ESM Express Console Demo Script 1.1
- Pavan Raja

- Apr 8, 2025
- 47 min read
Summary:
This document outlines a comprehensive demonstration of how to use ArcSight ESM/Express (ESM) and IdentityView within the HPE Confidential framework to track login activities related to shared accounts in legacy applications like MyLegacyApp. The main objective is to showcase the capabilities of these tools in ensuring compliance with user access controls, particularly through the use of the SystemUser account as an administrative tool across all users.
### Key Points and Actions:
1. **Logging into ArcSight Console**: Begin by logging into the ArcSight Console as an administrator. This initial step is crucial for navigating through the various sections needed to execute the demonstration effectively.
2. **Navigating to IdentityView v2.0 Dashboard**: Access the IdentityView v2.0 dashboard within the /ArcNet Dashboards section of the ArcSight Console. Here you will find a report titled "MyLegacyApp Login Sessions", which is pivotal for tracking login activities associated with shared accounts.
3. **Setting Up Event Files for Replay**: Set up a demo replay of the event files associated with IdentityView_v2.0 at a rate of 50 events per minute. This initial rate gives a feel for performance; it can be adjusted afterwards based on what is observed.
4. **Filtering Events Using AttributableActor**: Create a new Active Channel by filtering events on AttributableActor. This filter is essential for isolating activities tied to specific users, in this case David West. It helps in pinpointing the user responsible for any shared account activity within MyLegacyApp.
5. **Viewing Archived Reports**: Proceed to view archived reports related to this use case by accessing the Reports tab under the ArcNet Archived Reports group in the Navigator. Navigate to the IdentityView v2.0 directory to access detailed reports such as "Archived Report: Logins to Known Shared Accounts – Details.pdf". These reports provide a comprehensive overview of shared account activity, including details about attackers and target zones.
6. **Reviewing Detailed Information**: Open the provided PDF report for an in-depth analysis of shared account activities. This detailed information helps in understanding the interactions between different users and systems using the shared SystemUser account, ensuring compliance with administrative access controls.
7. **Addressing Potential Questions**: Be prepared to answer questions about different columns in the reports. Emphasize the value of IdentityView's ability to pinpoint actors by name or IP address using its network model capabilities. This feature helps in understanding and visualizing user interactions within the system, enhancing overall compliance and accountability.
8. **Reporting Compliance**: Highlight the importance of reporting tools like the MyLegacyApp Login Sessions report for auditors. These reports demonstrate access rights within various departments and employee types, ensuring that activities are recorded clearly for auditing purposes. Reports can be run both ad-hoc and on a scheduled basis based on organizational needs.
### Conclusion:
This demonstration outlines a detailed process of how ArcSight ESM/Express (ESM) and IdentityView can be effectively utilized to track login activities in legacy applications that use shared accounts without user access control features. It underscores the importance of reporting tools for compliance with auditing requirements, ensuring accountability through clear identification and visualization of user interactions within the system.
Details:
The document "ESM/ESM Express 6.11 Use Case Demonstration Scripts" from Hewlett Packard Enterprise (HPE) is a confidential guide intended for evaluation purposes only. It contains information about HPE's current products, sales, and service programs that are subject to change at the company's discretion. The document should not be reproduced or disclosed outside the group responsible for evaluating its contents without written authorization from HPE.
The purpose of this document is to provide a detailed demonstration of how the ESM/ESM Express 6.11 can be used through scripts, with examples and instructions on how to utilize these features effectively within ArcSight Console. The information provided in this document should not be considered as an offer for sale or solicitation to purchase any HPE product(s) or service(s).
The information contained in the ESM/ESM Express 6.11 Use Case Demonstration Scripts is deemed reliable, but without warranties of accuracy or completeness. The recipient should independently verify and validate all information provided before relying on it for any purpose. Neither HPE nor its representatives shall be liable for any claims, losses, or damages arising from the use of this document or its contents.
The term "solution" in this context refers to the products and services offered by HPE, which may include software applications and related support provided under specific contractual agreements between HPE and the client. The definitive agreement must be signed by authorized representatives of both parties for any terms and conditions mentioned within the document to become binding.
The text provided is a summary of terms and conditions related to a proposal or agreement between parties, likely from Hewlett Packard Enterprise (HPE) and a customer. Here's a breakdown of the key points mentioned in the document:
1. **Implied Assurance of Solution Fit**: The term "solution" used in the context of proposed products or services does not imply that these will automatically meet all the Customer’s requirements without further development based on additional information from the customer.
2. **Definition and Nature of Partnership**: The terms "partner" or "partnership" are clarified to mean a collaborative relationship between parties, rather than implying a formal legal partnership. This suggests a more informal business alliance focused on mutual benefits derived from teamwork.
3. **Validity of Pricing Estimates**: Pricing estimates provided in the document are valid for 30 days from the date they were submitted. After this period, revisions or updates may be necessary to reflect current information and conditions.
4. **Document Submission Preferences**: If HPE submits a proposal in both electronic and hard copy formats, only the hard copy will be considered the official, valid version if there are differences between them. Similarly, if only electronic versions are submitted with differing content, preference is given to the PDF version of the document.
5. **Resolution of Concerns**: If any party has concerns, questions, or issues regarding this notice, they should contact their local sales representative for resolution.
6. **Copyright and Confidentiality**: The proposal is protected by copyright law (© Copyright 2017 Hewlett Packard Enterprise Development Company, L.P.) and contains confidentiality provisions ("HPE Confidential—subject to use restriction"). This indicates that the information should not be disclosed or used beyond the agreed-upon purposes without authorization from HPE.
7. **Use Case Demonstration Scripts**: The document includes demonstration scripts for various security use cases and tools provided by HPE, specifically related to ArcSight Console and its Express version (ESM/ESM Express). These scripts are meant to illustrate how specific security measures can be implemented using the software products offered by HPE.
This summary highlights the contractual aspects of the document, particularly focusing on the terms that define expectations for both parties in a professional relationship, as well as procedural guidelines regarding proposal submissions and dispute resolution mechanisms.
The PowerPoint presentation outlines a demonstration of how an analyst uses and interacts with ESM/ESM Express within the ArcSight platform to investigate suspicious or malicious activity. The setup involves logging into the ArcSight Console as an admin, deleting existing notifications and cases, starting a demo replay connector with specified event files, and hiding unnecessary interface panels.
The use case begins with ESM/ESM Express detecting suspicious activity, which triggers a notification via email and SMS to the analyst. The workflow includes:
1. Receiving a notification of detected malicious activity.
2. Acknowledging the notification in the ArcSight Console.
3. Navigating through interfaces such as Dashboard, Active Channel, and Report to review details about the events associated with the notifications.
4. Creating a case related to the suspicious activities observed in the investigation process.
Throughout this demonstration, key actions include acknowledging notifications promptly to initiate the workflow, reviewing event details within the Viewer Panel, and managing cases appropriately to track investigations efficiently.
When you receive a notification about multiple login attempts to a locked Microsoft Windows account, indicated by a correlated event with a red lightning bolt icon in the ArcSight SmartConnector interface, it means someone is trying to access an account that has been disabled for logging in. Your field set, which is tailored to show only relevant fields of interest, will display various base events triggered by these attempts.
In this context, the normalized base events are critical for correlation and analytics within your security system. These events wrap everything together and help in understanding the broader scenario. The SmartConnector automatically handles normalization, making it easier to focus on specific areas of interest during an investigation.
The SmartConnector also categorizes events, such as Category Behavior = /Authentication/Verify and Category Device Group = /Operating System, providing a structured way to understand what each event means and abstracting the details for broader applicability across different devices or operating systems. This not only simplifies understanding but also makes your content more portable and less tied to specific device vendors, ensuring that updates in software versions do not require significant changes to your existing content.
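The categorization described above is what makes correlation content portable: a rule written against the category fields matches events from any operating system the connector knows how to normalize. The following is an added example, not code from the page or from HPE/ArcSight, that normalizes constructed Windows and Linux raw login events into CEF-style category fields, applies one vendor-agnostic filter to both, and then runs the "multiple failed logins to one account" correlation that the locked-account notification earlier in the text is based on. The regular expressions, field names and the three-failures-in-five-minutes threshold are this example's assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample raw events (timestamp, source OS, raw text); not taken from the page.
# Windows Status 0xC0000234 is the NTSTATUS code for "account locked out".
RAW_EVENTS = [
    ("2025-04-08T09:00:01Z", "windows", "EventID=4625 TargetUserName=swright IpAddress=10.0.110.34 Status=0xC0000234"),
    ("2025-04-08T09:00:05Z", "windows", "EventID=4625 TargetUserName=swright IpAddress=10.0.110.34 Status=0xC0000234"),
    ("2025-04-08T09:00:07Z", "linux",   "sshd[2211]: Failed password for swright from 10.0.110.34 port 51022 ssh2"),
    ("2025-04-08T09:00:09Z", "windows", "EventID=4625 TargetUserName=swright IpAddress=10.0.110.34 Status=0xC0000234"),
    ("2025-04-08T09:02:00Z", "windows", "EventID=4624 TargetUserName=jdoe IpAddress=10.0.20.7"),
    ("2025-04-08T09:02:15Z", "linux",   "sshd[2212]: Accepted password for jdoe from 10.0.20.7 port 51030 ssh2"),
]

WIN_RE = re.compile(r"EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)(?: Status=(?P<status>\S+))?")
LINUX_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")


def normalize(ts, source, raw):
    """Map a vendor-specific raw line onto vendor-neutral category fields (CEF-style names)."""
    event = {
        "endTime": ts, "deviceVendor": source, "rawEvent": raw,
        "categoryDeviceGroup": "/Operating System",
        "categoryBehavior": "/Authentication/Verify",
    }
    if source == "windows":
        m = WIN_RE.match(raw)
        event.update(destinationUserName=m["user"], sourceAddress=m["ip"],
                     categoryOutcome="/Success" if m["id"] == "4624" else "/Failure",
                     deviceCustomString1=m["status"] or "")
    elif source == "linux":
        m = LINUX_RE.search(raw)
        event.update(destinationUserName=m["user"], sourceAddress=m["ip"],
                     categoryOutcome="/Success" if m["outcome"] == "Accepted" else "/Failure")
    else:
        raise ValueError(f"no parser for source {source!r}")
    return event


def is_failed_os_login(event):
    """Vendor-agnostic filter: written once against category fields, it matches both sources."""
    return (event["categoryDeviceGroup"] == "/Operating System"
            and event["categoryBehavior"] == "/Authentication/Verify"
            and event["categoryOutcome"] == "/Failure")


def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: the threshold-th failed login for one target user inside the window
    produces a correlated event aggregating its base events (fires once per window)."""
    recent = defaultdict(list)   # target user -> [(time, base event), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["endTime"]):
        if not is_failed_os_login(ev):
            continue
        t = datetime.fromisoformat(ev["endTime"].replace("Z", "+00:00"))
        user = ev["destinationUserName"]
        recent[user] = [x for x in recent[user] if t - x[0] <= window] + [(t, ev)]
        if len(recent[user]) == threshold:
            bases = [e for _, e in recent[user]]
            alerts.append({
                "name": "Multiple Failed Logins",
                "destinationUserName": user,
                "baseEventCount": len(bases),
                "sourceAddresses": sorted({e["sourceAddress"] for e in bases}),
                "deviceVendors": sorted({e["deviceVendor"] for e in bases}),
            })
    return alerts


def run_demo(raw_events=RAW_EVENTS):
    """Normalize the constructed stream and return the correlated events it produces."""
    return correlate_failed_logins([normalize(*r) for r in raw_events])


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Because the filter never references EventID 4625 or the sshd message text, adding a third operating system only requires a new parser branch; the rule itself stays unchanged, which is the portability point the text makes.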
The document outlines a process for investigating login activities using a combination of dashboard views and interactive panels within a system designed to monitor operating system login events. Here's a step-by-step breakdown of what is described:
1. **Opening the Navigator Panel**: Accessing a panel that provides an overview of the organization's real-time operational status, including details about user logins.
2. **Accessing Dashboards**: Within the Navigator Panel, navigate to the 'Dashboards' section and select the specific dashboard titled "Operating System Login Activities." This dashboard displays an overview of all login activities related to operating systems across the organization.
3. **Investigating Specific Events**: A case was created as part of the workflow triggered by a notification about multiple failed login attempts, which led to locking a user's Windows account due to suspicious activity.
4. **Locking the Case**: The case is locked after being reviewed in the Inspect/Edit Panel for further investigation. The stage of the case was changed from 'Queued' to 'Initial', and an investigator added a note indicating that they are starting the investigation.
5. **Using Active Channels**: To focus on specific user activities, navigate to "Active Channels" where events related specifically to operating system logins can be viewed. Here, the channel is paused to allow for detailed examination of swright's login attempts and any associated network details such as IP addresses used during these sessions.
6. **Focusing on Target User**: The Active Channel is adjusted to focus solely on swright's activities, revealing that he uses a remote VPN with an assigned address (10.0.110.34), and the investigation reveals multiple authentication failures starting from when he accessed the network remotely.
This document outlines how to use software tools to investigate user login events by navigating through various dashboard views and interactive panels, providing detailed steps on analyzing operating system login activities step-by-step.
The provided text appears to be a section from an IT security document or report, detailing the use of VPNs and IP addresses within a corporate network for investigation purposes. Here's a summarized version of what is discussed in the passage:
1. **VPN and Internal Address**: The investigating analyst wants to look at activity from an internally assigned IP address (e.g., 10.0.110.34). It is natural to look into all other activity associated with this IP address, which can be done easily in the network monitoring system.
2. **Investigation of Events**: When examining these events, it appears that there were multiple failed login attempts and various types of activity including FTP connections to malicious sites. The conclusion is drawn that the user might have been infected by malware attempting to contact malicious sites through the corporate network.
3. **Active Channel Creation**: To further investigate this issue, a channel can be created within the system where all related events are monitored. This allows for a detailed analysis of the activities and helps in understanding the nature of the threat more clearly.
4. **Normalization Process**: During the normalization process, the SmartConnector collects data about the level of danger associated with each event based on the scale provided (Very Low to Very High). This standardizes the various rating scales used by different data sources into a uniform metric for easier interpretation and prioritization.
5. **Threat Intelligence Feed**: The system identifies correlated events where there are communications to malicious domains, such as dslzn11.badguy.net. These can be seen on both firewall configurations (Cisco Pix – Accept event) and through the Threat Intelligence feed provided by the system.
6. **Active Channel Management**: Within the Active Channel, one can adjust settings like columns displayed or field sets used to refine the investigation further. This flexibility in customization helps tailor the view to specific areas of interest related to malware communication with malicious domains.
This summary assumes that the text is discussing a scenario where network security monitoring tools are being utilized for incident response and threat analysis, employing features such as VPN tracking, IP address analysis, and real-time threat intelligence integration within their platform.
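Two of the mechanisms in the list above, the severity normalization in point 4 and the threat-intelligence match in point 5, are shown together in the following added example; it is not code from the page or from HPE/ArcSight. Constructed events from three sources carry their vendor's own rating in deviceSeverity; each is mapped onto the uniform Very Low to Very High scale, the destination host is checked against a small constructed feed containing the domain named in the text, and the events are ordered by resulting priority. The per-vendor mapping tables, field names and sample events are this example's assumptions, not any connector's documented mapping.

```python
# Uniform five-step scale (Very Low .. Very High) that every source is mapped onto.
SEVERITY_SCALE = ["Very Low", "Low", "Medium", "High", "Very High"]

# Constructed threat-intelligence feed; the domain is the one named in the text above.
THREAT_INTEL = {"dslzn11.badguy.net": "known malware command-and-control (constructed feed entry)"}

# Constructed sample events after connector parsing; deviceSeverity holds the vendor's own rating.
SAMPLE_EVENTS = [
    {"deviceVendor": "cisco_pix", "name": "Accept", "deviceSeverity": "6",
     "sourceAddress": "10.0.110.34", "destinationHostName": "dslzn11.badguy.net"},
    {"deviceVendor": "snort", "name": "FTP_USER", "deviceSeverity": "2",
     "sourceAddress": "10.0.110.34", "destinationHostName": "ftp.example.net"},
    {"deviceVendor": "mcafee_epo", "name": "Virus detected", "deviceSeverity": "Minor",
     "sourceAddress": "10.0.20.7", "destinationHostName": ""},
    {"deviceVendor": "cisco_pix", "name": "Accept", "deviceSeverity": "6",
     "sourceAddress": "10.0.20.7", "destinationHostName": "www.example.com"},
]


def normalize_severity(vendor, raw_value):
    """Translate a vendor's own rating into the uniform scale.
    The tables below are this example's assumptions, not a connector's documented mapping."""
    if vendor == "snort":          # Snort priority: 1 is most severe, 3 least
        return {1: "High", 2: "Medium", 3: "Low"}.get(int(raw_value), "Very Low")
    if vendor == "cisco_pix":      # syslog level: 0 (emergency) .. 7 (debug)
        level = int(raw_value)
        if level <= 1:
            return "Very High"
        if level <= 3:
            return "High"
        if level <= 5:
            return "Medium"
        return "Low"
    if vendor == "mcafee_epo":     # text labels
        table = {"critical": "Very High", "major": "High", "minor": "Medium", "warning": "Low"}
        return table.get(str(raw_value).lower(), "Very Low")
    return "Medium"                # unknown source: neutral default rather than dropping the event


def match_threat_intel(hostname, feed=THREAT_INTEL):
    """Return the feed indicator matching the host exactly or as a parent domain, else None."""
    host = hostname.lower().rstrip(".")
    for indicator in feed:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def triage(events=SAMPLE_EVENTS, feed=THREAT_INTEL):
    """Normalize severity, attach a correlated event on feed hits, and order by priority."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["agentSeverity"] = normalize_severity(ev["deviceVendor"], ev["deviceSeverity"])
        hit = match_threat_intel(ev.get("destinationHostName", ""), feed)
        if hit:
            ev["correlated"] = {"name": "Communication to Malicious Domain",
                                "indicator": hit, "context": feed[hit]}
            ev["agentSeverity"] = "Very High"   # a feed hit outranks the device's own rating
        out.append(ev)
    # Stable sort: ties keep their arrival order.
    return sorted(out, key=lambda e: SEVERITY_SCALE.index(e["agentSeverity"]), reverse=True)


if __name__ == "__main__":
    for ev in triage():
        print(ev["agentSeverity"], ev["deviceVendor"], ev["name"], ev.get("correlated", {}).get("name", ""))
```

The firewall Accept event is the lowest-rated event by its own device's scale (syslog level 6), yet the feed match pushes it to the top of the queue; that inversion is exactly why the ordering has to be done on the normalized field rather than on the raw vendor rating.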
This passage describes a system for managing and analyzing security events using IBM ISS RealSecure software with specific focus on FTP_USER/FTP_PASS events and dangerous browsing activities to malicious domains. The system is designed for ease of use without requiring scripting, supporting integrations with various sources including HPE and third-party, open-source, and custom solutions.
The interface allows users to add important events directly to a case file, which serves as the central hub for an investigation. This includes dangerous outbound communications to malicious domains, failed login attempts to locked Windows accounts, and multiple login attempts from specific users. Users can easily save searches or share them with others, utilizing features like breadcrumbs that allow investigators to revisit steps and stages of their investigations without starting over.
Advanced reporting capabilities are also available within the system, allowing for detailed validation and confirmation of findings. This includes generating reports on failed logins and other security-related events. The passage highlights how these features facilitate efficient handling of ongoing cases until they can be handed off to another analyst or team member.
This document describes a procedure for analyzing security events using ESM (Enterprise Security Manager) / ESM Express with ArcSight Threat Intelligence feed. The goal is to investigate potential threats by reviewing failed login attempts, dangerous browsing activities, and other suspicious behaviors over the last 24 hours. Here's a summary of the steps involved:
1. **Navigate to Reports**: In ESM/ESM Express, go to "/All Reports/ArcSight" under Solutions/Reputation Security. Use default parameters to generate reports on failed login attempts and dangerous browsing activities over the last 24 hours.
2. **Generate Reports**: Click "Reports" in the Navigator Panel, then select the report type (e.g., Threat Intelligence feed) and use defaults for configuration. Save the generated PDF files.
3. **Attach to Case**: Open the case related to the incident, where you will find options to attach the reports as evidence. Right-click on the report name under "Dangerous Browsing Activities" and select "Report," then choose "Report with defaults." Attach both PDFs to the case.
4. **Add Investigation Notes**: In the same case, add notes about the actions taken (e.g., disabling VPN account, taking infected host offline) and recommended follow-up actions for further investigation. Provide details in the notes field under "Investigation found compromised" and "Recommended Actions."
5. **Update Case Attributes**: Adjust the case attributes to reflect the current stage of the investigation by changing the stage from Initial to Follow-Up in the ESM/ESM Express interface. Set Operational Impact to 3-High based on the severity of the issues detected.
This process ensures that all relevant security events and generated reports are documented within the case, facilitating a coherent and comprehensive follow-up investigation by other analysts.
The text provided is a summary of a presentation or demonstration (marked HPE Confidential, subject to use restriction) focusing on the capabilities and features of the ESM/ESM Express tool within the ArcSight console. It outlines a specific use case related to compliance with ISO standards, emphasizing how an analyst would interact with the system to review and manage access controls for former employees.
Key points include:
1. The default configuration can be customized based on organizational processes and procedures.
2. ESM/ESM Express integrates seamlessly with existing case management and ticketing systems.
3. Compliance use case involves reviewing and managing access control practices, particularly focusing on section 11 of ISO 27002 which deals with access control best practices.
4. The demonstration showcases how ArcSight can automate parts of the compliance process by detecting unauthorized access attempts even after disabling Active Directory accounts.
5. The tool maintains a list of users whose AD accounts have been disabled, ensuring continued monitoring for compliance purposes.
6. A reporting feature is highlighted as part of the demonstration, showing how easily events and logs can be reviewed through ArcSight's interface.
The presentation concludes with an emphasis on the efficiency and ease-of-use of ArcSight in managing these compliance aspects within a corporate environment.
The text discusses a method for ensuring compliance with regulatory standards, specifically focusing on ISO 27002 best practice 11.2.1 which pertains to revoking access when employees leave the organization. The process involves using tools such as ArcSight Console to automate log reviews and alert managers of potential non-compliance issues. By acknowledging alerts about former employee access, managers can quickly identify and rectify any gaps in compliance, making it easier to demonstrate adherence to regulatory standards during audits.
The provided text describes an action involving reviewing compliance status through a dashboard, focusing on ISO Section 11's non-compliance due to the Former Employee Account Access Attempt event. It then explains how ArcSight identifies former employees by checking incoming events against a list of former employees. This process involves using lists from ArcSight's Navigator window and Compliance Insight Package for tracking and correlation purposes.
ArcSight dynamically updates this list, automatically adding deleted accounts or importing new entries from text files. The text also briefly mentions the rule that handles inactive user account events by removing them from privileged lists and moving them to a "deleted employees" list. Finally, it highlights how ArcSight can generate reports on these lists for easier access and analysis, comparing this method to manually reviewing extensive documents.
ArcSight is an advanced security system that helps organizations quickly identify and respond to security incidents, including potential zero-day attacks. With its comprehensive features for notification and case management, ArcSight allows organizations to have better visibility into their overall security and compliance status. In addition to incident detection, ArcSight offers automated reporting solutions that provide detailed insights across the organization's infrastructure.
To demonstrate how ArcSight can be used in a NetFlow environment, here are the steps for setting up and using it:
1. Log in as an administrator to the ArcSight console.
2. Navigate to the Notifications tab to acknowledge any pending notifications and delete associated cases.
3. Access the Dashboards by opening the /ArcNet Dashboards/NetFlow/ section, where you can view:
   - Top Port and Bandwidth Usage
   - Top Source and Target Countries
   - Microsoft SQL Server Monitoring
4. Modify the Microsoft SQL Server Monitoring dashboard to a circular layout.
5. In the Navigator, go to the Reports resource and open the Reports, Archives tab to review generated NetFlow reports in PDF format under the /ArcNet Archived Reports group.
6. Configure the Demo Replay Connector by selecting relevant event files (e.g., NetFlow_IdentityView_v2.0.events) for replay at a rate of 50 events per minute, adjusting the speed as necessary after about two to three minutes.
The demonstration includes specific dashboards:
The Top Bandwidth by Actor dashboard provides an overview of bandwidth usage categorized by identity and country. This dashboard can be adapted to analyze bandwidth across various devices in the organization's network.
The Top Port and Bandwidth Usage dashboard shows which ports are actively used in the environment, broken down according to specific criteria.
The provided text is a summary of a document discussing network monitoring and security practices, specifically focused on identifying unauthorized activities such as an unregistered Microsoft SQL Server installed in a non-DMZ segment (desktops). Here's a summarized breakdown of the key points discussed:
1. Network Port Usage: The document differentiates between well-known ports (0-1023) and the registered and dynamic ports (1024-65,535), providing insight into which ports are actively being used for data transfer.
2. Dashboard Functions: Two dashboards are mentioned to provide visualizations of network traffic from a country perspective and monitoring Microsoft SQL Server traffic on port 1433. The latter reveals that the traffic is incorrectly routed to the desktop segment, suggesting potential security breaches or unauthorized installations.
3. Investigation Tools: An optional feature allows deeper investigation by clicking on specific zones to view detailed event information. This includes opening reports such as "Bandwidth Usage by Port" and "Detailed Traffic by Host," which provide more granular insights into network usage and host traffic, respectively.
4. Reporting and Policy Compliance: The document mentions the use of archived reports like "Bandwidth Usage by Port" and "Top Bandwidth Hosts" to assess bandwidth usage across different ports and hosts in the network environment. This helps in identifying potential issues or non-compliant activities that can be further investigated and addressed according to corporate security policies.
In summary, this document outlines a structured approach for monitoring and managing network traffic through various dashboards and reports, focusing on unauthorized use of services like Microsoft SQL Server and providing actionable insights for IT administrators to enforce compliance with organizational policies.
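The detection described above (SQL Server traffic on port 1433 landing in the desktop segment rather than the DMZ) is a network-model check: classify the target port, resolve the target address to a zone, and compare against where that service is allowed to live. The following added example, not code from the page or from HPE/ArcSight, does that over constructed NetFlow records and also produces the two summaries the archived reports provide, bandwidth by port and top bandwidth hosts. Zone names follow the scenario; the address ranges, flows and the placement policy are this example's assumptions. It splits the upper range into IANA registered and dynamic ports, which the text groups together as 1024-65535.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed network model: zone names follow the scenario, address ranges are made up.
ZONES = {
    "DMZ": ip_network("172.17.1.0/24"),
    "Servers": ip_network("10.0.30.0/24"),
    "Desktops": ip_network("10.0.20.0/24"),
}

# Constructed placement policy: which zones may host a service listening on a port.
SERVICE_POLICY = {1433: ("Microsoft SQL Server", {"DMZ", "Servers"})}

# Constructed NetFlow records: (source address, target address, target port, bytes).
FLOWS = [
    ("10.0.20.15", "10.0.20.44", 1433, 820_000),     # SQL Server traffic to a desktop
    ("10.0.20.15", "172.17.1.10", 1433, 120_000),    # SQL Server traffic to the DMZ
    ("10.0.20.16", "172.17.1.10", 443, 2_500_000),
    ("10.0.30.5", "172.17.1.10", 443, 400_000),
    ("10.0.20.17", "172.17.1.11", 53000, 9_000),
]


def port_class(port):
    """IANA port ranges: well-known, registered, dynamic/private."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"invalid port {port}")


def zone_of(addr):
    """Resolve an address to its zone in the network model, or 'Unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Unknown"


def summarize(flows=FLOWS):
    """Bandwidth by port, bandwidth by host, and service-placement violations."""
    by_port = defaultdict(int)
    by_host = defaultdict(int)
    violations = []
    for src, dst, port, nbytes in flows:
        by_port[port] += nbytes
        by_host[src] += nbytes
        by_host[dst] += nbytes
        if port in SERVICE_POLICY:
            service, allowed_zones = SERVICE_POLICY[port]
            zone = zone_of(dst)
            if zone not in allowed_zones:
                violations.append({"service": service, "port": port, "targetAddress": dst,
                                   "targetZone": zone, "bytes": nbytes})
    return {
        "bandwidth_by_port": [(p, port_class(p), b)
                              for p, b in sorted(by_port.items(), key=lambda kv: -kv[1])],
        "top_hosts": sorted(by_host.items(), key=lambda kv: -kv[1]),
        "violations": violations,
    }


if __name__ == "__main__":
    summary = summarize()
    for row in summary["bandwidth_by_port"]:
        print("port", *row)
    for host, total in summary["top_hosts"][:3]:
        print("host", host, total)
    for v in summary["violations"]:
        print("VIOLATION", v)
```

The violation row is what would drive the "unregistered SQL Server in the desktop segment" finding; the byte count on it is useful because a single small flow may be a misconfigured client, whereas sustained volume to a desktop on 1433 points at a server actually running there.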
This document outlines a series of steps to be followed during a demo replay of the ArcSight Activate product by an admin. The process involves setting up and configuring various components, opening specific files, channels, and websites, as well as installing certain packages. Here is a summarized breakdown of the tasks:
1. **Admin Role**: As the administrator, you will initiate the demonstration by starting the demo replay connector to load event files such as 'activate_50epm.events' at a rate of 50 events per minute.
2. **Opening Channels and Dashboards**: You need to open specific ArcSight Activate channels including the main channel and a personal investigating channel, along with the corresponding dashboard for Malware Outbreak Statistics. This will take approximately 5 minutes to populate the data monitors.
3. **Installing Packages**: Two primary packages are installed:
   - **Malware Monitoring**: Includes L1 (Indicators and Warnings) and L2 (Situational Awareness) monitoring, with a product package of PMcAfeeEpoVirusScan.
   - **Network Monitoring**: Incorporates L1 (Indicators and Warnings) and L2 (Situational Awareness) monitoring, along with the PSnort product package. Note that this network monitoring is not utilized in the demo but includes Snort events as part of the event file.
4. **Opening Websites**: The following websites should be accessed within different browser tabs:
   - ArcSight Marketplace for general information and potential sign-up if needed.
   - Specific Activate wiki pages on L1 Malware Monitoring, L2 Malware Monitoring, and P-McAfee ePO Virus Scan for detailed knowledge about the products.
5. **ArcSight Activate Information**: Review key wiki pages to understand the benefits and functionality of Activate:
   - Main Wiki page with an overview of Activate.
   - Page explaining why to use Activate.
   - Discussion on problems that Activate can solve.
This document provides a structured way for demonstrating and understanding the capabilities of the ArcSight Activate product, including its configuration and integration features.
ArcSight Activate is a modular content development methodology that provides a collection of reusable components to quickly deploy and develop actionable use cases. It allows users to implement and customize packaged use cases without reinventing the wheel, empowering them to build their own use cases using a library of reusable components, standardized deployment tactics, methodology, and defined best practices.
The Activate framework organizes its packages by type:
- The Activate Base package provides resources such as filters, global variables or active lists that are used by all other packages.
- Level 1 (L1) Activate packages consume indicators from multiple or different event sources, normalize this information to ensure consistency within the Activate Framework, and can also enrich events with device-specific data.
- Level 2 (L2) Situational Awareness Packages contextualize events with information from various internal ArcSight models, including the network model, asset model, actor model, threat intelligence model, etc.
- Product packages are specific to a range of releases or versions and generally include L1 content, sometimes accompanied by FlexConnectors or parser overrides.
ArcSight Activate content is available on the ArcSight Marketplace, where security professionals can share and download security use case demonstration scripts.
The text describes HPE's ArcSight Activate, a platform that provides comprehensive security resources similar to what large companies use for their security management. On the ArcSight Activate Marketplace, users can find various resources such as best practices, guidelines, and use cases, including FlexConnectors, utilities, tools, and partner integrations.
The marketplace offers different types of content categorized into packages like L1 and L2, which are specifically designed for technologies like perimeter and network monitoring, application monitoring, physical security, host monitoring, malware monitoring, data security monitoring, and threat intelligence monitoring. The L1 packages focus on detecting and reporting potential malicious activities, while the L2 packages provide additional context to these incidents.
ArcSight Activate is highly modular and can easily expand its support for more products and vendors by making minor adjustments to specific filters. This flexibility allows it to accommodate a wide range of devices supported by ArcSight SmartConnectors, FlexConnectors for internal applications, or companies that are part of the Security Technology Alliances Partner Program.
To find content related to malware monitoring, users can perform a search on the Marketplace and look for L1-Malware Monitoring and L2-Malware Monitoring packages that provide information and tools to address issues related to malware.
This passage discusses malware monitoring using ArcSight Activate, a tool provided by Hewlett Packard Enterprise (HPE). The Activate ePO VirusScan module is designed for virus scanning and protection, which aligns with the antivirus vendor and product mentioned in the text.
ArcSight Activate provides guidance on malware monitoring within its wiki documentation. For level 1 malware monitoring, it offers a L1 Malware Monitoring package that addresses specific use cases related to log sources. This package is modular and extensible, supporting various devices through filter editing. The page also highlights the option to modify thresholds for customizing content according to individual environments.
The L2 Malware Monitoring package extends from the L1 version by incorporating additional context provided by the Network and Asset Model. This added context helps in prioritizing responses during outbreaks like virus or worm incidents, focusing on critical assets such as servers in a DMZ or other high-value systems that are more vulnerable to security threats affecting their operations. The L2 package's content enhances this monitoring with specific details about asset criticality and potential impacts, aiding in better management of malware risks within the organization.
The passage concludes by noting that the information is HPE Confidential, subject to certain use restrictions.
The text provides a demonstration of how to navigate and interact with specific features within the ArcSight Console related to malware monitoring using the McAfee ePO VirusScan product package. It outlines the use of "Activate" for L1 and L2 Malware Monitoring, detailing its modular design that allows it to be integrated into various security monitoring use cases beyond just malware detection. The demonstration includes viewing a test plan which includes specific events designed to ensure proper functionality, as well as showing two active channels within the ArcSight Console: the Main Channel and the Personal Investigating Channel. These channels are used by SOC managers for triaging incidents and assigning them to analysts based on subject matter expertise and availability, while analysts can use the Personal Investigating Channel to focus on their assigned cases automatically personalized according to their ESM login.
The text describes a scenario where Steve, a Level 1 analyst, is tasked with reviewing and analyzing an incident related to malware activity on IP address 172.17.1.1. The process involves switching between channels in the ESM (Enterprise Security Manager) system to access detailed information about the event.
The user interface shows multiple active channels including /All Active Channels/ArcNet, Active Channels/ArcSight, and Main Channel. The Main Channel displays information about malware activity detected by Activate, specifically W32/SQLSlammer.worm. This malware is identified as affecting assets in the DMZ (a network zone), which includes a PCI system named arcnet-dmz.
The process involves:
1. Identifying correlated events triggered by the Level 1 Malware Monitoring package working together with the McAfee ePO VirusScan product.
2. Selecting one of the correlated events for IP address 172.17.1.1 to open in the Inspect/Edit Panel.
3. Using the ESM Network and Asset model to identify more critical assets affected by this malware outbreak in the DMZ.
4. Annotating the incident in ESM to assign it to Steve, ensuring that annotations help track and escalate events through the workflow.
The text provides a step-by-step guide on how to use ESM features for managing malware incidents, emphasizing the importance of network analysis and asset identification in mitigating potential threats.
The text outlines the role of annotations in ESM (Enterprise Security Manager), where they are used for flagging and assigning individual or related events for follow-up. Annotations are flexible and can be utilized in various ways within a workflow environment, serving as a tracking device to monitor all events passing through the ESM correlation engine, a triage tool before escalating an event to a case, or even being left unused if preferred.
The process involves defining a structured approach for assigning correlated events to Level 1 team members for investigation, which includes customizing stages according to the organization's workflow setup. After selecting and adjusting the stage of a correlated event to "Level 1 Investigating" and assigning it to an analyst (Steve), the event will no longer appear in the main channel but will be visible in Steve’s personal investigating channel.
The text also explains how to switch to the active channel where Steve can view the assigned correlated event, specifically mentioning Active Channels such as ArcNet and ArcSight. The role of annotations is further highlighted by their use in tracking metrics like cases by status, severity, event category, and more, serving as a field within the ESM schema for various uses in content management.
This summary describes a process for handling a malware incident involving the W32/SQLSlammer.worm, which was detected on host 172.17.1.1 located in the DMZ. The steps include annotating the correlated event and entering comments about antivirus updates, malware removal, and full system scans performed to resolve the issue. After performing these actions, the event is closed with a status indicating it has been staged for closure.
Additionally, this process involves monitoring the malware activity through the ArcSight Activate dashboard provided by HPE, which shows data related to moving average data monitors, malware infection rates within the organization and DMZ areas. This tool helps visualize the malware's impact and recovery progress in real-time. The use of this Malware Monitoring package offers benefits such as reuse of content between different use cases, enforced best practices, standardization of content development, easy sharing of content, quicker learning curves for new developers, and improved onboarding for skilled developers.
The demonstration starts by logging into the ArcSight Console as an admin and deleting any existing cases related to "Reputation Security Monitor" within the specified path. Next, a demo replay connector is set up to start replaying the event file "RepSM_demo.events" at 50 events per minute.
The user then navigates to specific channels and dashboards:
They open the Active Channel "/ArcNet Active Channels/Demo Live".
They access the following dashboards:
The main dashboard "/ArcSight Solutions/Reputation Security Monitor /Overview/RepSM Overview" which provides an overview of activities including internal infections, dangerous browsing, and contact with malicious entities.
The "/Reputation Data Analysis/Reputation IP Database Overview" dashboard to analyze reputation data related to IP addresses and domains.
They explore the list "/ArcSight Solutions/Reputation Security Monitor", right-clicking on entries like "10.0.20.21|macmini" in the Internal Infected Assets Dashboard, which leads to a more detailed view in another dashboard.
The demonstration highlights how the RepSM Overview dashboard helps identify internal infections and dangerous activities by showing monthly trends and pointing towards a specific malicious domain (mystreamvideo.rr.nu). The user can investigate further using this information, confirming that it is linked to malware like the Flashback Trojan.
The text describes an incident response process for a malware infection on an internal asset that is the source of attempted SQL injections and internal logins against other systems. The user is advised to close the browser window if they do not have internet access for further investigation. The infected asset is identified as 10.0.20.21.
To investigate this issue, the user accesses a dashboard called "Summary of Infected Assets" where various options such as integration commands and geolocation details can be found. They click on the specific entry for IP 10.0.20.21 to drill down into further details about the infected asset. From here, they observe that there have been attempts at SQL injection and internal logins from this asset in the last 24 hours.
The user then proceeds to investigate the malicious activities more closely by right-clicking on one of the events related to .nu domain (China) and choosing "Show Event Details." The system automatically geolocates sources and destinations based on IP addresses present in the logged event, which is used here to identify China as the location of the destination.
The user then closes all base events involving this infected asset from the last 24 hours and proceeds to review the currently infected assets and recorded interactions with malicious entities through a table provided by ArcSight. This system continuously checks every logged event against a list of malicious addresses, real-time updating this list based on detected exploits and threat scores for each entity.
In summary, the text outlines steps taken in an IT security scenario where malware was identified within internal systems leading to attempted SQL injections and logins from one of these assets. The process involves accessing specific details through a dashboard, investigating further with event details, and leveraging automated tools like geolocation and real-time threat detection features provided by ArcSight for enhanced security monitoring and response.
The text provided is a summary of a document discussing a system for managing and updating a database of malicious domains and IP addresses. The database is maintained by TippingPoint's Reputation Digital Vaccine, which includes contributions from thousands of white hat researchers. ArcSight has an integrated connector that updates the list every two hours, although in this demo version, it appears static.
The system allows users to view a subset of the over 700,000 entries in the database, each with associated reputation scores. The viewer panel includes tabs for Malicious Domains and Reputation IP Database Overview, which provides an overview of the state of the repository. Specific features include integration with ArcSight Threat Response Manager (TRM) for quarantine actions like port blocking or MAC filtering, as well as potential integration with TippingPoint Security Management System (SMS).
The document also outlines a use case demonstrating how to select specific infected assets and perform remediation actions through an integrated system, showcasing the capability to interface with ArcSight TRM for immediate containment measures. This example highlights the practical application of the system's features in real-world scenarios.
The document provides a detailed guide on how to manage cases within ArcSight for monitoring internal infected assets, utilizing features such as case management, workflow integration, and real-time reporting. Here's a summarized breakdown:
1. **Opening and Managing Cases**:
Navigate to the Navigator panel, where you can automatically open a case for each asset. From the dropdown menu, choose "Contacting the botnet." This action involves ArcSight Solutions/Reputation Security.
2. **Case Management and Workflow**:
The system allows for seamless management of cases through predefined stages. Users can assign cases to other ArcSight users, track progress, report on case statuses, and receive notifications about ongoing issues.
3. **Integrating with Other Systems**:
Cases can be integrated with other management systems like Remedy. This involves double-clicking the specific case entry (e.g., 10.0.20.21|macmini) to open it in the Inspect/Edit panel for detailed review and action.
4. **Closing a Case**:
To close a case, navigate to the appropriate stage by clicking on "Queued" from the Stage row drop-down menu and changing the stage to "Closed." This step includes entering follow-up actions in the Actions field and closing the case through predefined stages within ArcSight.
5. **Real-Time Reporting**:
The Events tab provides a record of all events involved in the case, ensuring transparency and accountability. Additionally, users can track dangerous destination activities such as accessing exploit types and botnet contacts from the Access to Dangerous Destinations By Exploit Types panel.
6. **Dashboard Interaction**:
A dashboard within the Viewer panel allows for an overview of interactions with high-risk destinations, updating in real time based on checks against a reputation database. This feature enables proactive monitoring and response to potential security threats.
This document serves as a practical guide for effectively managing cases related to internal infected assets using ArcSight, highlighting its capabilities in case management and integration with other systems, providing actionable insights into the status of these assets.
The ArcSight Reputation Security Monitor is a tool that provides real-time views and reports on various activities, focusing particularly on dangerous browsing incidents over the last 24 hours. It includes detailed reports such as "Dangerous Browsing Activities During the Last 24 Hours" in long form format, which can be customized based on user preferences or specific requirements. The tool also offers graphical representations alongside tabular data to provide a comprehensive view of activity trends and details.
In addition to its real-time capabilities, ArcSight Reputation Security Monitor includes correlation rules that automatically check all activities against the ArcSight reputation database for malicious patterns. These rules not only detect potential threats but also create cases and can include automatic remediation actions like quarantine, enhancing security measures through automation.
The interface is user-friendly with a graphical report interface allowing users to easily modify or create custom reports as needed. The tool supports multiple output options including PDF generation directly from the browser, making it versatile for different reporting needs and preferences.
The provided text discusses the use of ArcSight's Management Console for detecting malicious communications, with a focus on security analysts using dashboards to investigate events from devices, systems, and applications. It explains how to access and navigate the Management Console or Command Center, specifically for Express 4.0 and ESM 6.5c+. The demonstration involves setting up a demo replay connector with event files including IdentityView_v2.0.events and NetFlow_IdentityView_v2.0.events to analyze at specified rates (50 events per minute or second).
The text highlights the role of the Management Console in Express v3.0, ESM v6.0c+, now integrated into the Command Center within ESM. It describes how analysts and managers use these dashboards for day-to-day and week-to-week investigations to understand their environment's activities. The demonstration includes a Geographic Event Graph dashboard that uses SmartConnectors to enhance event data visualization, enabling users to see where attacks and threats are coming from and going, as well as providing detailed geo-location information (physical country, region, latitude, longitude; logical zone name).
The provided text discusses a demonstration focusing on the Event Graph Dashboard and Hourly Counts Dashboard within ESM (Enterprise Security Manager) or ESM Express. It outlines steps for visualizing event data, including how to manipulate node labels and unselect specific event priorities to tailor the dashboard for targeted analysis.
The demonstration also includes a change in layout from bar graphs to pie charts using the View, Event Counts by Hour, Pie Chart feature. The text concludes with an overview of potential dashboards available within these tools that can be shown to customers, emphasizing their utility in investigation and environment understanding through visualization capabilities.
The text discusses a demonstration about using a Command Center to investigate network issues. It mentions that analysts and managers typically use the Command Center daily for environment monitoring. A specific example involves complaints from users about slow network performance.
To address this, the user demonstrates how to visualize top port and bandwidth usage by bringing up a dashboard related to ArcNet. The dashboard shows detailed information on ports and their traffic, specifically highlighting port 1433 which is used for Microsoft SQL Server communication.
The demonstration then moves from general overview to more focused analysis using an unstructured free-form search term "netflow" within the event details presented in the Command Center. This step allows for detailed investigation of network events based on Cisco NetFlow data, making it easier to identify and troubleshoot performance issues.
The provided text describes a user interface feature in a system, likely related to event monitoring or network analysis. Here's a summary of its key functionalities and steps:
1. **Histogram View**: Users can view a histogram of events, with details about scanned events, matching query results, and the time taken for the search when hovering over bars in the histogram.
2. **Drill-Down Functionality**: By clicking on specific bars in the histogram representing different time periods, users can drill down to view events within that particular timeframe.
3. **Advanced Search**: Users can perform a more targeted search by using an "Advanced Search" feature. This allows them to specify logical conditions (using operators and conditions) to narrow down the search results. For example, you can set criteria like destination port 1433 for Microsoft SQL Server traffic.
4. **Building Searches**: Users can build complex searches by adding nested logical conditions in a dialog box. They select fields like "destination port" (after typing "destinationp"), choose the appropriate operator (e.g., equals '='), and enter the specific value (1433). After setting these criteria, they run the search to see targeted results.
5. **Viewing Event Details**: Users can expand individual events to view detailed information by clicking on them. This provides more granular insights into specific incidents that match the query.
6. **Customizing Fieldsets**: The system allows users to customize which fields are displayed in the event details view by adjusting the fieldset using the "Customize fieldset" option.
Overall, this feature is designed to enhance users' ability to efficiently search and analyze specific events within a large dataset, providing detailed information about each event that matches the criteria defined by the user.
This text discusses how to customize a network analysis tool for specific data needs. The user wants to add destination ports to their search fieldset and visually represent top or bottom "talkers" on a specific port (in this case, 1433).
To achieve this, the user performs a netflow query with the operator AND followed by destinationPort = 1433. They can refine results using additional operators like | top sourceAddress to show the most significant sources of traffic on that port. By default, these queries display up to the top 10 results, but users can adjust this number as needed (e.g., | top 5).
For visualization, they can change chart settings to display a pie chart showing top events. The user can then drill down into specific IP addresses highlighted in the pie chart for more detailed analysis. Similarly, if looking for less significant contributors, the same process applies with appropriate adjustments in the search query and visualizations desired (e.g., changing from "top" to another ranking like bottom).
This text suggests how to leverage network data interrogation tools effectively by customizing queries based on specific objectives such as identifying key participants or patterns of communication across a network, which can be crucial for cybersecurity monitoring, performance tuning, and other analytical tasks related to digital infrastructure.
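The searches described above (a free-text term, an AND'ed field condition, and a `| top` / `| bottom` pipe) as an added, stand-alone emulator over constructed NetFlow-style events. This is not ArcSight's search engine or query grammar; the "N before field" order in `| top 5 sourceAddress` is an assumption consistent with the page's `| top sourceAddress` and `| top 5`, and the event records are constructed sample data.

```python
"""Search emulator for the Command Center queries described above (added
example, not ArcSight's search engine or grammar). Supports a free-text
term, AND'ed field conditions with = / !=, and a trailing
'| top [N] <field>' or '| bottom [N] <field>' pipe (default N = 10)."""
import re
from collections import Counter

# Constructed NetFlow-style events; field names follow the ESM schema
# names used on the page (sourceAddress, destinationPort, ...).
EVENTS = [
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "bytesIn": 8_000_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "bytesIn": 6_500_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21",
     "destinationAddress": "10.0.1.6", "destinationPort": 1433, "bytesIn": 120_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.22",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "bytesIn": 90_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.22",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "bytesIn": 70_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.23",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "bytesIn": 4_000},
    {"deviceProduct": "NetFlow", "sourceAddress": "10.0.20.21",
     "destinationAddress": "10.0.1.9", "destinationPort": 443, "bytesIn": 50_000},
    # A database audit event that also carries port 1433 but is not NetFlow
    # data, so the free-text term "netflow" excludes it.
    {"deviceProduct": "SQL Server", "sourceAddress": "10.0.20.30",
     "destinationAddress": "10.0.1.5", "destinationPort": 1433, "name": "Login succeeded"},
]

_COND_RE = re.compile(r"([A-Za-z]\w*)\s*(!=|=)\s*(\S+)")
_PIPE_RE = re.compile(r"(top|bottom)\s+(?:(\d+)\s+)?([A-Za-z]\w*)")


def parse_query(query):
    """Split the query into free-text terms, field conditions and the pipe."""
    head, _, pipe = query.partition("|")
    terms, conditions = [], []
    for clause in re.split(r"\s+AND\s+", head.strip(), flags=re.IGNORECASE):
        clause = clause.strip()
        if not clause:
            continue
        m = _COND_RE.fullmatch(clause)
        if m:
            conditions.append((m.group(1), m.group(2), m.group(3)))
        else:
            terms.append(clause.lower())          # free-text term
    pipe_spec = None
    if pipe.strip():
        m = _PIPE_RE.fullmatch(pipe.strip())
        if not m:
            raise ValueError(f"unsupported pipe operator: {pipe.strip()!r}")
        pipe_spec = (m.group(1), int(m.group(2) or 10), m.group(3))
    return terms, conditions, pipe_spec


def _matches(event, terms, conditions):
    """Free-text terms match any field value; conditions compare typed values."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    if not all(t in haystack for t in terms):
        return False
    for field, op, raw in conditions:
        actual = event.get(field)
        if actual is None:
            return False
        if isinstance(actual, int) and not isinstance(actual, bool):
            try:
                expected = int(raw)
            except ValueError:
                return False
        else:
            expected = raw
        if (actual == expected) != (op == "="):
            return False
    return True


def run_search(query, events=EVENTS):
    """Return matching events, or (value, count) rows when a pipe is given."""
    terms, conditions, pipe = parse_query(query)
    hits = [e for e in events if _matches(e, terms, conditions)]
    if pipe is None:
        return hits
    direction, limit, field = pipe
    ranked = Counter(e[field] for e in hits if field in e).most_common()
    if direction == "bottom":                     # least frequent first
        ranked = sorted(ranked, key=lambda kv: (kv[1], kv[0]))
    return ranked[:limit]


if __name__ == "__main__":
    # Top talkers on the Microsoft SQL Server port from the NetFlow data.
    print(run_search("netflow AND destinationPort = 1433 | top 5 sourceAddress"))
```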
The provided text appears to be a part of documentation related to HPE's ArcSight ESM/ESM Express software, possibly focusing on network management and security features. Here's a summarized version of the content in numbered steps for easier understanding:
### First Use Case (Bandwidth Usage by Port Report)
1. **Navigate to Reports**: Access the NetFlow group under /All Reports/ArcNet Reports.
2. **Select Bandwidth Usage by Port Report**: Click on the "Bandwidth Usage by Port" report within the NetFlow group.
3. **Run Default Parameters**: Execute the report with its default settings.
4. **View Results**: Open the generated report in Adobe Acrobat to view the bandwidth usage data for each port, as documented in your environment.
### Second Use Case (Worm Outbreak Investigation)
1. **Start Services**: Begin the ArcSight Web service and Replay Agent. Set the replay speed to 200 events per minute for worm events.
2. **Deploy ArcSight ESM/Express**: This software is used for perimeter security, compliance monitoring, and generating reports. It alerts you (the analyst) in case of significant security incidents.
3. **Log In**: As an analyst, log into the ArcSight ESM/Express interface using a web browser.
4. **Acknowledge Notification**: Upon receiving a phone alert about a worm outbreak, acknowledge the notification and initiate the investigation process through the console.
5. **Review Home Page**: On the main page, you can see pending notifications and cases assigned to you. Click on "pending notifications" to start the workflow.
These use case demonstrations highlight how ArcSight ESM/Express can be used for network monitoring, security event management, and reporting, providing a comprehensive solution for system administrators and security analysts.
This passage describes how to use ArcSight ESM/Express for managing security incidents. Here's a step-by-step summary of the process:
1. **Notifications**: Start by clicking on the Notifications icon and acknowledging them. Each notification provides details about an incident that requires attention, which can be quickly diagnosed by looking at all the details in another part of ArcSight ESM/Express.
2. **Cases**: If notifications are severe enough to create cases, click on the Cases icon and select one of the created cases. This allows you to keep track of incidents and follow a workflow procedure with defined stages and interfaces for managing each case. The description directs you to specific dashboards like the Worm Outbreak dashboard for quick diagnosis.
3. **Dashboard**: Navigate to the appropriate dashboard, in this case, the Worm Outbreak dashboard by expanding the device type tree and opening it. Dashboards provide real-time graphical representations of events such as spikes in activity on a port for a network node, lists of worm rules that have fired, and infected nodes.
4. **Drill-down**: Click on any element of the dashboard to perform a first level drill-down, which provides an overview of the incident. This includes details about the attacker and port involved in the outbreak.
5. **Metrics Reporting**: ArcSight can report on notification and case metrics, providing insights into how incidents are being handled and managed across your network.
This process helps in effectively managing security incidents by ensuring that all notifications are acknowledged promptly, cases are appropriately tracked and managed through a structured workflow, and detailed visualizations help in understanding the scope and nature of an incident.
The text describes a process for investigating a worm outbreak event in an IT environment using ArcSight software. Here's a summary of the steps and functions mentioned:
1. **Detection via Correlation**: The system detects a correlation between a node performing a port sweep and a spike in that node’s activity on the same port, indicating a potential worm outbreak.
2. **Investigation Tool**: Using ArcSight Express, users can click on the attacker address to investigate further. This involves creating a channel for detailed analysis of events related to the attacker.
3. **Active Channels**: These are real-time views of all events occurring within an organization. Lightning bolts indicate correlation rules that are actively firing based on specific event types.
4. **Event Inspector and Categorization**: At the lowest level of detail, users can inspect individual events using the Event Inspector feature. Events are enriched with categorizations to provide more context and structure for analysis.
5. **Case Management**: Once an understanding of the situation is achieved, actions such as blocking ports and quarantining infected machines can be taken. These actions are documented within a case management interface that helps organize the workflow.
6. **Workflow Features**: These features help users manage and track processes efficiently, ensuring all necessary steps are followed in handling security incidents.
7. **Dashboard View**: Users gain access to various graphical dashboards that provide visual representations of security activities across different devices. This aids in monitoring and trend analysis.
8. **Custom Channel Creation**: Advanced users can create their own channels for specific types of events or timeframes, enhancing the flexibility and specificity of the investigation process.
This step-by-step approach using ArcSight software helps in rapidly detecting and responding to worm outbreaks and other cyber threats by leveraging advanced analytics and visualization tools.
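The detection described in step 1 above (a node performing a port sweep combined with a spike in that node's activity on the same port) as an added, stand-alone correlation in Python. This is not ArcSight rule content; the window size, thresholds, baseline method and the flow records are constructed for the demonstration.

```python
"""Stand-alone version of the worm-outbreak correlation described above
(added example, not ArcSight rule content): flag a source only when it
both sweeps many distinct targets on one port AND its event count on that
port spikes against its own recent baseline. Thresholds are constructed."""
from collections import defaultdict


def _bucketize(events, window):
    """Group flows by (source, port, window_start) with a count and target set."""
    buckets = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in events:
        start = ev["timestamp"] - ev["timestamp"] % window
        b = buckets[(ev["sourceAddress"], ev["destinationPort"], start)]
        b["count"] += 1
        b["targets"].add(ev["destinationAddress"])
    return buckets


def detect_worm_candidates(events, window=60, sweep_min_targets=10,
                           spike_factor=5.0, min_baseline=1.0):
    """Return one alert per (source, port, window) where BOTH conditions hold:
    sweep: >= sweep_min_targets distinct destinations in the window;
    spike: count >= spike_factor * mean count of that source/port over all
    earlier windows since it was first seen (quiet windows count as 0).
    The first window a pair is seen has no baseline and is never flagged."""
    buckets = _bucketize(events, window)
    series = defaultdict(dict)                  # (src, port) -> {start: stats}
    for (src, port, start), stats in buckets.items():
        series[(src, port)][start] = stats
    alerts = []
    for (src, port), by_start in series.items():
        first = min(by_start)
        for start in sorted(by_start):
            if start == first:
                continue
            prior = [by_start.get(s, {"count": 0})["count"]
                     for s in range(first, start, window)]
            baseline = max(sum(prior) / len(prior), min_baseline)
            stats = by_start[start]
            is_sweep = len(stats["targets"]) >= sweep_min_targets
            is_spike = stats["count"] >= spike_factor * baseline
            if is_sweep and is_spike:
                alerts.append({"sourceAddress": src, "destinationPort": port,
                               "windowStart": start,
                               "targets": len(stats["targets"]),
                               "count": stats["count"], "baseline": baseline})
    return alerts


def _flow(ts, src, dst, port):
    return {"timestamp": ts, "sourceAddress": src,
            "destinationAddress": dst, "destinationPort": port}


def build_sample_events():
    """Constructed flows over three one-minute windows (port values arbitrary)."""
    events = []
    # 10.0.20.21: two flows/min to one server, then 40 distinct hosts in minute 3
    # (sweep + spike: the worm candidate).
    for minute in (0, 60):
        events += [_flow(minute + 5, "10.0.20.21", "10.0.1.5", 1434),
                   _flow(minute + 30, "10.0.20.21", "10.0.1.5", 1434)]
    events += [_flow(120 + i, "10.0.20.21", f"10.0.1.{i + 1}", 1434)
               for i in range(40)]
    # 10.0.20.40: same quiet baseline, then 30 flows to ONE host
    # (spike without sweep, e.g. a bulk transfer; must not be flagged).
    for minute in (0, 60):
        events += [_flow(minute + 5, "10.0.20.40", "10.0.1.7", 1434),
                   _flow(minute + 30, "10.0.20.40", "10.0.1.7", 1434)]
    events += [_flow(120 + i, "10.0.20.40", "10.0.1.7", 1434) for i in range(30)]
    # 10.0.20.50: a poller touching 12 hosts every minute
    # (sweep-like but no spike against its own baseline; must not be flagged).
    for minute in (0, 60, 120):
        events += [_flow(minute + i, "10.0.20.50", f"10.0.2.{i + 1}", 161)
                   for i in range(12)]
    return events


if __name__ == "__main__":
    for alert in detect_worm_candidates(build_sample_events()):
        print(alert)
```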
The ArcSight ESM/Express tool provides a dashboard view called "Security Intelligence Status" which gives an overview of the security status of your organization. This is accessed via a hierarchical menu with icons representing different devices and categories such as Anti-Virus, Database, Firewall, etc., allowing users to drill down for detailed reports. Additionally, there's a section labeled "Archived Reports," where specific reports like "Infected Systems" can be found to guide actions like quarantine, and cross-device reports provide metrics across all device types based on categorization. The system also supports regulatory compliance by providing various report types tailored for auditors, such as "Failed Logins By User." All these features are accessible via a user-friendly interface that allows users to run ad-hoc reports, schedule automated email delivery, or archive reports for future reference.
This document outlines the use of ArcSight, a software tool developed by HPE (Hewlett Packard Enterprise), for detecting and analyzing specific types of cyber threats within an organization's IT infrastructure. The demonstrations provided are designed to be conducted using the ArcSight Console Interface, with a focus on simulating the detection and response to a worm outbreak event.
The demonstration involves starting the Replay Agent to replay events from the worm outbreak, focusing initially on the Worm Propagation by Host data monitor which highlights how the worm spreads across different hosts in the network. The Worm Propagation by Zone data monitor is then switched to, allowing for visualization of where the worm is originating (typically from external networks such as the Internet) and attempting to spread next within the organization's infrastructure.
The demonstration also includes a detailed view through the Worm Infected Systems data monitor, which visually displays those systems that have been infected by the worm. This information aids in planning and executing remediation efforts to clean these systems and prevent further infection. A statistical data monitor is highlighted as it demonstrates how ArcSight uses statistical mechanisms to detect increased event volumes indicative of a potential outbreak, providing insights into specific hosts potentially affected by the worm.
Lastly, the demonstration touches on notification and escalation capabilities within ArcSight, which are used to alert IT teams about critical security incidents. This interactive feature allows for real-time visualization of alerts without constant monitoring, enhancing the efficiency and effectiveness of cyber threat detection and response efforts within organizations.
This summary outlines a demonstration of how to use ArcSight ESM/Express for advanced correlation rules and associated actions such as notification and case management. The process involves double-clicking on a notification in the event inspector to access the rule chain, which is used to correlate events generated by both rules and statistical data monitors. By discussing this correlation and exploring the content of an event, users can identify security incidents or zero-day attacks more efficiently than before with ArcSight ESM/Express.
Additionally, ArcSight provides a complete automated reporting solution that offers visibility into organizational security and compliance status through its integration capabilities with third-party systems like Protect724. The summary concludes by mentioning the ArcSight Marketplace setup process where users can access various security packages, use cases, best practices shared within the community and download them for their own use. It also highlights the need to have accounts on both ArcSight Marketplace and Protect724 for better experience and service usage.
The provided text outlines a process for utilizing HPE ArcSight Marketplace to enhance security management by accessing comprehensive resources related to legacy systems, including product documentation, best practices, use cases, guides, and content specific to Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
The user navigates through the ArcSight Console's Marketplace interface, searches for "ids," and finds an IDS - IPS Monitoring Package. The package includes a dashboard, reports, and supporting resources like filters, field sets, queries, and data monitors. This content is designed to be triggered by network IDS/IPS devices and provides visual insights into the performance of these deployed systems, highlighting top attackers and targets.
In summary, this guide demonstrates how HPE ArcSight Marketplace can facilitate security management by offering detailed resources for legacy systems like IDS and IPS technologies, enhancing monitoring capabilities through specialized use cases and dashboards.
To summarize this information, here's a brief overview of what was discussed:
1. **Alert Counts**: One can view top 10 alerts and their counts on the dashboard. Double-clicking on any slice or event provides detailed information about events, including normalized fields and categorized fields for inspection or editing.
2. **Reports**: The default reports are available by running archived reports from the Navigator Panel under Reports and Archives. Specific reports can be accessed within the ArcSight Marketplace content to review alert counts broken down by attacker and target, among others.
3. **Marketplace Content**: The ArcSight Marketplace serves as a repository for additional apps, documentation, community sharing related to ArcSight security content and SIEM best practices. It provides valuable insights and expanded capabilities beyond what is included in the standard product offerings.
4. **DNS Malware Analytics Setup**: This section outlines how to set up a demonstration of DNS Malware Analytics within the ArcSight Console using specific event files for replay, starting with DMA_DNS.events at a rate of 50 events per second. The demo involves accessing the DMA Analytics dashboard, specifically the DMA Analytics Overview, which is part of the ArcNet Dashboards.
In summary, this demonstration highlights how to leverage the ArcSight Marketplace for expanded capabilities and insights beyond standard product features, demonstrating the effectiveness of cloud-based threat detection and real-time remediation through DNS Malware Analytics.
The DNS Malware Analytics (DMA) system is designed for both standalone operation and integration with a Security Operations Center (SOC) using ESM/ESM Express as the SIEM. It consists of two main platforms: an on-premises DNS Capture Module that captures DNS traffic from internal DNS servers, and a cloud-based DNS Analytics platform which acts as a "black-box" analyzer for these events.
The DMA detects infected hosts by identifying systems with malware or suspicious activities through the captured DNS data. It sends alerts to the ESM/ESM Express or other alert handlers, allowing for further SIEM analytics and action on detected threats. The system integrates well with ESM/ESM Express, transmitting alerts in CEF format for correlation with other data sources.
The DMA Analytics Overview Dashboard provides a visual interface showing key events such as top malware analytics events, bad clients querying random domains, and more. Users can drill down into specific details of these events through the Inspect/Edit Panel, accessing detailed information including normalized fields to enhance threat detection and response.
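Since DMA hands its alerts to ESM/ESM Express in CEF format, here is an added, stand-alone CEF parser (not DMA's or ArcSight's own code) that applies the published CEF escaping rules and resolves the csN/cnN custom-field labels. The sample alert line is constructed; its vendor, product, signature ID and field values are placeholders.

```python
r"""CEF parser for alerts like the ones DMA forwards to ESM (added example,
not DMA's or ArcSight's own code). Header fields are pipe-delimited and
escape '\|' and '\\'; extension values may contain spaces and escape '\=',
'\\', '\n' and '\r'. The sample record below is constructed."""
import re

SAMPLE_ALERT = (
    r"CEF:0|Example-Vendor|DNS Malware Analytics|1.0|DMA-100|"
    r"Client querying random domains|8|"
    r"src=10.0.20.21 shost=macmini cnt=37 msg=query rate\=37/min "
    r"dhost=xk3q9.example.net cs1Label=detectionType cs1=random-domain"
)

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")


def _split_header(line):
    r"""Split the seven pipe-delimited header fields, honouring '\|' and '\\'.
    Returns (fields, remainder); the remainder is the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS) and cur:  # record with no extension
        fields.append("".join(cur))
    return fields, line[i:]


# A key starts at the beginning or after whitespace; '\=' inside a value
# never matches because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")


def _unescape_ext(value):
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    """Parse 'key=value key2=value' where values may contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Return a dict of the seven header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line)
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, fields))
    record["version"] = record["version"][len("CEF:"):]
    if record["severity"].isdigit():              # numeric severity 0-10
        record["severity"] = int(record["severity"])
    record["extension"] = _parse_extension(ext)
    return record


def resolve_custom_labels(extension):
    """Map csN/cnN custom fields to the names given in csNLabel/cnNLabel."""
    named = {}
    for key, label in extension.items():
        m = re.fullmatch(r"(cs|cn)(\d+)Label", key)
        if m and (m.group(1) + m.group(2)) in extension:
            named[label] = extension[m.group(1) + m.group(2)]
    return named


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_ALERT)
    print(rec["name"], rec["severity"], rec["extension"]["src"])
    print(resolve_custom_labels(rec["extension"]))
```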
This document outlines a use case for monitoring privileged users using IdentityView, which is now considered end-of-sale but still supported. The user should be familiar with User Behavior Analytics (UBA), as it's a distinct product and should be sold separately. The setup involves several steps in the ArcSight Console:
1. Log in to the console as an admin.
2. Navigate to the Notifications tab, acknowledge or resolve any pending/acknowledged notifications.
3. Delete any associated cases under the admin’s Cases.
4. Open and review specific dashboards related to IdentityView 2.0 for actor management, privileged user monitoring, and login activity by department.
5. Access the Active Channel for Actor Investigation - Mario Rossi.
6. Explore the Reports resource, including archived reports which are stored in PDF format under /ArcNet Archived Reports group, specifically within the IdentityView v2.0 folder.
7. View the Actors resource to review configurations and settings.
8. Adjust Event Graph options in Edit > Preferences for better visualization: source nodes as attacker host names, target nodes as target host names, with an organic layout on the graph.
9. Hide the Navigator Panel and use Inspect/Edit features while leaving the console open.
10. Start a Demo Replay Connector by selecting IdentityView_v2.0.events for replay.
The passage outlines a process for monitoring user activity within a system using ArcSight software. Here's a summary of the key points:
1. **Event Rate Adjustment**: Initially, events are set to 50 per minute, but this can be adjusted upwards to about 25 events per second if necessary after 2-3 minutes. This adjustment allows for the immediate playback of three specific events related to Mario, which include his successful logon to a Windows system and the opening of two Unix sessions.
2. **Event Sequence**: The sequence of events includes:
Mario logging on to his Windows system (one Microsoft Successful Logon event).
Mario connecting to a Unix system (two Unix session opened events).
3. **User Context Enhancement**: The passage discusses integrating user context within the ArcSight system to enrich events and build identity correlations, which aids in understanding the connections between different systems and users.
4. **Actor Model Creation**: An Actor model is created through integration with Active Directory, pulling in all user information from ARCNET.COM domain. This integration automatically groups users by Organizational Unit (OU) within Active Directory, displaying accounts under respective OUs such as Admin Accounts, Contractors, Employees, Vendors, and Service Accounts.
5. **System Representation**: The Actor model serves as a representation of all users in the system, grouping them based on their organizational unit in Active Directory. This integration helps in creating an organized view of user information across different systems.
In summary, this passage describes how to set up event monitoring for user activity using ArcSight, emphasizing the importance of context enrichment and identity correlation through a detailed Actor model that represents users within various organizational units.
When you open an object, like Mario Rossi, by double-clicking on it in a software application, you will see details specific to that person. These details are pulled from Active Directory and include attributes such as full name, employee type (like being a full-time employee), status (active), department (Marketing), user names for accessing systems, and group memberships. The software provides an overview of the actor's information in panels like Inspect/Edit Panel and Viewer Panel. The Actor Overview dashboard within the Viewer Panel gives general statistics about the person based on their data stored in Active Directory and integrated identity management system roles.
The Actor model used in the demo includes 36 Actors and multiple account IDs across those actors, roughly 3 to 4 accounts per user. This spread of identifiers across different systems and applications is what makes it hard to tell what a particular individual is actually doing on the network.
The model also records each Actor's status: 33 active and 3 disabled out of the 36. That status is what correlation rules use to monitor activity from potentially terminated employees whose accounts are disabled.
The Actor model also contains groups built from the different organizational units (OU) and departments. Broken down by department, Information Technology has the highest number of users, followed by Marketing. This level of detail shows how user roles and responsibilities are distributed across the organization.
Lastly, the role perspective from the Active Directory integration provides group membership statistics, including 95 groups, showing how many groups specific users belong to based on their role assignments.
This passage discusses the use of an Active Directory dashboard for monitoring and analyzing user and group information in large organizations. The dashboard provides insights into groups, users, and their memberships across multiple domains within the organization's Active Directory system. It highlights how having numerous groups or users belonging to many groups can lead to control issues related to least-privileged access and compliance concerns.
The passage then describes two specific dashboards available on this platform:
1. "Top Bandwidth by Actor": This dashboard shows the top bandwidth utilization from the user's perspective, rather than focusing solely on IP addresses generating traffic. It allows for a more granular view of network usage by individual users and can help in understanding which applications or systems are consuming the most bandwidth across the organization.
2. "Login Activity by Department": Another useful feature is the ability to track login activities categorized by department. This dashboard provides information about what types of systems and applications different departments' users are accessing, providing a user-centric perspective on IT usage within each department.
These dashboards leverage the system's capability to utilize user context information for more insightful analysis in areas such as network management (bandwidth utilization) and access controls (login activities). The integration of this contextual data helps in creating better correlation content across different aspects of organizational IT, offering a holistic view that can be leveraged for improving security policies, compliance, and overall user experience.
The demo then describes a policy restricting access to data centers during off-hours to authorized individuals only, such as finance professionals and tier 3 administrators. Unauthorized personnel are nevertheless still gaining access because of system misconfigurations, which leads to compliance violations and potential security risks. The notification system should alert when an unauthorized user gains access; the presenter wants immediate notifications sent by email, text message, or page so that appropriate action can be taken.
The text describes a notification system where escalation levels can change based on acknowledgement. When notifications are at level 1 and not acknowledged promptly, they will escalate to level 2, potentially involving the manager. To prevent this, one can click an acknowledge button which moves the notification from the pending queue to the acknowledged queue. The text then details how to inspect a specific notification about an employee entering the server room after hours, showing details such as the correlated event and its triggering base event. This particular notification identifies Mario Rossi, reveals that he is not part of data center operations or an IT administrator, and highlights the time of day when the violation occurred (non-business hours). The alert was generated by correlating three components: the badge event itself, the user's role during the event, and the time of day.
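The after-hours rule above correlates three things: the badge event, the actor's role from the Actor model, and the time of day; the disabled-account statistic mentioned earlier feeds the same kind of rule. The following is an added example written for this page, not ArcSight rule syntax or product code. It evaluates that three-way correlation in plain Python over a constructed actor table and constructed badge events, and models the level 1 to level 2 escalation of an unacknowledged notification. `ACTORS`, `AUTHORIZED_ROLES`, `BUSINESS_HOURS`, `ACK_WINDOW` and the names other than Mario Rossi are all assumptions.

```python
"""Correlate a badge event with the actor's role and the time of day, the way
the after-hours data center rule in the demo does (added example, not ArcSight
rule syntax), and model the level 1 -> level 2 notification escalation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed stand-in for the Active Directory-fed Actor model. Keys are the raw
# badge/user ids as they appear in events (the "cryptic number" the demo mentions).
ACTORS: Dict[str, dict] = {
    "10042": {"full_name": "Mario Rossi", "department": "Marketing",
              "roles": set(), "status": "active"},
    "10007": {"full_name": "Jane Doe", "department": "Information Technology",
              "roles": {"tier3_admin"}, "status": "active"},
    "10099": {"full_name": "Sam Lee", "department": "Finance",
              "roles": {"finance"}, "status": "disabled"},
}
AUTHORIZED_ROLES: Set[str] = {"finance", "tier3_admin"}  # allowed after hours
BUSINESS_HOURS = (8, 18)            # 08:00-18:00 local; constructed policy value
ACK_WINDOW = timedelta(minutes=15)  # constructed: time before level 1 escalates


@dataclass
class Notification:
    actor: str
    reason: str
    created: datetime
    level: int = 1
    acknowledged: bool = False


def is_business_hours(ts: datetime) -> bool:
    return BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def evaluate_badge_event(event: dict) -> Optional[Notification]:
    """Three-way correlation: badge event + actor role/status + time of day."""
    if event.get("device") != "badge_reader" or event.get("zone") != "data_center":
        return None
    ts = event["time"]
    actor = ACTORS.get(event["user"])
    if actor is None:  # id not in the Actor model at all
        return Notification(event["user"], "unknown badge id in data center", ts)
    if actor["status"] == "disabled":  # a disabled (terminated) account still badging in
        return Notification(actor["full_name"], "activity from a disabled account", ts)
    if actor["roles"] & AUTHORIZED_ROLES or is_business_hours(ts):
        return None
    return Notification(actor["full_name"],
                        f"{actor['department']} user in data center after hours", ts)


def run_rule(events: List[dict]) -> List[Notification]:
    """Apply the rule to a batch of events and keep only the ones that fired."""
    return [n for n in (evaluate_badge_event(e) for e in events) if n is not None]


def escalate(n: Notification, now: datetime, ack_window: timedelta = ACK_WINDOW) -> int:
    """A level 1 notification left unacknowledged past the window moves to level 2."""
    if not n.acknowledged and n.level == 1 and now - n.created >= ack_window:
        n.level = 2
    return n.level


def acknowledge(n: Notification) -> Notification:
    """Moves the notification from the pending queue to the acknowledged queue."""
    n.acknowledged = True
    return n


# Constructed sample events.
SAMPLE_EVENTS = [
    {"device": "badge_reader", "zone": "data_center", "user": "10007",
     "time": datetime(2025, 4, 8, 2, 15)},   # tier 3 admin, allowed
    {"device": "badge_reader", "zone": "data_center", "user": "10042",
     "time": datetime(2025, 4, 8, 2, 30)},   # Marketing user at 02:30 -> fires
    {"device": "badge_reader", "zone": "data_center", "user": "10042",
     "time": datetime(2025, 4, 8, 10, 0)},   # same user in business hours -> quiet
    {"device": "badge_reader", "zone": "data_center", "user": "10099",
     "time": datetime(2025, 4, 8, 11, 0)},   # disabled account -> fires
    {"device": "firewall", "zone": "dmz", "user": "10042",
     "time": datetime(2025, 4, 8, 2, 31)},   # not a badge event, ignored
]

if __name__ == "__main__":
    for n in run_rule(SAMPLE_EVENTS):
        print(n.level, n.actor, n.reason)
```

Note that the role check and the time check are deliberately separate from the status check: a disabled account badging in is a finding at any hour and for any role, which is why it is tested before the business-hours short-circuit.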
The text discusses a method for investigating suspicious activity within a data center by leveraging identity correlation from an ArcSight system. It starts with observing an event detail where a user name appears as a cryptic number, which is then correlated back through the Actor model to reveal the full name and department (Marketing) of the user. This information allows questioning why a Marketing employee is accessing the data center during non-business hours.
Next, the text introduces the use of an Active Channel in the ArcSight system to investigate all activities related to Mario Rossi over the past few days. Instead of manually searching through logs such as DHCP and Active Directory for all systems Mario Rossi logged into at specific times, the Active Channel automatically pulls back all relevant activity with a single filter query "Show me everything that Mario Rossi did."
Lastly, it mentions observing events from Blue Coat and Cisco devices to further analyze suspicious activities. The focus here is on leveraging advanced correlation techniques through these systems to uncover potential threats or unauthorized access within the network.
In the provided text, an example of network security monitoring using ArcSight is discussed. The scenario involves identifying user activity through event correlation based on successful logon and session opening events without a username field.
The method used for identification was session correlation, which involved analyzing multiple events to establish a pattern or sequence that could be attributed to the user in question. For instance, it was noted that the first event after successful login was a Microsoft login from Mario's desktop workstation, indicating his logged-in status and IP address (192.168.6.103). Further activities on Unix machines using different accounts were also correlated to confirm that they belong to Mario Rossi (mrossi for the first session and marior for the second).
To visualize this activity in a more understandable manner, the text suggests using ArcSight’s Event Graph feature. This tool allows for grouping of events like Microsoft login and Cisco NetFlow events together, which provides a hierarchical layout that is easier to interpret. When viewed through this lens, patterns such as IP addresses, account usages, and session connections become clearer, indicating countries of origin in the network traffic (e.g., China and Brazil).
The visual representation provided by the Event Graph helps in quickly understanding the sequence of activities associated with Mario Rossi's logged-in status on the network, highlighting both normal usage patterns and potentially suspicious activity that warrants further investigation.
This passage describes an incident where a user named Mario from a desktop established an initial session. Through the use of a Blue Coat proxy, it was observed that he attempted to access personal email accounts and several job hunting websites like careerbuilder.com, monster.com, and hotjobs.com. These actions were considered early warning signs for potential dissatisfaction with his current position within the company.
Additionally, Cisco NetFlow events indicated that Mario used anonymous proxies to visit foreign countries' anonymous sites and a known hacking website in China. This behavior suggested possible data exfiltration or intellectual property theft from the company. He might have been downloading hacking tools to engage in sabotage activities once he left the organization.
Based on this observation, it was recommended that an escalation should be made to human resources through the case management system within ArcSight for further investigation and handling.
The document outlines a procedure for investigating an incident involving an employee (Mario Rossi) being badged into a server room after hours. To begin the investigation, open the specific case in question on the platform. Here you can find various attributes including stages, impact, severity, which are customizable and assignable to different users. The initial tab also provides tracking mechanisms for monitoring the progress of this incident.
Next, navigate to the 'Events' tab where you will see both correlated alerts (based on the alarm triggered) and original base events that led to this alert. To continue with the investigation:
1. Close the Navigator Panel and open the Viewer Panel.
2. Show the Actor Investigation - Mario Rossi Active Channel by right-clicking on selected events in the Active Channel.
3. Lock the case for editing, then select 'Add to Case' from the context menu (Case in Editor).
4. Expand the Other selected Event(s) under the Events tab in the case to add these events to the case. Click 'Apply' to save the changes made to the case.
5. As part of this evidence, you can also add an Event Graph view by right-clicking and selecting 'Add Graph View to Case'. This visual representation helps greatly in understanding the situation at hand.
6. Finally, check the Attachments tab within the case to confirm that the additional attachments or evidence have been added successfully.
The paragraph discusses the use of an Archived Report in a digital forensics case involving evidence bundling and reporting capabilities. It explains how, after closing the Inspect/Edit Panel and opening the Navigator Panel, one can select the Reports resource, navigate to the Archives tab, and open the "Archived Report All Activity for Specific Actor - Mario Rossi.pdf". The report includes a visual graph that summarizes various applications accessed by the specific actor (Mario Rossi), such as badge reader, Cisco NetFlow, Windows, Blue Coat, and Unix systems.
Below the graph, there is a table with detailed information about the traffic's origin and destination based on session correlation. Although some events do not include user name information, thorough analysis through this method confirms that the activity belongs to Mario Rossi. The report provides a quick visual understanding of the digital activities associated with the case and can be saved as a copy and attached to the case for further use in human resources or legal processes.
The provided text outlines a process for using ArcSight to review and analyze shared account login activities during a policy violation investigation. Here’s a summarized step-by-step guide:
1. **Login**: Start by logging into the ArcSight Console as an admin user.
2. **Notifications Tab**:
Acknowledge any pending notifications.
Delete any associated cases under the admin's cases.
3. **Dashboards**:
Navigate to `/ArcNet Dashboards/IdentityView v2.0/Shared Accounts/` and open the **Shared Account Logins** dashboard.
4. **Reports**:
Open the Reports, Archives tab in the Navigator.
Expand the entire tree under `/ArcNet Archived Reports group`.
Locate reports generated for IdentityView v2.0 which are saved as PDF files in the Report Archives.
5. **Adjust Interface**:
Hide the Navigator and Inspect/Edit panels to focus on the Console.
6. **Demo Replay Connector**:
Select event files: `IdentityView_v2.0.events`.
Start replaying these files at a rate of 50 events per minute initially, then adjust to approximately 25 events per second if needed.
This process is designed to quickly compile all relevant activity and evidence related to the shared account login activities under investigation into a coherent case that can be handed off to appropriate authorities. The text also notes that IdentityView is still supported but has reached its end of sale, suggesting use of User Behavior Analytics as an alternative.
The text describes a process for handling notifications and incidents related to shared account logins in a network environment monitored by ArcSight. Here’s a summary of the key points mentioned:
1. **Notification Acknowledgment**: When there are pending notifications assigned to an individual, they need to acknowledge them through the Console. This action starts the workflow process where one needs to view and accept any incident notifications.
2. **Alert Page**: The alert page is the starting point for handling incidents related to notification of shared account logins. It involves viewing and acknowledging these notifications.
3. **Escalation Process**: ArcSight provides a mechanism for escalating issues, which in this case would be when an employee uses a shared account on servers within a specific segment of the network. The process includes:
Identifying that shared accounts are used but are against corporate policy specifically for the mentioned server segment.
Noting the use of a root user as the target username in session opened events, which triggers the notification and incident escalation system.
4. **Incident Details**: When an incident is triggered by a notification about the shared account login, details such as the identity name and department are highlighted. This helps in quick diagnosis and understanding of what led to the notification.
5. **Network Model and Rule Monitoring**: The rule that triggers this notification specifically monitors for behavior within a particular network segment. ArcSight highlights the attacker and target zone fields in events related to this incident, which reflect how the system is designed to detect such incidents based on predefined rules about monitoring specific segments of the network.
6. **Dashboard Overview**: A custom dashboard named "Shared Account Logins" provides an overview of all shared account activities within the environment, including details like source and target address, applications, and the shared accounts used. This dashboard is customized to use Data Monitors instead of the Query Viewers seen in default dashboards.
This process demonstrates how a security monitoring tool like ArcSight can be configured to alert and respond to specific risky behaviors in an organization's network environment, using customizable dashboards for quick situational awareness.
The text then discusses the drill-down capabilities of the dashboard, emphasizing its dynamic updating and the right-click "Investigate" feature for detailed analysis. It specifies that double-click drill-down is not supported but highlights the use of a filter with an inactive list condition to facilitate investigation. The guide gives specific steps for navigating the dashboard to view event details: start by right-clicking on David West in the "Top Known Shared Accounts in User" section and selecting "Investigate". This opens an active channel, which can be investigated further by creating a new Active Channel with the filter.
The guide explains that if additional event files are used (like demoexpress-SP1.events or arcexpressdemo.events), this Active Channel and Field Set will display events unrelated to identities. It then moves on to discuss how to view detailed information by opening the "Archived Report: Logins to Known Shared Accounts – Details.pdf" for a comprehensive overview of shared account activity, including attacker and target zone details.
Finally, it addresses potential questions from the customer about different columns in the report, emphasizing the value of IdentityView's ability to pinpoint actors by name or IP address using its network model capabilities.
This document outlines the process for demonstrating how ArcSight ESM/Express (ESM) and IdentityView can be used to track login activities of a legacy application with shared accounts in an environment lacking user access control capabilities, such as MyLegacyApp. The use case focuses on using the SystemUser account, which has full administrative privileges across all users, for compliance purposes related to tracking who accesses this proprietary application.
To execute the demonstration:
1. Log into the ArcSight Console as an administrator and navigate to the Notifications and Dashboards sections.
2. Access the specific IdentityView v2.0 dashboard named "Shared Accounts" within the /ArcNet Dashboards section, where you will find a report titled "MyLegacyApp Login Sessions".
3. Proceed to view archived reports related to this use case by accessing the Reports tab under the ArcNet Archived Reports group in the Navigator, and then navigate to the IdentityView v2.0 directory to locate relevant reports.
4. Begin demonstrating the use case by setting up a demo replay of event files associated with IdentityView_v2.0 at a rate of 50 events per minute initially, adjusting as necessary after 2-3 minutes based on performance requirements.
The main purpose is to illustrate how ArcSight ESM/Express and IdentityView can help address the challenge of tracking login activities in legacy applications that use shared accounts without user access control features, ensuring compliance through detailed reporting and analytics within the application environment.
This document outlines a use case for monitoring activity using the SystemUser account within a system called MyLegacyApp. The purpose is to demonstrate how events can be correlated back to an accountable user (Chan Siu Ming) using IdentityView in ArcSight Console. Here's a summary of the key points and actions mentioned:
1. **Event Monitoring**: From the MyLegacyApp Event Graph Data Monitor dashboard, you can double-click on any activity to view detailed event details. This allows for tracking specific activities within the application.
2. **Identifying the Active Channel Field**: In this field, you can see the value of IdentityView, which is used to tie shared account activity back to an identity, in this case, Chan Siu Ming.
3. **Correlation Options**: Right-click on any correlated events and select Correlation Options to view a detailed correlation chain. Without ArcSight ESM/Express or detailed IdentityView capabilities, it would be challenging to track the SystemUser account activity back to the accountable user. Highlighting the role of the SystemUser in this process is crucial for compliance and accountability.
4. **Reporting Compliance**: The use case emphasizes the importance of reporting tools like the MyLegacyApp Login Sessions report. This report is used by auditors to show access to the application using the shared SystemUser account, ensuring compliance with auditing requirements. Such reports can be run both ad-hoc and on a scheduled basis.
5. **End of Sale Notice**: A note informs that IdentityView, though still supported, will reach end of sale status soon, recommending User Behavior Analytics as an alternative for monitoring user behavior in a more modern context.
6. **Setup Instructions**: The setup process involves logging into the ArcSight Console as an admin, acknowledging and deleting any pending notifications under admin's Cases, opening specific IdentityView dashboards, and accessing archived reports through the Reports Navigator pane.
Overall, this use case demonstrates how to effectively monitor user activity using the SystemUser account in a legacy system like MyLegacyApp, ensuring that activities can be traced back to accountable users for compliance purposes.
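Three passages on this page rest on the same mechanism: the session correlation that tied Mario Rossi's Unix sessions (with no matching user name) back to him through the Windows logon from 192.168.6.103, the shared-account rule that fires on `root` as the target user within a particular server segment, and the MyLegacyApp use case that ties `SystemUser` activity back to Chan Siu Ming. The block below is an added example written for this page, not IdentityView's or ESM's implementation. It attributes each event to an actor either directly through the account-to-actor mapping or, when the account is shared or absent, through the most recent interactive logon seen from the same source address inside a time window; the policy rule and the "Login Sessions" report rows are then computed over the attributed events. The `ACCOUNT_TO_ACTOR` table, `RESTRICTED_ZONE`, `SESSION_WINDOW`, the Finance department for Chan Siu Ming, and all addresses and timestamps in `SAMPLE_EVENTS` are constructed assumptions; the last event shows the failure mode where a logon is too old to vouch for a later shared-account login, so the event stays unattributed rather than being guessed.

```python
"""Session correlation (added example; not ArcSight's rule engine): attribute
events that carry no usable user name, or whose target user is a shared
account, to the actor behind the most recent interactive logon from the same
source address, then apply the shared-account policy rule to the result."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed actor model: account ids as they appear in events -> (actor, department).
ACCOUNT_TO_ACTOR: Dict[str, Tuple[str, str]] = {
    "mrossi": ("Mario Rossi", "Marketing"),
    "marior": ("Mario Rossi", "Marketing"),
    "csming": ("Chan Siu Ming", "Finance"),   # department is a constructed value
}
SHARED_ACCOUNTS = {"root", "SystemUser"}
# Constructed: the server segment where shared-account logins are against policy.
RESTRICTED_ZONE = ip_network("10.10.2.0/24")
SESSION_WINDOW = timedelta(hours=8)   # constructed: how long a logon "owns" an address


def _t(h: int, m: int) -> datetime:
    return datetime(2025, 4, 8, h, m)


# Constructed sample events; only the Microsoft logon events carry a real user name.
SAMPLE_EVENTS: List[dict] = [
    {"time": _t(8, 50), "device": "Microsoft", "name": "Successful Logon",
     "src": "192.168.6.120", "user": "ARCNET\\csming"},
    {"time": _t(9, 0), "device": "Microsoft", "name": "Successful Logon",
     "src": "192.168.6.103", "user": "ARCNET\\mrossi"},
    {"time": _t(9, 5), "device": "Unix", "name": "Session opened",
     "src": "192.168.6.103", "dst": "10.10.1.5", "target_user": "mrossi"},
    {"time": _t(9, 10), "device": "Unix", "name": "Session opened",
     "src": "192.168.6.103", "dst": "10.10.1.6", "target_user": "marior"},
    {"time": _t(9, 15), "device": "Cisco NetFlow", "name": "Flow",
     "src": "192.168.6.103", "dst": "203.0.113.7"},             # no user field at all
    {"time": _t(9, 20), "device": "Unix", "name": "Session opened",
     "src": "192.168.6.103", "dst": "10.10.2.9", "target_user": "root"},
    {"time": _t(9, 30), "device": "MyLegacyApp", "name": "Login",
     "src": "192.168.6.120", "dst": "10.10.3.3", "target_user": "SystemUser"},
    {"time": _t(19, 0), "device": "MyLegacyApp", "name": "Login",
     "src": "192.168.6.120", "dst": "10.10.3.3", "target_user": "SystemUser"},  # logon too old
]


def actor_for_account(account: str) -> Optional[Tuple[str, str]]:
    """Direct lookup of an account id (with or without DOMAIN\\ prefix) in the actor model."""
    return ACCOUNT_TO_ACTOR.get(account.split("\\")[-1].lower())


def attribute_sessions(events: List[dict], window: timedelta = SESSION_WINDOW) -> List[dict]:
    """Return copies of the events in time order with 'actor' and 'department' filled in.

    A Microsoft Successful Logon marks its source address as belonging to that
    actor; later events from the same address inside the window inherit the
    actor when their own account cannot be resolved (shared account or no user)."""
    ip_owner: Dict[str, Tuple[Tuple[str, str], datetime]] = {}
    out: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ev = dict(ev)
        account = ev.get("user") or ev.get("target_user") or ""
        actor = actor_for_account(account)           # None for root/SystemUser/no user
        if ev["device"] == "Microsoft" and ev["name"] == "Successful Logon" and actor:
            ip_owner[ev["src"]] = (actor, ev["time"])
        if actor is None:
            owner = ip_owner.get(ev["src"])
            if owner and ev["time"] - owner[1] <= window:
                actor = owner[0]
        ev["actor"], ev["department"] = actor if actor else (None, None)
        out.append(ev)
    return out


def shared_account_violations(attributed: List[dict]) -> List[dict]:
    """Policy rule from the demo: a shared account as target user on the restricted segment."""
    return [
        {"time": ev["time"], "shared_account": ev["target_user"], "target": ev["dst"],
         "actor": ev["actor"], "department": ev["department"]}
        for ev in attributed
        if ev.get("target_user") in SHARED_ACCOUNTS and ip_address(ev["dst"]) in RESTRICTED_ZONE
    ]


def login_sessions_report(attributed: List[dict], shared_account: str) -> List[Tuple[datetime, str, Optional[str]]]:
    """Rows for a 'Login Sessions' style report: each use of one shared account and who was behind it."""
    return [(ev["time"], ev["dst"], ev["actor"])
            for ev in attributed if ev.get("target_user") == shared_account]


if __name__ == "__main__":
    att = attribute_sessions(SAMPLE_EVENTS)
    for ev in att:
        print(ev["time"].time(), ev["device"], ev.get("target_user", "-"), "->", ev["actor"])
    print(shared_account_violations(att))
```

Two design points matter for an auditor reading the resulting report: attribution by source address is only as good as the logon evidence behind it, so the window should be tied to real session lifetimes rather than left generous, and an unattributed shared-account login (the `None` row) should be surfaced as a gap, not silently dropped.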
This text provides a step-by-step guide and highlights the importance of reviewing reports in an IdentityView v2.0 system for understanding access rights within various departments and employee types, as well as showing how to review specific reports from the Report Archives using HPE Confidential guidelines. The process involves navigating through the software to view PDF files related to user activity by department or type, such as login activities, which are crucial for determining appropriate access levels in an IT environment.
