
ESM Express 7.0 Command Center Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 41 min read

Summary:

The text outlines a comprehensive use case for IdentityView 2.0, which is designed to monitor user activity in applications and systems. Here are the key points summarized from the provided information:

1. **Purpose of IdentityView**: The primary purpose of IdentityView is to provide an archived report that tracks access to an application using a SystemUser account. This report is essential for compliance purposes, particularly for auditors who need proof of who accessed the system.

2. **Compliance and Reporting Requirements**: There is a requirement to show the archived report titled "MyLegacyApp Login", which includes information about sessions accessed by a Shared Account. The report should be accessible both ad hoc and on a scheduled basis. IdentityView helps in tracing this activity back to accountable users.

3. **End of Sale for IdentityView**: IdentityView is now considered end-of-sale, with User Behavior Analytics serving as an alternative and distinct product. This suggests a shift towards newer technologies for monitoring user behavior.

4. **Setup Instructions**: To utilize IdentityView:

  • Log in as an admin to the Command Center.

  • Acknowledge any existing notifications and clear cases from the admin's dashboard.

  • Replay event files using the Demo Replay Connector, starting with IdentityView_v2.0.events at 50 events per minute, which can be adjusted to approximately 25 events per second if necessary.

5. **Dashboard Usage**: The tool generates two dashboards based on different criteria: department and employee type. These dashboards provide detailed information about user access patterns across departments and employee types within the organization. This data is invaluable for understanding system usage, assessing whether access rights are appropriate, and making informed decisions regarding system administration.

6. **Reports Available**: Specific reports available under the "IdentityView v2.0" dashboard include:

  • All Activity for Department.pdf: Provides a detailed view of all activities organized by department, based on archived data from ArcNet.

  • Activity Based Modeling by Department.pdf: Further analyzes and categorizes data related to specific departments using activity-based modeling.

  Optionally, additional reports can be shown:

  • All Activity for Employee Type.pdf: Covers all activities categorized according to different employee types.

  • All Activity for Role.pdf: Activities organized by role within the organization.

  • Activity Based Modeling by Employee Type.pdf: Tailored to different employee types.

  • Activity Based Modeling by Role.pdf: Applies activity-based modeling techniques to categorize activities according to roles.

7. **Legal Notice**: The text includes a legal notice regarding trademarks and registered marks belonging to Micro Focus International plc, along with its registration number and address. This is a standard disclaimer found in technical and software documentation to clarify ownership of intellectual property rights.

In summary, the use case for IdentityView 2.0 focuses on enhancing system security and compliance through detailed auditing of privileged users' activities, complemented by dashboards that provide actionable insights into application usage based on organizational structure.

Details:

This document is a guide for ArcSight ESM / ESM Express 7.0, Command Center, and related use cases. It includes sections such as Overview, Security Use Case, Compliance Use Case, ArcSight Activate Threat Intelligence, NetFlow Use Cases, ArcSight Activate and Marketplace, Reputation Security Monitor Plus, Command Center, ArcSight Marketplace, Privileged User Monitoring Use Case (Afterhours Activity), and Shared Accounts Use Case (Policy Violation). The content is dated April 20, 2018, and versioned as v2.

The document outlines a demonstration script for using Micro Focus's Enterprise Security Manager (ESM) / ESM Express with ArcSight Command Center, focusing on two security use cases: Shared Accounts and Privileged User Monitoring.

**Shared Accounts Use Case:**

1. **Setup:** Begin by logging into the Command Center as an administrator. Delete any existing notifications and cases from the admin's dashboard. Switch to the dark theme for better visibility during the demonstration.

2. **Demo Replay Connector Setup:** Select the event file (demoexpress-SP1.events) and start replaying it at a rate of 50 events per minute.

3. **Synopsis:** This use case demonstrates how analysts can use ESM/ESM Express to investigate suspicious or malicious activity, and highlights the efficiency and ease provided by ArcSight's correlation and analytics technologies. The investigation workflow is: notification -> dashboard -> active channel -> report -> case.

4. **Action Talking Points:** Upon receiving an email and SMS notification about potential suspicious or malicious activity detected by ESM/ESM Express, click on "My Notifications" in the dashboard to view details.

**Privileged User Monitoring Use Case (Activity Monitoring and Modeling):**

1. **Setup:** Same setup as above: log in as admin, clear previous notifications and cases, and switch to the dark theme.

2. **Demo Replay Connector Setup:** Same as for Shared Accounts, though different event files may be used.

3. **Synopsis:** This use case focuses on monitoring privileged users through the correlation and analytics capabilities of ESM/ESM Express. The investigation follows the same workflow: notification -> dashboard -> active channel -> report -> case.

4. **Action Talking Points:** Receive notifications as above, then navigate to the dashboard to view details and initiate investigations related to privileged user activity.

Both use cases are designed to showcase how Micro Focus's ESM/ESM Express integrates with ArcSight Command Center for efficient security analysis and incident management.

The notification in the demo concerns a security event: multiple login attempts against an account that was then locked because of the failed logins. The analyst accesses the Command Center, finds pending notifications about the Windows account swright, and acknowledges them through the steps outlined in the text. The notification provides details about the correlated events, indicated by red lightning bolts, showing how various factors led to the initial alert. Clicking on the notification shows more detailed information, including the normalized base events that help contextualize and investigate the issue further. This is made possible by the SmartConnector, which automatically normalizes event data for use in analytics tools such as ESM/ESM Express. The text also highlights how categorization of events by theme (e.g., Authentication/Verify) helps in understanding the nature of the alerts more efficiently and aids decision-making about security measures and response strategies.

Categorization simplifies content creation by allowing rules and reports to be written using categories rather than specific event IDs. This makes the content more portable, since it is not tied to particular devices or vendors and adapts to changes in software versions. The approach provides a layer of abstraction that lets users focus on higher-level concepts (e.g., operating systems) rather than low-level details (e.g., event IDs).

In terms of visualization and exploration:

1. **Topology View**: Users can explore the relationships and connections among the nodes or devices in a user activity map, selecting specific nodes to view detailed information about events and their interactions.

2. **Geo View**: This feature lets users visualize where events are geographically occurring or targeted across the globe, providing insight into the global reach of company activities. In this instance, seeing European events from a California-based company is highlighted as unusual for business purposes.

3. **Dashboard Visualization**: Dynamic dashboards update in real time with new events and can be explored interactively to drill down into specific details. This capability was demonstrated when transitioning from the main dashboard page to an investigation of user activity related to operating systems such as Microsoft Windows and network devices such as the Cisco VPN.

In this scenario, the author describes a procedure for investigating an incident involving multiple failed login attempts to a Windows account named "swright," which resulted in the account being locked. The steps involve changing the stage of the case from Queued to Initial, adding a note that the investigation has started, and then conducting further analysis using tools such as Dashboards and the User Activity pane. The author suggests that by creating a channel targeted at swright, the events related to this user can be visualized in real time.
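To make the categorization point concrete, here is an added example (not part of the demo script or ArcSight's own content): a small correlation rule that counts authentication failures per target user purely on categoryBehavior/categoryOutcome, so Windows and Cisco VPN failures for swright are counted together and the rule never names an event ID. The vendor-to-category table, the Cisco VPN event IDs and the sample events are constructed for the example.

```python
"""Category-based correlation rule for repeated failed logins.

Added example, not ArcSight content. SmartConnectors normalize each vendor
event into common fields, among them categoryBehavior and categoryOutcome,
so a rule can express "five authentication failures for one target user in
two minutes" without naming Windows event 4625 or a VPN message ID. The
vendor-to-category table below is a constructed stand-in for that parsing.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed mapping of (deviceVendor, deviceProduct, deviceEventClassId)
# to (categoryBehavior, categoryOutcome). Windows IDs 4625/4624 are the real
# failed/successful logon events; the Cisco VPN IDs are placeholders.
CATEGORY_MAP = {
    ("Microsoft", "Microsoft Windows", "4625"): ("/Authentication/Verify", "/Failure"),
    ("Microsoft", "Microsoft Windows", "4624"): ("/Authentication/Verify", "/Success"),
    ("Cisco", "Cisco VPN", "auth-reject"): ("/Authentication/Verify", "/Failure"),
    ("Cisco", "Cisco VPN", "auth-ok"): ("/Authentication/Verify", "/Success"),
}


@dataclass(frozen=True)
class RawEvent:
    ts: int                 # epoch seconds
    vendor: str
    product: str
    event_id: str
    target_user: str
    attacker_address: str


@dataclass(frozen=True)
class NormalizedEvent:
    ts: int
    device_vendor: str
    device_product: str
    device_event_class_id: str
    category_behavior: str
    category_outcome: str
    target_user_name: str
    attacker_address: str


def normalize(raw: RawEvent) -> NormalizedEvent:
    """Stand-in for the SmartConnector: attach category fields to a raw event."""
    behavior, outcome = CATEGORY_MAP.get(
        (raw.vendor, raw.product, raw.event_id), ("/Unknown", "/Unknown"))
    return NormalizedEvent(raw.ts, raw.vendor, raw.product, raw.event_id,
                           behavior, outcome, raw.target_user, raw.attacker_address)


def multiple_failed_logins(events, threshold=5, window_seconds=120):
    """Fire one 'Multiple Failed Login Attempts' alert per target user each
    time `threshold` authentication failures fall inside a sliding window.
    Only category fields are tested, so failures from different products
    (here Windows and the VPN concentrator) are counted together."""
    recent = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.category_behavior, ev.category_outcome) != ("/Authentication/Verify", "/Failure"):
            continue
        bucket = recent[ev.target_user_name]
        bucket.append(ev)
        while ev.ts - bucket[0].ts > window_seconds:   # drop failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append({
                "name": "Multiple Failed Login Attempts",
                "targetUserName": ev.target_user_name,
                "attackerAddresses": sorted({b.attacker_address for b in bucket}),
                "deviceProducts": sorted({b.device_product for b in bucket}),
                "baseEventCount": len(bucket),
            })
            bucket.clear()                             # fire once per burst
    return alerts


T0 = 1_700_000_000
# Constructed sample: swright fails from the VPN-assigned address 10.0.110.34
# on both Windows and the VPN (one older failure falls outside the window);
# jdoe has one success and one failure and must not trigger the rule.
SAMPLE_EVENTS = [
    RawEvent(T0 - 600, "Microsoft", "Microsoft Windows", "4625", "swright", "10.0.110.34"),
    RawEvent(T0, "Microsoft", "Microsoft Windows", "4625", "swright", "10.0.110.34"),
    RawEvent(T0 + 10, "Cisco", "Cisco VPN", "auth-reject", "swright", "10.0.110.34"),
    RawEvent(T0 + 20, "Microsoft", "Microsoft Windows", "4625", "swright", "10.0.110.34"),
    RawEvent(T0 + 30, "Microsoft", "Microsoft Windows", "4624", "jdoe", "10.0.20.5"),
    RawEvent(T0 + 40, "Microsoft", "Microsoft Windows", "4625", "jdoe", "10.0.20.5"),
    RawEvent(T0 + 50, "Cisco", "Cisco VPN", "auth-reject", "swright", "10.0.110.34"),
    RawEvent(T0 + 60, "Microsoft", "Microsoft Windows", "4625", "swright", "10.0.110.34"),
]


def run_demo():
    """Normalize the constructed events and run the rule over them."""
    return multiple_failed_logins(normalize(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Onboarding a new vendor means adding rows to the mapping table; the rule body is untouched, which is the portability the text describes.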
They select specific fields, including the Name field, Target User Name, and Target Address, from the All Field Sets/ArcSight/ArcSight Express field set, which gives a visual representation of the selected event types and allows analysis of those events. The author then traces swright's journey through the corporate network by examining the internal address assigned via VPN (10.0.110.34). This reveals that swright is most likely using a remote VPN connection, and that the connecting host was infected with malware that caused the multiple failed login attempts. The investigation includes reviewing events such as FTP to malicious sites from the firewall and IDS logs, indicating potential unauthorized access or malware activity within the network. Lastly, the author mentions extending the selection to other activity associated with the internally assigned IP address (10.0.110.34), which can be done by looking at the events listed under that attacker address in the User Activity pane. The analysis highlights potential unauthorized access and malware infection within the network infrastructure, emphasizing the importance of real-time monitoring and incident response mechanisms.

The next part of the document describes an incident response process involving SmartConnector-fed threat intelligence and event management. The author investigates DNS communications to a malicious domain (dslzn11.badguy.net), which trigger various security tools such as firewalls, IDS/IPS systems, and threat intelligence software. The data from these sources is normalized by ESM/ESM Express onto a default scale of Very Low, Low, Medium, High, and Very High danger levels. The author continues the investigation by adding the target DNS domain to the search criteria in the Active Channel, then reviews details about the correlated events and adds them to the ongoing investigation case. The Conditions Summary displays the filters defined for the Active Channel, allowing fields or field sets to be customized as needed. The author selects and views details from the Threat Intelligence feed, which indicates communications to a malicious domain; these events are integrated into the case for further analysis. Finally, if additional tools are required, they can be invoked through the Integration Command(s) feature for further research on specific IP addresses mentioned in the events. The section concludes with adding the selected events to the case and continuing the investigation as part of the larger incident response effort.

The text then describes how to use the ArcSight Command Center's "Active Channel" feature for security monitoring. Users can save searches, share them with others, drill down into specific areas of an investigation, create new or duplicate existing channels, and generate reports for validation purposes. For example, the user can:

1. Save a search as a template by clicking "Save As..." in order to run it again later or share it with colleagues.

2. Use the Active Channel to track the steps of an investigation simply by clicking on elements such as specific IP addresses or event types.

3. Create new Active Channels or duplicate existing ones through the interface.

4. Generate reports, such as those showing failed logins and threats detected via threat intelligence feeds, directly from ArcSight Command Center with specified parameters and formats (such as PDF).

5. Download these reports to attach them to a case for further investigation, ensuring that all findings are documented and validated within the central case management framework of the ArcSight system.

The text then outlines the incident management process in ESM/ESM Express (ArcSight) for this case, in which compromised VPN access led to malicious FTP activity from an external host. Here is a summary of the key steps and actions described:

1. **Incident Overview**: A user named swright was locked out due to multiple failed login attempts, indicating potential unauthorized access or suspicious activity. The investigation revealed that the VPN account associated with swright was compromised, allowing an external malicious host to gain entry into the network via FTP activity.

2. **Initial Actions and Reporting**:

  • Two reports were generated during the last 24 hours related to dangerous browsing activities and multiple login attempts. These reports are attached to the case for further analysis.

  • The VPN account of swright was disabled, and the infected host was taken offline to prevent further spread of malware or unauthorized access.

3. **Case Management and Workflow**:

  • Using ESM/ESM Express, some attributes of the case were adjusted based on findings during investigation.

  • The stage of the case was changed to "Follow-Up", reflecting ongoing actions and next steps in the incident handling process.

  • The operational impact was assessed as high priority (Level 3), emphasizing the urgency and criticality of the situation.

4. **Security and Compliance**:

  • The security classification of the case was reviewed, and changes were made to reflect findings from the investigation.

  • Configuration settings within ESM/ESM Express were noted as default but customizable based on specific organizational needs and procedures.

5. **Demo Replay Connector Setup**:

  • As part of a compliance use case setup, an admin logged into the Command Center and prepared for a demo replay connector by acknowledging notifications and clearing existing cases.

  • The demoexpress-SP1.events file was selected for replay at a rate of 50 events per minute to simulate real-time scenarios.

6. **Final Notes**:

  • The text concludes with an overview of how the incident management process was conducted using ESM/ESM Express, emphasizing its ease and efficiency in handling cases and investigations within an organization's IT infrastructure.

This summary captures the essential elements of the described incident response workflow, including initial actions, case management, forensic investigation steps, reporting, and compliance considerations as they pertain to a security information and event management (SIEM) tool like ArcSight ESM/ESM Express.

The next part of the text focuses on using ArcSight to track regulatory compliance, specifically former employee access. Here is a breakdown of the key points:

1. **Importance of Regulatory Compliance**: Access should be revoked when an employee leaves the organization, as required by ISO 11.2.1 and many compliance regulations. This is not only an IT governance best practice but also crucial for regulatory compliance.

2. **Current Challenges in Tracking Compliance**: Manually tracking who still has access to systems after leaving is difficult, and the resulting non-compliance may be overlooked or hard to demonstrate during audits.

3. **Solution with ArcSight**: The text introduces ArcSight as a tool that automates log review and provides proactive alerts for compliance issues. It emphasizes how ArcSight simplifies compliance tracking by automatically reviewing login activity by former employees without manual cross-referencing.

4. **ArcSight Features**:

  • **Automated Log Review**: ArcSight streamlines the review process, making it more efficient than manual methods.

  • **Proactive Alerts**: It proactively identifies problems and alerts users via a workflow system where notifications can be acknowledged or escalated based on response times.

  • **User Interface for Notifications**: Users can access their notifications through a user interface within ArcSight Command Center to manage acknowledgment processes and view details of compliance issues.

In summary, the text highlights how ArcSight can help organizations automate and effectively track regulatory compliance, particularly in managing former employee access rights, using automated log review and alerting.

The document then discusses a successful login to a system by an ex-employee (mhedberg) and how ArcSight processes this information. ArcSight identifies former employees by checking the user names of incoming events against a list that is either preloaded or populated dynamically from environment activity such as account deletions in Active Directory; more names can be added directly via text files if needed. Correlation rules can also be set up to update this list automatically when accounts are terminated. Upon detecting a former employee login (as part of the successful logon event), ArcSight sends a notification which leads to the following actions:

1. Navigate to the Field Set under Security, select "ArcSight", then go to "/All Field Sets/ArcSight Foundation/ArcSight Express".

2. Click on the correlated event, "Former Employee User Account Access Attempt: mhedberg".

3. To view more details about this attempt, click on the base event, "Successful Logon"; a notification then appears displaying the current compliance status of the ISO 27002 sections, as in the section 11 overview on the IT Governance dashboard.

4. For the case Former Employee User Account Access Attempt: mhedberg, navigate to "/admin's Cases", click Lock, then Attachments, and save the report about this former employee account access attempt from ArcNet Archived Reports/IT Governance to the local file system for further use in the investigation.

This login tracking mechanism helps maintain security policies and aids investigations related to ex-employee access even after they have left the organization, showing how automated systems can manage such situations efficiently.

The document then outlines the setup for the ArcSight Command Center (ACC) demonstration of threat intelligence features. Here is a summary of the steps involved:

1. **Setup for Admin Account:**

  • **Log in as admin** to the ArcSight Command Center with the default password "password".

  • Open specific dashboards and active channels related to threat intelligence, including:

  • Reputation Address Data Overview

  • Reputation Entity Data Overview

  • Suspicious Activities in Geo

  • Threat Intelligence Overview.

  • Access the main channel for active investigations.

2. **Setup for Demo:** A SOC Manager is responsible for triaging incident reports and assigning them to SOC analysts, much like a dispatcher in emergency services, and plays a crucial role in managing the response to incidents within the organization's digital network defenses. The dark theme environment simulates a Level 1 SOC analyst tasked with investigating an incident on a system infected by malware that communicates with a command and control server. This scenario is part of a demonstration involving various use cases, each identified by rule name in the Main Channel.

The main use case revolves around a system in the DMZ (demilitarized zone) that has been compromised by malware which was not detected by antivirus software but rather through Sysmon on Windows, which collects file hashes of running programs. This method of detection highlights several features of the demonstration:

1. The Activate package is versatile and can trigger on any event sent to ESM, making it product and vendor agnostic.

2. It leverages multiple threat intelligence sources, such as STIX/TAXII, the Collective Intelligence Framework (CIF), ransomware data feeds, and HIDDEN COBRA data feeds, to populate the Threat Model.

3. This information is used to enhance and enrich event details, allowing a better understanding of threats; for instance, identifying an IP address as a botnet or malware site based on threat intelligence sources.

4. Level 2 content provides additional context by expanding on the Threat Model with network and asset specifics, aiding prioritization and focusing effort on critical assets.

5. The demonstration uses file hashes as indicators of compromise (IOC) instead of traditional IOCs like IP addresses or domains.

The text then outlines a demonstration using Microsoft Sysmon to collect process and file hash information, with a focus on using an ArcSight FlexConnector alongside the Windows Native SmartConnector. It also discusses event replay within the ArcSight Activate platform, particularly in the context of the threat intelligence packages.

### Key Points:

1. **Data Collection:**

  • Sysmon is employed to gather process and file hash information efficiently. Other host monitoring tools like Microsoft AppLocker can be integrated as well.

  • A specific focus on using ArcSight FlexConnector (from the ArcSight Marketplace) with a Windows Native SmartConnector due to parsing limitations of the latter.

2. **Event Replay Features:**

  • The text describes how the Active List tracks IP addresses and entities triggering rules, with a TTL of 8 hours for these entries.

  • For event replays within an 8-hour period, it is recommended to clear entries from the Active List to avoid interference with the main channel's active status.

3. **Threat Intelligence Packages:**

  • Two levels of threat intelligence packages (Level 1 and Level 2) are mentioned, focusing on their use in populating a Threat Model through heterogeneous intelligence feeds.

  • The L1 package maintains three Active Lists: Suspicious Addresses, Suspicious IPv6, and Suspicious Entity, which track potential suspicious and malicious activities based on various indicators like IP addresses, URLs, host names, file hashes, and user information.

### Action Talking Points:

  • **Dashboard Discussion:** When showing the ArcSight Activate dashboard in the admin ACC with the default theme, discuss how Level 1 and Level 2 Threat Intelligence packages provide a Reputation Address Data Overview and Entity Data Overview, utilizing threat model data to detect suspicious and malicious activities.

This summary highlights key aspects of log collection, analysis tool usage, and specific functionality within the ArcSight platform for handling potential threats based on contextualized indicators from various sources.

The document then describes a system for analyzing and visualizing threat intelligence data from sources such as STIX/TAXII, CIF, ransomware data feeds, and HIDDEN COBRA data feeds. The system comprises two main dashboards that provide insight into potential threats: the Address dashboard and the Entity dashboard. The Address dashboard breaks down suspicious activity by indicator type, score range, and source to identify malicious indicators such as IP addresses associated with known bot or command and control servers. Scores are assigned based on reliability and range from 0 to 100, with internal intelligence scoring higher than proprietary and open-source intelligence. The Entity dashboard offers the same breakdown but also includes counts by signature type, identifying potentially malicious entities such as URLs, fully qualified domain names (FQDNs), suspicious file hashes (md5/sha1/sha256), user names, or email addresses. The system is vendor-agnostic thanks to the normalization provided by the SmartConnector, which lets it detect indicators of compromise and malicious activity from any device that has these fields populated. The Threat Intelligence Overview dashboard provides a global view of detected malicious activity, showing where suspicious activity is occurring around the world using GeoIP. The system aims to provide an overall understanding of potential threats and to facilitate effective threat intelligence analysis.

The text then outlines a scenario in which a SOC manager and a Level 1 SOC analyst use two instances of the ArcSight Command Center (ACC) with different themes to manage security incidents. They simulate roles typically found in Security Operations Centers, including triaging alerts from Activate Threat Intelligence for dangerous browsing, outbound command and control communication, suspicious file hash activity, and more. The SOC manager logs into the default-theme ACC as admin, while the Level 1 SOC analyst uses the dark-theme ACC set up with a demo account. The manager investigates correlated events involving the host fwhq05.hq.arcnet.com, which Activate Threat Intelligence flags as potentially dangerous; these include browsing activity to a botnet IP address categorized by spamhaus.org. The SOC manager reviews the details of these incidents under the 'Annotate' option and changes the incident stage for further investigation by the Level 1 analyst through the main channel, which is used when an analyst is actively engaged in personal investigation as per the scenario setup.

The incident response process that follows involves the suspicious activity detected by the SOC analyst. The steps include monitoring correlated events in the different channels and analyzing them for further investigation. Initially, the events are displayed in the Main Channel Active Channel, but they move to the Personal Investigating Channel once assigned to a specific Level 1 SOC analyst. The analysis involves checking suspicious file hashes from internal Windows systems that were monitored using Sysmon. The analyst is tasked with researching this activity and reviewing detailed event information through the View Details panel, where additional data such as the threat intelligence model is used to better understand the malicious behavior. This process helps identify dangerous browsing patterns and outbound communication linked to potential cyber threats, with the aim of protecting the system from further exploitation.
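The active lists with an 8-hour TTL (Suspicious Addresses, Suspicious IPv6, Suspicious Entity) and the scored indicator types described above, as an added example that is not ArcSight Activate's own code: a small threat model that matches normalized event fields against indicators from several feed types, records hits in the appropriate list, expires them after the TTL, and produces the by-type / by-score-range / by-source counts the Address and Entity dashboards show. Score values, feed names, the hash and the sample events are constructed.

```python
"""Threat-model matching with scored indicators and 8-hour active lists.

Added example, not ArcSight Activate code. Indicators from several feed types
carry a 0-100 reliability score (internal > proprietary > open source); an event
whose normalized fields hit the model is written to the Suspicious Addresses,
Suspicious IPv6 or Suspicious Entity list and expires after the TTL. All data is constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

TTL_SECONDS = 8 * 3600
# Constructed reliability scores by feed type (internal > proprietary > open source).
SOURCE_SCORE = {"internal": 90, "proprietary": 70, "opensource": 50}
# Normalized event fields checked against the model and the indicator type each holds.
FIELD_TYPES = {
    "sourceAddress": "address", "destinationAddress": "address",
    "destinationHostName": "fqdn", "requestUrl": "url", "fileHash": "hash",
    "sourceUserName": "user", "destinationUserName": "user",
}


@dataclass(frozen=True)
class Indicator:
    value: str
    ind_type: str     # address, fqdn, url, hash, user
    source: str       # feed name (constructed)
    source_type: str  # internal, proprietary, opensource
    signature: str    # e.g. botnet, c2, ransomware


class ActiveList:
    """Keyed entries that drop out `ttl` seconds after they were written."""
    def __init__(self, ttl=TTL_SECONDS):
        self.ttl, self._entries = ttl, {}

    def add(self, key, now, indicator):
        self._entries[key] = (now, indicator)

    def expire(self, now):
        self._entries = {k: v for k, v in self._entries.items() if now - v[0] <= self.ttl}

    def contains(self, key, now):
        self.expire(now)
        return key in self._entries


class ThreatModel:
    def __init__(self, indicators):
        self._index = {(i.ind_type, i.value.lower()): i for i in indicators}
        self.suspicious_addresses = ActiveList()
        self.suspicious_ipv6 = ActiveList()
        self.suspicious_entity = ActiveList()

    def _list_for(self, ind):
        if ind.ind_type != "address":
            return self.suspicious_entity
        is_v6 = ipaddress.ip_address(ind.value).version == 6
        return self.suspicious_ipv6 if is_v6 else self.suspicious_addresses

    def evaluate(self, event, now):
        """Return one match per event field that hits the model, recording each hit."""
        matches = []
        for field, ind_type in FIELD_TYPES.items():
            value = event.get(field)
            hit = self._index.get((ind_type, value.lower())) if value else None
            if hit:
                self._list_for(hit).add(hit.value.lower(), now, hit)
                matches.append({"field": field, "indicatorType": ind_type, "value": value,
                                "signature": hit.signature, "source": hit.source,
                                "score": SOURCE_SCORE[hit.source_type]})
        return matches


def score_range(score):  # constructed cut-offs for a dashboard "score range" column
    return "high" if score >= 80 else "medium" if score >= 60 else "low"


def dashboard_breakdown(matches):  # counts as shown on the Address / Entity dashboards
    return {"byIndicatorType": Counter(m["indicatorType"] for m in matches),
            "byScoreRange": Counter(score_range(m["score"]) for m in matches),
            "bySource": Counter(m["source"] for m in matches)}


NOW = 1_700_000_000
SAMPLE_INDICATORS = [  # constructed; the hash is a placeholder, not a real sample
    Indicator("198.51.100.23", "address", "spamhaus", "opensource", "botnet"),
    Indicator("dslzn11.badguy.net", "fqdn", "cif", "proprietary", "c2"),
    Indicator("2001:db8::bad", "address", "internal-soc", "internal", "c2"),
    Indicator("ab" * 32, "hash", "ransomware-feed", "opensource", "ransomware"),
]
SAMPLE_EVENTS = [  # constructed, already in normalized form
    {"name": "DNS query", "sourceAddress": "10.0.110.34", "destinationHostName": "dslzn11.badguy.net"},
    {"name": "Process Create", "sourceUserName": "swright", "fileHash": "AB" * 32},
    {"name": "Outbound connection", "sourceAddress": "10.0.110.34", "destinationAddress": "198.51.100.23"},
    {"name": "Outbound connection", "sourceAddress": "2001:db8::1", "destinationAddress": "2001:db8::bad"},
]


def run_demo(now=NOW):
    model = ThreatModel(SAMPLE_INDICATORS)
    matches = [m for ev in SAMPLE_EVENTS for m in model.evaluate(ev, now)]
    return model, matches
```

Because matching is done on the normalized field names rather than on any vendor's raw format, the same model flags a DNS query, a Sysmon process hash and a firewall connection alike, which is the vendor-agnostic behaviour the dashboards rely on.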
The ArcSight Marketplace section presents an opportunity to discuss how suspicious file hashes linked to potential threats are identified through the Activate Threat Intelligence package. A file hash is considered an indicator of compromise in the same way as IP addresses and host names. When such events are identified, from any product or vendor, the Activate content alerts and notifies on them. The intelligence in this case comes from a Windows event, but it applies equally to other devices and vendors. Examining the Process Create base event in the Device fields shows that the file was likely delivered via email (as indicated by the Microsoft Outlook temporary directory), which suggests possible malicious intent. The attacker's host resides in the hq-arcnet-dmz zone, a network segment defined as critical by the Activate Threat Intelligence package and connected with the Suspicious Filehash Activity correlated event. This setup leverages both the threat model and asset criticality for more accurate and relevant security alerts. To address the issue, the remediation team was contacted to quarantine the infected host and conduct a forensic investigation. The incident was closed using the Change Stage event annotation, with annotations stating that a DMZ host was found to be infected and communicating with malicious external hosts.

The text then covers several related topics, primarily malware detection and network analysis. Here is a summary of the key points:

1. Malware Detection: Malware was loaded through Microsoft Office, indicating a possible phishing attack or compromised email attachment. The system hosting this malware was quarantined for further investigation and remediation.

2. SOC (Security Operations Center) Reporting: As a SOC manager, it is crucial to regularly report to management on the activity seen in the security operations center. This involves running reports such as Threat Intelligence Alerts, Suspicious Activities by Attack Category, Inbound Activities by Attack, and Outbound Activities by Target from the ArcSight Activate package.

3. Default Reports: These default reports are included with the ArcSight Activate package and can be found under Reports -> Archives -> /All.

4. NetFlow Use Cases Setup: This section outlines how to set up and use NetFlow for network analysis using the ArcSight Command Center. Steps include logging in as admin, selecting specific event files for demo replay, setting a replay speed of 50 events per minute, and viewing dashboards that provide insight into bandwidth usage by identity/country, top ports and bandwidth usage, and source and target country distribution.

In summary, this part of the text is focused on using the tools to detect malware, report findings to management, and analyze network traffic for a better security posture.

The NetFlow section describes monitoring Microsoft SQL Server traffic in the organization's network, specifically port 1433 traffic within the DMZ segment (Target Zone Name: sj-arcnet-dmz) and observing it being routed to the desktops segment (Target Zone Name: sj-arcnet-desktops). This monitoring supports a corporate security policy that mandates that any Microsoft SQL Server be deployed in the designated DMZ. The document details how to use specific dashboard features within ArcNet to identify unusual traffic patterns and potential unauthorized deployments of Microsoft SQL Server, and suggests setting up correlation rules and notifications to alert when such out-of-policy activity occurs. It also covers accessing and reviewing the reports on bandwidth usage by port (shown as a PDF report) and top bandwidth hosts (also a PDF report). To further investigate the suspected unauthorized host (192.168.6.101), detailed traffic analysis is recommended using another ArcNet report, which provides more in-depth information about that host's network activity.

Finally, the document transitions to setting up ArcSight Activate and Marketplace within the organization:

1. Log in to the Command Center as admin.

2. Start a Demo Replay Connector with the predefined event files, replaying at 50 events per minute.

3. Open the specified Active Channels, including the ArcNet Active Channels for both the Main Channel and the Personal Investigating Channel.

4. Install the specified Activate packages: Malware Monitoring (including L1-Malware Monitoring, L2-Network Monitoring, and PMcAfeeEpoVirusScan) and Network.

The text then gives an overview of L1 and L2 network monitoring using PSnort, information about the PSnort product package, and instructions for accessing websites related to ArcSight Activate content, including details on its purpose and benefits. Here is a summary of the key points:

1. **L1-Network Monitoring - Indicators and Warnings**: This involves monitoring network traffic using tools such as PSnort to detect indicators and issue warnings when suspicious activity is detected.

2. **L2-Malware Monitoring - Situational Awareness**: This refers to the use of malware monitoring tools, such as PSnort, to gain a better understanding of the situation by detecting and analyzing potential threats in real time.

3. **Product Package: PSnort**: PSnort is a product package for network traffic analysis and can be used both for L1 (indicators and warnings) and L2 (malware monitoring - situational awareness) to enhance security measures.

4. **Use Case Demo Instructions**: The instructions provide guidance on activating the content, including the PSnort package, but also note that there are Snort events in the events file which are not directly used in the demo scenario.

5. **Websites for Further Information**: Users are directed to several websites to gain more knowledge about ArcSight Activate:

6. **ArcSight Activate Information**: This includes detailed information about the ArcSight Activate wiki, such as its purpose and benefits:

7. **Action Talking Points**: ArcSight Activate is a modular content development methodology and collection of reusable components designed for quick deployment and development of actionable use cases; packaged use cases can be customized and new ones developed from the reusable components. The text also emphasizes its comprehensive framework and growing list of packages, which support continuous improvement and adaptation of security implementations.

ArcSight Activate organizes its security content into package types: base, level 1 (L1), level 2 (L2), product, and packages specific to certain releases and versions. The base package provides resources such as filters, global variables, and active lists for all other packages. L1 packages consume indicators from multiple event sources and normalize the information to keep it consistent within the framework, while also enriching events with device-specific data. L2 packages contextualize events using internal ArcSight models, including the network, asset, actor, and threat intelligence models, among others. Product packages are tailored to specific releases or versions and usually include L1 content, sometimes with FlexConnectors or parser overrides. These packages are available through the ArcSight Marketplace, a platform where security professionals share, download, and manage security resources such as best practices, guidelines, use case guides, flex connectors, content, utilities and tools, and partner integrations.

The text then discusses ArcSight Activate as a platform providing content and best practices for various security use cases, including malware monitoring. It explains that Activate is modular and extensible, allowing it to support additional products and vendors by modifying filters.
The article then details the packages available for malware monitoring at the L1 and L2 levels in the ArcSight Marketplace. These include L1-Malware Monitoring (L1) and L2-Malware Monitoring (L2), with a particular focus on the Activate Product Package for McAfee ePO VirusScan, the antivirus vendor and product deployed by the organization. The text also mentions that ArcSight Activate provides documentation and best practices to support its malware monitoring content. It encourages exploring this guidance through the Activate wiki, specifically the L1 Malware Monitoring package, where users can find the supported log sources and use cases for the package, as well as additional options such as thresholds that extend the package in a modular and extensible way.

The text then discusses the L2 Malware Monitoring package, which deepens the context on what an L1 package has detected. The L2 package builds on the L1 capabilities by using the Network and Asset Model to give more specific information about the assets affected during a malware or worm outbreak. This is crucial for prioritizing response based on asset criticality, where higher-value assets such as servers in a DMZ are deemed more important than workstations. The package supports use cases including virus and worm monitoring, with the flexibility to extend into other security monitoring areas such as entity monitoring. For instance, the McAfee ePO VirusScan product package covers not only malware monitoring but also entity monitoring. To verify a proper implementation and that the content functions, a test plan with test events is available.
Finally, the text mentions having installed both the L1 and L2 Malware Monitoring packages along with the McAfee ePO VirusScan product package in the Command Center. It highlights the main channel of Activate, which displays all correlated events triggered by the use case content, demonstrating how the content integrates into existing security monitoring infrastructure.

In a simulated Security Operations Center (SOC) environment, the system demonstrates how incidents are managed and assigned based on subject matter expertise and analyst availability. The Main Channel represents what the SOC manager sees during triage, where incidents are assigned to analysts with the relevant skills. When an analyst opens the "Personal Investigating Channel," they see only the incidents assigned to them, determined by their ESM login. This channel is currently empty for Steve, indicating no active cases. Switching back to the Main Channel reveals various types of activity, including malware and IDS alerts. Focusing on a correlated malware event affecting multiple assets in the DMZ network area, details are provided on the antivirus product involved (McAfee ePO VirusScan) and the affected host IP address, 172.17.1.1. The Level 2 package offers more detailed information about the critical assets impacted by the malware outbreak, using the ESM Network and Asset model for precise identification.

The description then outlines the steps a SOC manager follows when handling an incident involving an asset in arcnet-dmz:

1. **Incident Triage**: The SOC manager has already triaged the incident and will use event annotation in ESM for further handling.

2. **Event Annotation**: The manager selects one of the correlated events, specifically the one for IP address 172.17.1.1, and annotates it. Annotations serve as a workflow tracking tool to flag or assign related events.

3. **Assigning Events**: The SOC manager assigns this event to Steve, a Level 1 analyst. The assigned event can then be moved through the stages defined in the organization's workflow; these SOC stages can be customized to match specific needs and procedures.

4. **Transition of Event Display**: After the event is assigned to Steve, it disappears from the Main Channel and appears in Steve's Personal Investigating Channel, which is viewed by switching to that channel.

5. **Reviewing Details**: The SOC manager can view detailed information about the annotated event and review the annotations when needed.

This process tracks and manages incidents efficiently, ensuring that each step of the investigation is documented and handled by the appropriate personnel according to the established workflow.

The article then discusses the usage and advantages of event annotations in ESM (ArcSight Enterprise Security Manager). Event annotations are part of the ESM event schema, so they can be used in filters, dashboards, and reports. One use mentioned is in the Activate active channels, where annotations help track metrics such as cases by status, monthly cases by severity or category, closure reasons, time to resolution (TTR) by severity, and events per analyst hour. The article then gives a detailed example of applying event annotations in practice: closing an event for specific malware activity tracked through annotations. The process involves selecting the correlated event and clicking "Annotate"; once closed, the event disappears from the personal investigating channel.
A concrete scenario is given in which a host infected with W32/SQLSlammer.worm was detected multiple times; the actions taken included updating antivirus definitions, removing the malware, running a full scan, and confirming that the system was clean.

The article also introduces an ArcSight Activate dashboard that displays data monitors related to malware activity, including infection rates within the organization and in the DMZ, using the Network and Asset Model for context. It highlights several benefits of ArcSight Activate: ease of deployment, extensibility, content development advantages such as reuse and standardization, and a quicker learning curve for new developers.

The summary goes on to describe quicker onboarding of skilled content developers owing to their familiarity with the Activate methodology, and the separation of testing, QA (Quality Assurance), and production implementations of new content. It then gives an overview of the Reputation Security Monitor Plus (RepSM+) setup process and functionality:

1. **Setup Process**:

  • As an admin, log in to the Command Center.

  • Start the Demo Replay Connector by selecting event files (`repsm_demo.events`) and replaying them at a rate of 50 events per minute.

2. **Dashboard Descriptions**:

  • **Reputation Domain Database Overview**: Displays the number of domains being monitored via the threat intelligence feed, using stripped-down lists for demonstration purposes (in reality, these could contain hundreds of thousands to millions of entries). The dashboard shows exploit types, reputation scores, and potential security risks based on current threat intelligence.

  • **Reputation IP Database Overview**: Similar to the domain dashboard but specifically showing IP addresses monitored for threats such as malware, botnet infections, spyware, spam, etc.

  • **RepSM Overview**: Utilizes threat intelligence to detect various cyber threats including malware infections, zero-day attacks, and dangerous browsing practices on users' systems.

3. **Exploit Types and Reputation Scores**:

  • Exploit types indicate the type of threat attributed to a malicious host (e.g., malware, botnet, spyware, spam).

  • The reputation score ranges from 0 to 100, where higher scores represent greater potential for risk. Scores below 40 are undesirable but not necessarily malicious, while those below 20 pose little threat. Entities with a score of 0 have no identified threat and are maintained in the database as candidates for future malicious activity.

Overall, the summary provides an overview of how RepSM+ leverages familiarity with the Activate methodology to enhance onboarding efficiency and separation of duties during content development, while also detailing its use of threat intelligence to monitor domains and IP addresses and detect various cyber threats.

The provided text then describes a process for monitoring and investigating network security issues using a dashboard within the Reputation Security Monitor. Here's a summary of the steps outlined in the text:

1. **Overview**: The dashboard provides an overview of various activities, including internal infections, dangerous browsing, and contact with malicious entities on the network.

2. **Investigation Start**: If internal infected assets are detected (such as 10.0.20.21|macmini), right-click on the asset in the Internal Infected Assets panel to access more details.

3. **Identifying Malicious Activity**: Among the internal assets there is contact with a botnet source, mystreamvideo.rr.nu, whose high reputation score indicates potential risk. Further investigation reveals that this activity is linked to the Flashback Trojan and involves infected Mac users within the network.

4. **Offline Investigation**: If internet access is unavailable, screenshots or saved images can be used for analysis: right-click an image in the dashboard and select 'Save as Picture...'.

5. **Investigating Malicious Communications**: Hovering over Events and clicking Active Channels gives access to more detailed information about the events related to the malicious communication, which helps in understanding the network's active channels of potential threats.

6. **Active Channel Analysis**: To focus on specific suspicious activity, create an Active Channel filtered by the attacker host name (e.g., macmini). Once it has loaded, pause the channel and review Priority Stats to assess danger levels on a normalized scale from Very Low to Very High.

7. **Detailed Investigation**: View detailed event information by clicking on the base event. This allows a closer examination of the suspicious activity related to the infected asset (macmini).

Overall, these steps provide a structured approach to monitoring and investigating potential security threats within a network using the Reputation Security Monitor, with a specific focus on identifying and addressing malicious infections like the Flashback Trojan.

The provided text then outlines a series of steps for analyzing an event in the ArcSight platform. Here's a summary of the key points:

1. **Event Details**: The user looks at the details of an event in which "mystreamvideo.rr.nu" was targeted via HTTP on port 80, with the communication geolocated to China.

2. **Visualization and Selection**: Using ArcSight Foundation or Express, the user visualizes events by selecting fields such as Name, Target Host Name, and Target Address to get a detailed view of the interactions involving "mystreamvideo.rr.nu".

3. **Filtering Events**: The active channel is refined to show only events involving "macmini" and "mystreamvideo.rr.nu". Further analysis can be performed by clicking into the details of "mystreamvideo.rr.nu".

4. **Condition Summary**: A summary of the conditions defined for the active channel displays the filter settings, so users can see how their criteria are being applied in the investigation.

5. **Reporting and Archiving**: The user generates reports on assets that have been infected by malware and on interactions with malicious entities, and accesses a report showing interactions with malicious entities over the last 24 hours.

6. **Demo Replay Connector Setup**: For demonstration purposes, the system setup includes:

  • Logging in as admin to the Command Center.

  • Setting up a demo replay connector to re-enact events from two event files (IdentityView_v2.0.events and NetFlow_IdentityView_v2.0.events), at a rate of 50 events per minute.

  • Note that this setup does not discuss notifications or cases directly, but these may be generated during the replay process if requested by the user.

7. **Action Talking Points**: The purpose and usage of the Command Center for analysts and managers to monitor and analyze security events are highlighted as key aspects of this procedure.

The article then discusses the use of the Command Center for visualizing and investigating network issues. It starts with a scenario in which user complaints indicate slow network performance, prompting an investigation using the Cisco routers and switches that feed NetFlow events into ArcSight. To begin, the user brings up a dashboard showing top port and bandwidth usage, which highlights activity on port 1433, the port used by Microsoft SQL Server. From this high-level view, the user searches for the relevant Cisco NetFlow events by entering the free-form search term "netflow" in the Event Search section of the Command Center. This returns all events containing the word "netflow", with event details displayed at the bottom of the interface. The histogram in the middle of the Command Center shows the number of events scanned, the matching results, and the time taken by the search. Clicking a bar in the histogram drills down to the events of that time period for a more detailed analysis. Users can also click 'Advanced Search' to narrow the displayed traffic by destination or other criteria.

The text then outlines how to perform an advanced search for Microsoft SQL Server traffic using the port details. Here's a summarized breakdown of the steps:

1. **Identify Search Parameters**: Start by identifying the key parameters: destination port 1433, the Microsoft SQL Server port, held in the "destinationPort" field.

2. **Using Advanced Search Functionality**: Use the advanced search feature of the tool, adding logical operators (e.g., AND) and conditions (e.g., destinationPort = 1433).

3. **Building a Search Query**: In the "Advanced Search" dialog box, select the "destinationPort" field, enter the value "1433", and click Go! to run the search. The results are the SQL Server traffic on port 1433.

4. **Visualizing Results**: The results are shown as a list; each item can be expanded to view the details of the events captured by the search.

5. **Customizing the Fieldset**: To add detail to the findings, customize the fieldset by adding "destinationPort" and placing it next to "destinationAddress". This allows more granular analysis in later investigations.

6. **Refining Search Results**: To identify the top talkers on port 1433, refine the query with additional operators, such as `netflow AND destinationPort = 1433 | top`, which sorts the results by sourceAddress. The number of entries displayed can be adjusted with a parameter such as `| top 5 sourceAddress`.

This process demonstrates how to use specific port numbers and the advanced search functionality of a network monitoring tool for targeted investigations. To summarize the process described above, follow these steps:

1. **Customize Chart Display**:

  • Navigate to "Chart Settings."

  • Click on "Chart Type" to select a different chart type or modify display settings.

  • Choose from options like bar chart, line chart, pie chart, area chart, stacked column, or stacked bar.

  • Set the desired parameters such as chart type and limit (e.g., selecting pie chart and setting display limit to 20).

  • Click "Apply" to update the visual representation of your data.

2. **Visualize Data**:

  • Upon applying, view the results in a pie chart format.

  • Hover over individual slices of the pie chart to see details including IP address, number of events, and percentage represented.

  • Click on any IP address within the pie chart to drill down further, which will add this selection to your search criteria and return relevant results.

3. **Adjust Search Query**:

  • If you want to focus on less common occurrences (e.g., "bottom talkers" on port 1433), modify your search query by changing terms like "top" to "rare." This adjusts the search to highlight less frequent events.

4. **Generate and Review Reports**:

  • Access reports related to bandwidth usage by specific ports in your network.

  • Navigate to "/All Reports/ArcNet Reports/NetFlow" to run a report on bandwidth usage by port, using default parameters or customizing them as needed.

  • Open the generated report in Adobe Acrobat for detailed analysis and documentation of the data.

5. **Explore Dashboards**:

  • Mouse over "Dashboards," then click "Navigator."

  • Access a geographic event graph dashboard that enhances and enriches event and log data from devices, systems, and applications. This helps in understanding the geographical distribution of events like attacks or threats.
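To make the search syntax above concrete, here is a small in-memory version of the `netflow AND destinationPort = 1433 | top sourceAddress` / `| rare` query run over constructed NetFlow events, plus the page's policy check that port 1433 traffic should only reach the sj-arcnet-dmz zone. This is an added example written for this page, not Command Center code; the query grammar it accepts (free-form terms, `field = value`, `| top/rare [N] [field]`, with sourceAddress as the default field) is an assumption modelled on the page's description.

```python
"""Added example: a toy evaluator for the Command Center search syntax quoted
on the page, run over constructed Cisco NetFlow events. Not product code."""
import re
from collections import Counter
from typing import Dict, List, Tuple, Union

Event = Dict[str, object]
Ranked = List[Tuple[str, int]]

# Constructed sample events (not captured data). 192.168.6.101 is the suspected
# out-of-policy SQL Server host named on the page; the zone names are the two
# the page quotes. Field names follow the Command Center fieldset.
NETFLOW_EVENTS: List[Event] = [
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21", "destinationAddress": "192.168.6.101",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-desktops"},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21", "destinationAddress": "192.168.6.101",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-desktops"},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.22", "destinationAddress": "192.168.6.101",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-desktops"},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21", "destinationAddress": "172.17.1.5",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-dmz"},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.23", "destinationAddress": "172.17.1.5",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-dmz"},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21", "destinationAddress": "172.17.1.1",
     "destinationPort": 80, "targetZoneName": "sj-arcnet-dmz"},
    # A non-NetFlow event on port 1433: the free-form term "netflow" excludes it.
    {"deviceProduct": "Microsoft Windows", "sourceAddress": "10.0.20.99", "destinationAddress": "192.168.6.101",
     "destinationPort": 1433, "targetZoneName": "sj-arcnet-desktops"},
]


def _parse_value(raw: str) -> object:
    raw = raw.strip().strip('"')
    return int(raw) if raw.isdigit() else raw


def _match(event: Event, term: str) -> bool:
    """`field = value` is an exact match on that field; a bare term is a
    case-insensitive free-form search across every field of the event."""
    if "=" in term:
        field, raw = term.split("=", 1)
        return event.get(field.strip()) == _parse_value(raw)
    needle = term.strip().lower()
    return any(needle in str(v).lower() for v in event.values())


def run_query(events: List[Event], query: str) -> Union[List[Event], Ranked]:
    """Evaluate `<terms joined by AND> [| top|rare [N] [field]]`.
    Without a pipe, returns the matching events; with one, returns
    (value, count) pairs ranked most (top) or least (rare) frequent first."""
    search, _, pipe = query.partition("|")
    terms = [t for t in re.split(r"\s+AND\s+", search.strip()) if t]
    hits = [e for e in events if all(_match(e, t) for t in terms)]
    if not pipe.strip():
        return hits
    cmd, *args = pipe.split()
    if cmd.lower() not in ("top", "rare"):
        raise ValueError(f"unsupported pipe command: {cmd}")
    limit = next((int(a) for a in args if a.isdigit()), None)
    fields = [a for a in args if not a.isdigit()]
    field = fields[0] if fields else "sourceAddress"   # assumed default field
    counts = Counter(str(e[field]) for e in hits if field in e)
    if cmd.lower() == "top":
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    else:
        ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return ranked[:limit] if limit else ranked


def sql_out_of_policy(events: List[Event], allowed_zone: str = "sj-arcnet-dmz",
                      sql_port: int = 1433) -> Dict[str, int]:
    """Policy check from the page: SQL Server traffic must terminate in the DMZ.
    Returns each destination receiving port 1433 traffic in any other zone,
    with the number of flows seen, as a starting point for investigation."""
    bad = Counter(str(e["destinationAddress"]) for e in events
                  if e.get("destinationPort") == sql_port
                  and e.get("targetZoneName") != allowed_zone)
    return dict(bad)


if __name__ == "__main__":
    print(run_query(NETFLOW_EVENTS, "netflow AND destinationPort = 1433 | top sourceAddress"))
    print(run_query(NETFLOW_EVENTS, "netflow AND destinationPort = 1433 | rare sourceAddress"))
    print(sql_out_of_policy(NETFLOW_EVENTS))
```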

This process demonstrates how to customize visual representations of data through charts and dashboards, adjust search queries for more focused analysis, generate detailed reports, and use dashboard tools to gain deeper insight into network activity.

This passage describes a dashboard system for monitoring events, logs, and activity within an environment, aimed at analysts and managers who use it for investigations and situational understanding. The dashboard includes several visualizations, such as event graphs that can display geo-location information physically (country, region, latitude, and longitude) and logically (zone name, DMZ or internal network). Users can filter events by priority and change the visualization from a graph to a pie chart. The tool conveys the significance of activity visually through nodes that indicate activity levels, with larger nodes representing more significant activity. The passage concludes with instructions for setting up the demo replay connector as an admin in the ArcSight Marketplace Command Center.

To summarize the provided text, it outlines a series of steps for using ArcSight Marketplace to find security content related to Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Here's a breakdown of the process:

1. **Selecting Event Files:** The user is instructed to select specific event files such as `demo.events`.

2. **Starting Replay:** These events are replayed at a rate of 50 events per minute.

3. **Opening Browser Tab:** A new browser tab is opened to the ArcSight Marketplace website: https://marketplace.microfocus.com/arcsight. It is recommended to sign up for an account on both ArcSight Marketplace and Protect724.

4. **Navigating to ArcSight Marketplace:** The user switches to the ArcSight Marketplace tab in the browser. The platform allows security professionals to share, download, and use resources such as packages, use cases, and best practices to manage security more effectively.

5. **Browsing Marketplace:** Users can explore sections such as Legacy Packages, In Marketplace (which contains resources such as product documentation, best practices, and guidelines), Resource Center, and Partner Integrations. These are organized into categories such as packages, resources, utilities, tools, and partner integrations.

6. **Searching for Content:** In the "Search" bar, the user types 'ids' to find content related to IDS and IPS monitoring using SmartConnectors.

7. **Accessing Specific Package:** The search results show an IDS IPS Monitoring Package. Clicking on it provides a description, a screenshot, and details about the SmartConnectors that feed this content. This is exactly what the user needs, so they download and install the package.

8. **Reviewing Installed Content:** After installation, users can find resources such as dashboards, Active Channels, reports, and supporting resources (Filters, Field Sets, Queries, and Data Monitors) within the installed content. The Event Sources panel confirms that this content will work with their IDS and IPS products in the ArcSight environment.

This summary captures the main steps required to use the ArcSight Marketplace to obtain security content for monitoring IDS and IPS devices.

The provided text is a summary of a user interface for monitoring network intrusion detection and prevention systems (IDS/IPS) using ArcSight software. Here's a breakdown of the key steps and features mentioned:

1. **Accessing the Dashboard:**

  • Navigate to the "Command Center" tab.

  • On this dashboard, visual representations of activities on deployed IDS/IPS devices are displayed.

  • The user can view top attackers and targets, as well as important alerts and their counts.

2. **Detailed Event Viewing:**

  • To delve deeper into specific events, the user can access an "Active Channel" where all detailed information is available, including both normalized and categorized fields.

  • Clicking on any event in the Active Channel provides a detailed view with options to view more details.

3. **Generating Reports:**

  • Default reports are provided within the system, which show alert counts by attacker and target among other metrics of interest.

  • Archived reports can be run at any time, utilizing data from previous days or periods as needed.

  • These archived reports include alerts based on specific conditions like those with a priority higher than 4.

4. **ArcSight Marketplace:**

  • The interface highlights the value of ArcSight Marketplace, which serves as a platform for exploring additional ArcSight apps, documentation, community sharing, and best practices in SIEM (Security Information and Event Management).

5. **Use Case Demonstration:**

  • A demonstration is provided to showcase how to set up privileged user monitoring use case using the IdentityView feature, which is now deprecated as of a specific date. It advises that User Behavior Analytics should be used instead for similar purposes.

6. **Setup Instructions:**

  • To begin this process as an admin, acknowledge and clear any existing notifications or cases.

  • Start the "Demo Replay Connector" by selecting relevant event files to replay data from IDS/IPS devices.

The text provides a guide on how to navigate ArcSight software to monitor network security effectively, using both live alerts and historical reports.

The text then discusses using ew_v2.0.events for replay and its implications within an organizational context involving user activity tracking via ArcSight ESM and IdentityView. It emphasizes starting with a replay speed of 50 events per minute and adjusting to approximately 25 events per second after the initial playback. This ensures that the sequence of Mario's first events on his Windows and Unix systems is captured accurately, which is crucial for establishing user context and enhancing event correlation through integration with Active Directory or a similar identity management system.

The demonstration scenario shows how IdentityView provides dashboards that give insight into the directory and identity management system, focusing on an Actor Overview dashboard. This dashboard presents general statistics about the actor model (users) within the system, illustrating the challenge of identifying users across multiple accounts per user, which arise from the different system or application interfaces they use. The other panes in this dashboard summarize the attributes captured for each actor, offering detailed views of their status and activity.

The text then discusses the use of Actors in managing user accounts in the organization's Active Directory. The 36 actors consist of 33 active and 3 disabled accounts; the disabled accounts are kept so that any activity from them can be tracked for compliance purposes. An overview dashboard is mentioned in which roles based on group membership can be viewed through IdentityView, providing insight into the structure and composition of groups or roles within Active Directory.
The text highlights that, while many organizations have a large number of groups and of users in those groups, IdentityView allows this structure to be assessed to improve control and compliance. It concludes with a policy example related to authorization, showing how the Actor model can be applied to organizational policies. The key points of that example are:

1. **Access Control**: Unprivileged users should not be allowed to access data centers outside regular business hours. Such unauthorized access can indicate compliance violations, insider threats, or a misconfigured badge reader authentication system.

2. **Notification System**: When such unauthorized access occurs, ArcSight should immediately notify the user (via email, text message, or pager). The first action on receiving the notification is to acknowledge it within ArcSight.

3. **Investigation Process**: After acknowledging the notification, the user can begin an investigation. This involves reviewing the details of the incident and taking appropriate action, such as confirming the unauthorized access by a specific employee (Mario Rossi).

4. **Escalation Levels**: If the notification is not acknowledged promptly, it escalates through levels up to the manager. To prevent this, the user acknowledges the notification quickly so the process stays at a manageable level for investigation.

5. **Detailed Notification View**: The notification provides the details of the event (in this case, Mario Rossi accessing the server room after hours), which aids in identifying and resolving the unauthorized access.

6. **System Actions**: Key actions within the system are acknowledging notifications to prevent escalation and reviewing the detailed logs for any potential security breach or misconfiguration.
This summary captures the essence of managing unauthorized access through a notification and acknowledgment process, highlighting the importance of immediate action in maintaining data center security and compliance.

The passage then describes an event detected by ArcSight in which a user (Mario Rossi) enters a data center after hours, which is unusual. The system raises a correlation alert from three linked components: the employee badging into the server room, the role of the user (not part of data center operations and not an administrator), and the time of day. This kind of event requires identity correlation to translate the cryptic user name into information about the actual person, in this case Mario Rossi, by matching it with details stored in the Actor model such as full name and department. The purpose is to ensure that security and access policies are followed, providing a mechanism for identifying unauthorized or inappropriate access outside business hours.

When I open the cases related to events such as an employee badging into a restricted server room, ArcSight automatically creates a case with details including the correlated and base triggering events. To investigate further, I can lock the case for privacy and use the Active Channels in IdentityView to see all activity by the user Mario Rossi across different systems without manually searching logs. The channel uses a filter that shows everything Mario did, pulling back the necessary information and activity efficiently.

The scenario then follows the forensic investigation of Mario Rossi's computer activity during work hours. Through session correlation and event details, it is established that Mario logged into his desktop workstation, DESKTOP3, with the account ARCNET.COM\MROSSI during regular business hours, as confirmed by a Microsoft Windows login event.
From this point, the investigation examines network traffic originating from the printserver01 Unix machine linked to Mario's account. It became apparent that, while access to his personal email accounts was blocked because suspicious activity was being monitored, he tried to hide these actions by attempting an SSH connection to another Unix machine and engaging in further suspicious activity online. A Blue Coat proxy revealed that the user (Mario) was visiting job-hunting websites such as careerbuilder.com, monster.com, and hotjobs.com, which suggests someone dissatisfied with their current position and actively searching for a new job or preparing to leave the company. Additionally, Cisco NetFlow event data from printserver01 showed that Mario accessed multiple anonymous foreign sites, adding to the suspicion of hidden activity during work hours.

The text then describes an investigation into a potential insider threat using ArcSight for event management and analysis; the foreign sites in question were located in China. The scenario involves a user possibly engaged in intellectual property theft by downloading hacking tools from a website, possibly via anonymous proxies to avoid detection. To escalate the issue, the investigator selects the relevant fields (Name, Target Host Name, and Target Address) from the hacking-tool download activity for visualization and further analysis within ArcSight. These events are added to an investigation case named "Employee Badged Into Server Room After Hours – Mario Rossi". The user is suspected of accessing privileged information across systems covered by Cisco NetFlow, Microsoft Windows, Blue Coat, and Unix sources. The investigator visualizes these events, adds them to the case management system, and performs further analysis with ArcSight's reporting feature.
An example report titled "All Activity for Specific Actor – Mario Rossi" summarizes all activity associated with the user over a specified time period, including a graphical representation of the applications accessed and detailed tables of the specific actions Mario Rossi took during his unauthorized access. In conclusion, this part of the script shows how an organization can use a security tool like ArcSight to detect potential insider threats by selecting and analyzing relevant event data, integrating that evidence into a case for further investigation, and using the reporting features to support decisions based on the gathered information.

The next use case shows IdentityView detecting shared account usage, which is considered a policy violation. The author sets up a Demo Replay Connector with specific event files and replays them at a fast speed to simulate real-time events. The purpose is to detect whether shared accounts are being used on servers within a restricted network segment (sj-arcnet-desktops), which is against corporate policy, and, if such usage is detected, to attribute it back to an individual user. The process is: log into the Command Center as an admin, acknowledge and delete any existing cases, set up the demo replay connector with the specified event files, start the replay at a fast speed, and adjust the speed if needed. The goal is that notifications arrive immediately when shared accounts are used on restricted servers, so appropriate action can be taken according to corporate policy.
The talking points make the distinction that the use of shared accounts in general is neither encouraged nor prohibited; what matters is immediate notification and attribution of the activity when a violation occurs within specific network segments.

In the demo, a notification reports a potential violation involving a shared account on a server in the sj-arcnet-serverfarm segment. When the notification is opened in the Command Center, it is acknowledged by marking it as such. The notification details show the correlated events, marked with a lightning bolt icon, and the base events that triggered those correlations. The specific activity is David West from IT using a shared account to log in to a server on the sj-arcnet-serverfarm segment, identified through an active channel investigation in IdentityView v2.0. The dashboard displays all shared account activity, including source and target addresses and the applications used, and highlights the activity linked back to David West from IT.

IdentityView v2.0 attributes the events back to David West based on the user name information from the Field Set. Even a Cisco NetFlow event that carries no user name is still attributed to David West by IdentityView, based on its IP address and other details. Event ratings are normalized onto the scale Very Low, Low, Medium, High, and Very High during data normalization in the SmartConnector. Selected fields such as Name, Device Product, and Target Address are shown graphically with the Visualize Events feature. Finally, default ArcSight reports summarize shared account activity (Shared Accounts – Summary.pdf) and provide its details (Shared Accounts – Details.pdf), including zone information.
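The shared-account detection and attribution just described (a shared account logging into a server in a named restricted zone, the login attributed to an individual through session correlation, a NetFlow record with no user name attributed by source IP, and the normalization of vendor severities onto the five-step scale), as an added example written for this page; it is not ArcSight or IdentityView code. The zone subnet ranges, the list of shared accounts, the session table, the vendor severity mappings and the sample events are constructed assumptions, and the choice of sj-arcnet-serverfarm as the restricted zone is an assumption taken from the David West scenario.

```python
"""Added example: shared-account detection in a named zone, with attribution.

Zone ranges, session table, shared-account list, severity mappings and events
are all constructed for illustration; this is not ArcSight or IdentityView code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone table: human-readable zone name -> subnet.
ZONES = {
    "sj-arcnet-desktops": ipaddress.ip_network("10.10.20.0/24"),
    "sj-arcnet-serverfarm": ipaddress.ip_network("10.10.30.0/24"),
}
# Assumption: shared-account logins are prohibited in the server farm zone.
RESTRICTED_ZONES = {"sj-arcnet-serverfarm"}
SHARED_ACCOUNTS = {"root", "oracle", "SystemUser"}

# Constructed session table from earlier workstation logins: source IP -> person.
SESSIONS = {"10.10.20.15": "ARCNET.COM\\DWEST", "10.10.20.16": "ARCNET.COM\\MROSSI"}

# Constructed mapping of vendor severities onto the five-step agent severity scale.
SEVERITY_SCALE = ("Very Low", "Low", "Medium", "High", "Very High")
VENDOR_SEVERITY = {
    "Unix": {"info": 0, "notice": 1, "warning": 2, "err": 3, "crit": 4},
    "Cisco NetFlow": {"0": 0, "1": 1, "2": 2, "3": 3, "4": 4},
}


@dataclass
class Event:
    device_product: str
    name: str
    source_address: str
    target_address: str
    target_user: Optional[str]   # None for flow records that carry no user name
    raw_severity: str


def zone_for(ip: str) -> Optional[str]:
    """Translate an address into its zone name, or None when no zone covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def normalize_severity(device_product: str, raw: str) -> str:
    """Map a vendor-specific severity onto Very Low .. Very High; unknown values become Medium."""
    idx = VENDOR_SEVERITY.get(device_product, {}).get(raw, 2)
    return SEVERITY_SCALE[idx]


def attribute(event: Event) -> Optional[str]:
    """Return the person behind an event: the named user, or the session owner of the source IP."""
    if event.target_user and event.target_user not in SHARED_ACCOUNTS:
        return event.target_user
    return SESSIONS.get(event.source_address)


def detect_shared_account_use(events):
    """Alert on shared-account logins into restricted zones, attributed to an individual when possible."""
    alerts = []
    for e in events:
        zone = zone_for(e.target_address)
        if e.target_user in SHARED_ACCOUNTS and zone in RESTRICTED_ZONES:
            alerts.append({
                "name": e.name,
                "device_product": e.device_product,
                "zone": zone,
                "target_address": e.target_address,
                "shared_account": e.target_user,
                "attributed_to": attribute(e) or "unattributed",
                "severity": normalize_severity(e.device_product, e.raw_severity),
            })
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("Microsoft Windows", "Logon", "10.10.20.15", "10.10.20.15", "ARCNET.COM\\DWEST", "info"),
    Event("Unix", "SSH login", "10.10.20.15", "10.10.30.5", "root", "warning"),
    Event("Cisco NetFlow", "Flow", "10.10.20.15", "10.10.30.5", None, "1"),
    Event("Unix", "SSH login", "10.10.20.16", "10.10.20.40", "root", "warning"),
]


def run_sample():
    """Return the alerts produced for the constructed events."""
    return detect_shared_account_use(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the root login into the server farm zone produces an alert; the same shared account logging into a desktop is outside the restricted zone and is left for the summary report rather than a notification. The NetFlow record carries no user name, yet `attribute()` still resolves it to the workstation session owner, which is the behaviour the summary describes for IdentityView.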
The human-readable name "sj-arcnet-desktops" identifies an IP subnet within the network. Humans are more comfortable with names and words than with numbers, so a named zone makes it immediately clear which subnet a given activity relates to, without digging through network diagrams or spreadsheets. The same name is used across content types such as notifications, reports, rules, and cases within the environment. The final default report provides a comprehensive view of all SU and SUDO activity in the environment.

The next use case covers shared accounts used by legacy applications. IdentityView is again used to address this issue, but note that IdentityView is now end-of-sale, with User Behavior Analytics serving as an alternative and distinct product. The setup instructions for this use case are:

1. Log into the Command Center as an admin.

2. Acknowledge and clear any existing notifications or cases from the admin's Cases.

3. Start the Demo Replay Connector with the specified event files, beginning with IdentityView_v2.0.events at a rate of 50 events per minute. After an initial period the speed can be raised to approximately 25 events per second.

The action talking points walk through the dashboard of "MyLegacyApp Login" sessions within the shared account use case. This proprietary application has no user access control capabilities, so everyone uses a single shared account with full administrative privileges; IdentityView is used to track and attribute the login activity of users under that shared account for compliance purposes. Key points of this use case for IdentityView 2.0, a tool designed to monitor user activity in applications and systems, are:

1. **Purpose**: The primary purpose of this use case is to provide an archived report that tracks access to the application using a SystemUser account. This report is crucial for compliance reasons, particularly for auditors who need proof of who accessed the system.

2. **Compliance and Reporting**: There is a requirement to show the archived report titled "MyLegacyApp Login", which includes information about sessions accessed by a Shared Account. The report should be accessible both ad hoc and on a scheduled basis. Without IdentityView, it would be difficult to track this activity back to accountable users.

3. **End of Sale**: IdentityView is still supported but has reached the end of its sale period. The new product, User Behavior Analytics, which functions independently, should be considered for future use.

4. **Setup and Use**: To utilize IdentityView:

  • Log in as an admin to the Command Center.

  • Acknowledge any existing notifications and clear cases from the admin’s dashboard.

  • Replay event files using the Demo Replay Connector, starting with IdentityView_v2.0.events at 50 events per minute, which can be adjusted to approximately 25 events per second if necessary.

5. **Dashboard Usage**: The tool generates two dashboards based on different criteria, department and employee type. They show user access patterns across departments and employee types within the organization, which is valuable for understanding system usage, assessing whether access rights are appropriate, and making informed decisions about system administration.

6. **Product Discontinuation**: IdentityView is being phased out, with User Behavior Analytics serving as its replacement, which suggests a shift in focus towards real-time or near-real-time user behavior monitoring and analysis.

In summary, the use case focuses on enhancing system security and compliance through detailed auditing of privileged users' activities with IdentityView 2.0, complemented by dashboards that provide actionable insights into application usage based on organizational structure.

The archived reports are reached from the "IdentityView v2.0" dashboard under the "Privileged User Monitoring/Modeling" section in the "/All Dashboards/ArcNet" directory. The reports listed are:

1. Show the Archived Report: All Activity for Department.pdf. A detailed view of all activity organized by department, based on archived data from the ArcNet system.

2. Show the Archived Report: Activity Based Modeling by Department.pdf. Uses activity-based modeling to further analyze and categorize the department data outlined in the first report.

3. Optionally show additional reports:

  a. All Activity for Employee Type.pdf: all activity categorized by employee type, using archived information from ArcNet.

  b. All Activity for Role.pdf: activity organized by role within the organization, derived from the ArcNet archives.

  c. Activity Based Modeling by Employee Type.pdf: activity-based modeling tailored to the different employee types, based on the archived reports.

  d. Activity Based Modeling by Role.pdf: applies activity-based modeling to categorize activity according to the roles within the organization, using archived data from ArcNet.

The script also includes a legal notice regarding trademarks and registered marks belonging to Micro Focus International plc, along with its registration number and address.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
