letting them escalate to higher levels where their manager would be notified. The passage also details how to access detailed information about the unauthorized access incident by double-clicking on a notification, which reveals correlated event details and provides an overview of what is being investigated.

To summarize the text, we are discussing a situation where an employee (Mario Rossi) used a badge to enter the server room after hours. This action triggered a correlation alert in the ArcSight system because it involved three components being correlated: the badge event itself, the role of the user (which showed that Mario Rossi was not part of data center operations or an IT administrator), and the time of day when he accessed the server room during non-business hours.

The ArcSight system uses identity correlation to determine who the employee is by looking at the username in the badge event, matching it back to the Actor model, which then provides additional information such as the user's full name (Mario Rossi) and their department (Marketing). The purpose of this correlation was to identify why a Marketing employee should have access to the data center during non-business hours.

In summary, the text outlines how an employee's unauthorized entry into the server room after hours, as detected by the ArcSight system through badge usage, led to a correlation alert that revealed Mario Rossi's role and department, prompting further investigation into why such access was necessary or appropriate for his position during non-business hours.

The text describes how to efficiently track all activities performed by someone named Mario Rossi on your network, using an "Active Channel" feature that simplifies the process beyond manual tracking. By entering "Show me everything that Mario Rossi did," the system automatically collects data from DHCP and Active Directory logs, including successful logon events and Cisco NetFlow events, without requiring individual user account details. The method involves leveraging session correlation to identify activities linked to Mario Rossi based on his logged-in Microsoft machine (desktop workstation) and subsequent sessions established using different accounts but identified through identity correlation as belonging to him. This approach allows tracking of network traffic and web browsing activity associated with Mario Rossi across multiple devices or systems within the network, even if those actions are performed under various account names.

The passage describes an analysis of network traffic involving suspicious activity by an employee (Mario) from his desktop and subsequent actions on Unix machines, as observed through various tools like the Event Graph and NetFlow events. Initially, there's evidence of successful login to Mario's desktop, establishing a session for further activities. This is followed by blocked web browsing attempts towards personal email accounts and denied access, possibly indicating surveillance or restrictions being triggered. To visualize this activity more clearly, the passage recommends using ArcSight features such as Event Graph with Hierarchic Layout. By grouping specific events (like TCP_MISS from a Blue Coat proxy and Cisco NetFlow data from printserver01), the visual representation provides a clearer picture of what's happening:

  • First, there is evidence of a successful initial login to Mario's desktop that sets up a session for further activities.

  • Following this, blocked web browsing attempts towards personal email accounts are observed, possibly suggesting surveillance or restrictions being triggered.

  • In an attempt to conceal his tracks, Mario logs into a Unix machine, revealing more nefarious activity. Through the Blue Coat proxy, it is revealed that he accesses job hunting websites like careerbuilder.com, monster.com, and hotjobs.com, which are indicative of dissatisfaction with current employment and active job search efforts.

  • The Cisco NetFlow Event further reveals Mario's attempts to access anonymous foreign sites and a known hacking website in China. This activity raises concerns about potential security breaches or unauthorized data access.
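
To make the three-way correlation behind the badge alert concrete, here is an added Python example (not IdentityView or ArcSight rule syntax, and not code from the post): a badge event is resolved to an actor through the account id it carries (identity correlation), the actor's AD group membership stands in for the role attribute, and the rule fires only when the door is the server room, the role is not authorised for data-center access, and the timestamp falls outside business hours. The actor records, group names, business-hours definition and badge events are all constructed; Mario Rossi, the Marketing department and his two groups are the ones named on the page.

```python
"""Added example: identity correlation of badge events against an actor model plus the
after-hours data-center rule. Not ArcSight/IdentityView code; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Actor:
    full_name: str
    department: str
    employee_type: str
    status: str                                  # "active" or "disabled"
    account_ids: dict                            # system name -> account id used on that system
    groups: list = field(default_factory=list)   # AD group membership drives the role attributes


# Constructed actor model (a real one is imported from Active Directory).
ACTORS = [
    Actor("Mario Rossi", "Marketing", "Full-time", "active",
          {"ad": "ARCNET\\mrossi", "badge": "MROSSI", "unix": "mrossi"},
          ["Account Managers", "Internal Employees"]),
    Actor("Dana Lee", "IT", "Full-time", "active",                     # constructed colleague
          {"ad": "ARCNET\\dlee", "badge": "DLEE", "unix": "dlee"},
          ["Data Center Operations", "Internal Employees"]),
]

# Constructed policy: groups allowed into the data center, and business hours (Mon-Fri).
AUTHORISED_GROUPS = {"Data Center Operations", "IT Administrators"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed badge-reader events; 2025-04-08 is a Tuesday.
BADGE_EVENTS = [
    {"timestamp": "2025-04-08T23:15:00", "badge_user": "mrossi", "door": "server_room", "result": "granted"},
    {"timestamp": "2025-04-08T23:30:00", "badge_user": "dlee", "door": "server_room", "result": "granted"},
    {"timestamp": "2025-04-08T10:05:00", "badge_user": "mrossi", "door": "server_room", "result": "granted"},
    {"timestamp": "2025-04-08T23:40:00", "badge_user": "mrossi", "door": "lobby", "result": "granted"},
    {"timestamp": "2025-04-08T23:45:00", "badge_user": "visitor7", "door": "server_room", "result": "granted"},
]


def resolve_actor(system, account_id):
    """Identity correlation: match the account id seen in an event back to an actor record."""
    for actor in ACTORS:
        if actor.account_ids.get(system, "").lower() == account_id.lower():
            return actor
    return None


def is_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]


def evaluate_badge_event(event):
    """Return an alert only when all three correlated conditions hold: a granted server-room
    badge, an actor whose role does not authorise the access, and an off-hours timestamp."""
    if event["door"] != "server_room" or event["result"] != "granted":
        return None
    ts = datetime.fromisoformat(event["timestamp"])
    actor = resolve_actor("badge", event["badge_user"])
    if actor is None:
        # Badge id not in the model: out of scope for this rule (a separate rule would cover it).
        return None
    authorised = bool(AUTHORISED_GROUPS & set(actor.groups))
    if authorised or is_business_hours(ts):
        return None
    return {
        "rule": "After-hours data center access by unauthorised role",
        "timestamp": event["timestamp"],
        "badge_user": event["badge_user"],
        "actor": actor.full_name,
        "department": actor.department,
        "groups": list(actor.groups),
    }


def run_rule(events):
    """Evaluate every badge event and keep the alerts."""
    return [a for a in (evaluate_badge_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_rule(BADGE_EVENTS):
        print(alert)
```

Of the five constructed events only the first produces an alert: the second is an authorised operator, the third is during business hours, the fourth is a different door, and the fifth has no matching actor. The alert carries the resolved name and department rather than the raw badge id, which is exactly the enrichment the notification on the page shows.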

In summary, the passage describes how network traffic analysis using ArcSight tools helps identify suspicious activities such as blocked web browsing, initial successful login events, and Unix machine accesses leading to further exploration of possible dissatisfaction with employment among employees, which could be indicative of internal threats or other concerns requiring deeper investigation.

The text discusses a situation where an individual is suspected of using anonymous proxies to transfer potentially sensitive data from their company, possibly including intellectual property, which they might use in their new role. To address this concern, it is recommended that the matter be escalated to human resources and further investigated using ArcSight's case management system.

Within the ArcSight system, a case was automatically opened when an unauthorized badge access event occurred after hours for Mario Rossi. The case includes various attributes such as stages, impact, and severity, which can be set by the user or assigned to different users for tracking purposes. Additionally, this case contains events that triggered the alarm, both correlated and original base events.

To add additional evidence to this case, the text suggests locking the case for editing from the Active Channel view where all relevant information has been found. The selected events are then right-clicked and added to the case using the Case Editor, with the Other selected Event(s) under the Events tab being expanded to show that these events have indeed been added.

The passage describes how to present evidence in a case using an Event Graph, which is then attached to the case for easy visual understanding and sharing. It mentions adding the event graph directly to the case as a JPEG attachment, allowing others to see the visual representation of activities.

The author also suggests using reporting tools like "Archived Report Activity for Specific Actor" or running "All Activity for Specific Actor" reports to summarize evidence and justify further investigations. These reports can provide a summarized view of user activity over time, showcasing access events and system interactions associated with a specific individual in the case.

The text discusses the use of an ArcSight console to investigate a case involving shared account usage, specifically focusing on the IdentityView feature within the console. The process includes logging into the console as an admin, navigating through various tabs such as Notifications and Dashboards, and accessing reports related to shared accounts via the Reports and Archives tab. The setup steps are outlined as follows:

1. Log in as an admin user to the ArcSight Console.

2. In the Notifications tab, acknowledge any pending notifications and delete any associated cases under the admin’s cases.

3. Access the Dashboards by navigating to a specific IdentityView v2.0 dashboard which includes a section on Shared Account Logins.

4. Use the Navigator to browse through resources like Reports, expand them as necessary, and locate the saved reports in PDF format within the Report Archives or under the IdentityView v2.0 group.

5. Once all required reports are accessed, hide the Navigator and inspector/editor panels, leaving only the Console visible for further investigation.

The text also mentions that this use case is related to a policy violation involving shared accounts and uses the example of Mario Rossi as an illustrative scenario. It highlights how ArcSight allows users to quickly compile evidence from various sources into a single case which can then be handed off to relevant authorities.

The information provided does not specifically confirm or deny whether Mario Rossi was involved in the shared account usage, but implies that such cases are common and can be addressed with the use of the described tools and features within ArcSight.

The provided text outlines a procedure for using a demo replay connector with specific event files to investigate an incident involving the use of a shared account on a server within a particular network segment. Here's a summarized version of the key points mentioned:

1. **Setting Up the Demo Replay Connector:**

  • Select and load the event files "IdentityView_v2.0.events" for replay.

  • Start replaying these files at a rate of 50 events per minute initially, which can be adjusted to approximately 25 events per second after a brief period.

2. **Alert Handling:**

  • Receive an email alert on a phone related to notifications from ArcSight.

  • Acknowledge the notification through the ArcSight Console and initiate the investigation workflow.

  • The console indicates pending notifications assigned to you, which need to be viewed and acknowledged.

3. **Incident Viewing and Acknowledgment:**

  • On the Alert Page, view and acknowledge the incident notification of "Logins to Known Shared Accounts."

  • Quickly diagnose by reviewing detailed information about the incident in the Inspect/Edit panel.

  • The incident shows an identity name, with 'root' as the target user name for session openings.

4. **Investigation Details:**

  • Highlight that the rule is monitoring specific behavior and only applies to a particular segment of the network.

  • Show how the incident and notification display the actor's full name and department within the Network Model, specifically targeting shared accounts on servers in this segment.

5. **Dashboard Visualization:**

  • The "Shared Account Logins" dashboard provides an overview of all shared account activities across the environment.

This procedure emphasizes the use of ArcSight features to investigate security incidents effectively and efficiently using predefined workflows and visual tools like dashboards.

The text describes a custom dashboard that has been developed for monitoring and analyzing data related to applications and shared accounts within an organization's environment. Unlike the default dashboard, which utilizes Query Viewers, this particular dashboard uses Data Monitors. This choice was made to enhance drill-down capabilities, allowing users to explore detailed event information by right-clicking on specific chart portions and selecting "Investigate." The dashboard does not support double-click drill-downs; instead, it relies on a filter with an inactive list condition.

To conduct deeper analysis, users must perform the following steps: Right-click on an individual named David West in the "Top Known Shared Accounts" section of the dashboard and select "Investigate." This action will activate a channel related to that specific user. After creating this Active Channel, users can display fields within the set by selecting them from the dropdown menu available there. Tying back shared account activity to identities is facilitated through the IdentityView attribute in this field set. If additional event files, such as demoexpress-SP1.events or arcexpressdemo.events, are played, they will show events not tied directly to identities within the Active Channel and Field Set.

Finally, the user can explore detailed information regarding shared account activity by opening the "Archived Report: Logins to Known Shared Accounts – Summary.pdf" and reviewing it in the Reports Navigator pane. This report provides a summary of all shared account logins across the organization's environment, highlighting key details like attacker and target zones, showcasing the utility of using ArcSight ESM/Express for such investigations.
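
Both the "show me everything that Mario Rossi did" channel described earlier and the Logins to Known Shared Accounts rule rest on the same mechanism, session correlation, so one added Python example (not ArcSight or IdentityView code, and not from the post) covers both. An Active Directory logon opens a session for the workstation's IP address; later proxy, NetFlow and Unix login events from that IP are attributed to the same actor regardless of the account they use; and a login to a listed shared account on a server inside one monitored segment is raised as an alert carrying the actor's name and department. The actor table, shared-account list, segment, session lifetime and all events are constructed (David West's department is made up; only the two names, the `root` account and `careerbuilder.com` appear on the page). Events from an IP with no open session stay unattributed, which is what the page says happens when the other demo event files are replayed.

```python
"""Added example: session correlation (logon -> IP -> actor) and the known-shared-accounts rule
restricted to one network segment. Not ArcSight/IdentityView code; all data is constructed."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed actor model: AD account -> attributes (IdentityView imports this from AD).
ACTORS = {
    "ARCNET\\mrossi": {"full_name": "Mario Rossi", "department": "Marketing"},
    "ARCNET\\dwest": {"full_name": "David West", "department": "Finance"},  # department constructed
}
# Constructed list of known shared accounts and the one segment the rule applies to.
SHARED_ACCOUNTS = {"root", "systemuser", "oracle"}
MONITORED_SEGMENT = ipaddress.ip_network("10.0.50.0/24")
SESSION_TTL = timedelta(hours=8)   # how long a logon keeps attributing traffic from that IP

# Constructed, time-ordered events. "user" is the logon account for ad_logon events and the
# target account for unix_login events.
EVENTS = [
    {"ts": "2025-04-08T08:00:00", "type": "ad_logon", "src_ip": "10.0.20.21", "dst_ip": "10.0.1.2", "user": "ARCNET\\mrossi"},
    {"ts": "2025-04-08T08:05:00", "type": "ad_logon", "src_ip": "10.0.20.30", "dst_ip": "10.0.1.2", "user": "ARCNET\\dwest"},
    {"ts": "2025-04-08T08:10:00", "type": "proxy", "src_ip": "10.0.20.21", "dst_ip": "198.51.100.9", "url": "careerbuilder.com"},
    {"ts": "2025-04-08T08:12:00", "type": "unix_login", "src_ip": "10.0.20.21", "dst_ip": "10.0.50.10", "user": "root"},
    {"ts": "2025-04-08T08:20:00", "type": "unix_login", "src_ip": "10.0.20.30", "dst_ip": "10.0.50.10", "user": "root"},
    {"ts": "2025-04-08T08:25:00", "type": "unix_login", "src_ip": "10.0.20.30", "dst_ip": "10.0.60.7", "user": "root"},
    {"ts": "2025-04-08T08:30:00", "type": "netflow", "src_ip": "10.0.20.21", "dst_ip": "203.0.113.77"},
    {"ts": "2025-04-08T09:00:00", "type": "unix_login", "src_ip": "10.0.40.9", "dst_ip": "10.0.50.11", "user": "oracle"},
]


def attribute_events(events):
    """Session correlation: an AD logon opens a session for its source IP; every later event from
    that IP within SESSION_TTL is attributed to the same actor, whatever account it used."""
    sessions = {}   # src_ip -> (actor dict, logon time)
    out = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "ad_logon" and ev["user"] in ACTORS:
            sessions[ev["src_ip"]] = (ACTORS[ev["user"]], ts)
        actor = None
        hit = sessions.get(ev["src_ip"])
        if hit is not None and ts - hit[1] <= SESSION_TTL:
            actor = hit[0]
        out.append({**ev, "actor": actor})
    return out


def activity_for(attributed, full_name):
    """The 'show me everything this person did' channel, built from attributed events."""
    return [ev for ev in attributed if ev["actor"] and ev["actor"]["full_name"] == full_name]


def shared_account_logins(attributed):
    """The 'Logins to Known Shared Accounts' rule, limited to targets in MONITORED_SEGMENT."""
    alerts = []
    for ev in attributed:
        if ev["type"] != "unix_login" or ev["user"].lower() not in SHARED_ACCOUNTS:
            continue
        if ipaddress.ip_address(ev["dst_ip"]) not in MONITORED_SEGMENT:
            continue
        actor = ev["actor"]
        alerts.append({
            "ts": ev["ts"], "target": ev["dst_ip"], "shared_account": ev["user"],
            "actor": actor["full_name"] if actor else None,
            "department": actor["department"] if actor else None,
        })
    return alerts


def top_shared_accounts(alerts):
    """Counts per (actor, shared account), the data behind a 'Top Known Shared Accounts' chart."""
    return Counter((a["actor"] or "(unattributed)", a["shared_account"]) for a in alerts)


if __name__ == "__main__":
    attributed = attribute_events(EVENTS)
    for ev in activity_for(attributed, "Mario Rossi"):
        print(ev["ts"], ev["type"], ev.get("url") or ev["dst_ip"])
    print(top_shared_accounts(shared_account_logins(attributed)))
```

The third `root` login is dropped because its target is outside the monitored segment, and the `oracle` login from `10.0.40.9` is kept but stays unattributed because no logon ever opened a session for that IP. The session lifetime is the weak point of this technique: too long and a shared workstation is misattributed, too short and genuine activity falls out of the channel, so a real deployment also closes sessions on logoff and DHCP lease change.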
The provided text outlines a procedure for using the ArcSight Console to analyze user behavior related to legacy applications by employing the ArcSight IdentityView feature. Here's a summary of the steps and objectives:

1. **Understanding the Report Columns**: The customer may inquire about two report columns, "Actor by Name" and "Actor by IP," which indicate how IdentityView can attribute activities based on names or IPs.

2. **Accessing Archived Reports**: This default report will display all SU (System User) and SUDO (sudo) activities in the environment. The user needs to review these reports, possibly for compliance purposes related to legacy applications that lack access control features.

3. **Use Case Description**: The text introduces a "Shared Accounts Use Case (Legacy Application)" which highlights the use of IdentityView to track login sessions of users who share an account (e.g., SystemUser) across proprietary applications without user access controls. This is relevant for compliance with administrative privileges and auditing purposes.

4. **Technical Steps**:

  • Login as admin in the ArcSight Console.

  • Navigate to Notifications, acknowledge/delete pending notifications, and clear associated cases.

  • Access specific dashboard: /ArcNet Dashboards/IdentityView v2.0/Shared Accounts/MyLegacyApp Login Sessions.

  • Explore reports within the Archives section of the Navigator under /ArcNet Archived Reports group, focusing on IdentityView v2.0 for relevant reports.

  • Configure and start a Demo Replay Connector with specified event files to simulate user activities.

5. **Business Objectives**: The purpose is to demonstrate how ArcSight ESM/Express and IdentityView can help track login activities of users sharing accounts in legacy applications, which are crucial for compliance and security auditing. This process demonstrates the capability of ArcSight tools to support audit trails and user activity monitoring even in legacy systems lacking modern access control features.

This summary provides an overview of how to set up and use a feature called "Privileged User Monitoring" within an application using ArcSight Console, specifically demonstrating its integration with IdentityView for tracking activity related to SystemUser accounts. The process involves logging into the ArcSight Console as an admin, navigating through notifications and cases, accessing specific dashboards, and generating reports on privileged user login activities. It also highlights the importance of compliance reporting by providing access records tied back to accountable users, using tools like IdentityView for better traceability in case of audits or security reviews.

To summarize the provided information, here's a step-by-step guide on how to use IdentityView Reports for analyzing system and application usage by department or employee type.

1. Open the IdentityView software and navigate to the "Reports" section.

2. Hide unnecessary panels like Navigator and Inspect/Edit to focus on the Console where the reports are displayed.

3. Start the Demo Replay Connector:

  • Select the event files "IdentityView_v2.0.events".

  • Begin replaying these files at 50 events per minute, adjusting the speed to approximately 25 events per second after about two to three minutes if necessary.

4. Display the following dashboards:

  • Login Activity by Department: This dashboard shows who is accessing systems and applications by department.

  • Login Activity by Employee Type: Here you can see login activities categorized by employee type.

5. Show specific archived reports from the IdentityView Reports Navigator pane:

  • All Activity for Department.pdf

  • Activity Based Modeling by Department.pdf (optional)

  • All Activity for Employee Type.pdf (optional)

  • Activity Based Modeling by Employee Type.pdf (optional)

  • All Activity for Role.pdf (optional)

  • Activity Based Modeling by Role.pdf (optional)

6. Understand the value of these reports in determining appropriate access rights based on department, employee type, or role within your organization's system and applications.

Please note that "MICRO FOCUS" and related logos are registered trademarks of Micro Focus International plc., and other marks indicated may be registered trademarks of their respective owners.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
