
ESM Express 7.0 Console Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 45 min read

Summary:

Summary of the key features and tools for managing shared-account activity with ArcSight ESM/Express and IdentityView:

**Key Features Explained:**

1. **Dashboard View**: Users can monitor all activities related to the SystemUser account through dashboards provided by ArcSight ESM/Express and IdentityView, enabling real-time tracking of user access.

2. **Event Details**: Detailed event information is accessible by double-clicking on any activity log entry, giving full context for each logged action.

3. **Identity Mapping**: IdentityView maps shared-account activity to specific users or identities, improving accountability and compliance monitoring.

4. **Correlation Options**: Right-clicking a correlated event opens analysis and correlation options that trace the activity back to the accountable user.

5. **Reporting**: Compliance reports can be generated showing who has accessed the application using SystemUser, which is essential for auditing and scheduled reporting.

**Tools Overview:**

  • **ArcSight ESM/Express**: Monitors shared-account activity through its event management capabilities.

  • **IdentityView**: Adds identity mapping so that actions taken with SystemUser can be traced back to specific users.

**Steps for Managing Pending Notifications and Cases:**

1. Log into the ArcSight Console as an admin.

2. Acknowledge or delete any pending notifications under "Admin" settings.

3. Navigate to "Cases" in the admin console, view associated cases, and delete them if necessary.

**Steps for Opening Specific Dashboards:**

1. Access the ArcSight Console and navigate to "Dashboards."

2. Open "ArcNet Dashboards/IdentityView v2.0."

3. Select and open specific dashboards such as "Login Activity by Department" and "Login Activity by Employee Type."

**Steps for Reviewing Archived Reports:**

1. Use the Navigator to access the "/ArcNet Archived Reports" group, specifically the "IdentityView v2.0" section.

2. Open the Report Archives tab and review the PDF reports, including:

  • All Activity for Department.pdf

  • Activity Based Modeling by Department.pdf (optional)

  • All Activity for Employee Type.pdf

  • Activity Based Modeling by Employee Type.pdf

  • All Activity for Role.pdf

  • Activity Based Modeling by Role.pdf

**Steps for Starting the Demo Replay Connector:**

1. Access the ArcSight Console and go to "Connectors."

2. Start the Demo Replay Connector for IdentityView_v2.0.events, initially set at 50 events per minute, then adjust as needed (~25 events/sec).

**Demonstration of Dashboards:**

1. Show access patterns for different departments and employee types on the dashboards, highlighting their importance in system and application usage analysis and access rights management.

This summary is a guide to using ArcSight ESM/Express and IdentityView for monitoring shared-account activity, from managing notifications and cases to reviewing reports and starting demo replays. The dashboard demonstration should highlight their value in understanding user behavior and verifying compliance with access controls.

Details:

ArcSight ESM / ESM Express 7.0 ships with the ArcSight Console, and this demo script (version 2, dated April 20, 2018) walks through a series of use cases with it. The document covers the Compliance Use Case, ArcSight Activate Threat Intelligence, NetFlow Use Cases, ArcSight Activate and Marketplace, Reputation Security Monitor Plus, the Worm Outbreak Use Case, and the ArcSight Marketplace. It also covers the Privileged User Monitoring Use Case (Afterhours Activity) and the Shared Accounts Use Case (Policy Violation). Each use case describes how to apply the product to a specific security need, such as regulatory compliance or protecting the network against threats.

The script itself is a demonstration guide for Micro Focus's Enterprise Security Manager (ESM) or ESM Express with the ArcSight Console: it explains how to set up the environment and interact with it for each security use case, including logging in, configuring the demo replay connector, starting event replay, and working with notifications and cases. The first use case shows an analyst using ESM/ESM Express to investigate suspicious or malicious activity detected by the system. The workflow involves:

  • Logging into ArcSight Console as admin.

  • Deleting existing notifications and cases.

  • Setting up the demo replay connector with specified event files, starting at 50 events per minute.

  • Interacting with notifications in a dashboard view to select and acknowledge alerts related to suspicious activities detected by ESM/ESM Express.

The script emphasizes the ease of use and efficiency of ArcSight for conducting investigations using its correlation and analytics capabilities. After receiving notification emails and SMSes about potential malicious activity, an analyst can work through the notifications in a dashboard view, select specific cases to investigate further, and document the findings in a case file within ESM/ESM Express.

In the scenario, the analyst logs into the ArcSight Console after receiving a notification about multiple failed login attempts to a locked Microsoft Windows account (Windows Account: swright). The pending notification must be acknowledged within a set time interval; if no acknowledgment is received, it escalates to the next level. The analyst then views the associated events in the viewer panel, which shows the correlated event (marked by a red lightning bolt) together with the normalized base events that triggered it. The correlation makes the sequence of actions leading up to the login attempt easy to follow. The field set shown is filtered to what is relevant to the investigation (for example, only fields that bear on authentication issues).

Normalization of the raw event data is performed automatically by the SmartConnector, which categorizes events with fields such as Category Behavior = /Authentication/Verify and Category Device Group = /Operating System. Categorization makes the meaning of an event clear at a glance and simplifies interpretation and analysis. Categorization here means organizing content such as rules and reports around categories rather than specific event IDs. A change in event IDs with a new device version therefore does not require rewriting content, and the content is decoupled from any particular device or vendor.

For instance, a condition on an operating-system category such as Category Device Group = /Operating System triggers on events from Windows, Unix and Linux alike. Categorization thus gives the written content abstraction and portability, so it adapts to changes in technology without extensive modification. Because categories shield the content from being tied to specific devices or vendors, the same rules apply across multiple platforms, which simplifies maintenance and scaling in environments where device types and versions vary.

The investigation of swright proceeds as follows.

1. **Investigation Initiation**:

  • A user named swright was identified as a target of interest.

  • Right-click on "swright" in the Target User Name column and select "Investigate, Create Channel".

2. **Channel Creation**:

  • A new channel is created focusing on swright's activity.

  • Once loaded, pause the Active Channel for detailed analysis.

3. **VPN Usage Analysis**:

  • It was discovered that swright uses a remote VPN connection assigned an IP address of 10.0.110.34.

  • Select "Investigate, Create Channel" to investigate the activity from this specific internal IP address.

  • Upon loading the channel, pause it to review the data.

4. **Malware Detection**:

  • Reviewing the events in the Active Channel reveals that swright's activity includes failed logins and connections to malicious sites through FTP from a firewall and IDS perspective.

  • This indicates that the user might be using a compromised mobile device tunneling into the corporate network.

5. **DNS Investigation**:

  • Focusing on the suspicious DNS domain dslzn11.badguy.net, right-click in the Target DNS Domain column and select "Investigate, Add to Channel".

  • Once loaded, pause the channel for further analysis.

6. **Normalization Process**:

  • During this process in the Active Channel with SmartConnector, data about event danger levels is collected and standardized into a scale of Very Low, Low, Medium, High, and Very High based on various event-rating scales from ESM/ESM Express.

7. **Dynamic Field Adjustments**:

  • The user can adjust the field set being used or add/remove/change fields to customize the display in the Active Channel for better visibility during analysis.

This summary outlines a structured approach to investigating potential cybersecurity threats by leveraging network monitoring and forensic tools, ensuring a thorough examination of all relevant data points associated with swright's account and activities.

The next part of the script uses a Threat Intelligence feed to detect malicious activity: dangerous browsing, outbound communication to a malicious domain (dslzn11.badguy.net), and unauthorized access attempts to locked Windows accounts. A Cisco PIX firewall and an IBM ISS RealSecure IDS/IPS have detected these threats. The analyst adds the relevant events to an investigation case, which becomes the central point of the investigation. The process involves selecting specific correlated events from the Active Channel, adding them to the case, and using breadcrumbs to navigate back to previous steps without starting over. The analyst can also generate reports, such as a report on failed logins, to validate findings and confirm the presence of threats.

Two reports are created in ArcSight ESM/ESM Express for this incident:

1. **Generate a Report on Failed Logins by Destination Address:**

  • Open the report named "Failed Logins by Destination Address".

  • Set the timeframe to the last 24 hours (from $Now - 1d to $Now).

  • Choose PDF as the format for presentation and save it.

2. **Generate a Report on Dangerous Browsing Activities:**

  • Open the report "Dangerous Browsing Activities During the Last 24 Hours - Short Form" using the default parameters.

  • Save the generated PDF and open it in the Navigator Panel.

3. **Attach Reports to the Case:**

  • In the case related to this incident, attach both reports as PDFs.

4. **Add Notes to the Case:**

  • Add notes about the actions taken (e.g., disabled VPN account used by swright) and recommended follow-up actions.

  • For example: "Investigation found compromised VPN account used to gain access to the network. FTP activity then seen to a malicious external host/domain."

  • Follow up actions include disabling the VPN account, taking the infected host offline, and performing a forensic investigation on the connected infected host.

By following these steps, you ensure that all relevant details of the incident are documented in the case for further analysis and reference by other analysts involved in the investigation.

The compliance section of the script shows how ArcSight ESM/ESM Express manages incidents and investigations for compliance cases such as IT governance and security. It describes how an analyst navigates the system's settings and functions, customizes it to the organization's processes, and integrates it with existing case management tools such as ticketing systems. Setup involves logging into the ArcSight Console, opening the IT Governance 3.0 dashboard, acknowledging notifications, reviewing archived reports, and becoming familiar with the standard compliance use cases. The scenario discusses compliance best practices from ISO standards (e.g., ISO 27002) and shows the analyst manually reviewing login details of former employees alongside the violations ArcSight detects automatically. The tool tracks regulatory compliance automatically, including maintaining a list of users whose Active Directory accounts have been disabled but who are still managed in SAP, a sign of potential access problems that need investigation. The section ends with a note on starting the replay agent for event analysis and on the product's capabilities for managing compliance cases efficiently.

The script stresses the importance of following best practices and compliance regulations, with IT governance referenced to ISO 27002. Ensuring that every aspect of access revocation for former employees is covered is tedious and error-prone without effective tools. ArcSight is presented as the solution that automates log review and alerting to ensure compliance, using section 11.2.1 of ISO 27002 (access control after an employee leaves the organization) as the worked example. The script also briefly shows how the ArcSight Console is used to manage these issues, including acknowledging alerts and reviewing compliance status across the sections of the standard.

ArcSight identifies former employees by correlating access attempts against a list of former-employee accounts. The list is kept in memory, so incoming events can be checked against it quickly. The list is updated dynamically by adding user names from account-deletion events or by direct text-file import. A rule with conditions on deleted-account events removes the user from a privileged-users list and moves it to a deleted-employees list. The section concludes that advanced correlation rules, together with notification and case management, let organizations quickly spot and address security incidents that were previously hard to detect, and that ArcSight's automated reporting gives visibility into the organization's security and compliance status.

The next section describes a demonstration that runs two consoles simultaneously, each under a different theme and user account, to show how Event Annotation is used to assign an Activate incident to a Level 1 SOC analyst. The steps are:

**Step 1:**
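As an added example (not code from the demo script or from ArcSight itself), the Python sketch below ties together the categorization passage above and the former-employees list just described: rules that key only on Category fields fire for Windows and Unix events alike, and an account-deletion event both removes the user from a privileged-users list and adds it to a former-employees list that later authentication attempts are checked against. The category value /Authentication/Delete, the per-entry TTL semantics, the constructed sample events and all user names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ActiveList:
    """In-memory list keyed by user name; each entry expires after ttl seconds.
    (Per-entry TTL behaviour is an assumption; the demo only mentions a TTL.)"""
    name: str
    ttl: float
    entries: dict = field(default_factory=dict)  # user -> time added

    def add(self, user, now):
        self.entries[user] = now

    def remove(self, user):
        self.entries.pop(user, None)

    def contains(self, user, now):
        expired = [u for u, t in self.entries.items() if now - t > self.ttl]
        for u in expired:
            del self.entries[u]
        return user in self.entries

    def import_names(self, text, now):
        """Bulk load, one user name per line, as a text-file import would."""
        for line in text.splitlines():
            if line.strip():
                self.add(line.strip(), now)


class CategoryEngine:
    """Rules keyed on category fields only, so they fire on any vendor/product."""

    def __init__(self, fail_threshold=3, window=60):
        self.privileged = ActiveList("Privileged Users", ttl=float("inf"))
        self.former = ActiveList("Former Employees", ttl=90 * 86400)
        self.failures = defaultdict(deque)  # user -> recent failure times
        self.fail_threshold, self.window = fail_threshold, window
        self.correlated = []  # the "red lightning bolt" events

    def _fire(self, rule, ev, **extra):
        self.correlated.append({"rule": rule, "user": ev["targetUserName"],
                                "deviceProduct": ev["deviceProduct"], **extra})

    def process(self, ev):
        behavior, group = ev.get("categoryBehavior"), ev.get("categoryDeviceGroup")
        outcome, user, now = ev.get("categoryOutcome"), ev.get("targetUserName"), ev["endTime"]
        if group != "/Operating System":
            return  # content is scoped by device group, never by vendor or event id
        if behavior == "/Authentication/Delete" and outcome == "/Success":
            # Account deleted: drop any privilege entry, track as former employee.
            self.privileged.remove(user)
            self.former.add(user, now)
        elif behavior == "/Authentication/Verify":
            if self.former.contains(user, now):
                self._fire("Former Employee Account Activity", ev)
            if outcome == "/Failure":
                recent = self.failures[user]
                recent.append(now)
                while recent and now - recent[0] > self.window:
                    recent.popleft()
                if len(recent) >= self.fail_threshold:
                    self._fire("Multiple Failed Logins", ev, count=len(recent))
                    recent.clear()


def normalized(vendor, product, event_id, behavior, outcome, user, t):
    """Shape a connector-normalized event (constructed; not ESM's full schema)."""
    return {"deviceVendor": vendor, "deviceProduct": product, "deviceEventClassId": event_id,
            "categoryBehavior": behavior, "categoryDeviceGroup": "/Operating System",
            "categoryOutcome": outcome, "targetUserName": user, "endTime": t}


# Constructed replay: a Windows account deletion, three Linux sshd failures for
# swright, then the deleted account tried again from Windows. Event ids differ
# per product; the rules above never look at them.
SAMPLE_EVENTS = [
    normalized("Microsoft", "Microsoft Windows", "Security:4726", "/Authentication/Delete", "/Success", "jdoe", 0),
    normalized("Unix", "Unix", "sshd:failed", "/Authentication/Verify", "/Failure", "swright", 100),
    normalized("Unix", "Unix", "sshd:failed", "/Authentication/Verify", "/Failure", "swright", 110),
    normalized("Unix", "Unix", "sshd:failed", "/Authentication/Verify", "/Failure", "swright", 120),
    normalized("Microsoft", "Microsoft Windows", "Security:4625", "/Authentication/Verify", "/Failure", "jdoe", 200),
]


def run(events=SAMPLE_EVENTS, imported="mwilson\n"):
    """Replay the events through the engine and return it for inspection."""
    engine = CategoryEngine()
    engine.privileged.add("jdoe", 0)
    engine.former.import_names(imported, 0)  # the text-file import path
    for ev in events:
        engine.process(ev)
    return engine


if __name__ == "__main__":
    for hit in run().correlated:
        print(hit)
```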

  • Open specific Dashboards in one console logged in as admin (default theme):

1. /All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Reputation Address Data Overview

2. /All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Reputation Entity Data Overview

3. /All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Suspicious Activities in Geo

4. /All Active Channels/ArcNet Dashboards/ArcSight Activate/Threat Intelligence/Threat Intelligence Overview

  • Open a specific Active Channel:

  • /All Active Channels/ArcNet Active Channels/ArcSight Activate/Main Channel

**Step 2:**

  • Log in to another instance of the ArcSight Console as demo (dark theme) and open:

  • /All Active Channels/ArcNet Active Channels/ArcSight Activate/Personal Investigating Channel

**Step 3:**

  • Start the Demo Replay Connector by selecting specific event files and replaying them at a rate of 50 events per minute. The selected event files are:

  • activate_threat_intelligence_50epm.events

**Notes:**

1. There will be two consoles, each with its own theme (default for admin and dark for demo), simulating different roles in the SOC process:

  a. Console with Default theme (admin): simulates a SOC manager watching the Main Channel.

  b. Console with Dark theme (demo): simulates a Level 1 SOC analyst investigating an incident.

2. The use cases focus on a DMZ system that is infected and communicating with a command and control server, detected through outbound traffic to known bad systems and through malware detection.

This setup demonstrates how Event Annotation is used to assign incidents to the appropriate analyst based on role, with the console theme making the role visible.

The scenario uses Sysmon on Windows to collect the file hashes of running programs, without anti-virus software. The demo covers several use cases and highlights these points:

1. **Product and Vendor Agnostic**: The Activate package is independent of specific products or vendors and can trigger on any event sent to ESM (Enterprise Security Manager).

2. **Threat Model Population**: It uses multiple methods, including STIX/TAXII, CIF, ransomware data feeds and HIDDEN COBRA data feeds, to populate the Threat Model.

3. **Information Enhancement**: That information enriches events with details such as the botnet status of an IP address, the source of the threat intelligence, and confidence levels.

4. **Contextual Information**: Level 2 content adds context from both the Threat Model and the Network & Asset Model, helping prioritize incidents and focus on critical assets.

5. **Indicator of Compromise (IOC)**: The demo uses file hashes as the IOC instead of traditional IP addresses and FQDNs. Microsoft Sysmon collects this information efficiently; Microsoft AppLocker or other host monitoring products can optionally be used.

6. **Event Replay**: It includes an Active List that tracks the entities triggering rules, keyed by IP address. The script mentions a TTL for the Active List but does not give full details.

The script then describes how Active Lists are managed in the ArcSight Activate Level 1 and Level 2 Threat Intelligence packages, specifically the Suspicious Addresses and Suspicious Entities lists. To keep an 8-hour event replay running efficiently, entries in these lists should be cleared periodically, which is done from the ArcSight Console under the Default theme:

1. **The ArcSight Activate Level 1 and Level 2 Threat Intelligence Packages:** The L1 package populates a Threat Model that the L2 package uses to detect suspicious and malicious activity. The L1 package retrieves data from intelligence feeds such as STIX, TAXII, the Collective Intelligence Framework (CIF), ransomware data feeds and HIDDEN COBRA data feeds.

2. **Active Lists Composition:** The Threat Model consists of three Active Lists: Suspicious Addresses, Suspicious IPv6, and Suspicious Entities. Suspicious Addresses holds IPv4 addresses, while Suspicious Entities can hold URLs, host names, suspicious file hashes, user names, or email addresses.

3. **Primary Use Case:** The packages' primary function is to populate the Active Lists with indicators drawn from multiple heterogeneous intelligence sources, which helps identify and contextualize potential malicious activity.

4. **Visual Summaries via Dashboards:** Two dashboards in the ArcSight Console summarize the Threat Intelligence Active Lists, one broken down by Indicator Type (for Addresses) and one by Entities. They show indicator type, score range and source to make potential malicious activity easier to spot and analyze.

5. **Periodic List Clearing:** So that an 8-hour replay runs without clogging the Active Lists, entries should be cleared periodically. This maintenance task is done from the relevant menus in the ArcSight Console under the Default theme, removing old or unnecessary entries from the Suspicious Addresses and Suspicious Entities lists.

Overall, this gives a structured approach to managing the Threat Intelligence Active Lists within ArcSight Activate so that the system stays efficient and ready for potential threats.

The script then describes how threat intelligence about potential bot or command and control (C2) servers is analyzed and visualized, including indicators of compromise (IoCs). The suspicious entities include URLs, fully qualified domain names (FQDNs), file hashes (MD5/SHA1/SHA256), user names, and email addresses. A score from 0 to 100 rates the reliability and accuracy of each piece of intelligence; proprietary intelligence typically scores higher than open-source intelligence, which in turn scores higher than internal intelligence. The dashboard shows which suspicious entities have been contacted and maps geolocation-based malicious activity globally, with visualizations such as GeoIP information and counts by signature type to show where, and what kind of, suspicious or malicious activity is occurring. The Threat Intelligence Overview dashboard gives an overall view of the malicious activity detected by the package, categorized into reconnaissance, dangerous browsing and ransomware, among others. It also lists top alerts by score and top internal target addresses, and double-clicking an entry (such as an IP address) drills into the details.
In this scenario, you are simulating the roles of both a SOC manager and a Level 1 SOC analyst using two different consoles with distinct themes. The purpose is to demonstrate how a SOC manager can triage and activate incidents by following a workflow process that assigns them to a Level 1 analyst for further investigation. The incident involves correlated events from a suspicious host named fwhq05.hq.arcnet.com, which has been identified through Activate Threat Intelligence as follows:

  • Dangerous Browsing: A browsing pattern indicating potentially malicious activity.

  • Outbound Command and Control Communication: Indicates communication to an IP address associated with botnet activities, detected by spamhaus.org.

  • Suspicious Filehash Activity in Critical Host: Points to potential malware or suspicious file interactions on a critical system.

The SOC manager uses the Activate Threat Intelligence content in the ArcSight Console to view detailed information about the incident. This includes contextual data such as the source of the threat intelligence, the attack category (Dangerous Browsing and Outbound Command and Control Communication), and an accuracy score indicating the reliability of the intelligence. A link provides further details, redirecting to spamhaus.org for more information on the malicious IP address. As the Level 1 SOC analyst, you would typically monitor your Personal Investigating Channel in the dark-themed ArcSight Console and continue the investigation there, using additional tools or data sources in the platform to validate or refine the threat model. The demonstration thus shows how a SOC manager can use Activate Threat Intelligence to open an investigation and delegate it efficiently to lower-level analysts based on assigned roles and workflows.

The investigation of the suspicious and malicious activity proceeds as follows:

1. **Accessing the Investigating Interface**: The demo user opens their Personal Investigating Channel to view any assigned tasks. The queue is empty, so they switch back to the admin ArcSight Console and select the appropriate channel.

2. **Identifying Correlated Events**: In the Main Channel Active Channel, the admin finds three correlated events for suspicious and malicious activity flagged from fwhq05.hq.arcnet.com in the Source Host Name field.

3. **Annotating Events**: The admin right-clicks these events and selects "Annotate Events", then changes the stage and assigns one of their Level 1 SOC analysts (here, the demo user) to investigate them.

4. **Event Assignment**: Once assigned, the correlated events disappear from the Main Channel Active Channel, indicating that they no longer need triage because an analyst has taken them over.

5. **Reviewing Assigned Events**: The demo user switches back to their Personal Investigating Channel, where the previously unassigned events now appear, assigned to them.

6. **Inspecting Assigned Events**: Double-clicking the correlated events in the Personal Investigating Channel opens the Inspect/Edit panel, where they can be investigated alongside their base events.

7. **Enhanced Investigation with Threat Intelligence**: Additional details from the threat models and cyber threat intelligence sources explain the malicious activity. The activities appear related to dangerous browsing and outbound command and control, targeting known malicious sites through firewall traffic.

8. **Reviewing Filehash Activity**: The analyst examines the Suspicious Filehash Activity event in the Viewer panel, looking at the file's hash and using the threat intelligence data to understand its potential malicious nature.

9. **Dynamic Threat Intelligence Data**: Threat intelligence data is dynamic; lists change, and an entry present today may be absent tomorrow. The script acknowledges this as expected behavior.

10. **Reviewing Additional Details**: The analyst reviews more details about the event in the Inspect/Edit panel, including custom fields such as the Device information. Visiting URLs given in the reference field may produce errors saying the entries are not found, which is consistent with the dynamic nature of threat intelligence data.

Overall, this is a structured approach to investigating suspicious activity in the ArcSight Console with threat intelligence integrated for better understanding and action.

The scenario assumes that Sysmon is configured for process monitoring on the Windows systems and that the ArcSight Marketplace is used to add capabilities such as collecting Sysmon event data. The focus is monitoring suspicious file hashes with the Activate Threat Intelligence package. Sysmon events are collected either through the Windows Native SmartConnector or through an ArcSight FlexConnector available on the ArcSight Marketplace. The connector collects and analyzes process-creation events, which record the hashes of all processes run on these systems; the hashes are matched against the watchlist provided by Activate Threat Intelligence to identify potential threats or indicators of compromise. In the Inspect/Edit panel of the Sysmon event, the Device fields and Attacker fields give more context about which processes are running. The Device field shows that the process name appears to be a file delivered through email (from Microsoft Outlook's temporary directory), while the Attacker field shows that the host is in the network zone named hq-arcnet-dmz. Notifications of suspicious activity based on the pre-defined watchlists and threat intelligence feeds let the organization act on potential threats.

The intelligence package has correlated two events on the network, one of them the Suspicious Filehash Activity on a critical host, which is the base event. The analysis considers both the threat model and the importance of the asset within the network. To investigate further, the analyst uses the Inspect/Edit panel to search for the same executable file hash across other hosts in the network and discovers that a host named printserver01 has a malicious file with the same hash. Although that host is not identified as critical, the Activate Threat Intelligence Level 2 content helps prioritize and focus investigation on the more significant assets. The response actions are:

1. Quarantine the infected host to prevent further spread of the malware.

2. Conduct a forensic investigation into how the malicious file was introduced, potentially through Microsoft Office applications.

3. Close the incident by selecting all three correlated events and annotating them as closed, with comments about the actions taken (host quarantine, contact with the remediation team).

As a SOC manager, it is important to run reports regularly to monitor network security and adjust management strategies based on the intelligence provided by tools such as Activate.

The NetFlow section gives instructions for setting up and reviewing the default reports in the ArcSight Console as part of the Activate Threat Intelligence package, focusing on NetFlow data:

1. **Log in to the ArcSight Console**: As an administrator, access the system using the appropriate credentials.

2. **Open Notifications and Cases**: Navigate to the Notifications tab and address any pending alerts by acknowledging them, then clear the associated cases under the admin profile.

3. **Configure Dashboards**:

  • Open the NetFlow-specific dashboard located at `/ArcNet Dashboards/NetFlow/`.

  • Adjust the layout of the Microsoft SQL Server Monitoring dashboard to circular if necessary.

4. **Access Reports and Archives**:

  • In the Navigator, go to the Reports resource and expand the entire tree under `/ArcNet Archived Reports/` then `/NetFlow/`.

  • Review the generated NetFlow reports in PDF format within the Report Archives.

5. **Adjust Interface Panels**: Hide unnecessary panels (Navigator, Inspect, Edit) to focus on the main interface for effective report inspection.

6. **Setup Demo Replay Connector**:

  • Load and replay event files: `NetFlow_IdentityView_v2.0.events`.

  • Initiate replay at 50 events per minute initially, adjusting speed as necessary after a few minutes of playback (~25 events/sec).

**Action Talking Points**:

  • Highlight the "Top Bandwidth by Actor" dashboard to demonstrate how it visually represents bandwidth usage across identities and countries. This dashboard can be adapted for broader device or vendor use if needed.

  • Display the "Top Port and Bandwidth Usage" dashboard, which illustrates port utilization categorized into well-known ports (0-1023) versus registered and dynamic ports (1024-65535), along with bandwidth usage per these ports.

These instructions are intended to help users effectively utilize the provided tools within ArcSight for monitoring network traffic, identifying potential threats, and visualizing data across various devices and identities in a company's environment.

This summary provides an overview of a Microsoft SQL Server traffic monitoring dashboard used to track and analyze network traffic from and to specific countries, focusing on port 1433 traffic for potential unauthorized installations. The dashboard identifies that traffic is being routed to the "sj-arcnet-desktops" segment, suggesting possible policy violations or unauthorized deployments. It also includes an option to investigate event details by double-clicking on the target zone name and provides reports such as Bandwidth Usage by Port and Detailed Traffic by Host showing top bandwidth hosts and detailed traffic analysis for specific hosts like 192.168.6.101.

The summary then outlines steps for setting up ArcSight for Event Replay, including login credentials, event file selection, replay setup, and opening the necessary active channels and dashboards to monitor the "ArcSight Activate" scenario.

This document provides instructions for setting up an ArcSight system with specific packages installed. It begins by stating that data monitors will take approximately 5 minutes to populate after installation. The setup includes several packages such as Malware Monitoring, Network Monitoring, and more. Some of these features include L1-Malware Monitoring, L2-Network Monitoring, and a Product package: PMcAfeeEpoVirusScan. It notes that this content is not used in the demo but mentions Snort events in an event file. The document then directs users to open several sites in their web browser for further information: these include links to ArcSight Marketplace, specific wiki pages for L1 and L2 Malware Monitoring, and a page about P-McAfee ePO Virus Scan.
These resources are intended to provide more knowledge on the Activate content and its benefits. Lastly, it briefly mentions ArcSight Activate as a modular development methodology with reusable components designed for quick deployment of actionable use cases, empowering users to develop custom use cases using a library of reusable components.

The provided text outlines a comprehensive framework called "Activate," developed by Micro Focus for ArcSight implementations. This framework is designed to facilitate quick value delivery in new implementations and continuous adaptation and improvement for more mature sites. Activate organizes its content into various packages, each serving specific purposes and containing resources like filters, global variables, active lists, indicators, and device-specific data. Key features of the Activate framework include:

1. Comprehensive framework with a growing list of packages tailored to different needs.

2. Packages are organized by type, including Base, L1 Situational Awareness, L2 Situational Awareness, and Product packages.

3. The ArcSight Marketplace, available at https://marketplace.microfocus.com/arcsight, serves as a platform for sharing and downloading security packages, use cases, best practices, and more, allowing access to cutting-edge security information on par with large companies' management capabilities.

The text provided primarily discusses a product offering by HPE (now part of Hewlett Packard Enterprise) called ArcSight Activate. This service provides security monitoring solutions across various technologies including perimeter and network monitoring, application monitoring for web services, physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring. ArcSight Activate offers two main types of packages: L1 and L2. The L1 packages are focused on "indicators and warnings," which detect and report potential malicious activity. These alerts can be triggered by various events such as network anomalies or unauthorized access attempts. The L2 packages, on the other hand, provide situational awareness and context to the L1 indicators. They help users understand what is happening in their environment based on the alerts provided by L1 packages.

ArcSight Activate supports a wide range of vendors and products through its modular architecture, which allows for easy integration with additional devices that are compatible with ArcSight SmartConnectors, FlexConnectors for internal applications, or those that integrate with ArcSight as part of the Security Technology Alliances Partner Program.

When searching within the Marketplace for specific content related to malware monitoring, users can find L1 and L2 packages tailored for this purpose. For instance, there is an Activate Product Package available for McAfee ePO - VirusScan, which supports both L1 and L2 Malware Monitoring. This package helps in detecting and responding to malicious software activities by providing antivirus protection against malware threats.

In addition to the product offerings, ArcSight Activate also provides documentation and best practices within its wiki section that support the use of these packages for effective malware monitoring. The modular nature of Activate ensures flexibility and ease of integration with different security technologies, enabling a comprehensive approach to malware detection and response in complex IT environments.

The document discusses ArcSight's L1 and L2 Malware Monitoring packages, which extend its capabilities for detecting and managing malware threats in an organization's network. The L2 package builds upon the L1 by providing additional context through the Network and Asset Model, allowing users to prioritize responses based on asset criticality (e.g., servers vs. workstations).
The document also highlights that ArcSight is modular, supporting various security monitoring use cases beyond malware detection. For example, a McAfee product package not only monitors for malware but also entities, showcasing cross-use case applicability within the Activate platform. The extensibility of the system allows additional vendors to be supported by editing filters and adjusting thresholds to better fit an organization's specific environment. Moreover, the document mentions that ArcSight provides a test plan for implementing these use cases, which includes test events to ensure proper functionality of the content within the package. This comprehensive approach ensures effective deployment and continuous improvement in malware detection capabilities.

In the provided text, we are discussing the Activate Main Channel and its functionalities within the ArcSight platform. The main channel serves to display all correlated events triggered by the Activate use case, which is designed for incident triage and assignment to analysts based on their subject matter expertise and availability. This setup simulates how a SOC (Security Operations Center) manager would monitor and manage incidents. The text also introduces the Activate Personal Investigating Channel, tailored specifically for analysts. Each analyst's dashboard in this channel is personalized according to their ESM (Enterprise Security Management) login, allowing them to focus on assigned cases only. This setup simulates an analyst named Steve who might be idle currently, as there are no incidents assigned to him at the moment.

The discussion then shifts to malware activity and IDS alerts detected by Activate, with a specific focus on one event related to IP address 172.17.1.1. This particular incident is linked to the Level 1 Malware Monitoring content from various products including McAfee ePO VirusScan. The content in this setup is designed to be vendor agnostic, applicable for any antivirus solution, not limited to specific vendors like McAfee.

The provided text describes a process for incident management in an enterprise network using SolarWinds Event Based Management (ESM). Specifically, it outlines the steps taken by a SOC manager to triage a malware outbreak incident involving the SQLSlammer worm variant. Here's a summary of the key points:

1. **Incident Identification**: The malware has infected multiple assets in the DMZ, including a PCI system named arcnet-dmz. This is identified using the ESM Network and Asset model.

2. **DMZ Correlation**: The incident involves an asset (arcnet-dmz) that is part of the DMZ network. This context is crucial for understanding where the malware is located within the organization's infrastructure.

3. **ESM Network and Asset Model**: By using this model, critical assets affected by the malware are identified and correlated with events related to the incident.

4. **Annotating Events**: The SOC manager uses ESM features to annotate events for Steve, a Level 1 analyst. Annotations in ESM allow for tracking and escalation of events through the workflow process. These annotations can be used as lightweight workflow tools to flag or assign specific events for follow-up.

5. **Stage Assignment**: Events are assigned to stages that represent different investigation levels, such as Level 1 Investigating Stages. This collaborative workflow helps in managing and assigning tasks to relevant security operations personnel.

6. **Customizable Workflow**: The SOC Stages can be customized according to the organization's specific workflow needs, allowing for flexibility in how events are tracked and managed.

In summary, this text outlines a structured approach to malware outbreak management within an enterprise network using SolarWinds ESM. It involves detailed correlation of affected assets, annotation of related events, assignment to appropriate stages, and customization of the workflow according to organizational needs.

The text discusses a process where a correlated event is initially investigated by Level 1 analyst Steve, who will then see this event in his Personal Investigating Channel within the system. This channel allows for further investigation through annotations and editing features. Event annotations are utilized to track specific metrics such as cases by status, monthly cases by severity, event category, closure reasons, time to resolution (TTR), and events per analyst hour. In this particular example, a correlated event involving malware is closed after updating antivirus definitions, removing the malware, and running a full system scan, indicating that the system was clean. The process concludes with viewing the data on a dedicated Malware Monitoring Dashboard within ArcSight Activate, which provides visual representations of malware activity in the organization and its DMZ through Moving Average Data Monitors. The benefits of using ArcSight Activate are highlighted throughout the text, emphasizing its versatility and effectiveness for managing and monitoring cybersecurity events efficiently.

The provided text is a summary of various aspects related to use cases, content development benefits, and the setup process for the ArcSight Reputation Security Monitor Plus (RepSM+) solution. Here's an overview of each section:

**Use Cases:**

  • **Easily Deployed and Extensible Use Cases**: The use cases are designed to be quickly deployed and can be easily copied or expanded to cover similar requirements, thanks to their flexible nature.

  • **Extensive Library on ArcSight Marketplace and Protect724**: A vast library of pre-built use cases is available for deployment across various platforms like the ArcSight Marketplace and Protect724, ensuring a wide array of functionalities are accessible out-of-the-box.

**Content Development Benefits:**

  • **Reuse of Content**: There is a strong emphasis on reusing content between different use cases to save time and resources, adhering to best practices for standardized development processes.

  • **Enforced Best Practices**: Content developers must follow strict guidelines that promote consistency, reliability, and effectiveness in the deployed solutions.

  • **Sharing Between Clients and ArcSight Professional Services**: The developed content is designed to be easily shared with clients and ArcSight Professional Services, facilitating a quicker learning curve for new developers and smoother onboarding experiences for skilled ones.

  • **Separation of Testing, QA, and Production Implementations**: This ensures that the new content undergoes rigorous testing before being deployed in real environments, enhancing overall quality and reliability.

**Reputation Security Monitor Plus Setup:**

1. As an admin, log into the ArcSight Console.

2. Delete any existing cases related to the Reputation Security Monitor 1.0 module for internal infected assets.

3. Configure the Demo Replay Connector with the provided event file (RepSM_demo.events) and set the replay speed at 50 events per minute.

4. Access the Active Channel and open the specified dashboards:

  • The main dashboard is /ArcSight Solutions/Reputation Security Monitor, which includes a detailed overview section and reputation data analysis on malicious entities.

5. Navigate to the Lists module to view entries of malicious domains and IP addresses.

**Action Talking Points:**

  • Start with the basic Viewer panel displaying essential information about internal infections, dangerous browsing, and interactions with malicious entities detected by RepSM+.

  • The dashboard titled "ArcSight Reputation Security Monitor Plus" provides a comprehensive overview of the system's activities, allowing users to drill down into specific details related to internal infections.

This summary highlights how the RepSM+ solution leverages threat intelligence to monitor malware, zero day attacks, and dangerous online behaviors in real-time, providing actionable insights through its intuitive dashboards and management tools.

The text describes an experience with a dashboard for monitoring internal assets that have contacted botnet sites. Specifically, it mentions interacting with an "Internal Infected Assets Dashboard" which displays data about infected assets contacting malicious domains like mystreamvideo.rr.nu. When investigating these incidents, each case is opened in ArcSight's case management system. The trend shown at the bottom of the panel reveals activity towards this one specific malicious domain over time. The user notes that they can investigate further by right-clicking on the entry for mystreamvideo.rr.nu in the "Malicious Entity" column, which confirms it as a Flashback Trojan infection affecting Mac users internally. If internet access is unavailable, an image of the dashboard with specific IP addresses (like 10.0.20.21) can be saved and double-clicked for detailed investigation within the same dashboard system.

For each infected asset, such as 10.0.20.21, there's a drilldown option that provides an overview of all activity related to it over the last 24 hours, including attempts at SQL injections and internal logins. For malicious domain entries like mystreamvideo.rr.nu, right-clicking shows event details such as source IP, destination IP, attacker, and target, with ArcSight automatically geo-locating these based on IP addresses found in the events.

In summary, the document outlines the use of ArcSight in monitoring and protecting networks against malicious entities. It involves regularly checking logged events against a list of known malicious IP addresses and domains to detect threats in real-time.
The information is sourced from the RepSM+ database, which is updated by white hat researchers, providing insights into botnet, malware, peer-to-peer, and other malicious sites with threat scores. ArcSight has an integration connector that updates this list every two hours. The dashboard in the Viewer panel offers various tabs including Malicious IP Addresses, Malicious Domains, Reputation IP Database Overview, and RepSM Overview Dashboard. The Internal Infected Assets panel allows for containment actions such as quarantine by selecting affected assets, from which further cascading menu options lead to integration with ArcSight Threat Response Manager (TRM) virtual appliance for additional security measures like port blocking or MAC filtering.

The text provided outlines a process for managing an incident involving an infected asset (macmini) within the ArcSight system. Here's a summarized version of the steps mentioned:

1. **Opening the Case**:

  • Navigate to the Navigator panel, select "Cases" from the dropdown menu.

  • Open a case specifically for the infected asset (macmini), which is expanded under the category of ArcSight Botnet in the Solutions/Reputation Security Monitor/Internal section.

2. **Case Management**:

  • Integrate cases with other management systems like Remedy.

  • Double-click on the specific case to open it in the Inspect/Edit panel, where you can:

    • Assign the case to other users of ArcSight.

    • Track, report, and notify progress of your cases through predefined stages.

    • Close the case after completing the necessary actions, noting actions like "Quarantined host macmini, follow up actions" or "remediated host."

    • Annotate in the Actions Taken field to record details about the incident.

  • The Events tab provides a log of events involved in the case for reference.

3. **Dashboard and Reporting**:

  • Return to the RepSM Overview dashboard tab in the Viewer panel, where you can see all interactions with dangerous destinations.

  • Double-click on the Access to Dangerous Destinations By Exploit Types panel to view detailed logs against a reputation database.

  • The system checks every log event against the reputation database and presents this information in real time.

  • You will notice additional activity, such as contacts with spyware, misuse/abuse, and spam sites along with the botnet activity shown earlier.

4. **Closure**:

  • Once all actions are completed and noted, close the case by choosing "OK" at the bottom of the Inspect/Edit window.

  • Review the dashboard to confirm that the macmini is now fixed.
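
The reputation check behind the RepSM+ panels (every event's destination compared against a list of malicious IP addresses and domains carrying an exploit type and a threat score, rolled up by exploit type and by internal source), as an added example in Python that is not code from the demo script or from RepSM+. The reputation entries, scores, exploit-type labels, event records and the infection threshold are constructed assumptions; mystreamvideo.rr.nu is reused from the page as a sample entry, and the malicious IP addresses are documentation ranges.

```python
"""Reputation-list checks over constructed events, the way the RepSM+
'Access to Dangerous Destinations by Exploit Type' and 'Internal Infected
Assets' panels summarise them.

Added example; not code from the demo script or from RepSM+. The reputation
entries, threat scores, exploit types, events and the infection threshold are
constructed.
"""
from collections import Counter, defaultdict

# Constructed reputation list: entity -> (exploit type, threat score 0-100).
# Stands in for the list the RepSM+ integration connector refreshes periodically.
REPUTATION = {
    "mystreamvideo.rr.nu": ("Botnet", 95),
    "203.0.113.44": ("Spyware", 70),
    "192.0.2.77": ("Misuse/Abuse", 60),
    "198.51.100.9": ("Spam", 40),
}

# Constructed proxy/firewall events: internal source, destination IP, destination host.
EVENTS = [
    {"src": "10.0.20.21", "dst_ip": "203.0.113.10", "dst_host": "mystreamvideo.rr.nu"},
    {"src": "10.0.20.21", "dst_ip": "203.0.113.10", "dst_host": "cdn.mystreamvideo.rr.nu"},
    {"src": "10.0.20.30", "dst_ip": "203.0.113.44", "dst_host": ""},
    {"src": "10.0.20.31", "dst_ip": "198.51.100.9", "dst_host": "mail.example.test"},
    {"src": "10.0.20.30", "dst_ip": "10.0.10.5", "dst_host": "intranet.arcnet.com"},
    {"src": "10.0.20.32", "dst_ip": "192.0.2.77", "dst_host": ""},
]


def lookup_host(host):
    """Return the listed entity matching a hostname or any parent domain with at
    least two labels, so a CDN or subdomain of a listed domain is still caught."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REPUTATION:
            return candidate
    return None


def match_event(event):
    """(entity, exploit_type, score) if the destination is on the list, else None.
    The IP is checked first; the hostname covers destinations behind shared IPs."""
    if event["dst_ip"] in REPUTATION:
        entity = event["dst_ip"]
    else:
        entity = lookup_host(event["dst_host"])
    if entity is None:
        return None
    exploit_type, score = REPUTATION[entity]
    return entity, exploit_type, score


def access_by_exploit_type(events):
    """Counts behind an 'Access to Dangerous Destinations by Exploit Type' panel."""
    return dict(Counter(m[1] for m in map(match_event, events) if m))


def internal_infected_assets(events, min_score=80):
    """Internal sources that contacted high-score entities (e.g. botnet sites),
    as src -> set of entities; lower-score contacts are browsing, not infection."""
    infected = defaultdict(set)
    for event in events:
        match = match_event(event)
        if match and match[2] >= min_score:
            infected[event["src"]].add(match[0])
    return dict(infected)


if __name__ == "__main__":
    for event in EVENTS:
        print(event["src"], "->", event["dst_ip"], event["dst_host"], match_event(event))
    print("by exploit type:", access_by_exploit_type(EVENTS))
    print("infected assets:", internal_infected_assets(EVENTS))
```

The score threshold is what separates the two panels: a contact with a spam or misuse site is reported as dangerous browsing, while a contact with a high-score botnet entity puts the internal source on the infected-assets list that drives case creation.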

This process effectively outlines how to handle and manage an incident involving a compromised asset using ArcSight's case management tools and reporting features.

ArcSight Reputation Security Monitor is a tool that monitors and reports on dangerous browsing activities by analyzing real-time data from various sources. The Assets panel of the dashboard shows the status of each item, which changes to "Fixed" when an issue is resolved. To access detailed reports, navigate through subfolders in the /ArcSight Solutions/Reputation Security Monitor section, where you can find numerous reports on activities like dangerous browsing. These reports offer both graphical and tabular outputs, allowing users to view event details or long-term trends. Users have the option to run custom reports with various output options and time spans. Additionally, RepSM+ includes correlation rules that automatically check all activity against a reputation database for malicious content. These rules can notify users of any suspicious activity via email notifications, and some rules even offer automatic remediation actions such as quarantine. The tool's flexibility allows for the creation of additional rules based on user needs, providing a comprehensive solution to monitor and manage dangerous online activities.

The demonstration focused on using ArcSight, a software for security information and event management (SIEM), to analyze a worm outbreak scenario. The steps included starting the replay agent to simulate the worm's progression at 200 events per minute (EPM) and initiating the ArcSight Console Interface. The user was instructed to close all dashboards except the "Worm Outbreak dashboard," which highlighted data related to host propagation, zone distribution of infection, and infected systems. The interface displayed that as the worm spread, more hosts became infected.
A switch to the "Worm Propagation by Host" monitor showed how the worm propagated among various hosts, while the "Worm Propagation by Zone" provided insights into where the worm originated (from the Internet) and its potential targets or zones it was attempting to infect. Next, the demonstration moved to the "Worm Infected Systems" data monitor, which identified infected systems that required remediation. The statistical data monitor highlighted increased event volumes for certain hosts using statistical mechanisms employed by ArcSight to detect worm outbreaks. The user then engaged with notifications displayed on the top of the console, explaining how alerts escalate based on their criticality and discussing different notification mechanisms available in ArcSight. Finally, upon double-clicking a notification, users entered the event inspector where they could explore the rule chain, review event content details, and discuss how statistical correlations were applied through this tool.

The demonstration provided an overview of key features and functionalities within ArcSight's interface for managing and responding to sophisticated security threats like worm outbreaks, showcasing its capabilities in monitoring, detection, and response across various aspects of a cyber-attack scenario.

This is a description of how to set up and use the ArcSight ESM/Express system, which helps organizations detect security incidents and manage compliance more efficiently than before. It involves using advanced correlation rules that combine data from both rule-generated events and statistical data monitors. These combined actions can lead to quicker detection and response times for security threats like zero day attacks. Additionally, ArcSight provides comprehensive automated reporting to keep track of the organization's security and compliance status.
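
The statistical mechanism the worm outbreak monitors rely on, as an added example in Python (not code from the demo script or from ArcSight's data monitors): a moving-average check that flags a host whose per-minute event count jumps well above its own recent baseline, combined with a fan-out count of distinct destinations per source, the quantity the "Worm Propagation by Host" view is built on. Requiring both conditions is what keeps a legitimately busy server from being reported alongside a spreading worm. The per-minute counts, the connection records, the window size, the factor and the thresholds are constructed assumptions.

```python
"""Statistical spike and fan-out detection for a worm outbreak, per source host.

Added example; not code from the demo script or from ArcSight's data monitors.
The per-minute counts, connection records, window size, factor and thresholds
are constructed assumptions.
"""
from collections import defaultdict, deque

# Constructed events-per-minute series per source host, oldest first.
# 10.0.20.30 shows the sharp rise a scanning worm produces.
COUNTS = {
    "10.0.20.21": [12, 11, 13, 12, 14, 13, 12, 13],
    "10.0.20.30": [10, 9, 11, 10, 12, 40, 130, 400],
    "10.0.10.5": [50, 52, 49, 51, 50, 53, 52, 51],
}

# Constructed connection records (src, dst, dst_port) over the same minutes.
CONNECTIONS = (
    [("10.0.20.30", f"10.0.20.{i}", 1434) for i in range(40, 70)]  # 30 distinct targets
    + [("10.0.20.21", "10.0.10.5", 443)] * 12                        # one client, one server
    + [("10.0.10.5", f"10.0.20.{i}", 445) for i in (21, 22, 23)]    # server reaching 3 hosts
)


def moving_average_spikes(series, window=5, factor=3.0, min_count=20):
    """Intervals whose count exceeds factor times the mean of the previous
    `window` intervals, as (index, count, baseline). min_count keeps a nearly
    idle host from alerting on a jump from 2 to 7 events."""
    spikes = []
    history = deque(maxlen=window)
    for i, count in enumerate(series):
        if len(history) == window:
            baseline = sum(history) / window
            if count >= min_count and count > factor * baseline:
                spikes.append((i, count, baseline))
        history.append(count)  # the window keeps sliding, spikes included
    return spikes


def spiking_hosts(counts, **kwargs):
    """host -> index of its first spiking interval (hosts without spikes omitted)."""
    result = {}
    for host, series in counts.items():
        spikes = moving_average_spikes(series, **kwargs)
        if spikes:
            result[host] = spikes[0][0]
    return result


def fanout(connections):
    """Distinct destinations per source: the Worm Propagation by Host view."""
    targets = defaultdict(set)
    for src, dst, _port in connections:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def worm_candidates(counts, connections, min_targets=10, **kwargs):
    """Hosts that both spike in volume and reach many distinct targets: the
    combination that separates a spreading worm from a busy server."""
    spikes = spiking_hosts(counts, **kwargs)
    fan = fanout(connections)
    return sorted(host for host in spikes if fan.get(host, 0) >= min_targets)


if __name__ == "__main__":
    for host, series in COUNTS.items():
        print(host, moving_average_spikes(series))
    print("fan-out:", fanout(CONNECTIONS))
    print("worm candidates:", worm_candidates(COUNTS, CONNECTIONS))
```

Because the window keeps sliding, the baseline rises as the spike persists; a host that stays at its new level will eventually stop alerting, which is why the first spiking interval (the value spiking_hosts returns) is the one to anchor the notification on.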
ArcSight ESM/Express also includes access to the ArcSight Marketplace, where users can find and download additional resources such as use cases, best practices, and more. This marketplace allows sharing and downloading of security packages that help in managing and enhancing security measures for organizations. To set up the ArcSight Marketplace:

1. Log into the ArcSight Console as an admin.

2. Start the Demo Replay Connector by selecting event files to replay at a specific rate.

3. Open the Network Monitoring use case, specifically the IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) monitoring section.

4. In the web browser, go to https://marketplace.microfocus.com/arcsight and consider signing up for an account on both ArcSight Marketplace and Protect724 if you don't already have one.

5. On the main ArcSight Marketplace page, navigate through categories like Legacy Packages, Activate Device Packages, Utilities and Tools, Product Documentation, Best Practices, Guidelines, Resource Center, and Partner Integrations to find content relevant to your IDS and IPS monitoring needs.

The provided text describes a process for utilizing a device in an ArcSight environment to monitor events from network IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) devices. Here's a summary of the steps outlined:

1. **Entering Search Criteria**: Use the search function within the system by entering specific IDs related to the devices you wish to monitor.

2. **Reviewing Search Results**: In the results, click on "IDS IPS Monitoring SmartConnectors" or "Package" as per the interface available in the ArcSight environment. This will display detailed information about the content including description, screenshot, and details of triggers for these connectors.

3. **Downloading and Installing Content**: If needed, download and install the package from the Marketplace if it is not already installed.
The text states that the package is already installed in this context, so no further action on installation is required.

4. **Navigating to Resources**: Switch to the ArcSight Console where you will find various resources related to the installed content such as a dashboard, active channel, viewer panel, and reports.

5. **Using the Dashboard**: Access the "IDS – IPS Overview Dashboard" which visually represents data from your IDS/IPS devices showing top attackers, targets, alerts, and counts.

6. **Inspecting Alerts**: Drill down into specific parts of the dashboard by double-clicking on slices or events in the Active Channel to view detailed normalized fields and categorized information.

7. **Generating Reports**: Review default reports available with the Marketplace content which include alert counts by attacker and target, among others. Use the Navigator Panel to access reports and archives for this purpose.

8. **Reviewing Reported Data**: View pre-set reports that are automatically generated based on previously replayed events from the IDS/IPS devices.

This process outlines how to utilize a system's interface to monitor, visualize, and analyze data from network security devices using ArcSight capabilities.

The provided text outlines a demonstration of ArcSight Marketplace and its integration within the system, focusing on Privileged User Monitoring Use Case (Afterhours Activity) using IdentityView. Key points include:

1. **Introduction to ArcSight Marketplace**: It serves as a platform for exploring ArcSight applications, documentation, community sharing, and SIEM best practices related to security content and SIEM solutions.

2. **Use Case Description**: The use case involves monitoring privileged users during off-hours using IdentityView, which is now deprecated but still supported. Users should consider User Behavior Analytics as a replacement for IdentityView.

3. **Setup Steps**:

  • Log in to the ArcSight Console as an admin.

  • Handle notifications by acknowledging or resolving them under the Notifications tab.

  • Delete any associated cases under admin’s Cases.

  • Access and review specific dashboards:

    • Actor Management (Actor Overview, Actor Roles Overview) from /Shared/All Dashboards.

    • Privileged User Monitoring sections for Identity Investigation (Top Bandwidth by Actor), Modeling (Login Activity by Department) from /ArcNet Dashboards.

  • Open the Active Channel for specific investigations.

  • Navigate to the Reports resource under the Archives tab, exploring previously generated and archived reports in PDF format within the /IdentityView v2.0 section.

  • Configure Event Graph options in the ArcSight Console: set visibility of nodes, specify identifiers (source/target node details), and choose a graph layout.

This summary captures the primary objectives and steps related to using IdentityView for monitoring privileged users after hours within an organizational context, utilizing tools available through ArcSight Marketplace.

The provided text discusses a method for using an ArcSight system to analyze user activity through event replay. Here's a summarized breakdown of the steps outlined in the text:

1. **Organic Layout**: It is recommended to hide the Navigator Panel and the Inspect/Edit Panel and leave the Console open while conducting this demonstration.

2. **Starting the Demo Replay Connector**:

  • Select event files for replay including "IdentityView_v2.0.events".

  • Start replaying these files at a rate of 50 events per minute (initially). After about 2-3 minutes, adjust the speed to approximately 25 events per second if necessary.

  • This setup is crucial for ensuring that the first three events related to Mario are played in sequence, which includes:

    • Mario logging on to his Windows system with a Microsoft Successful Logon event.

    • Mario connecting to a Unix system, indicated by two Unix session opened events.

3. **Action Talking Points**: The demonstration begins with only the Viewer Panel displayed. The focus is on enriching user context within the ArcSight system for better identity correlation and visualization of actors (users) in the system. This includes:

  • Opening the Viewer Panel to display the Dashboard.

  • Introducing the Actor Overview by opening the Navigator Panel, selecting a model, and expanding the ARCNET.COM identity management system.

  • The Actor model is created through integration with Active Directory, pulling in all user information from the ARCNET.COM domain. This integration automatically groups users by their Organizational Unit (OU) within Active Directory, showing different accounts under each OU.

In summary, this text provides a step-by-step guide for using an ArcSight system to replay and analyze events related to user activity, emphasizing the importance of context enrichment through actor models derived from directory services like Active Directory.

The text describes an interface for managing user accounts, including administrative roles such as contractors, employees, vendors, and service accounts represented through an "Actor model." When you open a specific user account, the system displays detailed information including full name, employee type (e.g., full-time), status (active), department (e.g., Marketing), and other attributes from Active Directory. Additionally, it shows all account identifiers used for accessing various systems and applications on the network, as well as roles assigned based on group membership in Active Directory or similar role assignment mechanisms in more advanced identity management systems. The interface supports visualizing user details through dashboards like the Actor Overview, which provides general statistics about the actor model and its integration with the Active Directory system.

The dashboard provides an overview of actor roles in an Active Directory environment using the Actor model. It contains information about Actors and their associated account IDs, revealing an average of 3-4 accounts per user across 36 actors and 130 different account IDs. This suggests a need to understand how users interact with various systems or applications due to multiple identifiers. The dashboard also highlights specific attributes like status (with 33 active and 3 disabled Actors), enabling tracking of terminated employees' activity through disabled accounts. Additionally, it breaks down actors by Organizational Unit (OU) and department, showing that the Information Technology department has the most users, followed by Marketing. The dashboard also offers insights into roles via group membership:

  • There are 95 groups in Active Directory.

  • Users can be identified based on the number of groups they belong to; for example, Erika Mustermann is a member of 6 groups.

  • The top right panel provides details on groups containing the most users.

This dashboard provides interesting insights into an organization's Active Directory system. It reveals that many groups and user memberships exist within the system, with tens of thousands of users belonging to numerous groups, which presents challenges for controlling access from a least-privilege perspective due to compliance concerns.

The dashboard shows "Top Bandwidth by Actor," focusing on the user perspective rather than IP addresses, allowing better correlation content and policy-based analysis. Additionally, it displays "Login Activity by Department," enabling the visualization of user access patterns across systems and applications within different departments. These features help in building more meaningful data correlations based on user behavior and policy compliance.

In the context of managing data centers and access permissions within an organization, there are specific policies in place to ensure only authorized personnel have access during off-hours. These policies aim to prevent compliance violations, potential insider threats, and misconfigurations in badge reader authentication systems. When unauthorized individuals gain access, it triggers notifications through the ArcSight system, alerting designated personnel. Upon receiving a notification, the first step is to acknowledge it by accessing the ArcSight system's dashboard where all pending notifications are displayed. This acknowledgment helps prevent automatic escalation of issues that might otherwise involve higher management if not promptly addressed. The process involves clicking an 'acknowledge' button, which moves the notification from a pending queue to an acknowledged queue, allowing for immediate investigation into how and why unauthorized access occurred.
This section covers a process where an employee (Mario Rossi) badges into a server room after hours, which triggers a correlated event and results in a violation alert for unauthorized access during non-business hours. Key points:

1. **Triggering Event**: An employee (in this case, Mario Rossi) badges into the server room after business hours. This badge event is the base event that triggers the correlation.

2. **Correlated Event**: The badge event is correlated with two other components, the role of the user and the time of day. These correlations clarify the nature of the violation:

  • **Role of the User**: Mario Rossi, despite having no involvement in data center operations or being an IT administrator, triggered the event due to his unauthorized access during non-business hours. His role within the organization is highlighted as not aligned with accessing the restricted area.

  • **Time of Day**: The correlation emphasizes that the violation becomes significant when considering the time of entry – typically business hours are for authorized personnel only, and after-hours access without a valid business reason constitutes a security breach.

3. **Correlation Alert**: The alert is not just about the badge event itself; it involves three elements: the badge event (the act of badging in), the role of the user (Mario Rossi's role gives him no business in the data center), and the timing (non-business hours). Together these form a violation alert indicating unauthorized access.

4. **Human Language Interpretation**: The correlation is explained in simple language so that non-technical users can follow it. Although the badge event might look like a straightforward action, its correlation with role and time shows why it constitutes a violation.

5. **User Identification**: The badge event itself identifies the user only by a number that has no direct meaning; the final alert identifies the user as Mario Rossi through the correlation process, ensuring proper attribution of the action.

This underscores the importance of interpreting alerts effectively to detect unauthorized activity and align it with organizational policy, even when the initial indications are unclear or ambiguous.

ArcSight takes the user name from the event and traces it back to the Actor model to identify which actor (here, Mario Rossi) owns that account. It then enriches the event with information from the Actor model, such as the user's full name and department (Marketing). This raises the question of why a Marketing employee is accessing the data center outside business hours.

To investigate further, all activity by Mario Rossi over the past few days is reviewed in an Active Channel. Instead of manually searching through DHCP and Active Directory logs, the system pulls together every action performed by Mario Rossi with a single filter.
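The badge, role and time-of-day correlation described above, as an added example that is not ArcSight's own rule language: the rule is reproduced in plain Python with a constructed Actor model (the badge ids, role names and the business-hours window are assumptions) and three constructed badge events.

```python
# Added example, not ArcSight's own rule language: the after-hours server room
# badge rule from the narrative above, reproduced as plain Python.
from datetime import datetime, time
from typing import Optional

# Constructed Actor model: badge id -> person attributes. Names and departments
# follow the narrative; the badge ids and the role names are made up.
ACTOR_MODEL = {
    "badge-4471": {"full_name": "Mario Rossi", "department": "Marketing",
                   "roles": {"Marketing Specialist"}},
    "badge-1022": {"full_name": "Erika Mustermann", "department": "IT",
                   "roles": {"Data Center Operator"}},
}
# Roles with a standing business reason to be in the server room (assumed).
AUTHORIZED_ROLES = {"Data Center Operator", "IT Administrator"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy window
BUSINESS_DAYS = range(0, 5)                  # Monday .. Friday


def is_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() in BUSINESS_DAYS and start <= ts.time() < end


def enrich(event: dict) -> dict:
    """Identity enrichment: attach Actor model attributes to a raw badge event."""
    enriched = dict(event)
    actor = ACTOR_MODEL.get(event["badge_id"])
    if actor:
        enriched["actor_full_name"] = actor["full_name"]
        enriched["actor_department"] = actor["department"]
        enriched["actor_roles"] = actor["roles"]
    return enriched


def after_hours_server_room_rule(event: dict) -> Optional[dict]:
    """Correlate badge event x role x time of day; return a violation alert or None."""
    if event["type"] != "badge_in" or event["location"] != "server room":
        return None                       # not the base event this rule watches
    ev = enrich(event)
    ts = datetime.fromisoformat(ev["timestamp"])
    if is_business_hours(ts) or ev.get("actor_roles", set()) & AUTHORIZED_ROLES:
        return None                       # normal hours, or an authorised role
    return {
        "name": "After-hours server room access by unauthorised role",
        "severity": "high",
        "actor": ev.get("actor_full_name", "unknown badge " + ev["badge_id"]),
        "department": ev.get("actor_department", "unknown"),
        "time": ev["timestamp"],
        "base_event": event,              # original badge event kept for the case
    }


def run(events: list) -> list:
    """Evaluate the rule over a list of events; returns the alerts raised."""
    alerts = [after_hours_server_room_rule(e) for e in events]
    return [a for a in alerts if a is not None]


# Constructed sample: two Saturday-night badge-ins and one on Monday morning.
SAMPLE_EVENTS = [
    {"type": "badge_in", "badge_id": "badge-4471", "location": "server room",
     "timestamp": "2025-04-05T22:14:00"},   # Mario Rossi, Marketing, Saturday
    {"type": "badge_in", "badge_id": "badge-1022", "location": "server room",
     "timestamp": "2025-04-05T22:20:00"},   # data centre operator, Saturday
    {"type": "badge_in", "badge_id": "badge-4471", "location": "server room",
     "timestamp": "2025-04-07T10:05:00"},   # Mario again, Monday business hours
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["name"], "-", alert["actor"], alert["department"], alert["time"])
```

Only the Saturday badge-in by the Marketing employee raises an alert; an unknown badge id after hours also alerts, with the badge number in place of a name, which is the "cryptic identifier" case the narrative mentions.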
Session correlation applies to events such as successful logons or Cisco NetFlow events that lack a user name field. The first event in this window is a Microsoft logon on Mario's desktop workstation (IP address 192.168.6.103); session correlation establishes that the subsequent activity from that address belongs to Mario Rossi. Overall, this illustrates how ArcSight uses user information and correlation to investigate network activity.

Mario Rossi logs onto various devices using different accounts but is consistently identified through identity correlation as the same individual. He establishes a session on a Unix machine at IP address 10.0.111.254 and engages in potentially suspicious network and web browsing activity involving countries such as China and Brazil. ArcSight's Event Graph feature gives a visual representation of these events and helps in understanding the sequence and nature of Mario's actions. Key points:

1. Mario logs into different accounts but is consistently identified as Mario Rossi through identity correlation.

2. He establishes a session on a Unix machine at IP address 10.0.111.254 and engages in suspicious network and web browsing activity involving countries like China and Brazil.

3. ArcSight's Event Graph is used to visualize these activities for better understanding.

4. The Blue Coat proxy shows that Mario attempted to access his personal email accounts but was denied because of monitoring activity.

5. In an attempt to conceal his tracks, Mario uses SSH to connect to a Unix machine and continues with more suspicious activity.

6. The Event Graph visualizes the network traffic and web browsing events related to Mario's activities.

The scenario then shows an employee potentially seeking to leave the company by searching for new opportunities on job hunting websites such as builder.com, monster.com, and hotjobs.com. Someone actively looking for another job may be unhappy in their current position. Furthermore, a Cisco NetFlow event shows unusual activity from printserver01 to multiple anonymous foreign sites and a known hacking website in China, which could suggest data theft or intellectual property transfer through anonymous proxies. The employee might also be downloading 51hacking tools for sabotage after leaving the company.

Such an issue is handled in ArcSight through the case management system, escalating the situation to human resources. Once a case has been opened for the badge access to the server room, attributes such as stage, impact and severity can be set and users assigned for tracking. The Events tab of the case shows both the correlated alert and the original base events that triggered it.

In summary, an employee's potential dissatisfaction leads to actions such as searching for new jobs online and potentially transferring company data or using sabotage tools on departure. ArcSight's case management system is used to manage and escalate the situation appropriately.

The Actor Investigation - Mario Rossi Active Channel is used to add additional evidence, such as network traffic or system logs, into the case. Follow these steps:

1. **Lock the Case for Editing**: Begin by locking the current case so that no one modifies it while you add evidence.

2. **Select Add to Case from Active Channel**: Right-click each relevant event in the active channel and select 'Add to Case' to include it in the investigation.

3. **Expand and Show Events**: In the case editor, expand 'Other selected Event(s)' under the 'Events' tab to display the added events. You can verify their addition by right-clicking them again and selecting 'Add'. Click 'Apply' to commit the changes to the case.

4. **View the Event Graph**: Open the Event Graph view from the Navigator Panel for a visual representation of the activity. Right-click and select 'Add Graph as Part of this Case', which attaches a JPEG image of the graph to the case for easy reference and sharing.

5. **Manage Attachments**: Go to the 'Attachments' tab in the case editor to confirm that all relevant evidence has been added and consolidated in one place.

6. **Generate a Report**: Switch from the Inspector/Editor Panel to the Navigator and select the 'Reports' resource. Choose 'Archived Report All Activity for Specific Actor – Mario Rossi'. Optionally, run a complete report on all activity of this actor (Mario Rossi) with the time frame set to $Now - 1h.

7. **Package Evidence**: Package the entire investigation into one organized document that can be shared with HR or legal teams for further review and action, with detailed justification to ensure transparency in the investigative process.

By following these steps, evidence from various sources is integrated into a unified case file, giving clearer communication and analysis of the digital forensics data in the Mario Rossi case.
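The session correlation described above, which is also what lets the shared-account dashboards later in this script tie a SystemUser or root login back to a person, as an added example that is not ArcSight's code: user-less NetFlow and proxy events are attributed to the actor whose latest logon opened a session on the same address. The account names, the eight-hour session window and every event value except the two IP addresses from the narrative are constructed.

```python
# Added example, not ArcSight's own implementation: the session correlation
# described above. Events without a user name (NetFlow, proxy) are attributed to
# the actor whose most recent logon opened a session on the same address.
from datetime import datetime, timedelta
from typing import Optional

# Constructed Actor model: account name -> actor. Account names are made up.
ACTOR_MODEL = {"mrossi": "Mario Rossi", "rossi_m": "Mario Rossi",
               "emuster": "Erika Mustermann"}
SESSION_WINDOW = timedelta(hours=8)   # assumed maximum lifetime of a session


def build_session_table(events: list) -> dict:
    """Map host address -> [(logon time, actor)] from successful logon events."""
    sessions = {}
    for e in events:
        if e["type"] == "logon_success":
            actor = ACTOR_MODEL.get(e["user"], e["user"])
            sessions.setdefault(e["host"], []).append(
                (datetime.fromisoformat(e["ts"]), actor))
    return sessions


def attribute(event: dict, sessions: dict) -> Optional[str]:
    """Actor for a user-less event: latest logon on event['src'] within the window."""
    ts = datetime.fromisoformat(event["ts"])
    best = None
    for logon_ts, actor in sessions.get(event["src"], []):
        if logon_ts <= ts <= logon_ts + SESSION_WINDOW:
            if best is None or logon_ts > best[0]:
                best = (logon_ts, actor)
    return best[1] if best else None


def correlate(events: list) -> list:
    """Return the events in time order, each with an 'actor' field filled in."""
    sessions = build_session_table(events)
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        enriched = dict(e)
        if e["type"] == "logon_success":
            enriched["actor"] = ACTOR_MODEL.get(e["user"], e["user"])
        else:
            enriched["actor"] = attribute(e, sessions)
        out.append(enriched)
    return out


# Constructed events following the narrative: a Windows logon on Mario's desktop
# (192.168.6.103), user-less NetFlow and Blue Coat proxy events from that desktop,
# then an SSH logon under a second account that opens a session on the Unix host
# 10.0.111.254, whose own outbound traffic is then attributed to Mario as well.
# The two addresses come from the page; every other value is made up.
SAMPLE = [
    {"ts": "2025-04-07T08:02:00", "type": "logon_success", "host": "192.168.6.103",
     "user": "mrossi", "device": "Microsoft Windows"},
    {"ts": "2025-04-07T08:30:00", "type": "netflow", "src": "192.168.6.103",
     "dst": "203.0.113.7", "device": "Cisco NetFlow"},
    {"ts": "2025-04-07T08:31:00", "type": "proxy_denied", "src": "192.168.6.103",
     "url": "webmail.example.net", "device": "Blue Coat"},
    {"ts": "2025-04-07T08:40:00", "type": "logon_success", "host": "10.0.111.254",
     "user": "rossi_m", "device": "Unix SSH"},
    {"ts": "2025-04-07T08:45:00", "type": "netflow", "src": "10.0.111.254",
     "dst": "198.51.100.9", "device": "Cisco NetFlow"},
    {"ts": "2025-04-07T09:00:00", "type": "netflow", "src": "10.0.111.250",
     "dst": "198.51.100.9", "device": "Cisco NetFlow"},   # no session: unattributed
]

if __name__ == "__main__":
    for e in correlate(SAMPLE):
        print(e["ts"], e["device"], "->", e["actor"])
```

An event from an address with no earlier logon, or one that falls outside the session window, is left unattributed rather than guessed, which is the case an analyst has to resolve by hand.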
ArcSight, as a security information and event management (SIEM) tool, compiles evidence for investigations of specific users efficiently: by pulling all activity for a particular user over a specified time period, the report automatically brings together building access and physical access records, system events, and so on. The report includes a graph view summarizing the applications accessed and a table with detailed information about traffic sources and destinations. Where user name information is missing, session correlation identifies the user. Saving the report and attaching it to the case ensures continuity and easy access for subsequent reviews.

The ArcSight Console's slide show mode can be used to present the evidence clearly; the transition interval between slides is customizable. Overall, investigation material can be compiled quickly into a case and handed off to the appropriate authorities or teams.

The following steps cover managing notifications and cases in the ArcSight Console:

1. **Acknowledge any pending Notifications**: Acknowledge and start investigations for any unaddressed alerts or incidents that have been received but are still pending.

2. **Delete any associated Cases under admin's Cases**: Review and close out any cases related to the notifications, ensuring that all necessary actions have been taken and documented.

3. **Open the Dashboards**:

  • Navigate to specific ArcNet dashboards: `/ArcNet Dashboards/IdentityView v2.0/Shared Accounts/`.

  • Within this dashboard, open `Shared Account Logins` for a visual overview of shared account activities.

4. **Open the Navigator and browse to the Reports resource**:

  • Open the Reports resource, Archives tab, and expand the tree structure under `/ArcNet Archived Reports`.

  • Locate reports related to IdentityView v2.0, specifically found under `/IdentityView v2.0`.

5. **Hide the Navigator and Inspect/Edit panels**: These panels are useful for detailed inspection but are not needed while demonstrating specific features or troubleshooting.

6. **Start the Demo Replay Connector**:

  • Select event files: `IdentityView_v2.0.events`.

  • Begin replaying these files at a rate of 50 events per minute initially, adjusting to approximately 25 events per second if needed after an initial review.

**Action Talking Points**:

  • The user describes receiving an email alert from ArcSight on their phone and acknowledges the notification through the ArcSight Console.

  • They explain how notifications lead to case escalation processes within the system, which also generate reports that can be reviewed in the dashboard setup.

  • In the Inspect/Edit panel, they change the field set to `/ArcNet/IdentityView v2.0/Actor Field Set` to tailor the view for specific incident details related to shared account usage on a server segment.

  • They discuss how the system might alert users to policy violations such as using shared accounts in restricted network segments and demonstrate adjusting views to review detailed notification information.

This part of the guide covers event monitoring, the network model, dashboard displays, and drill-down capabilities:

1. **Event Monitoring**: "session opened" events with a target user name of 'root' are monitored. A rule watches for this behaviour because root access represents significant access and control over the network environment.

2. **Network Model**: This behaviour is monitored only in particular segments of the network, so the effort focuses on specific sub-networks or zones where root access is of concern.

3. **Dashboard and Drill-Down Features**: A custom dashboard called "Shared Account Logins" displays shared account activity: source and target addresses, applications used, and the accounts accessed. Unlike the default dashboards, which use query viewers, this dashboard uses data monitors for drill-down. Right-click options provide investigation from within the dashboard, and identity linkage is provided through a field named "IdentityView".

4. **Reports**: Finally, reports related to shared account activity are opened. Specific details of the reports are not given here, but the system provides reporting on network activity based on user interactions with shared accounts.

Overall, this part covers event handling, targeted network zones, interactive dashboards, and drill-down capabilities.

The final part of my investigation involved reviewing an archived report titled "Logins to Known Shared Accounts" using ArcSight ESM/Express. This report gives a summary and details of shared account activity in my environment, including attacker and target zone details, which shows the benefit of the network model. The default report covers all SU and SUDO activity within the environment and offers attribution by either name or IP through two different columns. The customer might ask about these columns to understand how IdentityView attributes actions to names or IPs. Note that although IdentityView is still supported, it is nearing its end of sale, and User Behavior Analytics (UBA) should be considered as a separate and distinct product for future applications.

To proceed with the investigation, I logged into the ArcSight Console as an admin, acknowledged any pending notifications, deleted the associated cases, opened the relevant dashboard, and accessed the report archives from the Navigator. The reports are available in PDF format in the Report Archives under the /ArcNet Archived Reports group, specifically within the IdentityView v2.0 section.
This use case covers users who access a proprietary application that has no user access control, using a shared account named SystemUser with full administrative privileges. To meet compliance requirements for tracking who logs into this application, ArcSight ESM/Express and IdentityView are used to monitor the activity of the shared account.

**Key Features Explained:**

1. **Dashboard View**: All activity in the application under the SystemUser account is visible through a dashboard provided by ArcSight ESM/Express and IdentityView, giving real-time tracking of who is accessing the system.

2. **Event Details**: Double-clicking on any activity opens the detailed event information supporting the logged action.

3. **Identity Mapping**: The value of IdentityView is that it maps this shared account activity back to an identifiable user or identity.

4. **Correlation Options**: Right-clicking on a correlated event offers in-depth analysis and correlation options, providing a detailed chain of activity tied to the accountable user.

5. **Reporting**: For compliance purposes, reports show who has accessed the application using the SystemUser account. These reports are crucial for auditing and can be run both ad hoc and on a schedule.

**Tools Overview:**

  • **ArcSight ESM/Express**: Facilitates monitoring of shared account activities through its event management capabilities.

  • **IdentityView**: Enhances this monitoring by providing detailed identity mapping to track the actions taken using the SystemUser account back to specific users.

This use case demonstrates how IdentityView aids privileged user monitoring. It still applies after IdentityView's end of sale, and User Behavior Analytics is suggested as the replacement tool. The setup involves logging into the ArcSight Console as an admin, accessing the relevant tools (ArcSight ESM/Express or IdentityView), configuring settings, and using the dashboard views, event details, identity mapping, correlation options, and report generation for compliance and auditing needs.

The demo tasks are to manage pending notifications, delete associated cases under admin's Cases, open specific dashboards, review archived reports, start the Demo Replay Connector for the event files, and show the dashboard views and archived reports. Key points:

1. Manage notifications by acknowledging or deleting them.

2. Navigate to ArcNet Dashboards/IdentityView v2.0 and open the dashboards Login Activity by Department and Login Activity by Employee Type.

3. Open the Reports resource in the Navigator, Archives tab, under /ArcNet Archived Reports and /IdentityView v2.0. Review the PDF reports: All Activity for Department.pdf, Activity Based Modeling by Department.pdf (optional), All Activity for Employee Type.pdf, Activity Based Modeling by Employee Type.pdf, All Activity for Role.pdf, and Activity Based Modeling by Role.pdf.

4. Start the Demo Replay Connector to replay IdentityView_v2.0.events at 50 events per minute initially, then adjust the speed as needed (~25 events/sec).

5. Demonstrate the dashboards showing access patterns for departments and employee types, highlighting their importance in analysing system and application usage and managing access rights.

Micro Focus International plc is incorporated in England and Wales with registration number 5134647. The registered office address is The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
