ESM Express Command Center Demo Script 1.1
- Pavan Raja

- Apr 8, 2025
- 34 min read
Summary:
The text provided is a detailed summary of how to use ArcSight for monitoring shared account activities, specifically focusing on the IdentityView v2.0 dashboard. It outlines steps for accessing notifications, investigating breaches, and using various reports to understand user activity across different systems and applications.
However, it's important to note that this text does not explicitly mention any specific server segment or indicate which corporate policy is being violated. The focus is on the technical process of using ArcSight tools and features for security monitoring and investigation, with a particular emphasis on shared accounts and user behavior analysis.
The main points are summarized below:
1. **Using ArcSight for Security Monitoring**: The text describes how to use ArcSight's IdentityView v2.0 dashboard to monitor shared accounts and investigate potential breaches, including accessing detailed information about events and triggering base events. This process involves using administrative privileges in the Command Center to set up notifications and understand user activity across different systems.
2. **Investigating Breaches**: The text outlines steps for investigating a breach involving shared account usage, focusing on how ArcSight tools can be used to identify the actor involved (David West from IT) through features like IdentityView. This includes navigating to notification details and accessing correlated events.
3. **Reporting and Analysis**: The document provides information on various reports within ArcSight that summarize shared account activities across different applications, networks, or departments. These reports help in understanding which accounts are used where and how often they are accessed.
4. **End of Support for IdentityView**: The text mentions the end of support for IdentityView and recommends using a different product, User Behavior Analytics, as an alternative for analyzing user behavior beyond just identity management.
5. **Demo Replay Connector Setup**: Instructions are provided for setting up a Demo Replay Connector to track login activities from a shared account (SystemUser) back to accountable users. This involves replaying event files and monitoring activity through the IdentityView application dashboard.
In conclusion, while this text does not explicitly identify any specific corporate policy violation or server segment, it provides detailed instructions on how to use ArcSight for security monitoring, investigating breaches, and analyzing user behavior in an IT environment.
Details:
The document titled "ESM/ESM Express 6.11 Use Case Demonstration Scripts" provided by Hewlett Packard Enterprise (HPE) is a confidential information package intended for evaluation purposes only. It contains details about current HPE products, sales, and service programs that are subject to change at the company's discretion. The document must be kept confidential and not shared outside the group responsible for its evaluation without written authorization from HPE.
The content of this document is provided "as-is" with no warranties or representations about the accuracy or completeness of the information contained therein. It serves as a guide for understanding and evaluating potential business relationships with HPE, but neither HPE nor its representatives assume any liability based on the use of this information. The terms and conditions governing such agreements must be mutually agreed upon in writing by authorized representatives of both parties.
In summary, this document is meant to assist in evaluating potential solutions offered by HPE for business relationships, while strictly adhering to confidentiality and evaluation-only guidelines.
The text provided is a document outline and introduction to a set of demonstration scripts for a product called "ESM/ESM Express," which appears to be part of a larger system or suite from Hewlett Packard Enterprise (HPE). The document includes several sections, each focusing on different use cases related to security, compliance, and network monitoring. Here's a summary of the main points:
1. **Overview**: This section introduces the demonstration scripts for ESM/ESM Express using ArcSight Command Center. It suggests that these scripts are meant to showcase how the product can be used in various practical scenarios related to cybersecurity and compliance.
2. **Security Use Case**: Not detailed here, but it implies a scenario where security measures or features of ESM/ESM Express are demonstrated.
3. **Compliance Use Case**: Another section that does not provide specifics on what exactly is being "used" in the context of compliance; presumably, this would involve demonstrating how the product helps with legal and regulatory requirements.
4. **NetFlow Use Cases**: This part likely involves demonstrations or use cases where NetFlow functionalities are showcased to analyze network traffic for security or performance improvements.
5. **ArcSight Activate and Marketplace**: Described but not detailed, this section is about using ArcSight Activate features (possibly integrating with Marketplace services) in the demonstration scripts.
6. **Reputation Security Monitor Plus**: Another unspecified use case where reputation security monitoring tools are employed to assess potential threats or secure online activities.
7. **Command Center**: This is likely a core feature of ESM/ESM Express, as it mentions using ArcSight Command Center for demonstrations. It suggests that the scripts will show how this tool can be used within the product ecosystem.
8. **ArcSight Marketplace**: Described but not detailed, this section hints at integrating with HPE's marketplace services or features to enhance capabilities of ESM/ESM Express.
9. **DNS Malware Analytics**: A use case involving DNS analysis for detecting malware, which is a common cybersecurity practice aimed at protecting systems from malicious software.
10. **Privileged User Monitoring Use Case (Afterhours Activity)**: Demonstrates how the product can monitor after-hours activities of privileged users to ensure security and compliance.
11. **Shared Accounts Use Case (Policy Violation)**: Shows a use case where shared accounts are monitored for policy violations, which is crucial for maintaining control over user access rights.
12. **Shared Accounts Use Case (Legacy Application)**: Demonstrates the handling of legacy applications through shared accounts to ensure compatibility while managing risks.
13. **Privileged User Monitoring Use Case (Activity Monitoring and Modeling)**: Focuses on monitoring privileged users' activities for better security posture, possibly involving advanced analytics or behavioral modeling.
Overall, this document is a roadmap for how the ESM/ESM Express product can be demonstrated with practical use cases focused on enhancing cybersecurity measures and compliance within organizations.
The document outlines a demonstration of using ESM/ESM Express for security investigations. It explains how an admin should log in, switch to dark mode, and start the demo replay connector with specific event files at 50 events per minute. The workflow includes interacting with notifications, viewing details on the dashboard, accessing active channels, generating reports, and creating cases. Key points include receiving email/SMS notifications about suspicious activity, acknowledging them through the Command Center interface, and escalating if they are not acknowledged within a specified time interval.
The article discusses a correlated event (marked by a lightning bolt in ArcSight, an analytics and visualization solution for security information and event management, SIEM) involving a locked Windows account. The focus is on understanding how specific fields within a field set can help with the investigation.
The author highlights several key points regarding the use of normalized base events:
1. **Field Set Selection**: Under 'All Field Sets/ArcSight Foundation/ArcSight Express', users can select relevant fields to focus their investigations, making it easier to analyze and understand the data when dealing with hundreds of fields in the schema.
2. **Correlated Events**: The article mentions that a correlated event appears when there are multiple login attempts to a disabled Microsoft Windows account, which is indicative of someone attempting unauthorized access. This highlights the importance of monitoring such activities for security purposes.
3. **Normalization and Categorization**: The SmartConnector automatically performs normalization by wrapping everything together in normalized base events. Furthermore, these events can be categorized into meaningful groups like 'Authentication/Verify' (Category Behavior) and '/Operating System' (Category Device Group).
4. **Benefits of Categorization**: This categorization offers several advantages:
- It simplifies understanding of the event by providing a clearer category than a specific event ID.
- It enhances content portability by abstracting away device- and vendor-specific details, so the content is less dependent on changes in event IDs across different versions of devices.
5. **Device Independence**: Categorization like 'Category Device Group = /Operating System' can trigger for events related to any operating system (Windows, Unix, Linux, etc.), thus providing a flexible framework that is not tied to particular vendors or device types.
In summary, the article stresses the importance of using normalized base events and categorization in SIEM tools like ArcSight for efficient and effective security analysis and reporting, enhancing portability and adaptability across different systems and devices without being restricted by specific event IDs or vendor changes.
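The device-independence point above (match on the normalized category fields rather than on a vendor's event ID) can be shown with a small correlation routine. This is an added example, not code from the ArcSight demo script: the field names follow ArcSight's categorization naming (categoryBehavior, categoryDeviceGroup, categoryOutcome), but the events, the disabled-account list, the threshold and the window are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed set of accounts that are disabled/locked in the directory (assumption;
# the real rule would consult an active list populated from Active Directory).
DISABLED_ACCOUNTS = {"swright"}

# Constructed normalized base events. Note that the Windows, Unix and VPN devices all
# carry different deviceEventClassId values but share the same category fields.
EVENTS = [
    {"time": "2025-04-08T09:00:01", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4625",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Failure", "destinationUserName": "swright"},
    {"time": "2025-04-08T09:00:30", "deviceProduct": "Cisco VPN",
     "deviceEventClassId": "vpn:auth-fail",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/VPN",
     "categoryOutcome": "/Failure", "destinationUserName": "swright"},
    {"time": "2025-04-08T09:01:10", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4625",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Failure", "destinationUserName": "swright"},
    {"time": "2025-04-08T09:01:45", "deviceProduct": "sshd",
     "deviceEventClassId": "sshd:failed-password",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Failure", "destinationUserName": "swright"},
    {"time": "2025-04-08T09:02:00", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4624",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Success", "destinationUserName": "swright"},
    {"time": "2025-04-08T09:02:30", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4625",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Failure", "destinationUserName": "mhedberg"},
    {"time": "2025-04-08T09:03:00", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4625",
     "categoryBehavior": "/Authentication/Verify", "categoryDeviceGroup": "/Operating System",
     "categoryOutcome": "/Failure", "destinationUserName": "mhedberg"},
]


def matches_os_auth_failure(ev):
    """Condition written against category fields only: it fires for any operating
    system (Windows, Unix, Linux ...) and ignores VPN or application devices."""
    return (ev["categoryBehavior"] == "/Authentication/Verify"
            and ev["categoryOutcome"] == "/Failure"
            and ev["categoryDeviceGroup"].startswith("/Operating System"))


def correlate(events, threshold=3, window=timedelta(minutes=5),
              disabled=DISABLED_ACCOUNTS):
    """Emit one correlated event per disabled account that receives at least
    `threshold` OS authentication failures inside a sliding `window`."""
    recent = defaultdict(deque)   # account -> matching base events in the window
    correlated, fired = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_os_auth_failure(ev):
            continue
        user = ev["destinationUserName"]
        if user not in disabled:
            continue
        now = datetime.fromisoformat(ev["time"])
        q = recent[user]
        q.append(ev)
        while q and now - datetime.fromisoformat(q[0]["time"]) > window:
            q.popleft()
        if len(q) >= threshold and user not in fired:
            fired.add(user)
            correlated.append({
                "name": "Multiple Login Attempts to Disabled Account",
                "destinationUserName": user,
                "baseEventCount": len(q),
                "devices": sorted({e["deviceProduct"] for e in q}),
            })
    return correlated


if __name__ == "__main__":
    for c in correlate(EVENTS):
        print(c)
```

The correlated event for swright aggregates two Windows 4625 base events and one sshd failure, because the condition never mentions either event ID; the Cisco VPN failure is left out by the device-group scoping, and mhedberg's failures are ignored because that account is not disabled.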
The provided text outlines a demonstration of how to interact with user activity notifications and related tools for investigating cybersecurity events. Here’s a summary of the steps and actions described:
1. **View User Activity Topology**: Users can visualize relationships between nodes representing different users, devices, or locations through interactive dashboards.
2. **Select Nodes for Detail View**: By clicking on specific nodes (e.g., Source Node "mhedberg" or Target Node "Cisco VPN | Cisco"), users can see detailed event connections and targets.
3. **Geo View Exploration**: The Geo View pane allows users to map the geographical locations of events, revealing where they occur geographically. In this case, seeing European events is concerning for a company based in California.
4. **Dynamic Dashboards**: Interactive dashboards dynamically update with new information as real-time data comes in. Users can drill down into these dashboards to get more detailed insights.
5. **Case Management**: A case was created upon notification of suspicious activity. The user locks the case and updates its stage from "Initial Queued" to "Initial", indicating an ongoing investigation, and adds a note about starting the investigation.
Overall, this process demonstrates how to use visual tools and interactive dashboards to analyze potential cybersecurity threats, track events across nodes and locations, and manage investigations efficiently.
This document outlines steps for investigating user activity using a dashboard tool called ArcSight. The goal is to analyze the network behavior of a user named swright, focusing on his remote VPN usage and potential security incidents related to failed logins and unauthorized access attempts from his assigned IP address (10.0.110.34).
The process involves:
1. Navigating to the User Activity pane and selecting swright for further investigation.
2. Creating a channel specific to swright using the target user name.
3. Pausing the active channel when customization options appear, then selecting fields related to security from the ArcSight Foundation/ArcSight Express field set.
4. Visualizing selected event fields in a chart to gain insights into the events and their connections (e.g., failed logins leading to authentication failures).
5. Creating an attacker address channel for 10.0.110.34, which reveals attempts to access malicious sites from both external sources via VPN and internal network resources post-infection.
6. Using Priority Stats to assess the severity of events based on predefined danger levels (Very Low, Low, Medium, High, Very High).
These steps are designed to identify potential security threats associated with swright's account and to trace the progression of any unauthorized activities in the corporate network.
In this scenario, an analyst is investigating potential malicious activities related to the DNS domain "dslzn11.badguy.net." The analyst opens their threat intelligence tool and selects the domain from the list in the DNS Domain column under Targets. They then add it to their Active Channel search criteria and load the channel, pausing it if needed.
Upon examining the conditions of the active channel, they note that there are several correlated events indicating dangerous browsing behaviors, including outbound communications to a malicious domain, FTP transactions using credentials (FTP_USER/FTP_PASS), and an accept event on their firewall which is indicative of potential malicious activity. This information is confirmed through both firewall logs and IDS/IPS systems like IBM ISS RealSecure.
The analyst identifies specific events in the Active Channel that are relevant to ongoing investigations, including attempts to log into a locked Windows account (swright). These events are added to an existing case which serves as the central hub for further investigation by another analyst during their shift change.
Throughout this process, the analyst utilizes integration commands within tools like ArcSight Command Center to explore IP addresses and conduct deeper analysis using third-party tools.
The text describes a workflow for using ArcSight Investigate to perform an investigation on network activities, particularly focusing on failed login attempts from a specific IP address (10.0.110.34). The process includes several steps and functionalities within the tool:
1. **Saving Searches**: You can save searches or share them with other analysts by clicking "Save As..." This allows you to easily run the search again in the future or distribute it for collaboration.
2. **Breadcrumb Navigation**: If you navigate into specific areas of your investigation and decide to return, you can use the breadcrumbs feature to review the steps and stages you've gone through without starting from scratch or managing multiple browser tabs.
3. **Active Channels Management**: You can create new Active Channels or duplicate existing ones for various investigations. This flexibility allows you to focus on different aspects of your investigation as needed.
4. **Generating Reports**: To validate findings and share them with others, generate reports:
- The first report shows failed login attempts during the specified timeframe, configured using parameters like "Failed Logins by Destination Address", "StartTime" set to one day before now, "EndTime" set to now, and format as PDF.
- A second report focuses on threat intelligence found in ESM/ESM Express, using the default parameters.
5. **Downloading Reports**: Download the generated reports and attach them to your case for further validation and sharing with stakeholders. This ensures that all findings are documented and accessible from a central location.
The workflow is designed to be efficient and effective, using ArcSight Investigate's features to support both immediate analysis and long-term record-keeping in security investigations.
The document outlines a series of actions taken in response to an incident involving dangerous browsing activities, specifically within the last 24 hours. Key steps include disabling a compromised VPN account (swright), taking an infected host offline, and performing a forensic investigation by connecting the infected host to an isolated quarantine network. Recommendations for future action involve adjusting case attributes based on the findings of the initial investigation. The process is automated through ESM/ESM Express, an integrated system designed for incident management and workflow optimization within security operations.
The document outlines steps for using the Demo Replay Connector in ArcSight to replay event files and track regulatory compliance. It involves selecting specific event files such as "demoexpress-SP1.events" and starting replay at 50 events per minute. Additionally, it mentions saving and opening resources from "/All Files/ArcNet Files," specifically ISO 11.2.1_revoke_access.jpg and Former Employee Activity Manual Review.pdf.
The document then explains the importance of revoking access when an employee leaves the organization as per ISO 11.2.1, which is a best practice in IT governance and compliance regulations. It discusses challenges with manual log reviews for former employees and how ArcSight can automate this process to alert users about potential issues, thereby streamlining compliance tracking and demonstrating adherence during audits.
The document suggests using the Command Center within ArcSight to streamline processes by automating log reviews and providing proactive alerts. This includes acknowledging notifications in the system, which is part of an automated workflow designed to improve efficiency and reduce manual errors associated with traditional review methods.
The text discusses a notification related to user account access escalation in an ISO best practice context using HPE ArcSight. It describes the process of acknowledging and responding to such notifications, including steps like clicking "Mark as Acknowledged," selecting relevant fields, and correlating events such as successful logon by a former employee (account: mhedberg). The notification directs users to view details within the system and interact with correlated events.
The dashboard provided displays compliance status according to ISO 27002 standards, specifically focusing on Section 11 which highlights the correlation event of Former Employee Account Access Attempt. ArcSight automatically updates this list based on user activity in the environment, integrating dynamically populated data from Active Directory and external text files for fast processing and real-time information access.
The documentation also mentions how to utilize reports and archived reports (like the "Archived Report: Former Employee Account Access Attempt.pdf") to verify and archive detailed account access records efficiently, saving time compared to manual review processes typically found in larger or older report volumes.
The text outlines a process for managing and presenting IT governance reports using Adobe Acrobat within an ArcSight system. It involves saving local copies of archived reports, attaching these to cases for investigation, and utilizing advanced correlation rules and case management features for enhanced security incident detection. Additionally, it highlights how ArcSight provides comprehensive automated reporting solutions, enabling better visibility into both security and compliance status within an organization.
Furthermore, the text describes a setup procedure for using ArcSight in a network monitoring scenario, including logging into the Command Center as an administrator, starting a demo replay connector with specific event files, and configuring it to replay events at a set rate. The dashboard features mentioned include visualizations of bandwidth usage by identity and country, top port and bandwidth usage broken down by well-known versus registered/dynamic ports, providing insights across devices in the environment.
The provided text discusses the usage of several dashboards and archived reports for network monitoring and security analysis in a corporate environment, specifically focusing on traffic from and to target countries, Microsoft SQL Server traffic, and detailed traffic by host.
1. **Dashboard: Top Source and Target Countries Traffic**: This dashboard allows users to visualize where traffic is coming from and going to based on country perspective. Additionally, it shows the bandwidth usage per target country.
2. **Dashboard: Microsoft SQL Server Monitoring**: Specifically configured for monitoring port 1433 traffic related to Microsoft SQL Servers. The policy states that such servers should be deployed in a designated DMZ segment (sj-arcnet-dmz). The dashboard reveals that traffic is directed towards the desktop segment (sj-arcnet-desktops), which may indicate unauthorized installations of SQL Servers within this segment.
3. **Archived Reports**:
- **Bandwidth Usage by Port**: Provides a report on the top ports using bandwidth in the environment, useful for understanding specific usage patterns.
- **Top Bandwidth Hosts**: Lists the highest bandwidth-consuming hosts, with an example showing 192.168.6.101 as having the highest traffic.
- **Detailed Traffic by Host**: Offers more granular details on the traffic of a selected host (e.g., 192.168.6.101), aiding in deeper investigation when policy compliance is questioned.
These tools are part of an overall strategy to monitor and secure network activities, ensuring adherence to corporate security policies and facilitating quick responses to potential unauthorized actions or deviations from standard configurations.
This setup involves logging into the Command Center as an admin and setting up a demo replay connector with specific event files and a playback speed of 50 events per minute. It then opens several Active Channels, including ArcSight Activate, for monitoring and review. Additionally, it directs opening various sites in web browsers, such as the ArcSight Marketplace and specific documentation pages about different Activate packages, to understand their capabilities and benefits better. This setup is meant to demonstrate how HPE products can be used effectively through these platforms and tools.
Activate is a modular content development methodology and collection of reusable components designed to quickly deploy and develop actionable use cases. It allows users to implement and customize packaged use cases without reinventing the wheel while empowering them to create their own use cases using a library of reusable components, standardized deployment tactics, methodology, and defined best practices.
Activate organizes its packages by type:
- The Activate Base package provides resources like filters, global variables, or active lists that are used across other packages.
- Level 1 (L1) Activate packages consume indicators from multiple or different event sources, normalize this information to ensure consistency within the Activate Framework, and may also enrich events with device-specific data.
- Level 2 (L2) Situational Awareness Packages contextualize events with information from various internal ArcSight models, including the network model, asset model, actor model, threat intelligence model, etc.
- Product packages are specific to a range of releases or versions and generally contain L1 content, sometimes including FlexConnectors or Parser overrides.
Activate's comprehensive framework and ever-growing list of packages allow new ArcSight implementations to deliver value quickly while providing more mature sites with a methodology for continuous adaptation and improvement.
The text provided outlines the security content and resources available through the ArcSight Marketplace, focusing on ArcSight Activate. This platform offers a wide range of L1 and L2 packages for various technologies such as perimeter and network monitoring, application monitoring, physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring. The L1 packages are designed to detect and report potentially malicious activities, while the L2 packages provide additional context and situational awareness.
The Marketplace includes a variety of resources like best practices, guidelines, use cases, utilities, tools, and partner integrations that support multiple vendors and products. ArcSight Activate is modular and can easily expand its support for additional products and vendors by adjusting filters. This flexibility allows the system to integrate with devices supported by ArcSight SmartConnectors, FlexConnectors developed in-house, or those integrated with ArcSight through the Security Technology Alliances Partner Program.
To find relevant content on malware monitoring, users can search the Marketplace specifically for "malware." They will then be able to access L1 and L2 packages related to this topic, indicating that there is comprehensive coverage of potential malicious activities within the platform's offerings.
McAfee ePO VirusScan, being used as the antivirus vendor and product, is deployed for virus scanning. ArcSight Activate offers content addressing various use cases along with documentation and best practices to support this content. For L1 Malware Monitoring, the package supports specific log sources, is modular and extensible, supporting not only the deployed products but additional devices by editing filters. Thresholds can be modified in Extensibility for L2 Malware Monitoring to customize the content to the environment, providing more context with Network and Asset Model integration to prioritize responses based on asset criticality.
The text provided discusses a system for security monitoring using a product called Activate, which is part of HPE's ArcSight solution. This system involves several components designed to monitor malware and other potential threats across various networks.
Activate is described as modular, allowing its use cases to span multiple security monitoring applications. For instance, the McAfee ePO VirusScan package not only monitors for malware but also handles entity monitoring. A test plan linked from the page provides guidelines for implementing this use case, including specific test events to ensure proper functionality.
The system includes Level 1 and Level 2 Malware Monitoring packages as well as the McAfee ePO VirusScan product package. The main channel within Activate shows all correlated events related to its use cases, allowing incidents to be triaged for further investigation by analysts with relevant subject matter expertise.
Additionally, there's a personal investigating channel tailored to individual analysts based on their login credentials, which automatically filters content according to the assigned tasks. In a demo scenario presented in the text, this would simulate how a SOC manager might triage incidents and assign them to analysts, while also simulating what an analyst like Steve might see when logged into his own personalized channel.
The summary highlights key elements from the provided text, focusing on the active channel's investigation into malware activity detected by Activate. Here’s a breakdown of the main points:
1. **Malware Detection and Activity**: The Active Channel discovered malware activities involving multiple instances of SQLSlammer worm (W32/SQLSlammer.worm) affecting assets in the DMZ, specifically the IP address 172.17.1.1.
2. **Product Involvement**: This malware detection was facilitated by the McAfee ePO VirusScan product, which is part of the Level 1 Malware Monitoring package. The content within this package is vendor agnostic, meaning it can be applicable to any antivirus solution beyond just McAfee.
3. **Incident Triage and Analysis**: As a SOC manager, the summary suggests that the malware incident has been triaged for further analysis. Annotation in the Extended Security Model (ESM) has been used to assign this event to Level 1 analyst Steve, indicating a structured workflow for handling security incidents.
4. **Annotation as a Tool**: Annotations are mentioned as a light-weight workflow tool within ESM that helps track and escalate events through the workflow process. These annotations can be utilized in various ways according to the setup of an organization’s workflow environment, serving as a flexible means for incident management.
Overall, this summary underscores the importance of automated malware detection tools like Activate (presumably integrated with McAfee ePO VirusScan), their ability to identify and act upon threats across different systems in a DMZ configuration, along with the role of structured workflow tools such as annotations in handling detected incidents effectively.
The passage discusses using a system called ESM (Event, Situation, and Mission Management) to manage events in an organization's security operations center (SOC). The process involves assigning specific stages of investigation to analysts based on the nature of the event.
Firstly, it explains that Level 1 Investigating Stages are collaborative workflow steps used by SOC personnel to investigate events. These can be customized according to the organization's needs and involve various stages that help in managing investigations effectively. The process starts with defining a structure for assigning these levels to individual analysts or teams.
The passage then details how an event, once defined as Level 1 Investigating, is assigned to a specific analyst named Steve. This action moves the correlated event from the main channel to Steve's personal investigating channel, where he can continue the investigation independently. The system allows for annotations on events, which can be used to track various metrics such as cases by status, monthly cases by severity, and more.
Lastly, the passage explains how to use an annotation feature in ESM that allows analysts like Steve to add comments about their investigations directly into event details. This helps in organizing information and ensures a clear record of actions taken during the investigation process. The example provided is closing an annotated event after reviewing it, which removes it from the personal investigating channel back to the main channel but keeps all annotations for future reference or reporting purposes.
The summary is about a malware outbreak in an organization where the malicious software (W32/SQLSlammer.worm) infected multiple times on a DMZ host with IP address 172.17.1.1. Steps taken to handle this included updating antivirus definitions, removing the malware through full scans, and confirming that the system was clean. The organization then switched to using ArcSight Activate for level 2 malware monitoring. This tool includes dashboards displaying data on malware infection rates within the network over time, leveraging the Network and Asset Model. Benefits of using ArcSight Activate include easy deployment of pre-packaged use cases, extensibility for similar requirements, a vast library available for reuse between different use cases, enforced best practices, standardization in content development, sharing among clients and HPE Professional Services, faster learning curves for new developers, and separation of testing processes.
The provided text is a summary of a report or documentation related to cybersecurity and threat intelligence monitoring tools like ArcSight. It focuses on demonstrating how to use the Reputation Security Monitor (RepSM) tool for detecting malware infections, zero-day attacks, and dangerous browsing activities within a network. Key points include:
1. **Dashboard Overview**: The dashboard shows two main sections - one for domain names and another for IP addresses, both stripped down for demonstration purposes but reflecting the full versions' complexity with hundreds to millions of entries in real scenarios.
2. **Reputation Scores**: Scores range from 0 to 100; the higher the score, the greater the confidence that the entity is malicious. Scores below 40 are undesirable but not necessarily malicious, and scores below 20 pose minimal or no threat. A score of 0 marks an entity as a candidate for malicious activity that has not yet been confirmed; such entries are kept in the database because they may become a threat later.
3. **Default Handling**: By default, entities with a score of 0 are ignored by the RepSM use cases, since an unconfirmed candidate does not by itself indicate a threat.
4. **Use Case Demonstration**: The demonstration script outlines how to investigate internal assets potentially infected by malware or engaged in dangerous online activities by looking at the dashboard's internal infected assets panel and right-clicking on specific IP addresses for further details.
This summary highlights the practical application of using a security tool to identify and respond to potential cyber threats, illustrating how to use key features like reputation scores and investigating suspected malicious activities through the software's interface.
The document outlines a potential security issue involving an internal botnet infection among Mac users within the organization's network, identified as the Flashback Trojan. The investigation combines RepSM data in ArcSight with an external source (a web search) and proceeds in several steps:
1. **Initial Search**: Through Google search results, it is determined that mystreamvideo.rr.nu is associated with malicious activity likely due to the Flashback Trojan. This information suggests a potential risk in the internal network.
2. **Investigation Tools**: The document provides step-by-step instructions for using internal tools and external data sources (like Google search) to confirm the infection and understand its scope.
3. **Isolation of Infected Assets**: Identify infected assets such as 'macmini' among the Mac users. This is crucial for further action like quarantining or removing these devices from the network.
4. **Active Channel Setup**: To monitor the malicious activity, an Active Channel is set up in ArcSight to track events and communications related to the infection across the network. This channel helps in monitoring potential risks and attacks.
5. **Data Normalization and Risk Assessment**: The SmartConnector collects data about the risk level of specific events as reported by various sources within the organization. This data is normalized into a standard scale (Very Low, Low, Medium, High, Very High) to aid in decision-making regarding potential threats.
6. **Detailed Event Inspection**: Specific details from the infected event involving 'mystreamvideo.rr.nu' are inspected, including its location and communication ports used. This detailed view helps in understanding the nature of the attack and planning appropriate countermeasures.
7. **Use Case Demonstration Scripts**: The document provides a scripted approach for users to follow when dealing with infected assets, detailing how to refine Active Channels and access detailed event information.
Overall, this document outlines a systematic approach to identify, isolate, and understand the severity of an internal infection using available network monitoring tools and data sources.
ArcSight Foundation/ArcSight Express is a software tool used for event management, where users can visualize events by selecting specific fields such as Name, Target Host Name, and Target Address. The process involves loading an active channel with selected events related to 'macmini' and 'mystreamvideo.rr.nu', pausing the channel, and then viewing conditions summary filters. To enhance visualization, one can click on a target host name from the event list.
In this tool, users can generate reports which include: "Currently Infected Assets and Recorded Interactions with Malicious Entities" and "Interactions with Malicious Entities During the Last 24 Hours." These reports are accessible through a predefined path under 'All Archived Reports.'
For advanced investigations using ArcSight Foundation/ArcSight Express, users can access the Command Center. To set it up for demonstration:
1. Log in as an admin.
2. Replay event files including IdentityView_v2.0.events and NetFlow_IdentityView_v2.0.events at a speed of 50 events per minute. This setup will automatically generate Notifications and Cases if the IdentityView_v2.0.events file is replayed, providing an opportunity to discuss incident lifecycle management with analysts and managers using the Command Center for investigations and understanding network activities.
To address the user's complaint about their network running slowly and to investigate potential issues, the Command Center provides a suite of tools including dashboards for visualization and detailed event searches. The first step involves navigating to a dashboard that shows top port and bandwidth usage in the environment. In this case, the specific focus is on port 1433 which is used by Microsoft SQL Server.
The user can interact with the Command Center interface by hovering over dashboards, clicking on Navigator tools, and exploring detailed information through Event Search. To start a focused search for NetFlow events related to network issues, they enter a search term such as "netflow" with a time frame set to last two hours. This search returns all relevant events containing the term netflow, displaying event details in the Command Center interface where the search term is highlighted.
The user can further analyze these events by clicking on specific bars in the histogram view of the command center, which provides a drill-down into events within particular time periods. For more extensive analysis or additional filtering options, they can perform an Advanced Search, retrieving all Cisco NetFlow events and allowing for deeper investigation tailored to pinpoint network issues contributing to the slow running of the network.
The next task narrows the NetFlow search down to Microsoft SQL Server traffic (destination port 1433) using the Command Center's Advanced Search. Step by step:
1. **Accessing Advanced Search**: Open Advanced Search, which builds a query from multiple nested conditions.
2. **Adding Logical Conditions**: Logical operators (AND, OR, NOT) can be nested to narrow results. Click the operator (here, AND) under which the next condition should sit, then start typing the field name (for example "destination port") in the Name box and wait for the matching fields to appear.
3. **Selecting Specific Field and Setting Condition**: Select the destination port field, set the operator to equals (=), and enter 1433. This completes a condition that keeps only traffic to port 1433.
4. **Running the Search**: Click "Go!" to run the query. The results list only traffic to port 1433, including destination addresses and the other fields relevant to SQL Server communication.
5. **Viewing Event Details**: Expand any event in the list to inspect its individual fields, such as timestamps and source addresses.
6. **Customizing Fieldset**: To make the results easier to read, choose "Customize fieldset", add the destination address and destination port fields to the predefined set, arrange them, and click OK.
7. **Top Talkers Analysis**: Finally, refine the query in the search box to identify the hosts generating the most traffic on port 1433, using the search operators described in the next section (the text's example query starts with the keyword "netflow").
By following these steps, one can filter and analyze a specific traffic type (here, SQL Server traffic on port 1433) and gain insight into network activity that would be hard to extract from raw flow records.
The text provides a guide on how to visualize and analyze network data using search operators within an ESM system. Here's a summary of the key points:
1. **Search Query Customization**: By adding `| top sourceAddress` or `| top 5 sourceAddress` at the end of your query, you can customize the display to show the top sources or the top 5 sources respectively.
2. **Chart Settings and Visualization**: You can change the visualization type from the default bar chart to pie chart, line chart, area chart, stacked column, or stacked bar by clicking on Chart Type in Chart Settings. The number of displayed events can be customized as well.
3. **Interpreting Charts**: When viewing a pie chart, hovering over a slice provides details such as IP address, event count, and percentage contribution. You can drill down into specific IP addresses within the pie chart to refine your search further.
4. **Finding Bottom Talkers**: To find the least frequent sources on port 1433, use `netflow AND destinationPort = 1433 | rare sourceAddress`. This shows the rarest sources as a bar or line chart; as with `top`, the number of results displayed can be adjusted in the chart settings.
5. **Generating Reports**: You can run reports to document network activities like bandwidth usage per port. The report path provided is `/All Reports/ArcNet Reports/NetFlow`.
6. **Adobe PDF Integration**: Once you have a report, the text suggests opening it in Adobe Reader or another compatible viewer to share or save as needed.
This guide provides step-by-step instructions on how to effectively use search operators and generate reports within the network monitoring tool for better analysis of your network data.
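To make the search syntax in the steps above concrete, here is an added example written for this page (it is not code from the demo script or from ArcSight) that evaluates the same `netflow AND destinationPort = 1433 | top 5 sourceAddress` and `| rare sourceAddress` queries over a handful of constructed NetFlow-style events. The field names follow ESM's, the events are made up, and the evaluator supports only the subset of the syntax the text uses: keyword terms, `field = value` and `field != value` conditions joined by AND, a NOT prefix, and a `top`/`rare` pipe with an optional count.

```python
"""Added example, not ArcSight code: a minimal evaluator for the Command
Center search syntax shown in the text, e.g.
    netflow AND destinationPort = 1433 | top 5 sourceAddress
    netflow AND destinationPort = 1433 | rare sourceAddress
Field names mirror ESM's; the events are constructed, not real data."""
import re
from collections import Counter

# Constructed sample events. "raw" stands in for the text a keyword term is
# matched against; the other keys are normalized ESM fields.
EVENTS = [
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.5", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.5", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.5", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.7", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.7", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.9", "destinationAddress": "10.0.1.10", "destinationPort": 1433},
    {"raw": "Cisco netflow", "sourceAddress": "10.0.0.9", "destinationAddress": "10.0.1.20", "destinationPort": 443},
    {"raw": "Microsoft Windows logon", "sourceAddress": "10.0.0.5", "destinationAddress": "10.0.1.30", "destinationPort": 445},
]

# A single "field op value" condition; anything else is a keyword term.
COND = re.compile(r"^\s*(\w+)\s*(=|!=)\s*(\S+)\s*$")


def _match_term(event, term):
    """Evaluate one term: 'field = value', 'field != value', or a keyword."""
    m = COND.match(term)
    if m:
        field, op, value = m.groups()
        actual = str(event.get(field, ""))
        return (actual == value) if op == "=" else (actual != value)
    # Keyword search: case-insensitive substring match on the raw event text.
    return term.strip().lower() in event["raw"].lower()


def _match(event, where):
    """Top-level AND of terms; a 'NOT ' prefix negates a single term."""
    for term in re.split(r"\s+AND\s+", where.strip()):
        negated = term.startswith("NOT ")
        if negated:
            term = term[4:]
        if _match_term(event, term) == negated:
            return False
    return True


def run_query(query, events=EVENTS):
    """Run 'WHERE' or 'WHERE | top [N] field' / 'WHERE | rare [N] field'.

    Without a pipe, returns the matching events. With a pipe, returns
    [(value, count), ...] ranked most-common-first (top) or least-common-first
    (rare), limited to N entries when a count is given."""
    where, _, pipe = query.partition("|")
    hits = [e for e in events if _match(e, where)]
    if not pipe.strip():
        return hits
    parts = pipe.split()
    op, field = parts[0], parts[-1]
    limit = int(parts[1]) if len(parts) == 3 else None
    counts = Counter(str(e.get(field, "")) for e in hits)
    if op == "top":
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    elif op == "rare":
        ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    else:
        raise ValueError(f"unsupported pipe operator: {op}")
    return ranked[:limit] if limit else ranked


if __name__ == "__main__":
    print(run_query("netflow AND destinationPort = 1433 | top 5 sourceAddress"))
    print(run_query("netflow AND destinationPort = 1433 | rare sourceAddress"))
```

The keyword term is what gives the `netflow` prefix its effect: it restricts the result set to flow records before the `destinationPort = 1433` condition is applied, so a Windows logon from the same source address does not count toward the top talkers.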
The provided text discusses a demonstration of the visualization capabilities of the Command Center. It focuses on two dashboards: a geographic event graph and an hourly count of activity in the environment.
1. Geographic Event Graph Dashboard: This dashboard uses SmartConnectors to enhance and enrich data from devices, systems, and applications, providing insights into the origin and destination of attacks and threats geographically. Features include highlighting nodes to display detailed location information, showing country, region, latitude, and longitude for a physical perspective, and zone name details such as network type (DMZ or internal).
2. Hourly Counts Dashboard: This dashboard visualizes the amount of activity in the environment over time, based on normalized event priority. Users can interact by selecting specific slices of time to see the number of events recorded during that period. Additionally, there's an option to unselect very low and low-priority events for a clearer view of higher priority activities.
Overall, these dashboards provide visual insights into network activity and security events, allowing users to analyze data more effectively and prioritize actions based on the significance of the events displayed.
The text provided is a summary of features related to event management systems (ESM) within HPE products, specifically highlighting capabilities in visualizing data through dashboards and accessing external security resources via ArcSight Marketplace. Here's an overview based on the information given:
1. **ESM Visualization Capabilities**: In ESM tools like HPE's solution, users can interact with a dashboard to customize event displays. By clicking names in the legend at the bottom, you can unselect any events that are not of interest (e.g., Very Low and Low priorities). The system allows for changing visual representations of this data from bar graphs to pie charts, enhancing user-friendly interaction and analysis capabilities.
2. **ArcSight Marketplace Access**: This feature provides a platform for security professionals to access external resources including:
Security packages for sharing and downloading.
Use case demonstration scripts for practical application of security measures in real scenarios.
A marketplace where you can find product documentation, best practices, use cases, guides, and content related to monitoring IDS (Intrusion Detection System) and IPS (Intrusion Prevention Systems).
3. **Demo Replay Connector Setup**: This involves setting up a demo replay for ArcSight ESM by selecting specific event files and starting the replaying process at a set rate (50 events per minute). The purpose is to simulate real-world scenarios effectively, aiding in training and scenario analysis without disrupting production environments.
4. **Marketplace Navigation**: Once logged into ArcSight Marketplace as an admin, users can navigate through various sections including:
Legacy Packages for older security product support.
Activate Device Packages that integrate with the ESM solution to enhance its functionality.
Utilities and Tools section offers additional software tools that aid in managing and securing IT environments based on ArcSight's offerings.
In summary, these functionalities demonstrate HPE’s commitment to providing robust security solutions through integrated modules like ESM, which not only simplifies event management but also expands the capabilities through external resources available via ArcSight Marketplace.
In this process, you start by typing "ids" into the Marketplace search box to locate the IDS IPS Monitoring Package. You then download it and install it into your ArcSight environment (in the demo it is already deployed). Once installed, you access its resources, which include a dashboard, an Active Channel, and reports together with supporting filters, field sets, queries, and data monitors. The Event Sources panel confirms that this content is driven by network IDS/IPS devices.
Switching to the Command Center tab, you find a dashboard that visually represents the activity on your IDS and IPS devices. This includes visual representations of top attackers, targets, and alerts with counts. You can drill down into event details using an Active Channel for more information. To analyze further, you look at default reports included in the package, which automatically update based on recent events.
The text discusses a demonstration of DNS Malware Analytics (DMA) content obtained from the ArcSight Marketplace. The setup involves logging into the Command Center as an admin, selecting event files such as DMA_DNS.events, and replaying them at 50 events per second through the Demo Replay Connector. The content is used to analyze DNS traffic and identify malware-infected systems.
The demonstration highlights that DNS Malware Analytics is a scalable solution that can run standalone or integrate with a SOC that uses ESM/ESM Express as its SIEM. The system consists of two main components: the on-premise DNS Capture Module, which captures DNS traffic from internal servers, and the cloud-based DNS Analytics module, which analyzes the events sent by the Capture Module. Together they identify infected systems and send alerts to the SIEM or another alert handler for further action.
The analytics are designed to not only detect malware but also enhance SIEM capabilities by providing additional insights through analytics, allowing for more efficient system management and threat detection.
This passage outlines how DNS Malware Analytics integrates with ESM/ESM Express for alert correlation. DMA sends its alerts in CEF (Common Event Format), so ESM can correlate them with other data sources and act on the alert information.
The passage then describes a user interface within the system where users can access various analytics and reports:
A dashboard provides an overview of activities in a DNS Malware Analytics environment, displaying interesting metrics such as top DMA Analytics Events, Bad Clients Querying Random NX Domains, and Bad Clients Querying Many Distinct BL Domains.
Users can drill into the details of events through the Active Channel, which offers detailed information including normalized fields and categorized fields.
The system supports viewing event details by clicking on any event in the Active Channel.
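As an added example (written for this page; it is not DMA's or ArcSight's code), here are two of the dashboard's detections, "Bad Clients Querying Random NX Domains" and "Bad Clients Querying Many Distinct BL Domains", implemented over constructed DNS query logs. The log lines, the blocklist, the minimum counts and the entropy threshold used to call a name "random" are all assumptions for illustration.

```python
"""Added example, not DMA/ArcSight code: two DNS detections over constructed
query logs. A client that gets many NXDOMAIN answers for high-entropy names
looks like a DGA bot; a client that resolves many distinct blocklisted names
looks like a host talking to known-bad infrastructure."""
import math
from collections import Counter, defaultdict

# Constructed DNS log: "<client> <queried name> <response code>". Not real data.
DNS_LOG = """\
10.1.1.5 www.example.com NOERROR
10.1.1.5 wwww.example.com NXDOMAIN
10.1.1.5 mystreamvideo.rr.nu NOERROR
10.1.1.9 kq3zx8vwp2.info NXDOMAIN
10.1.1.9 d9ab27ztq1.com NXDOMAIN
10.1.1.9 x7r4mnvp0q.net NXDOMAIN
10.1.1.9 www.example.com NOERROR
10.1.1.7 mystreamvideo.rr.nu NOERROR
10.1.1.7 mystreamvideo.rr.nu NOERROR
10.1.1.7 c2.example NOERROR
10.1.1.7 bad-cdn.example NOERROR
10.1.1.12 p0q9w8e7r6.org NXDOMAIN
"""

# Assumed blocklist ("BL domains" in the dashboard). mystreamvideo.rr.nu is the
# name the page discusses; the other two are made up.
BLOCKLIST = {"mystreamvideo.rr.nu", "bad-cdn.example", "c2.example"}


def parse_dns_log(text):
    """Return [(client, qname, rcode), ...] with names lower-cased."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        records.append((client, qname.lower().rstrip("."), rcode))
    return records


def shannon_entropy(s):
    """Bits per character; a 10-character label of distinct characters is ~3.32."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_nx_clients(records, min_hits=3, min_entropy=3.0, min_len=8):
    """Clients with >= min_hits NXDOMAIN answers for random-looking first labels.

    A typo such as 'wwww.example.com' also yields NXDOMAIN, but its label is
    short and low-entropy, so it does not count."""
    hits = Counter()
    for client, qname, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}


def bl_fanout_clients(records, blocklist=BLOCKLIST, min_distinct=2):
    """Clients that queried >= min_distinct *distinct* blocklisted names.

    Repeated queries for one name count once, so a single accidental hit on
    a blocklisted domain does not trip the detection."""
    seen = defaultdict(set)
    for client, qname, _rcode in records:
        if qname in blocklist:
            seen[client].add(qname)
    return {c: len(names) for c, names in seen.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("random NX clients:", random_nx_clients(recs))
    print("blocklist fan-out clients:", bl_fanout_clients(recs))
```

Both functions return per-client counts rather than booleans, so the same output can feed a dashboard panel (top clients by count) or a threshold rule in the SIEM.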
Lastly, the passage introduces a use case demonstrating Privileged User Monitoring (after-hours activity) using IdentityView. IdentityView is still supported but nearing end of sale; new deals should instead be sold as the separate User Behavior Analytics product. The setup for this use case involves logging into the Command Center as an admin, acknowledging any existing notifications, deleting cases, and setting up a Demo Replay Connector to replay event files at 50 events per minute initially, adjusting the rate as needed.
The summary focuses on how ArcSight ESM and IdentityView enhance event handling by integrating user context information from directories or identity management systems. These tools create an Actor model, which is a representation of all users within the system, providing a better understanding of who's using the network and what they're doing through various dashboards like the "Actor Overview."
This dashboard offers general statistics about the Actor model, such as the total number of Actors (identities) and how many unique account IDs are associated with these identities. The average number of accounts per user ranges between 3 to 4 across the system, highlighting the complexity in identifying users' activities on the network due to multiple identification methods across different systems or applications.
Additionally, the dashboard breaks down various attributes captured for each Actor, including their status (active vs. disabled), which can be used in correlation rules to improve event handling and understanding of user activity within the system.
The provided text describes how IdentityView monitors activity from disabled accounts in Active Directory (AD). When an employee leaves, their AD account is normally disabled; any later network activity from an account belonging to a former employee is therefore suspicious and can be flagged, since a disabled account should generate no activity at all.
The text further explains that the dashboard in IdentityView provides information on group membership and roles within the organization, with specific focus on organizational units (OU). It notes that Information Technology has the largest number of users followed by Marketing, indicating significant presence in both departments. The system also allows for assessing compliance with least-privileged access policies as having too many groups or members can complicate control over user privileges.
The text concludes by discussing how IdentityView aids in understanding and managing AD group membership to support organizational policy requirements and improve security practices.
The passage discusses an access policy: only data center operations staff and tier 3 administrators are permitted in the company's data centers off-hours, and anyone else badging in after hours creates a compliance issue, a potential insider threat, or evidence of a misconfigured badge reader. To address this, the author suggests having ArcSight notify them immediately when such access occurs. When a notification is received, they open it in ArcSight and mark it as acknowledged, which stops the escalation notifications that would otherwise go to higher management.
This text discusses a correlated event in an IT security context where Mario Rossi, not affiliated with data center operations or having administrative rights, accessed the server room after hours using an employee badge. The notification is triggered by a single badge-in event but involves three components for correlation: the badge event itself, the role of the user (Mario Rossi), and the time of day.
The ArcSight system performs identity correlation to translate the cryptic user name from the base event into an identifiable Actor model using the Actor Field Set. This process helps in understanding who Mario Rossi is and why he should not be accessing the server room during non-business hours, as it would typically be restricted for unauthorized personnel. The notification includes details such as the badge event, user role, and time of access, making it a comprehensive alert to help manage security risks effectively.
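The two correlations described above (activity from a disabled account, and an after-hours badge-in by someone who is neither in data center operations nor a tier 3 administrator) both depend on the same step: resolving the raw account ID in the base event to an actor with department, roles and status. Here is an added example of both rules over a constructed actor model (example code written for this page, not ArcSight's rule engine or IdentityView). The actors, badge IDs, business hours (07:00 to 19:00) and event times are assumptions for illustration; Mario Rossi's department and the authorized roles are taken from the text.

```python
"""Added example, not ArcSight code: two actor-enriched correlation rules.
Each base event carries only an account ID (a badge number or a Windows
account); the rules look the ID up in an Actor-model-style directory and
decide on department, role, status and time of day."""
from datetime import datetime

# Constructed Actor model (IdentityView-style). One actor, several account IDs.
ACTORS = [
    {"fullName": "Mario Rossi", "department": "Marketing", "status": "active",
     "roles": set(), "accounts": {"ARCNET.COM\\MROSSI", "MARIOR", "BADGE-1042"}},
    {"fullName": "Dana Lee", "department": "Data Center Operations", "status": "active",
     "roles": {"Tier 3 Administrator"}, "accounts": {"ARCNET.COM\\DLEE", "BADGE-2001"}},
    {"fullName": "Pat Former", "department": "Finance", "status": "disabled",
     "roles": set(), "accounts": {"ARCNET.COM\\PFORMER"}},
]
# Account ID (case-folded) -> actor record.
ACCOUNT_INDEX = {acct.upper(): actor for actor in ACTORS for acct in actor["accounts"]}

# Constructed base events. Badge events carry only the badge ID.
EVENTS = [
    {"id": "b1", "t": "2025-04-08 02:15", "type": "badge_in", "location": "Server Room", "user": "BADGE-1042"},
    {"id": "b2", "t": "2025-04-08 02:30", "type": "badge_in", "location": "Server Room", "user": "BADGE-2001"},
    {"id": "b3", "t": "2025-04-08 14:00", "type": "badge_in", "location": "Server Room", "user": "BADGE-1042"},
    {"id": "b4", "t": "2025-04-08 03:00", "type": "badge_in", "location": "Server Room", "user": "BADGE-9999"},
    {"id": "w1", "t": "2025-04-08 09:05", "type": "windows_logon", "user": "ARCNET.COM\\PFORMER"},
    {"id": "w2", "t": "2025-04-08 09:06", "type": "windows_logon", "user": "ARCNET.COM\\MROSSI"},
]

BUSINESS_HOURS = (7, 19)          # assumed: 07:00 <= hour < 19:00 is normal
AUTHORISED_DEPARTMENT = "Data Center Operations"
AUTHORISED_ROLE = "Tier 3 Administrator"


def resolve_actor(event):
    """Identity correlation: map the event's raw account ID to an actor, or None."""
    return ACCOUNT_INDEX.get(event["user"].upper())


def is_after_hours(ts):
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def rule_after_hours_data_center(events):
    """Badge-in to the server room, outside business hours, by an actor who is
    neither in data center operations nor a tier 3 administrator.
    An unresolvable badge ID after hours is also raised: it is either a
    misconfigured reader or a badge that is not in the directory."""
    alerts = []
    for e in events:
        if e["type"] != "badge_in" or e["location"] != "Server Room" or not is_after_hours(e["t"]):
            continue
        actor = resolve_actor(e)
        if actor is None:
            alerts.append({"event": e["id"], "actor": None,
                           "reason": "after-hours badge-in by unresolved account"})
            continue
        authorised = (actor["department"] == AUTHORISED_DEPARTMENT
                      or AUTHORISED_ROLE in actor["roles"])
        if not authorised:
            alerts.append({"event": e["id"], "actor": actor["fullName"],
                           "reason": f"after-hours data center access by {actor['department']}"})
    return alerts


def rule_disabled_account_activity(events):
    """Any event whose account resolves to an actor whose status is 'disabled'."""
    alerts = []
    for e in events:
        actor = resolve_actor(e)
        if actor is not None and actor["status"] == "disabled":
            alerts.append({"event": e["id"], "actor": actor["fullName"],
                           "reason": "activity from disabled account"})
    return alerts


if __name__ == "__main__":
    for alert in rule_after_hours_data_center(EVENTS) + rule_disabled_account_activity(EVENTS):
        print(alert)
```

Note that the daytime badge-in by the same Marketing employee (event b3) produces nothing: the rule fires on the combination of badge event, role and time of day, which is the three-part correlation the text describes.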
The passage describes a situation where an employee from the Marketing department accessed a data center during non-business hours, raising security concerns. To investigate this incident, the user accesses ArcSight case management tools to review events, attributes, and active channels related to the unauthorized access by Mario Rossi. By leveraging IdentityView within the Active Channels feature of ArcSight, the user can efficiently gather all relevant activities conducted by Mario Rossi across the network, including systems accessed and timestamps. This approach significantly simplifies the investigation process compared to manual tracking methods typically required for such incidents.
In this scenario, we observe a series of Cisco NetFlow events where certain details such as the user name field are absent. Through session correlation, it becomes evident that despite missing user names, specific activities can be attributed to Mario Rossi based on other contextual clues like the IP address and account information associated with his desktop workstation and subsequent Unix machine sessions.
Mario Rossi logs into his desktop workstation (DESKTOP3) using the account ARCNET.COM\MROSSI during a Microsoft Windows login event. He then opens a session to a Unix machine, printserver01, using a different account, MARIOR. The correlation of these events through session information confirms that all activities are indeed linked back to Mario Rossi.
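Here is an added example of the session correlation just described, written for this page (it is not ArcSight's or IdentityView's implementation). Logon events open a session on the host's address and logoff events close it; a NetFlow or proxy event that carries no user name is attributed to whichever actor owned an open session on its source address at that time. The event sequence, addresses and times are constructed; the account-to-actor map stands in for the Actor model. As a generalization of the text's case, a logon whose account is unknown to the directory inherits the actor of the session it came from (the `src` address), so a hop to a local account would still be attributed.

```python
"""Added example, not ArcSight code: session correlation that attributes
user-less events (NetFlow, proxy) to a person via the logon session active on
the source address. Events and the account map are constructed."""
from datetime import datetime

# Stand-in for the Actor model: several account IDs map to one person.
ACCOUNT_TO_ACTOR = {
    "ARCNET.COM\\MROSSI": "Mario Rossi",
    "MARIOR": "Mario Rossi",
    "ARCNET.COM\\JDOE": "Jane Doe",
}

# Constructed events. "ip" is the address of the host being logged on to;
# "src" is the address the traffic came from. e3, e4, e5, e7 carry no user.
EVENTS = [
    {"id": "e1", "t": "2025-04-08 09:00", "type": "windows_logon", "host": "DESKTOP3",
     "ip": "10.0.0.5", "user": "ARCNET.COM\\MROSSI"},
    {"id": "e2", "t": "2025-04-08 09:10", "type": "ssh_logon", "host": "printserver01",
     "ip": "10.0.2.15", "src": "10.0.0.5", "user": "MARIOR"},
    {"id": "e3", "t": "2025-04-08 09:15", "type": "netflow", "src": "10.0.2.15",
     "dst": "203.0.113.10", "dport": 443},
    {"id": "e4", "t": "2025-04-08 09:20", "type": "proxy", "src": "10.0.2.15",
     "url": "http://careerbuilder.com/", "action": "blocked"},
    {"id": "e5", "t": "2025-04-08 09:30", "type": "netflow", "src": "10.0.0.8",
     "dst": "203.0.113.10", "dport": 443},
    {"id": "e6", "t": "2025-04-08 10:00", "type": "ssh_logoff", "host": "printserver01",
     "ip": "10.0.2.15", "user": "MARIOR"},
    {"id": "e7", "t": "2025-04-08 10:05", "type": "proxy", "src": "10.0.2.15",
     "url": "http://monster.com/", "action": "blocked"},
]

LOGON = {"windows_logon", "ssh_logon"}
LOGOFF = {"windows_logoff", "ssh_logoff"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def actor_for_ip(sessions, ip, when):
    """Actor owning a session on `ip` that is open at `when`, else None."""
    for session in sessions.get(ip, []):
        if session["start"] <= when and (session["end"] is None or when < session["end"]):
            return session["actor"]
    return None


def attribute(events, account_map=ACCOUNT_TO_ACTOR):
    """Return {event id: actor or None}, processing events in time order.

    Attribution order: the event's own account (if any) via the account map,
    then the open session on the event's source address."""
    sessions = {}   # host address -> list of {"start", "end", "actor"}
    result = {}
    for e in sorted(events, key=lambda ev: _ts(ev["t"])):
        when = _ts(e["t"])
        actor = account_map.get(e.get("user", "").upper())
        if actor is None and "src" in e:
            actor = actor_for_ip(sessions, e["src"], when)
        if e["type"] in LOGON:
            sessions.setdefault(e["ip"], []).append({"start": when, "end": None, "actor": actor})
        elif e["type"] in LOGOFF:
            for session in sessions.get(e["ip"], []):
                if session["end"] is None and session["actor"] == actor:
                    session["end"] = when
        result[e["id"]] = actor
    return result


if __name__ == "__main__":
    for event_id, actor in attribute(EVENTS).items():
        print(event_id, "->", actor)
```

The two negative cases matter as much as the positive ones: traffic from 10.0.0.8 has no session behind it and stays unattributed rather than being guessed, and the proxy event after the SSH logoff is not charged to Mario Rossi because his session on printserver01 had already closed.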
Further investigation reveals potentially suspicious network and web browsing activity from the printserver01, which is blocked by the Blue Coat proxy due to attempts to access personal email accounts. To conceal his actions, Mario uses SSH to log into the Unix machine and continues engaging in more suspicious activities that are revealed through continued monitoring with the Blue Coat proxy. These activities include browsing job hunting websites like careerbuilder.com, monster.com, and hotjobs.com, which can be indicative of dissatisfaction with one's current position.
The text describes a scenario where the employee Mario Rossi accessed anonymous proxy sites and hacking websites from the print server printserver01. This behavior suggests he may be moving company data, possibly intellectual property, through anonymous proxies in preparation for a future job, or downloading tools for sabotage or other unauthorized activity before leaving the company. The situation requires escalation to human resources, and ArcSight's case management is used to document the evidence found during the investigation. The text also covers visualizing the events on a dashboard, adding selected event details to the existing case, and running reports that summarize all activity attributed to Mario Rossi as part of the case.
The provided text describes a process for investigating an employee's access activity using ArcSight. The user, Mario Rossi, accessed various applications and devices, including the badge reader, Cisco NetFlow, Microsoft Windows, Blue Coat, and Unix, during specified time periods. The investigation involves reviewing detailed reports, opened in Adobe Acrobat, to identify the specific events associated with Mario's activity.
The report includes a graph summarizing different applications used by Mario, along with a table providing more granular information about his activities. Although some event details do not include user name information, the system identifies these actions as belonging to Mario based on session correlation. The investigator saves and attaches this report to the case for further reference.
The ArcSight tool allows for quick compilation of all relevant activity and evidence from multiple applications related to the investigation, which is then packaged into a cohesive case file named "Mario Rossi.pdf". This process helps in transitioning the investigation to the appropriate group within the organization that handles such incidents. The text also mentions that IdentityView, part of the ArcSight software, is now considered end-of-sale and recommends using User Behavior Analytics as an alternative for future investigations.
The setup instructions outline how to log into the Command Center as an administrator, acknowledge any existing notifications, delete cases if necessary, start a demo replay connector with specific event files, and initiate replaying these events at a rate of 5 events per second.
The text provided outlines a scenario where an employee used a shared account on a specific server segment, violating corporate policy. The user is notified about this breach through ArcSight, which triggers an email alert and leads to further investigation in the Command Center. By navigating to the notification, they can access detailed information including correlated events and triggering base events. They are also able to identify the actor involved (David West from IT) using the IdentityView feature of the system. This process helps in acknowledging the violation and ensures that appropriate actions are taken according to corporate policy regarding shared accounts on servers within the sj-arcnet-desktops segment.
The summary is about analyzing shared account activity in an environment using the "IdentityView v2.0" dashboard from the "/All Dashboards/ArcNet Dashboards/IdentityView v2.0" section. To view shared accounts, navigate to "Shared Accounts" and then mouse over events to see active channels. In the Active Channel, you can pause the activity and investigate specific events related to successful logons and denied TCP connections.
The investigation involves examining event details such as Successful Logon events under Field Set "Actor Field Set" in "/All Field Sets/ArcNet Field Sets/IdentityView v2.0", where IdentityView successfully attributes these events back to a person (David West) using username or IP attribution.
Additionally, the process includes priority normalization during data collection: the SmartConnector converts the various severity scales used by event sources into ESM's default scale of Very Low, Low, Medium, High, and Very High. This preserves the risk each source assigned to its own events, as reported to the SmartConnector, in a form that can be compared across sources.
This text appears to be documentation or a report summary about using ArcSight, a security management tool, for monitoring shared accounts in an IT environment. The document describes how to access various reports within ArcSight that provide information on the usage of shared accounts, including details such as what applications they are used in and where this activity is occurring across the network.
The primary reports include:
1. A summary report showing all shared account activities with general details like which accounts are being used and which applications they belong to.
2. A detailed report that provides more granular information about these activities, including specific details related to zones or networks where this activity is taking place.
3. Another report focuses on the SU (Superuser) and SUDO (Superuser Do) activities, providing a summary of all such actions within the environment.
ArcSight uses its network and asset model to give IP subnets human-readable names (for example, a zone name in place of an address range), so a reader can understand where activity occurred without consulting network diagrams or spreadsheets. The model is applied across use cases, including notifications, reports, rules, and cases.
The document also notes the end of support for IdentityView as it's a legacy product, recommending User Behavior Analytics as an alternative, which seems to be a different or updated product focused on user behavior analysis rather than identity management. The setup process involves logging into the Command Center with administrative privileges and managing any existing notifications.
The text outlines instructions for using the Demo Replay Connector in a scenario where a proprietary application has no per-user access control: everyone logs in with the shared account SystemUser, which has full administrative privileges. The goal is to trace each SystemUser login back to the accountable person.
To implement this solution:
1. Select and start replaying the event files IdentityView_v2.0.events at a rate of 50 events per minute. After approximately two or three minutes, adjust the replay speed to around 25 events per second if necessary.
2. Navigate to the dashboard MyLegacyApp within the IdentityView application to monitor any activity related to SystemUser account in your environment.
3. Access archived reports such as Login Sessions from the ArcNet/IdentityView section and generate a report on user access using the SystemUser shared account. This report should be capable of being run ad-hoc or on a scheduled basis, providing evidence for compliance audits.
Lastly, it is important to note that while IdentityView is still supported but nearing end of sale, User Behavior Analytics (a different product) should be considered as an alternative for selling in this context. The setup and usage instructions are provided for demonstration purposes only.
The summarized text provides a guide on how to use the IdentityView v2.0 dashboard within ArcNet dashboards for monitoring system and application usage based on department, employee type, and role. It involves selecting specific event files for demo replay, setting up the connector to re-play events at varying speeds, navigating through different dashboards, reviewing reports, and accessing archived reports that provide contextual information about user activity. These features are valuable in understanding access rights and system usage within an organization.
