HP ArcSight - Default Content - All Resources - ESM 6.x

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This document outlines the various types of data and metrics collected through the different systems and applications used in an organization's security operations center (SOC). These include network monitoring, intrusion detection, Cisco device management, NetFlow monitoring, IPv6 traffic analysis, and more. The primary purpose is to provide a comprehensive view of the system's health, performance, and vulnerabilities, enabling proactive measures against potential cyber threats and enhancing the overall security posture.

### Data Collection and Analysis:

1. **Network Monitoring**: Continuous monitoring of network traffic for anomalies, unauthorized access attempts, and potential security breaches, including analysis of IP addresses, ports, protocols, and data flows.

2. **Intrusion Detection Systems (IDS)**: Use of IDS tools to detect and alert on malicious activity such as hacking attempts, malware infections, and denial-of-service attacks. These are typically integrated with ArcSight for centralized management and reporting.

3. **Cisco Device Management**: Monitoring of configuration changes in Cisco devices such as routers, switches, and wireless controllers, including tracking of interface statistics, VLANs, IP addresses, and security configurations.

4. **Netflow Monitoring**: Collection and analysis of network flow data to understand traffic patterns and bandwidth usage and to identify potential bottlenecks or misconfigurations.

5. **IPv6 Traffic Analysis**: Monitoring and analysis of IPv6 traffic for compliance with organizational policies and regulatory requirements, including tracking the use of new protocols and configurations introduced by IPv6.

6. **User Access Tracking**: Logging of user sessions, including VPN logs, direct logins to systems, and application usage, to detect potential unauthorized access or suspicious activity.

7. **Vulnerability Assessment**: Regular scanning and analysis of systems for known vulnerabilities using tools such as Nessus or OpenSCAP, including tracking the criticality and remediation status of discovered vulnerabilities.

8. **Configuration Change Tracking**: Monitoring of changes to system configurations, applications, and network settings to detect unauthorized modifications that could lead to security risks.

9. **Event Correlation**: Analysis of events from various sources (for example, IDS alerts and log files) to identify patterns and correlations that suggest potential cyber threats or malicious activity.

10. **Storage Management**: Ensuring adequate storage space for logs, event data, and system backups to prevent performance degradation and ensure compliance with information retention policies.

### Reporting and Analytics:

  • **Daily Trend Reports**: Summaries of key metrics such as asset restarts, critical system events, most common account login attempts and failures, user account modifications, vulnerability tracking by criticality and exposure, and attack rates prioritized by service and target zone. These reports help in understanding the overall health of the systems and can be used for trend analysis to improve security measures.

  • **Security Incident and Event Management (SIEM)**: Centralizing all log data from various sources in a single platform such as ArcSight for real-time monitoring, alerting on potential threats, and automated incident response.

  • **Compliance Reporting**: Generating reports on compliance with regulatory standards such as GDPR and HIPAA by tracking the collection, use, and retention of personal information in accordance with legal requirements.

  • **Performance Metrics**: Tracking metrics such as EPS (events per second), storage space usage, resource utilization for reporting queries, and failed queries to ensure optimal system performance and capacity planning.

### Conclusion:

The comprehensive data and metric collection outlined above provides a robust framework for monitoring the health, security posture, and potential vulnerabilities of an organization's information technology infrastructure. By leveraging technologies such as ArcSight and integrating with other systems such as Cisco devices and network management tools, organizations can achieve real-time visibility into their IT environments, detect threats early, and respond efficiently to incidents. This proactive approach enhances organizational resilience against cyber threats and ensures compliance with relevant data protection regulations.

Details:

The document lists various "Resource Names" associated with different channels and categories within the system, primarily focused on monitoring and security events. These include:

1. Anti-Virus Information and events related to anti-virus software.

2. Connector upgrades, caching events, connection status events, and actor audit events in the ESM (Event Management System).

3. ASM (Application Security Monitoring) events within the ESM system.

4. Query viewer and report status, and trend status from resources within the ESM system.

5. Logger application, platform, and system health events.

6. Core security analysis related to system security.

7. Cisco Firewall Systems, IPS Systems, Network Systems, Wireless Systems, and various other Cisco products, for monitoring alerts, critical issues, errors, and network device interface notifications.

Each resource name corresponds to a specific type of event or data being monitored within the system, which is crucial for maintaining security and operational health across the different technological components.

The document also outlines the active channels within the ArcSight Foundation and Cisco Monitoring products, covering different types of events from various devices and systems. These include intrusion prevention system (IPS) sensor events from Cisco IPS Sensor Systems; error, status, and attack monitoring events across multiple platforms including AIX, AS400, AirMagnet, BlueCoat, Cisco, DB2, EPO, firewall events, identity management events, Microsoft SQL Server events, network events, Oracle, and more; reconnaissance activities; access initiation and termination events; and an overview of the application, operating system, and service environments. This setup is designed to monitor and analyze cyber threats and security incidents effectively.

The document further lists "active channels" and "active lists" related to different aspects of system monitoring, security management, and event handling within the ArcSight platform. The categories include intrusion monitoring, vulnerability scanning, network monitoring, workflow management, system health tracking, connector information, licensing data, content management history, attacker and target tracking, user authentication events, and more. These active channels provide real-time or near-real-time updates on security incidents, performance issues, configuration changes, and other relevant activities within the organization's IT infrastructure.

It also lists the system monitoring and alert dashboards within the ArcSight platform, focusing on security-related activities. The list includes alerts for suspicious countries, configuration modifications, intrusion attacks, worm outbreaks, firewall blocks, user logon types, event analysis, resource reporting, storage status, connector connection and cache status, device status, user sessions, CPU and memory usage, network configurations, and synchronization details. Each item is part of a specific dashboard designed to monitor a different aspect of the system's performance and potential security threats. The data within these dashboards is critical for maintaining the integrity and security posture of the organization's IT infrastructure, as well as for identifying and responding to cyber-attacks.

The Cisco and generic network security, monitoring, and configuration dashboards within the ArcSight Foundation framework monitor the following primary functions:

1. **Firewall and Intrusion Prevention System Events**: Detailed logs from various firewalls (Cisco ASA, Generic Firewall, FWSM) and intrusion prevention systems (IPS, IOS IPS, IPS Sensor), including denied connections and alerts.

2. **Network Event Overview**: Analyzes network interface status across devices.

3. **Access Points and Wireless Security**: Monitors access points for wireless networks.

4. **Web Transactions and Email Security**: Tracks web transactions via Cisco IronPort WSA and email security appliances (ESA), including sender and recipient details, transaction connections, and overall traffic patterns.

5. **Configuration Changes and Errors**: Monitors changes in system configurations and identifies database errors.

6. **Host Problems and Configuration Modifications**: Identifies issues with hosts, such as a problems overview and modifications to host configuration.

7. **Attack Rates**: Detailed analysis of attack rates, segmented by service, zones, customers, and overall top customer statistics.

This monitoring setup is crucial for maintaining the security and operational integrity of Cisco network infrastructure and detecting potential threats or misconfigurations.

The dashboards within the ArcSight Foundation for Intrusion Monitoring cover aspects such as attack rates, DoS events, reconnaissance activities, user tracking, virus and worm outbreaks, security activity, and more. These dashboards provide detailed insight into the status of attacks, the types of services affected, the geographic spread of worms, business impact analysis, and overall system health. This information is crucial for understanding the effectiveness of the security measures in place and helps in making informed decisions to improve network safety and operational efficiency.

The dashboard and data monitor entries from the ArcSight Foundation suite focus on network monitoring, intrusion detection, bandwidth usage, device activity, traffic analysis, case tracking, escalation, system health, storage performance, database statistics, connector status, and more. Key components include:

1. **Intrusion Monitoring**: Includes detailed views such as "Security Activity Statistics," "Threat View," and "Traffic Monitoring."

2. **NetFlow Monitoring**: Monitors bandwidth usage with metrics like "NetFlow Bandwidth Usage Monitoring."

3. **Network Monitoring**:

  • **Bandwidth Usage**: Tracks current, inbound, and outbound bandwidths.

  • **Device Activity**: Provides overviews of firewall connections, network status, and VPN connection statistics.

  • **General**: Highlights top traffic to mail and web servers, as well as a moving average of overall traffic.

  • **Inbound Traffic**: Analyzes moving averages, specific application protocols, and hosts involved in inbound traffic.

  • **Outbound Traffic**: Similar analysis is done for outbound traffic by application protocol and host.

4. **Workflow**: Tracks cases through various stages, including tracking, escalation, and resolution times.

5. **Data Monitor**:

  • **System Health**: Monitors storage status (archive disk space, recent events), database performance statistics (free space, insert/retrieval times over the last 24 hours and hour), and connector status (connection and cache).

  • **Configuration Changes**: Logs changes in actors, resources, and system deletions/inserts.

This summary shows how ArcSight Foundation is used to monitor and manage network security, performance, and operational aspects across various devices and systems.

The ArcSight Administration content covers Event Management System (ESM) monitoring, event analysis, system health, resource management, user access, logger status, and configuration changes. Key areas covered include:

1. **Configuration Changes**: Tracking of resources, change logs, and an overview of configuration changes within ArcSight.

2. **Event Analysis Overview**: Monitoring of events such as counts by connector, device address, and vendor and product; critical condition tests; system information; event throughput statistics; and more.

3. **System Health**: Health metrics such as resource reporting, rule status, trends in queries returning no results, database transaction volume, storage, and user sessions, including logs for consoles and ArcSight Web.

4. **Resource Management**: Updates to systems and resources, such as recent system resource updates, partial matches per rule, rule error logs, and statistics for reporting subsystems such as ArcSight Reporting Statistics and currently running reports.

5. **User Access**: Monitoring of user sessions, including the status of ArcSight users, details of currently logged-in users, the notification log, and access logs.

6. **Logger Overview**: Monitoring of disk usage, hardware status, and CPU and memory usage statistics over different time frames (last 10 minutes, last hour).

These categories collectively provide a detailed view of the operational state and performance of an ArcSight system, enabling proactive management and troubleshooting to ensure optimal functionality and security.

The data monitors for a system named "My Logger" under ArcSight Administration cover CPU and memory usage, hardware sensors (CPU, FAN, System), disk read/write rates, network traffic, EPS (events per second) usage, sensor type status, firewall monitoring, IDS-IPS monitoring, Windows monitoring, NetFlow monitoring, security activity, and Cisco device monitoring. The data is presented in both 10-minute and hourly summaries, with a specific focus on the last hour for metrics such as memory usage, disk read/write rates, network usage, EPS usage, and disk usage. It also includes details about denied outbound connections, internal connection drops, top alert destinations, sources, types, and alerts, event log alerts, Windows events, operations, reporting devices, bandwidth usage by destination, source, well-known ports, and non-well-known ports, and more.

The Cisco Monitoring content covers Cisco's network monitoring and intrusion prevention system functionality, focusing on the various products and their associated event flows, alerts, and statistical data. The information is organized into categories such as "IPS Event Flow Statistics by Device" and "Top IPS Alert Techniques/Alerts", and product-specific sections such as "Cisco Adaptive Security Appliance (ASA)", "Cisco Firewall Services Module (FWSM)", and "Cisco IOS Intrusion Prevention System". It also includes data on wireless networks, device inbound and outbound interface status, and statistical summaries of successful configuration changes, offering detailed insight into the performance and functionality of Cisco's network security solutions across different platforms and devices.

The data monitors and summaries related to Cisco's network security products cover intrusion prevention system (IPS) sensors, email security appliances, web security appliances, and other configuration changes within the organization. The data includes alerts from IPS sensors, event flow statistics for both IPS devices and specific appliances, configuration change logs, database errors, host problems, attack rates, and more. This content is part of the larger Data Monitor ArcSight Foundation suite, which is used to monitor and manage Cisco's network security infrastructure.

The intrusion monitoring and attack rate content is organized by customer, service, and zone, with sections such as "Customer Attack Rates," "Top 10 Customer Attack Rate Statistics," "Attackers," "DoS (Denial of Service) Events," and "Critical Asset Monitoring." Key findings include:

  • **Customer Attack Rates:** Detailed statistics showing the attack rates broken down by zones, targeted zones, services, attacker zones, and customer.

  • **Top 10 Customer Attack Rate Statistics:** Provides a summary of the top customers based on their attack rate statistics, categorized further by service and zones.

  • **Attackers:** Includes data on critical attacker assets and attacks.

  • **DoS Events:** Covers inbound event spikes related to firewalls, hosts, networks, and services.

  • **Critical Asset Monitoring:** Details the count of critical asset groups, specific critical target assets, and anomalies associated with these assets, along with information about top attackers targeting critical assets.

This report is crucial for understanding the nature and severity of the cyber threats faced by an organization, based on detailed analysis from ArcSight Foundation's intrusion monitoring content.

The intrusion monitoring content of the ArcSight Foundation platform categorizes security activity including web service attacks, reconnaissance activity, security incidents such as failed logins and successful attacks, user tracking details such as login events and identity management issues, and potential malware infections such as trojans and worms. Key components monitored include:

1. **Web Service Targets**: The top 10 web services under attack, based on service-specific activity such as Web Attacks.

2. **Service Attacks**: Detailed monitoring of attacks targeting specific communication, database, email, and other web services, ranging from simple activity to complex cyber threats.

3. **Reconnaissance Activities**: Tracking of reconnaissance efforts, including scanning activity on hosts, zones, and scanners, and the top scanned zones.

4. **Security Activity**: Monitoring of failed logins, commonly used ports, firewall-blocked machines, successful attacks, and indicators of potential security breaches such as trojaned or worm-infected machines.

5. **User Tracking**: Detailed tracking of user activity such as login attempts (successful/failed), authentication failures, outbound mail over 20 MB, and actions taken on the network by users.

This monitoring setup aims to provide a holistic view of potential threats and security breaches, enabling proactive measures against cyber threats.

The data monitors available under the intrusion monitoring categories of the ArcSight Foundation include, but are not limited to:

1. **User Tracking**: Detailed tracking of user logins, with a specific focus on network login (last 10 failed/successful events), operating system login (same metrics), and VPN login (again, last 10 failed/successful events). It also covers top users by login activity across the different platforms.

2. **Login Results**: An overview of the results of the various login types (network, operating system, and VPN), indicating whether they succeeded or failed.

3. **Top Users by Login Activity**: The most frequently active users by login attempts across the different systems (network, OS, VPN).

4. **Anti-Virus Information**: Updates and infections reported by the anti-virus software, including the last 10 errors and the top offenders in terms of errors or infected systems.

5. **Malware and Virus Activities**: Covert channel operations, real-time malware tracking, outbound high-port traffic, virus activity by host and zone, and worm outbreaks, including target port activity, spread analysis (by attacker, host, and zone), and geographic views of worm spread.

6. **Executive Summaries**: A high-level view of attacked or compromised systems.

These are the key areas monitored to ensure comprehensive security oversight, allowing detailed analysis and strategic decision making regarding user access, system vulnerabilities, and malware threats.

The report also covers network security and system monitoring more broadly, using the ArcSight platform for data analysis, with sections that provide insight into system performance, threats, and events across multiple operational levels of an organization's IT infrastructure. Key areas include:

1. **Executive Summaries**: High-level overviews of successful attacks categorized by location (by business role), type, and severity.

2. **Operational Summaries**: Detailed information about the current state of applications, operating systems, services, and events, such as application event counts, OS event counts, service event counts, and the top 10 application events.

3. **Security Activity Statistics**: Statistics on application protocol events, total event counts by hour and address space, recent events, top attacker IPs, categories, connectors, target IPs, and transport protocols.

4. **Threat View**: Correlated events at high and very high severity.

5. **Traffic Monitoring**: Non-US destination traffic monitoring.

6. **Business Roles**: Status summaries for development and operations roles, infrastructure roles, revenue generation roles, and security device roles.

7. **Worm Infected Systems**: Systems potentially infected by worms, based on intrusion detection data.

This structure gives a comprehensive view of the organization's IT environment from both an operational and a strategic defense perspective, using network monitoring tools to detect and respond to potential threats effectively.

The network monitoring and traffic analysis data monitors within the ArcSight Foundation framework include the following metrics:

1. **Traffic Monitoring/Top Non-US Destinations - Graph**: Displays a graphical representation of traffic to the top non-US destinations.

2. **Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Traffic Monitoring/Top Non-US Sources - Graph**: Similarly, shows a graph of the top non-US source locations in network traffic.

3. **NetFlow Monitoring**:

  • **Inbound Bandwidth (Bytes Per Second)**: Measures the amount of data received per second from external sources.

  • **List of Top Bandwidth Usage (MB) Events**: Lists high bandwidth usage events, measured in megabytes.

  • **Outbound Bandwidth (Bytes Per Second)**: Measures the amount of data sent out to other networks or devices.

4. **Network Monitoring/Bandwidth Usage**:

  • **Current Bandwidth**:

    • **Inbound Bandwidth - Last Minute**: Current inbound bandwidth usage over the last minute.

    • **Outbound Bandwidth - Last Minute**: Current outbound bandwidth usage over the last minute.

  • **Inbound Bandwidth - Last 10 Minutes**: Inbound bandwidth usage averaged over the last 10 minutes.

  • **Inbound Bandwidth - Last Hour**: Inbound bandwidth usage averaged over the last hour.

  • **Outbound Bandwidth - Last 10 Minutes**: Outbound bandwidth usage averaged over the last 10 minutes.

  • **Outbound Bandwidth - Last Hour**: Outbound bandwidth usage averaged over the last hour.

5. **Network Monitoring/Device Activity**:

  • **Firewall Connection Overview**:

    • **Top 10 Accepted Ports (Inbound)**: Lists the top accepted inbound ports based on firewall rules.

    • **Top 10 Accepted Ports (Outbound)**: Lists the top accepted outbound ports.

    • **Top 10 Denied Ports (Inbound)**: Lists the top denied inbound ports.

    • **Top 10 Denied Ports (Outbound)**: Lists the top denied outbound ports.

    • **Top 10 Hosts With Denied Inbound Connections**: Identifies the hosts with the highest number of denied inbound connections.

    • **Top 10 Hosts With Denied Outbound Connections**: Identifies the hosts with the highest number of denied outbound connections.

  • **Network Status Overview**:

    • **Devices with High Error Rates**: Lists devices experiencing a high rate of errors or issues.

    • **Last 10 Critical Network Events**: The most recent critical network events, summarized.

    • **Last 10 Interface Down Messages**: Summaries of the last 10 interface down messages.

    • **Last 10 Interface Status Messages**: Summaries of the last 10 interface status messages.

  • **VPN Connection Statistics**:

    • **Top VPN Servers with Authentication Errors**: Identifies the top VPN servers with authentication errors.

    • **Top VPN Servers with Denied Connections**: Lists the top VPN servers with denied connection attempts.

    • **Top VPN Servers with Successful Connections**: Lists the top VPN servers with successful connections.

    • **Top VPN Users with Authentication Errors**: Identifies the VPN users experiencing the most authentication errors.

6. **Network Monitoring/General**:

  • **Top Traffic to Mail Server**:

    • **Top Traffic from External to Mail Server (Request)**: Measures traffic requests from external sources to mail servers.

    • **Top Traffic from External to Mail Server (Response)**: Measures responses from mail servers sent to external sources.

    • **Top Traffic from Internal to Mail Server (Request)**: Measures internal network requests to mail servers.

    • **Top Traffic from Internal to Mail Server (Response)**: Measures responses from mail servers within the internal network.

  • **Top Traffic to Web Server**:

    • **Top Traffic from External to Web Server (Request)**: Measures traffic requests from external sources to web servers.

These data monitors and their associated metrics provide a comprehensive view of network activity, security incidents, bandwidth usage, device status, and traffic patterns within an organization's network.

The document also lists data monitors and field sets related to network monitoring, traffic analysis, antivirus information, connector monitoring events, actor audit fields, query status, logger application and platform events, system health events, and asset information. These items are part of the ArcSight Foundation framework for network management and security monitoring. Key areas covered include:

1. **Network Monitoring**:

  • Top traffic to and from a web server (internal and external).

  • Traffic moving averages categorized by protocol types (ICMP, SYN, TCP, UDP).

  • Inbound and outbound traffic moving averages and detailed breakdowns by application protocol or host.

2. **Traffic Analysis**:

  • Detailed monitoring of inbound and outbound traffic patterns.

  • Breakdown by application protocols like HTTP, HTTPS, FTP, etc., and hosts.

3. **Antivirus Information**:

  • Virus information gathered from the anti-virus system to ensure network security.

4. **Connector Monitoring Events** and **ESM (Event Management System) Events**:

  • These sections monitor events related to connectors used in various systems, including upgrades, audit logs, query statuses, and actor activities.

5. **Logger Applications and Platform Events**:

  • Logs generated by the logger system that cover health, application, and platform-specific events.

6. **Field Sets**:

  • Comprehensive sets of information fields related to actors, assets, cases, and event channels within the ArcSight framework.

These data monitors and field sets are part of a broader suite designed for comprehensive network management and security monitoring in the organizational contexts where these systems are deployed for IT infrastructure or cybersecurity operations.

The document also provides a detailed list of field sets and templates covering event handling, network monitoring, security alerts, vulnerability management, and more. The field sets cover different kinds of events, such as MSSP (Managed Security Service Provider), standard, and minimal configurations for inspection, rule actions, and sortable field sets based on specific indices such as ARC_E_ET and ARC_E_MRT. Templates include iDefense console and web templates, vulnerability management templates, and AV (anti-virus) filters to detect malware and viruses across different systems, including Cisco devices, databases, and other network components.

The document further outlines a series of filters used in various sections of the ArcSight platform, focusing on system health, storage conditions, connector status, configuration changes, and event priorities. The filters are grouped under categories including "ArcSight Administration", "Connectors", "ESM (Event Management System)", and "System Health", and cover scenarios such as disk space status, critical events, resource load, and rule sets. These filters support efficient management, monitoring, and troubleshooting of the ArcSight platform by providing targeted views of specific conditions or issues.

The filters and queries used in the operation and monitoring of an ArcSight system (part of a security information and event management (SIEM) solution) are categorized under sections including Health, Resources, Rules, Storage, User Access, Logger, System Health, Asset Auto-Creation, Core Events, and Event Types. They cover operational aspects such as system health metrics (CPU usage, memory usage, disk read/write statistics, network usage, and hardware sensor data, including fan speed sensors), queries related to user sessions (for example, login events), application events logged by the ArcSight appliances, and asset auto-creation processes for connectors and devices. The rules engine within ArcSight is used to manage internal events triggered by system health conditions or specific performance metrics such as database load statistics, sidetable cache hit rates, and custom thresholds for critical and warning levels. The document also details trends in the ESM (Event Management System), which are analyzed using conditional variable filters based on time parameters such as "hour less than 10" or "minute less than 10", indicating the specific time intervals being scrutinized. Taken together, this documentation provides a comprehensive set of criteria for monitoring and maintaining an ArcSight system's performance and security posture through detailed filtering mechanisms and query tools.

Finally, the document outlines filters for the different event types and data categories within the ArcSight system (the source document is marked HP Confidential, subject to use restriction). The filters are categorized by event type, system, or source, such as ArcSight System, SNMP Forwarding, Microsoft Windows Monitoring, NetFlow Monitoring, Security Activity, Cisco Monitoring, and others. Each filter has its own unique identifier that identifies the type of event it pertains to. Some examples include:

  • "ArcSight Correlation Events" refers to events related to correlation within ArcSight itself.

  • "Blocked ArcSight Internal Events" are those internal events that have been blocked by the system.

  • "Non-Categorized Events" are events that do not fall under any specific category and need further investigation for categorization.

  • The "Severity High", "Low", "Medium", "Unknown" and "Very High" filters select events by the agent severity value the connector assigned.

  • The SNMP Forwarding filters match on identifiers such as External ID = 'ArcSight:SNMP Trap Sender', that is, events produced by ESM's own SNMP trap sender; they concern the use of SNMP (Simple Network Management Protocol) within the system.

  • Security Activity filters such as "Denied Inbound Connections" and "Anti-Virus Events" select firewall denies and anti-virus product events. ArcSight does not detect these itself; it categorizes what the firewalls and anti-virus products feeding it report.

  • Cisco Monitoring filters are specific to events and functionalities related to devices from Cisco Systems, including firewall configurations, intrusion prevention system alerts, and more detailed application protocol or transport layer information.
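The rules engine described at the start of this section, which applies warning and critical thresholds to ESM's own health events, is easy to misread as a set of simple comparisons. What makes it a rule rather than a filter is aggregation: the condition has to hold for N samples within a time window, per device, before a correlation event is raised, and the aggregation resets once it fires. The following Python block, added here as an illustration and not taken from the HP document or ESM's shipped rules, models that behaviour; the metric names (cpu_usage_pct, sidetable_cache_hit_pct), thresholds, window sizes and sample events are all assumptions.

```python
"""Model of an ESM-style health rule: a field condition plus an aggregation
threshold ("N matching samples within T seconds, per device"), which raises a
correlation event at Warning or Critical level.

Added example; the metric names, thresholds, window sizes and sample events
are assumptions, not ESM's shipped rules or its internal event format.
"""
import operator
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    metric: str
    worse_than: Callable[[float, float], bool]  # operator.gt: too high, operator.lt: too low
    warning: float
    critical: float
    min_events: int   # how many matching samples are needed ...
    window: int       # ... within this many seconds

    def matches(self, metric: str, value: float) -> bool:
        return metric == self.metric and self.worse_than(value, self.warning)

    def level(self, values) -> str:
        """Critical if any sample in the window crossed the critical threshold."""
        return "Critical" if any(self.worse_than(v, self.critical) for v in values) else "Warning"


RULES = [
    Rule("CPU Usage High", "cpu_usage_pct", operator.gt,
         warning=85, critical=95, min_events=3, window=300),
    Rule("Sidetable Cache Hit Rate Low", "sidetable_cache_hit_pct", operator.lt,
         warning=80, critical=60, min_events=2, window=300),
]

# Constructed internal health samples (not real ESM output): (seconds, device, metric, value).
HEALTH_EVENTS = [
    (0,   "esm01", "cpu_usage_pct", 62),
    (60,  "esm01", "cpu_usage_pct", 91),
    (120, "esm01", "cpu_usage_pct", 93),
    (180, "esm01", "cpu_usage_pct", 97),
    (240, "esm01", "cpu_usage_pct", 70),
    (0,   "esm01", "sidetable_cache_hit_pct", 99),
    (60,  "esm01", "sidetable_cache_hit_pct", 71),
    (120, "esm01", "sidetable_cache_hit_pct", 68),
    (60,  "esm02", "cpu_usage_pct", 92),   # a single spike: must not fire
]


def correlate(events, rules):
    """Replay samples in time order and return the correlation events raised,
    each as (timestamp, rule name, device, level, values in the window)."""
    buckets = defaultdict(deque)   # (rule name, device) -> deque of (ts, value)
    fired = []
    for ts, device, metric, value in sorted(events):
        for rule in rules:
            if not rule.matches(metric, value):
                continue
            window = buckets[(rule.name, device)]
            window.append((ts, value))
            while window and ts - window[0][0] > rule.window:
                window.popleft()                        # age out samples outside the window
            if len(window) >= rule.min_events:
                values = [v for _, v in window]
                fired.append((ts, rule.name, device, rule.level(values), values))
                window.clear()                          # reset aggregation after firing
    return fired


if __name__ == "__main__":
    for ts, rule_name, device, level, values in correlate(HEALTH_EVENTS, RULES):
        print(f"t={ts:>4}s {level:8} {rule_name} on {device}: {values}")
```

Clearing the bucket after a rule fires is the step most home-grown threshold checks forget; without it the rule would fire again on every later sample until the window drained, which is exactly the kind of internal-event noise the "Blocked ArcSight Internal Events" filter above exists to suppress.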

These filters help focus on relevant data streams, which in practice means faster triage and better-founded decisions when handling incidents. The Cisco-related filters in the ArcSight Foundation content cover network devices, wireless systems, firewall events, SNMP communications and VPN activity. In the order the source lists them:

  • Network devices and SNMP: Cisco Network Device Inbound Interface Status Events, Cisco Network Device Interface Down Messages, Cisco Network Device Interface Status Events, Cisco Network Device Outbound Interface Status Events, Cisco Network Error Events, Cisco Network Systems, Cisco Successful Network Configuration Changes, SNMP Authentication Failed, SNMP Events.

  • Wireless: Cisco Aironet (Wireless), Cisco Wireless AP Device Association, Cisco Wireless AP Device Disassociation, Cisco Wireless Systems.

  • Generic conditions (field presence, firewall access, direction, logins): Application Protocol is NULL, Attacker Host or Address Present, Attacker User Present, Attacker and Target Address Present, Attacker or Target User Present, Firewall Accepts, Firewall Access Events, Firewall Deny, Inbound Events, Internal Attackers, Internal Targets, Login Attempts, Outbound Events, Successful Configuration Changes, Successful Logins, Target Host or Address Present, Target User Present, Unsuccessful Logins, Windows Events with a Non-Machine User.

  • Cisco ASA: Cisco ASA IPS Alert Events, Cisco ASA Successful Configuration Changes, Cisco ASA Systems, Failed VPN Connection Events (Cisco ASA), Successful VPN Connection Events (Cisco ASA), VPN Authentication Errors (Cisco ASA), VPN Events.

Together these cover interface status, error events, firewall actions, SNMP, wireless configuration and security incidents such as VPN failures and IPS alerts. A further set of filters under "ArcSight Foundation/Cisco Monitoring/Products" captures successful configuration changes, alert events, system status and categorized events for individual Cisco product lines: routers, firewalls, intrusion prevention systems and sensors, and the web and email security appliances. General-purpose conditions live under "ArcSight Foundation/Common/Conditional Variable Filters".

The conditional variable filters are organized by the field family they test: Asset, Bytes, Case and Notification, Device, Host, and Categories. Each one checks whether the relevant fields are NULL, not NULL, or meet a specific condition. For instance:

  • The "Asset/Device Zone AND Asset Name are NOT NULL" filter requires that both the device zone and asset name be present in the data.

  • Conversely, the "Asset/Device Zone AND Asset Name are NULL" filter matches only when both fields are absent or empty.

Filters like these matter because many ESM resources (joins, variables, reports) misbehave on empty fields: a query keyed on a zone and an asset name will silently drop or mislabel events where either is missing, so the default content checks presence explicitly before using the values. The same pattern repeats for the other field families, Host, Protocol, Timestamp and User. Each filter's identifier carries the family and the condition tested (a Host filter checking "Address is NULL", a Protocol filter checking "Target Port is not NULL"); some combine conditions within a family ("Host/Target Zone AND Address are NULL"), others test a derived property ("User/Event Has E-mail Address"). They are building blocks: they refine searches and define the conditions under which other content raises alerts or takes action.

Beyond the variable filters, the default content provides Device Class Filters (database, firewall, identity management, network, operating system, and VPN events) and Configuration Monitoring filters with subcategories for changes to AAA user accounts, database configurations, firewalls, host IDS, networks, routers, switches, and VPNs, as well as filters for access tracking and user account modifications.
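The Cisco list above and the NULL checks just described are all filters, and a filter in ESM is a plain predicate over event fields that other content composes. The Python block below, added here as an example and not part of the HP document or ESM's own content, parses CEF lines and evaluates a handful of the named filters over them. The CEF extension keys, the category values, the "internal" network list and the sample events are assumptions; ESM's real Internal Attackers filter is zone-based, which the RFC 1918 list only approximates.

```python
"""Evaluate a few ArcSight-style filters over CEF events.

Added example, not content from the HP document or ESM's shipped filters.
The filter names mirror those listed above; the CEF extension keys, the
category values, the 'internal' network list and the sample events are
assumptions made for this illustration.
"""
import ipaddress
import re

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                 # a '|' not escaped by a backslash
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")    # key=value; values may contain spaces

# Stand-in for ESM's "Private Address Space" zones (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_cef(line: str) -> dict:
    """Flatten one CEF line into {field: value}. Raises ValueError on bad input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven '|' separated fields")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    for key, value in _KV.findall(parts[7]):
        event[key] = value.replace("\\=", "=").strip()
    return event


def is_null(event: dict, key: str) -> bool:
    """ESM's 'is NULL': the field is absent or empty."""
    return not event.get(key)


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # missing or malformed address is never 'internal'
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def firewall_access(event: dict, outcome: str) -> bool:
    return (event.get("categoryDeviceGroup") == "/Firewall"
            and event.get("categoryBehavior", "").startswith("/Access")
            and event.get("categoryOutcome") == outcome)


# Named filters, keyed as the default content names them.
FILTERS = {
    "Attacker and Target Address Present":
        lambda e: not is_null(e, "src") and not is_null(e, "dst"),
    "Host/Target Zone AND Address are NULL":
        lambda e: is_null(e, "dstZoneURI") and is_null(e, "dst"),
    "Application Protocol is NULL":
        lambda e: is_null(e, "app"),
    "Firewall Accepts": lambda e: firewall_access(e, "/Success"),
    "Firewall Deny":    lambda e: firewall_access(e, "/Failure"),
    "Internal Attackers": lambda e: is_internal(e.get("src", "")),
    # Windows machine accounts end in '$'; the filter keeps only human users.
    "Windows Events with a Non-Machine User":
        lambda e: e.get("vendor") == "Microsoft"
                  and not is_null(e, "duser") and not e["duser"].endswith("$"),
}


def apply_filter(lines, filter_name: str) -> list:
    """Return the names of the events among `lines` that satisfy one filter."""
    cond = FILTERS[filter_name]
    return [e["name"] for e in map(parse_cef, lines) if cond(e)]


# Constructed sample events (not real device output).
SAMPLE = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|deviceDirection=0 src=203.0.113.9 spt=51234 "
    "dst=10.1.2.3 dpt=445 proto=TCP act=Deny categoryDeviceGroup=/Firewall "
    "categoryBehavior=/Access/Start categoryOutcome=/Failure",
    "CEF:0|Cisco|ASA|9.1|302013|Built inbound TCP connection|3|deviceDirection=0 "
    "src=10.10.5.5 spt=40001 dst=10.1.2.3 dpt=443 proto=TCP app=HTTPS "
    "categoryDeviceGroup=/Firewall categoryBehavior=/Access/Start categoryOutcome=/Success",
    "CEF:0|Microsoft|Microsoft Windows|2008|4624|An account was successfully logged on|3|"
    "duser=WS01$ dhost=DC01 categoryDeviceGroup=/Operating System "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Success",
    "CEF:0|Microsoft|Microsoft Windows|2008|4625|An account failed to log on|5|"
    "duser=jsmith dhost=DC01 src=10.10.9.9 dst=10.1.0.1 categoryDeviceGroup=/Operating System "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
]

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name}: {apply_filter(SAMPLE, name)}")
```

Running it prints, for each filter, which sample events match. Every predicate guards against absent fields before using them, which is the whole point of the "is NULL" / "is not NULL" family: the Windows logon event has no destination address at all, and a filter that assumed one would either crash or misclassify it.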
Each filter categorizes one slice of the event stream, which is what makes the downstream reports, compliance checks and incident response content possible. The ArcSight Foundation content then monitors the following event types: 1. **User Account Deletions and Modifications**: changes to user accounts, which can indicate unauthorized access or malicious activity. 2. **Vulnerabilities**: high-priority scans directed at critical assets, open-port scans, and vulnerabilities found on target assets. 3. **Host Misconfigurations**: host configuration problems an attacker could exploit. 4. **IPv6 Events**: attacks and events specific to IPv6 traffic. 5. **Intrusion Monitoring**:

  • **Attack Monitoring**: filters for application attacks, attack events and attack rates, attacked or compromised systems, attempted attacks, backdoor traffic, covert channels, denial of service (DoS), firewall accepts and denies, high events, failed logins, and successful attacks.

  • **Malware-Outbound Traffic**: Indicates potential malware activity attempting to communicate outside the network.

6. **Operational Summaries**: asset restarts (system shutdown and startup events) and host problems such as crashes or freezes. 7. **Vulnerabilities**: further vulnerability scanning, in particular high-priority scans against critical assets. Together these cover the misconfigurations and weaknesses that most often lead to a breach.

The Intrusion Monitoring filters and targets categorize events by asset criticality, business role, attacks against specific assets, port or protocol usage, and device type (AIX, AS/400, anti-virus software, and so on). The intent is to rank analysis by risk. ArcSight is a SIEM, not an intrusion detection system; its value here is in correlating and prioritizing what the IDS, firewall and host sources report. Further Intrusion Monitoring filters are keyed on the nature of the activity (reconnaissance, resource access, user tracking, vulnerability view) and on the source of the event: internal applications, operating systems, services, email resources, file resources, network devices, identity management systems, firewalls, VPNs and more. The set is broad enough to cover most suspicious activity worth watching in a networked environment.
The remaining filter groups are Intrusion Monitoring, NetFlow Monitoring, Network Monitoring, Worm Outbreak, Network Filters, Application Filters and others; each narrows events or traffic by source, destination, type, location or network activity.

The reports and report parameters cover network monitoring, case tracking, configuration changes, anti-virus licensing, system health, vulnerabilities and more. The configuration and user-activity reports look back over the last six months and track intrusions and unauthorized changes. Key sections: 1. **Configuration Monitoring**: unauthorized changes to users, groups, services, accounts, and password changes over the past month. 2. **Intrusion Monitoring**: attacks, targets, alerts, logins, failed attempts and successful logins, broken out by device type (IDS, firewall, network, identity management, user tracking and database), with top attackers and targets for each. 3. **User Tracking**: login audits from firewalls, databases, network devices and identity systems; failed and successful logins by source or destination address and by user; and connection counts to specific hosts by device type (IDS). 4. **Attackers and Alerts**: the top 10 attackers and targets in intrusion monitoring, together with the top alerts.
(The report pages carry the same "HP Confidential" use-restriction marking as the rest of the source.) The focused reports and integration commands for network monitoring, intrusion monitoring, user tracking and operating system activity break down as follows: 1. **Intrusion Monitoring Details**:

  • Focused Reports include details on failed login attempts by destination address, source address, users; successful logins by these addresses and users; VPN-related events like failed/successful logins and audit trails; top hosts by number of connections from VPNs; and detailed reports for Snort (IDS) and Cisco Secure IDS signatures.

2. **User Tracking**:

  • Focused Reports cover user login activities including failed and successful attempts categorized by destination address, source address, and specific users across the operating system and VPN environments. Also includes audit trails for these events.

3. **Operating System**:

  • Reports focus on detailed user tracking related to logins, specifically tracking both failed and successful login attempts broken down by destination address, source address, and individual users; as well as audit logs for such activities.

4. **Network Monitoring Summaries**:

  • Operational summaries of bandwidth utilization are provided across various segments including firewall usage, network traffic, VPN connections, and protocol-specific bandwidth usage. Also includes top bandwidth hosts and weekly summaries of inbound/outbound HTTP traffic.

5. **Integration Commands**:

  • Each command launches a search in ArcSight Logger for the selected event's destination, source, event name, or a combination of these, so an analyst can pivot from an ESM event to the raw log history Logger holds for that address or event name.

These reports and integrations support the day-to-day work of an ArcSight Foundation deployment: maintaining security posture, monitoring user activity and tracking network usage.

The administrative and integration commands cover Logger settings, TRM (Threat Response Manager) actions, system tools for Linux and Windows, and configuration settings. They include searching logs by user or vendor, managing blocked IP ranges and disabled accounts, investigating network devices, and checking system health with connectors.

The query viewers for ESM (Enterprise Security Manager) cover configuration changes to actors, detailed event analysis, resource reporting (queries and trend analyses), and content management problems such as synchronization errors and subscriber errors. They are aimed at users who need a deep view of system health, user and device activity, and overall security posture.

The query viewers for firewall logs, Windows event logs, Cisco configurations and events, IPS alerts and internal host risk include: 1. "Query Viewer ArcSight Core Security/Firewall Monitoring/Denied Inbound Connections by Port": denied inbound connections broken down by destination port, the quickest way to see which services are being probed. 2. "Query Viewer ArcSight Core Security/Microsoft Windows Monitoring/Top Devices for Event Name" and "Query Viewer ArcSight Core Security/Microsoft Windows Monitoring/Top Devices for Operation": the Windows hosts that generate the most of a given event name or operation, useful both for health monitoring and for spotting an outlier host. 3. "Query Viewer ArcSight Core Security/Security Activity/Internal Hosts at Risk": internal hosts flagged as at risk on the basis of security metrics or alerts. 4. "Query Viewer ArcSight Foundation/Cisco Monitoring/Functionality/Firewall/Top Destination Hosts across Allowed Inbound Connections in Last 2 Hours": the most common destination hosts for allowed inbound connections in the past two hours. 5. "Query Viewer ArcSight Foundation/Cisco Monitoring/Functionality/Intrusion Prevention System/Cisco Alert Counts by Port in the Last 2 Hours": Cisco IPS alert counts per port over the last two hours. These viewers are the SIEM's near-real-time view of network traffic and anomalies.

The Cisco Monitoring queries and viewers go deeper into IPS alerts, configuration changes, event counts, wireless device associations, and the Adaptive Security Appliance (ASA) and Firewall Services Module (FWSM): 1. **Cisco IPS Configuration Changes in the Last 6 Hours**: recent changes to IPS configuration, to catch unauthorized modifications by someone with access. 2. **Top Attackers in Cisco Alerts over the Last 2 Hours**: the source entities behind the most alerts, for prioritizing response. 3. **Top Targets in Cisco Alerts over the Last 2 Hours**: the network elements most frequently attacked, which points at where exposure lies. 4. **Cisco Network Event Count by Hour**: hourly counts of Cisco network device events, for spotting patterns and deviations. 5. **Associated Devices in a Day (Event Based)**: the number of wireless devices that associated during a day, from event logs. 6. **Associations - Disassociations (Trend Based)**: the association and disassociation trend over time, to characterize normal usage. 7. **Disassociated Devices in a Day (Event Based)**: devices that disassociated during a day, which can point at connectivity problems or devices leaving the area. 8. **Top Access Points with Most Distinct Associated Devices** and **Top Access Points with Most Distinct Disassociated Devices**: the wireless access points gaining or losing the most distinct clients. 9. **Cisco ASA Hourly Event Count** and **Cisco ASA Hourly Event per Device**: ASA event volume over time, overall and per device, for performance monitoring and troubleshooting. 10. **Top Destination Hosts across Allowed/Denied Inbound/Outbound Connections in Last 2 Hours (Cisco ASA)**: traffic to specific hosts through the ASA, split by allowed versus denied and inbound versus outbound, for checking policy compliance and unauthorized access attempts. 11. **Top Ports across Allowed/Denied Inbound/Outbound Connections in Last 2 Hours (Cisco ASA)**: the same split by port, for policy enforcement and monitoring. 12. **Top Source Hosts across Allowed/Denied Inbound/Outbound Connections in Last 2 Hours (Cisco ASA)**: the same split by source host, for seeing where traffic originates. 13. **Cisco FWSM Hourly Event Count** and **Cisco FWSM Hourly Event per Device**: the equivalent counts for the Firewall Services Module.
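The ASA top-N queries in items 10 to 12 are really one query with three parameters (group column, outcome, direction) and a time window, and the "Denied Inbound Connections by Port" viewer earlier has the same shape. The Python block below, added as an example and not HP's query definitions, reproduces them as SQL over a constructed in-memory table; the column names, the encoding of allowed/denied as categoryOutcome and of inbound/outbound as deviceDirection, and the sample rows are assumptions.

```python
"""Re-create the 'allowed/denied x inbound/outbound' Cisco ASA top-N queries and
'Denied Inbound Connections by Port' as SQL over a constructed event table.

Added example; not HP's query definitions. ESM stores events in its own schema,
so the table below (ESM-style column names, endTime in epoch milliseconds,
deviceDirection 0 = inbound / 1 = outbound, categoryOutcome /Success = allowed,
/Failure = denied) is an assumption for this illustration.
"""
import sqlite3
from datetime import datetime, timezone

# Fixed reference time so the "last 2 hours" window is reproducible.
NOW_MS = int(datetime(2025, 4, 8, 12, 0, tzinfo=timezone.utc).timestamp() * 1000)

INBOUND, OUTBOUND = 0, 1
ALLOWED, DENIED = "/Success", "/Failure"

# Constructed ASA events: (minutes ago, source, destination, dst port, outcome, direction)
SAMPLE = [
    (5,   "203.0.113.9",  "10.1.2.3",      445,  DENIED,  INBOUND),
    (12,  "203.0.113.9",  "10.1.2.3",      445,  DENIED,  INBOUND),
    (30,  "198.51.100.4", "10.1.2.3",      3389, DENIED,  INBOUND),
    (45,  "198.51.100.4", "10.1.2.7",      445,  DENIED,  INBOUND),
    (60,  "203.0.113.77", "10.1.2.3",      443,  ALLOWED, INBOUND),
    (75,  "203.0.113.78", "10.1.2.3",      443,  ALLOWED, INBOUND),
    (90,  "203.0.113.79", "10.1.2.9",      443,  ALLOWED, INBOUND),
    (100, "10.1.5.5",     "203.0.113.200", 6667, DENIED,  OUTBOUND),
    (110, "10.1.5.5",     "203.0.113.201", 6667, DENIED,  OUTBOUND),
    (200, "203.0.113.9",  "10.1.2.3",      445,  DENIED,  INBOUND),  # outside a 2-hour window
]

# Columns a caller may group by. Identifiers cannot be bound as parameters, so
# the name is whitelisted before it is formatted into the statement.
GROUP_COLUMNS = {"destinationAddress", "sourceAddress", "destinationPort"}

TOP_N_SQL = """
SELECT {col} AS grp, COUNT(*) AS n
FROM events
WHERE deviceProduct = 'ASA'
  AND categoryOutcome = :outcome
  AND deviceDirection = :direction
  AND endTime >= :since
GROUP BY {col}
ORDER BY n DESC, grp
LIMIT :limit
"""


def build_db(now_ms: int = NOW_MS) -> sqlite3.Connection:
    """Load the constructed sample into an in-memory table shaped like ESM's event store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        endTime INTEGER, deviceProduct TEXT, sourceAddress TEXT,
        destinationAddress TEXT, destinationPort INTEGER,
        categoryOutcome TEXT, deviceDirection INTEGER)""")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(now_ms - mins * 60_000, "ASA", src, dst, dpt, outcome, direction)
         for mins, src, dst, dpt, outcome, direction in SAMPLE])
    return conn


def top_n(conn, col, outcome, direction, now_ms=NOW_MS, hours=2, limit=10):
    """Top `limit` values of `col` for one outcome/direction within the last `hours`."""
    if col not in GROUP_COLUMNS:
        raise ValueError(f"unsupported group column: {col!r}")
    params = {"outcome": outcome, "direction": direction,
              "since": now_ms - hours * 3_600_000, "limit": limit}
    return conn.execute(TOP_N_SQL.format(col=col), params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Denied inbound by port:      ", top_n(db, "destinationPort", DENIED, INBOUND))
    print("Top dst hosts, allowed inbound:", top_n(db, "destinationAddress", ALLOWED, INBOUND))
    print("Top src hosts, denied outbound:", top_n(db, "sourceAddress", DENIED, OUTBOUND))
```

The values are bound; only the whitelisted column name is spliced into the text, which is the one concession SQL forces when the grouping column is a parameter. The last sample row sits outside the two-hour window and only shows up once the window is widened, which is why the "Last 2 Hours" in these viewer names is part of the query, not a display option.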
These queries together give a view of the health, security posture and operational status of the Cisco estate, supporting proactive management and response to threats and configuration changes. A further set of queries and viewers covers the Cisco FWSM, the Cisco IOS Intrusion Prevention System (IOS IPS), the IPS Sensor appliances and the Cisco IronPort Web Security Appliance (WSA): top destination hosts, ports and source hosts across allowed and denied inbound and outbound connections in the last 2 hours, hourly event counts for IOS IPS and IPS Sensor devices, and configuration changes and web traffic analysis from the IronPort WSA. The remaining queries concern the IronPort WSA and the IronPort Email Security Appliance (ESA) and are used for surveillance and analysis in security operations: 1. **Web Traffic and Error Analysis:**

  • **Top Hosts with Most Web Traffic:** Lists hosts with the highest web traffic volumes.

  • **Top Sites with Most Request Errors:** Identifies websites or domains with the most request errors, indicating potential issues or malicious activities.

  • **Unsuccessful Requests:** failed or blocked web requests. A steady trickle is normal; a spike from a single host, or many requests to the same blocked destination, is worth a look, because malware beaconing to a filtered domain shows up in exactly this form.

2. **Email Security and Configuration Changes:**

  • **Cisco ESA Configuration Changes in the Last 6 Hours:** Shows changes made to the email security appliance configuration over the last six hours.

  • **Delivery Connections, Injection Connections:** Monitors connections related to email delivery and injection, useful for understanding email traffic patterns and potential malicious activities like phishing or spam.

  • **Top Recipients/Senders in the Last 2 Hours:** the recipients and senders that appear most often in mail events over the last two hours; unusually high-volume senders are candidates for policy violations, compromised accounts or outbound spam.

3. **Configuration Monitoring:**

  • **Host Configuration Modifications (Today and Yesterday):** Tracks changes made to host configurations, useful for compliance checks and security audits.

  • **User Configuration Modifications (Today and Yesterday):** Monitors modifications to user account settings, which can indicate potential unauthorized access or policy breaches.

4. **Asset Vulnerability Scans:**

  • **High-Priority Scan Events Directed Toward High-Criticality Assets (Today and Yesterday):** Identifies high-priority vulnerability scans targeting critical assets, important for maintaining the security posture of essential systems.

5. **NetFlow Monitoring:**

  • **Top Bandwidth Usage by Destination/Source:** Shows which destinations or sources are using the most network bandwidth, useful for capacity planning and identifying potential bottlenecks or high-traffic areas.

  • **Top Bandwidth Usage by Source-Destination Pairs:** Provides detailed insights into traffic patterns between different pairs of hosts on the network.

6. **Workflow and Escalation:**

  • **Case Times to Resolution Dashboard/Average Time to Case Resolution - by Day:** Tracks the average time taken for cases to be resolved, aiding in service level agreement (SLA) adherence monitoring and process improvements.

These queries are part of the broader set used for continuous security monitoring, incident response and compliance auditing.

The workflow and case management queries cover case tracking and escalation, case stages, case status, anti-virus errors, and CORR-Engine storage statistics: 1. **Case History/Case Times to Resolution Dashboard**: average and maximum time to resolve cases, by severity or by user. 2. **Case Stages**: the stages a case passes through (initial, follow-up, final), plus open cases by owner or operational impact. 3. **Case Status Dashboard**: open cases by associated impact, consequence severity, operational impact, and current stage. 4. **Anti-Virus Errors and Updates**: top anti-virus errors, infected systems, failed updates, and update statistics, which together show whether endpoint protection is actually current across the estate. 5. **System Health Storage Statistics**: storage usage and activity in the CORR-Engine (the ESM 6.x event store), with metrics on archive activation, archival, deactivation and disk space usage. Watching these is how storage bottlenecks are caught before retention suffers.

Further administration queries cover connectors, system health, storage, archive tasks, connector upgrades, cache status and event breakdowns. The full list, grouped by path: 1. **Administration/Connectors/System Health/Event Breakdown:**

  • **Top Connector Types Chart**: Overview of connector types used in ArcSight ESM.

2. **Query ArcSight Administration/ESM/Configuration Changes/Actors:**

  • **Actor Authenticators**

  • **Actor Configuration Changes**

  • **Full Name and Email Changes**

  • **Manager and Department Changes**

  • **Title and Status Changes**

  • **Actors Created**

  • **Actors Deleted**

  • **Actors Updated**

  • **IDM Deletions of Actors**

3. **Query ArcSight Administration/ESM/Configuration Changes/Resources:**

  • **ESM Configuration Changes**

  • **Resource Created Report**

  • **Resource Deleted Report**

  • **Resource History Report**

  • **Resource Updated Report**

4. **Query ArcSight Administration/ESM/Event Analysis Overview:**

  • **Event Details**

  • **Events Count**

  • **Events Count Last 30 Days**

  • **Events Count Last 7 Days**

  • **by Device Address/Breakdown by Device Address From Connector**

  • **by Device Address/Breakdown by Device Address From Vendor and Product**

  • **by Event Name/Breakdown by Event Names From Connector**

  • **by Event Name/Breakdown by Event Names From Device**

  • **by Event Name/Breakdown by Event Names From Vendor and Product**

  • **by Priority/Breakdown by Event Priority From Connector**

  • **by Priority/Breakdown by Event Priority From Device**

  • **by Priority/Breakdown by Event Priority From Vendor and Product**

5. **Query ArcSight Administration/ESM/Licensing:**

  • **Licensing Query**

  • **Storage Licensing Data**

  • **Storage Licensing Data - trend**

  • **Storage Licensing Data by Connector Name - trend**

  • **Storage Licensing Data by Connector Type - trend**

6. **Query ArcSight Administration/ESM/System Health/Events:**

  • **Destination Counts**

  • **Event Count by Agent Severity**

  • **Event Count by Source Destination Pairs**

  • **Event Name Counts**

  • **Events by ArcSight Priority (Summary)**

  • **Source Counts by Event Name**

  • **Time-Based Event Breakdowns/Hourly Distribution Chart for Event**

  • **Time-Based Event Breakdowns/Hourly Distribution Chart for a Destination Port**

  • **Time-Based Event Breakdowns/Hourly Distribution Chart for a Source Port**

  • **Time-Based Event Breakdowns/Hourly Event Counts (Area Chart)**

These queries cover configuration changes, event analysis, licensing and system health. Further system health queries report on events, active lists, data monitors, invalid resources, reporting, trends, rules, session lists, storage space and more, giving the operational picture needed for troubleshooting. The remaining query groups span user access, content management, firewall monitoring, Windows events, Cisco device monitoring and more: 1. **ArcSight Administration/ESM/System Health/Storage**:

  • **ASM Database Free Space** queries report free space in the ASM-backed ESM database (ASM being Oracle Automatic Storage Management, the storage layer under the Oracle-based ESM database of earlier releases; the 6.x content keeps the name), as trends and as point-in-time values by day and hour, along with details of the ASM configuration and its performance metrics. Free space is a security concern as much as an operational one: an event store that fills up stops being a reliable record.

2. **ArcSight Administration/ESM/User Access**:

  • **User Sessions** include trends in user logins and logouts, broken down hourly or last hour, along with a report summarizing login and logout activities across users.

3. **ArcSight Administration/ESM/Content Management**:

  • These queries focus on identifying synchronization errors within packages and subscribers, highlighting the top offenders based on error types or frequency.

4. **ArcSight System/Core/Actor Context Report**:

  • This set of queries deals with analyzing actor events across different contexts such as account IDs, attacker usernames, target usernames, and custom fields. It provides detailed event counts and information related to the actors involved in these events.

5. **ArcSight Core Security** (covering various sub-categories):

  • **Firewall Monitoring**: Queries for denied inbound and outbound connections by device or port, as well as internal host risks and security alerts across different devices.

  • **Microsoft Windows Monitoring**: Trends in Windows events over time, broken down by device, operation, event names, or specific devices involved.

  • **Security Activity**: Reports on internal hosts at risk and active security alerts generated within the network.

6. **ArcSight Foundation/Cisco Monitoring**:

  • **Bandwidth Tracking** provides a detailed view of bandwidth usage per protocol, hour, top destination, and source hosts, useful for understanding network traffic patterns.

  • **Configuration Changes**: Detailed reports on Cisco configuration changes by user or time, including trends based on events or day-to-day breakdowns.

  • **Login Tracking**: Insights into Cisco login details, also available in trend-based formats.

These queries are crucial for maintaining the security and performance of an ArcSight ESM deployment, ensuring that all aspects of system health, user access, content management, and network interactions are monitored and managed effectively.

The next section covers a collection of queries related to network security and device monitoring, primarily focusing on Cisco devices and systems. The queries cover login tracking, failed logins, firewall configurations, allowed and denied connections, and activity metrics such as daily logins and hourly breakdowns. Here's a summary of each query:

1. **Daily Logins - Base**: Provides the base data on successful logins across devices within a specific timeframe, such as when users logged in, from which device or IP address, and the outcome of each session (success or failure).

2. **Logins per Product**: Tracks login activity categorized by product type, giving insight into user access patterns across different devices.

3. **Failed Logins by Destination Address**: Monitors failed login attempts grouped by the destination IP address being logged into, which can indicate unauthorized access attempts or network issues.

4. **Failed Logins by Source Address**: Tracks login failures grouped by source IP address, useful for understanding where and when unsuccessful login attempts originate.

5. **Failed Logins by User**: Lists users with failed login attempts, helping to identify potentially compromised accounts or credential problems.

6. **Logins per Day in the Last 7 Days**: Aggregates daily successful logins over the past week, useful for trend analysis and capacity planning.

7. **Logins per Hour in the Previous Day**: Breaks down the previous day's login activity by hour, showing peak usage times or spikes that may warrant further investigation.

8. **Successful Login by Source Address**: Tracks successful logins by source IP address to show where users are logging in from.

9. **Successful Logins by Destination Address**: Similar to the previous query, but focuses on which destinations logins are successfully reaching, which can point to network or firewall configurations that need adjustment.

10. **Top Users with Most Failed Logins** and **Top Users with Successful Logins**: Highlight the users with the highest numbers of failed and successful logins respectively, indicating areas of concern or potential security issues.

11. **Firewall Configuration Changes**: Provides data on changes made to Cisco firewall configurations over time, which is crucial for maintaining network security policies.

12. **Cisco Allowed Connections** and **Denied Connections**: Track the traffic allowed or denied through Cisco systems, broken down by destination host, port, or source host.

13. **Event Counts by Hour**: Provides an hourly snapshot of events across all firewall activity.

These queries are designed to provide real-time monitoring and historical analysis of network traffic and user activity on security devices such as Cisco firewalls and routers, helping organizations maintain their cybersecurity posture and optimize network performance.

The next set of queries pertains to monitoring and analyzing Cisco network devices, specifically firewall configurations, intrusion prevention system (IPS) alerts, device critical events, errors, interface status messages, and network configuration changes. They are designed to provide detailed insight into the performance, security, and operational state of Cisco devices within a network environment.

1. **Cisco Overall Denied Outbound Connections by Port**: Identifies which outbound connections have been denied, grouped by port number. It helps in understanding the types of traffic being blocked and can highlight potential issues or targeted attacks.

2. **Denied Outbound Connections by Source Host**: Similar to the above, but groups denied outbound connections by source host. This is useful for forensic analysis when a particular host is suspected of causing disruptions.

3. **Overall Denied Outbound Connections per Hour - Event Based**: Breaks down denied outbound connections by hour over time, useful for trending and understanding how frequently such events occur.

4. **Overall Inbound Connections per Day** and **Outbound Connections per Day**: Daily summaries of inbound and outbound network activity respectively, for monitoring normal traffic patterns.

5. **Overall Outbound Connections per Hour in the Previous Day**: An hourly snapshot of outgoing connections from the previous day, useful for comparison with current activity or trends.

6. **Daily Connection Setup Attempts - Base**: Summarizes all connection setup attempts across the network, providing a baseline for normal network activity and for spotting issues such as failed connection attempts.

7. **Cisco Alert Counts by Port**, **by Port and Device**, **by Reporting Device**, **by Severity**, **by Severity and Device**, **by Type and Device**: Alerts from the Cisco Intrusion Prevention System (IPS), broken down in various ways that help in categorizing, prioritizing, and understanding security incidents.

8. **Cisco Alert Details (Trend Based)**, **Alerts per Day**, **Alerts per Hour in the Previous Day**: Detailed trends and snapshots of alerts over time, essential for ongoing monitoring and analysis of potential threats.

9. **IPS Configuration Changes in the Last 6 Hours** and **Configuration Changes per Day in the Last 7 Days**: Track changes to IPS configurations so that security policies remain up to date and effective against evolving threats.

10. **IPS Event Counts by Hour**, **Top Attackers and Reporting Devices in Cisco Alerts**, **Top Targets and Reporting Devices in Cisco Alerts**: Identify the most active attackers and their targets, which is critical for prioritizing security measures and response efforts.

11. **Cisco Device Critical Events**, **Device Errors**, **Device Interface Status Messages**: Real-time insight into hardware or software issues with Cisco devices that might affect network performance.

12. **Network Configuration Changes per Day in the Last 7 Days** and **Configuration Change By Event**: Track changes to network configurations, which can result from normal operations or from security incidents such as unauthorized modifications.

Together, these queries give network administrators and security analysts the tools to maintain the integrity, availability, and security of Cisco network devices in their environments.

The following queries relate to Cisco network and wireless device monitoring, most of them over the last 6 hours. They cover SNMP access, authentication failures, allowed and denied inbound and outbound connections, event counts, and association and disassociation details for both wired and wireless networks.

1. **Cisco Network Event Count by Hour**: A summary of network events over the last 6 hours, grouped by hour.

2. **Cisco SNMP Access (Trend Based)**: A trend-based analysis of SNMP (Simple Network Management Protocol) access on Cisco devices.

3. **Cisco SNMP Access On Certain Target (Trend Based)**: Similar to the above, but restricted to certain target devices, giving a detailed view of management protocol access trends.

4. **Daily SNMP Access - Base**: A daily summary of SNMP access events across all Cisco devices.

5. **Device SNMP Authentication Failures** / **Cisco Device SNMP Authentication Failures**: Track authentication failures related to SNMP access on Cisco devices.

6. **Cisco Device SNMP Authentication Failures by User/Device**: Detailed breakdowns of SNMP authentication failures, segmented by user and by device.

7. **Cisco SNMP Authentication Failures by Device**: Helps identify the root cause of SNMP authentication issues across different devices.

8. **Top Target Weekly Cisco SNMP Access on Device**: Identifies the targets receiving the most SNMP access requests over a week.

9. **Associated APs per Device**: Monitors the number of access points (APs) associated with each networked device.

10. **Associated Devices in a Day - Event Based**: Tracks all devices connected to wireless networks each day, based on event data.

11. **Associated Devices per AP**: Analyzes the number of devices connected to each individual AP.

12. **Association - Disassociation Details**: Detailed information about associations and disassociations within the network.

13. **Daily Associations - Disassociations (Base)**: A daily summary of association and disassociation events across all wireless networks.

14. **Disassociated Devices**: Lists devices that have been disassociated from the network.

15. **Disassociated Devices per AP**: Segments disassociated devices by their respective APs.

16. **Allowed Inbound Connections by Destination Address (Cisco ASA)**: Monitors inbound connections allowed by Cisco Adaptive Security Appliances, grouped by destination IP address.

17. **Allowed Inbound Connections by Port (Cisco ASA)**: Allowed inbound connections grouped by port number.

18. **Allowed Outbound Connections by Destination Address (Cisco ASA)**: Tracks allowed outbound connections through the Cisco ASA, grouped by destination IP address.

19. **Allowed Outbound Connections by Port (Cisco ASA)**: Tracks allowed outbound connections grouped by port.

20. **Denied Inbound Connections by Destination Address (Cisco ASA)**: Lists denied inbound connection attempts grouped by destination IP address.

21. **Denied Outbound Connections by Destination Address (Cisco ASA)**: Records denied outbound connections through the Cisco ASA, grouped by destination IP address.

22. **Cisco ASA Event Counts by Hour in Last 6 Hours**: A snapshot of security appliance events over the last 6 hours, grouped by hour.

23. **Cisco ASA Inbound Connections per Day** and **Outbound Connections per Day**: Track daily inbound and outbound connections through Cisco ASAs.

These queries collectively provide a comprehensive view of network activity, authentication status, and connection policy across Cisco devices, which is crucial for maintaining the security and functionality of the network infrastructure.

The text also lists queries for the following Cisco monitoring products:

1. **Cisco Adaptive Security Appliance (ASA)**

  • Denied Outbound Connections by Source Address (Cisco ASA)

  • Authentication Errors (Cisco ASA)

  • VPN/Connections Accepted by Address (Cisco ASA)

  • VPN/Connections Denied by Address (Cisco ASA)

  • VPN/Users by Connection Count (Cisco ASA)

2. **Cisco Firewall Services Module (FWSM)**

  • Allowed Inbound Connections by Destination Address (Cisco FWSM)

  • Allowed Inbound Connections by Port (Cisco FWSM)

  • Allowed Inbound Connections by Source Address (Cisco FWSM)

  • Allowed Outbound Connections by Destination Address (Cisco FWSM)

  • Allowed Outbound Connections by Port (Cisco FWSM)

  • Allowed Outbound Connections by Source Address (Cisco FWSM)

  • Event Counts by Hour (Cisco FWSM)

  • Event Counts by Hour per Device (Cisco FWSM)

  • Inbound Connections per Day (Cisco FWSM)

  • Outbound Connections per Day (Cisco FWSM)

  • Denied Inbound Connections by Destination Address (Cisco FWSM)

  • Denied Inbound Connections by Port (Cisco FWSM)

  • Denied Inbound Connections by Source Address (Cisco FWSM)

  • Denied Outbound Connections by Destination Address (Cisco FWSM)

  • Denied Outbound Connections by Port (Cisco FWSM)

  • Denied Outbound Connections by Source Address (Cisco FWSM)

3. **Cisco IOS Intrusion Prevention System (IOS IPS)**

  • Event Counts by Hour (Cisco IOS IPS)

  • Event Counts by Hour per Device (Cisco IOS IPS)

  • Top Attackers in Cisco IOS IPS Alerts

  • Top Targets in Cisco IOS IPS Alerts

4. **Cisco Intrusion Prevention System Sensor (IPS Sensor)**

  • Event Counts by Hour (IPS Sensor)

  • Event Counts by Hour per Device (IPS Sensor)

  • Top Cisco Alert Destinations Observed by IPS Sensor

These queries are designed to monitor and analyze Cisco network devices, providing insight into security events, network traffic, and system performance.

The next set of queries focuses on data from Cisco security products including the Cisco Intrusion Prevention System Sensor (IPS Sensor), Cisco IronPort Web Security Appliance (WSA), and Cisco IronPort Email Security Appliance (ESA). The queries cover configuration changes, web requests, request errors, denied sites, host traffic, and message transactions.

1. **Top Cisco Alert Sources Observed by IPS Sensor**: Reports the top alert sources identified by the IPS sensor for intrusion detection events, helping to identify potential threats and security incidents.

2. **Cisco WSA Configuration Changes in the Last 6 Hours**: Details configuration changes made to the Cisco WSA over the past six hours, for near-real-time tracking of system modifications.

3. **Cisco WSA Configuration Changes per Day in the Last 7 Days**: A daily summary of configuration changes to the Cisco WSA over the last seven days, giving insight into administrative activity.

4. **Daily Web Requests - Base**: Base data on web requests processed by the Cisco WSA, including volume and types of traffic.

5. **Detail Successful Requests**: Detailed analysis of successful web requests, showing specific interactions with websites.

6. **Detail Unsuccessful Requests**: Analysis of failed web requests to identify potential issues or security breaches.

7. **Request Errors**: Summarizes errors encountered during web requests, which can indicate network issues or attacks.

8. **Top Accessed Sites**: The most frequently accessed sites based on traffic data.

9. **Top Accessed Sites with Most Traffic**: The sites generating the highest volume of traffic, useful for resource allocation and security assessment.

10. **Top Denied Sites**: The sites most often denied, critical for maintaining a secure web environment.

11. **Top Hosts with Most Web Traffic**: Hosts generating the highest volume of web traffic, to help prioritize monitoring or troubleshooting.

12. **Top Sites with Most Request Errors**: Sites with the most request errors, suggesting issues that need attention.

13. **Top Source Hosts Accessed Most Sites**: The source addresses that accessed the largest number of sites, useful for understanding user behavior and access patterns.

14. **Top Source Hosts with Most Denied Requests**: Hosts making the most denied requests, potentially indicating malicious or misconfigured systems.

15. **Top Source Hosts with Most Request Errors**: Source addresses responsible for the most request errors, which could indicate significant issues or targeted attacks.

16. **Web Requests per Day in the Previous Week**: A daily breakdown of web requests over the previous week, useful for weekly trends and usage patterns.

17. **Web Requests per Hour in the Previous Day**: An hourly breakdown of web requests from the previous day, suitable for monitoring and performance assessment.

18. **Cisco ESA Configuration Changes in the Last 6 Hours**: As for the WSA, a snapshot of configuration changes to the Cisco ESA in the last six hours.

19. **Cisco ESA Configuration Changes per Day in the Last 7 Days**: A daily summary of configuration changes to the Cisco ESA over the past seven days.

20. **Cisco ESA Delivery Connection Count by Hour** and **Injection Connection Count by Hour**: Hourly counts of delivery and injection connections, useful for traffic analysis and performance monitoring.

21. **Daily Message Transactions - Base**: Base data on message transactions processed by the Cisco ESA, including volume and types.

22. **Delivery Connections** and **Injection Connections**: Detailed breakdowns of the connection types used in email security processing.

23. **Message Transaction Details**: Detailed records of individual message transactions.

24. **Message Transactions per Day in the Previous Week** and **per Hour in the Previous Day**: Weekly and daily breakdowns of message transactions, for understanding patterns and performance.

25. **Top Recipients with Most Bandwidth** and **Top Recipients with Most Transactions**: Email recipients ranked by bandwidth usage or transaction volume, useful for capacity planning and security assessment.

26. **Top Senders**: The senders generating the most transactions through the Cisco ESA.

These queries collectively give a comprehensive view of network traffic, configuration changes, and security events across Cisco products, enabling proactive monitoring, troubleshooting, and security management.

The next group of queries covers monitoring and configuration changes across systems, devices, and user access tracked with ArcSight and Cisco products: email security statistics, device configurations such as firewalls, routers, switches, and VPNs, operating system user administration, database errors, and failed login attempts. It also includes recent modifications to hardware and software assets, including those by vendor and product, as trends over the last seven days, day, week, or month.
This set of queries in ArcSight Foundation covers various aspects of system configuration monitoring, focusing on changes to user accounts, creation, deletion, password modifications, login failures, asset configurations, and vulnerabilities. Key areas include: 1. **User Account Changes**:

  • Tracking trends for user account creations, deletions, and modifications (including password changes).

  • Specific tracking of AAA (Authentication, Authorization, and Accounting) related activities like creation and deletion trends.

  • Trends in user account creations by host and overall user account creation trends.

2. **Asset Configuration Monitoring**:

  • Reviewing the current configurations of critical systems based on their criticality ratings by zone.

  • Listing assets with applications, including specific roles such as mail servers and web servers.

3. **Vulnerabilities**:

  • Identifying the most vulnerable assets in a confidential data group, or all exposed vulnerabilities across the system.

  • Tracking trends in vulnerabilities affecting email and web server assets, including Blaster-related vulnerabilities.

  • Monitoring critical assets with high and very high criticality for exposed vulnerabilities.

These queries are designed to provide insights into the health of user accounts, asset configurations, and potential security vulnerabilities within the organization's IT infrastructure. These queries are focused on monitoring and analyzing various aspects of system configurations, vulnerabilities, operational status, and user activities in a network environment using the ArcSight platform. The main themes include: 1. **Critical Assets and Vulnerabilities**:

  • **Exposed Vulnerabilities by Zone** and **Trend Query**: Identifies high-priority vulnerabilities affecting critical assets across different zones, showing trends over time.

  • **Top Vulnerability Exposure of Critical Assets on Trend**: Displays the most exposed critical assets in terms of vulnerabilities over time.

  • **Vulnerability Exposure by Asset Criticality**: Analyzes how vulnerability exposure varies based on the criticality of each asset.

  • **High-Priority Vulnerabilities Detected on Critical Assets**: Highlights vulnerabilities with high priority that have been detected on critical assets, focusing on yesterday's data.

  • **Exposed Vulnerability Count by Asset**: Tracks the number of exposed vulnerabilities per asset.

2. **Host Configuration Monitoring**:

  • **Executive Summaries/Overall Host Configuration**: Provides a summary of host configurations including events by zone, business role, criticality, data role, and operating system.

  • **Operational Summaries/Asset Restarts**: Monitors system startups and shutdowns, with specific focus on critical systems, grouped by zone or showing trends over time.

  • **Operational Summaries/Asset Vulnerability Scans**: Tracks high-priority scans directed at assets with high criticality.

3. **User Activities**:

  • **User Removals** and their trend over time.

4. **IPv6 Network Analysis**:

  • **Alert Counts by IPv6 Device**, **Attacker Counts By IPv6 Target**: Monitors network activities related to IPv6 devices and targets, including attacker counts.

These queries are designed to provide a comprehensive view of the cyber-security posture of an organization's IT infrastructure, highlighting areas of potential risk or operational issues that may require immediate attention or further investigation.

The next set of queries focuses on network traffic related to IPv6 devices and attacks. It covers attacker counts, denied inbound and outbound connections, failed and successful logins, alert counts, attack rates, and detailed information about attackers and targets, helping analysts identify patterns, prioritize threats, and understand the behavior of both attackers and targeted devices on an IPv6 network.

Following that is a series of intrusion monitoring and attack analysis queries within ArcSight Foundation. They cover device types, ports or protocols, attacker and target counts, alert sources, priority levels, user accounts, and lists of compromised or hit targets. They provide insight into both inbound (DoS) events and outbound attacks, including successful DoS incidents over the last hour, denial-of-service attacks, and threats targeting specific assets such as Windows systems in North America. They also cover attackers and the top ports or protocols they use to initiate connections, the targets affected by these attacks, and prioritization of critical alerts based on ArcSight priority levels and attacker details.
The following queries cover intrusion detection, user tracking across devices, resource access attempts, reconnaissance activity, and service status events.

1. **Application Status Events**: Top application issues over the last 24 hours, categorized by application.

2. **Environment Status Events**: Charts of overall system and network health in the last 24 hours, including operating systems and services.

3. **OS Status Events**: High-level view of OS issues within the same time frame.

4. **Service Status Events**: Issues reported for critical services over the same time frame.

5. **Ports Scanned & Reconnaissance Types Detected**: Insight into reconnaissance activity such as port scanning and other forms of network probing.

6. **Access Attempts by Resource/Accesses**: Tracking of failed and successful access attempts against various resources.

7. **Active/Closed Sessions**: Active and closed user login sessions, including brute-force attempts where detected.

8. **Login Attempts & Events**: Failed and successful login attempts across devices, broken down by user and device type.

9. **Connection Durations & Top Connection Durations**: Duration of identity management connections and a summary of the longest active sessions.

This set of queries is designed to give a comprehensive view of potential security breaches or suspicious activity in an organization's IT infrastructure, using ArcSight for monitoring and analysis.

The queries that follow cover security monitoring and reporting within ArcSight Foundation, focusing on intrusion monitoring, user tracking, network analysis, vulnerability management, and operational summaries related to attacks. Here is an overview of the key areas: 1. **User Tracking:**

  • **Users by Connection Count**: Lists users based on their connection count.

  • **Users with Open Connections**: Identifies active connections for each user.

  • **Login Errors by User**: Tracks login errors across different operating systems and Windows events.

  • **VPN Connection Durations**: Provides details about the duration of VPN sessions, including open and closed durations.

  • **Operating System/Login Errors by User (Chart)**: Visual representation of login error statistics per user.

  • **Windows Events**: Captures detailed information from Windows systems related to system and security audits.

2. **Network Analysis:**

  • **Device SNMP Authentication Failures**: Monitors SNMP authentication failures, including breakdowns by device and user.

  • **System Authentication Events**: Tracks various events involving system-level authentication.

  • **Top Hosts by Number of Connections**: Identifies the top hosts based on connection activity.

3. **Vulnerability Management:**

  • **Vulnerabilities and Assets**: Scans for vulnerabilities within network assets.

  • **Worm Infected Systems**: Detects systems infected by worms, indicating potential outbreaks or malicious activities.

4. **Operational Summaries:**

  • **Attack Rates**: Provides statistics on attack counts across different services and target zones over time.

5. **Executive Summaries:**

  • Various reports related to business roles (attempts and successful attacks), regulated systems compliance (e.g., Sarbanes-Oxley Act targets), and SIS (Security Incident Management System) metrics such as top attackers, events, rules, targets, and notifications.

6. **SIS Metrics:**

  • Comprehensive reports on assets compromised, cases added, event counts by agent severity, notifications sent, attack types, and firing rules across the organization.

These queries serve to provide detailed insights into network security posture, user activity, and potential threats, enabling proactive measures to mitigate risks and protect against cyber-attacks. The provided text outlines a series of queries related to various aspects of network and system security monitoring using the ArcSight platform. These queries cover topics such as intrusion monitoring, attack rates, denial-of-service (DoS) events, reconnaissance activities, environment state, and regulated systems. Here is a summary of each query: 1. **Attack Monitoring**:

  • Queries related to prioritized attack counts by service or target zone, including trends over time.

2. **Denial-of-Service (DoS) Events**:

  • Queries for successful inbound DoS events, with trend analysis included in the query names.

3. **SANS Top 20**:

  • Trends of the top 20 attacked systems based on SANS list version 6.01, presented daily.

4. **Environment State**:

  • Queries for top status events related to applications, operating systems, and services, all with trend analysis included.

5. **Reconnaissance Activities**:

  • Includes queries about business roles scanned, port scanning activities by role, reconnaissance types detected, and trends in these areas.

6. **Regulated Systems**:

  • Queries for information on regulated systems categorized by attacks or hosts, as well as counts of vulnerabilities found.

Each query is prefixed with the section it falls under within the ArcSight system, such as "Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/...". These queries are crucial for maintaining security posture and understanding network threats effectively.

The next set of ArcSight queries covers intrusion detection, resource access, brute force attacks, revenue-generating systems, vulnerability management, and user login attempts. They track trends over time for operational summaries such as failed logins, top resources accessed, and vulnerabilities in the system, and give detailed insight into compromised systems, with a focus on specific threat types such as brute force access and vulnerabilities across different assets.

Following that is a series of queries on intrusion detection and prevention systems (IDS/IPS), network traffic analysis, bandwidth usage, and vulnerability scanning, which are part of the ArcSight Foundation module within the larger real-time security event management system. A summary breakdown:

1. **Top Vulnerable Systems**: Tracks trends in the number of vulnerable systems over time, with details on the vulnerabilities detected by scanners on those systems, including which systems are most frequently identified as vulnerable and the total number of vulnerabilities each week.

2. **Vulnerability Scanner Logs**: Detailed logs from vulnerability scanning tools run across hosts in the network, for real-time monitoring and analysis of potential security risks.

3. **Suspicious or Unauthorized Network Traffic Patterns**: Monitors patterns that may indicate unauthorized access attempts or suspicious activity, including queries for the top 10 talkers, IDS signature destinations, sources, and alerts, and specific IP addresses known for high traffic volumes.

4. **Bandwidth Usage Analysis**: Analyzes network usage to identify bandwidth hogs and potential misuse or abuse of resources, with detailed analysis by source and destination IPs and ports and trends at both daily and hourly resolution.

5. **Network Monitoring Details**: Granular insight into network traffic by host and protocol, with attacker and target information for each type of communication observed on the network.

These queries are designed to help security analysts and administrators stay abreast of potential threats, track emerging patterns of behavior, and manage vulnerabilities in real time across a complex IT infrastructure.

The next list covers network monitoring and device activity queries in ArcSight: critical events, errors, interface status messages, VPN authentication errors, connections accepted or denied by address or hour, top VPN accesses by user or by event destinations and sources, and traffic summaries including inbound and outbound traffic by protocol, host, and transport, along with bandwidth utilization and usage trends.

The network monitoring operational summary queries in ArcSight Foundation focus on outbound traffic statistics: traffic by application protocol, source host, and transport protocol, with trends at both daily and hourly intervals. They also provide snapshots of top attackers, protocols, targets, and bandwidth usage per firewall address, and reports on suspicious or unauthorized traffic patterns such as protocol distribution, top talkers, accessed web sites, highest bandwidth-consuming conversations, source ports, and target IPs.
The queries cover case tracking and escalation, including resolution times and audit events trends, along with visualizations of cases by stages like initial, follow-up, and final stages. This set of queries primarily focuses on tracking and analyzing various aspects of cases, notifications, and escalations within the ArcSight Foundation workflow system. The queries cover a wide range of data points including case stages, statuses, operational impacts, consequences severity, creation dates, target analysis, notification details, escalation levels, and user-specific status reports. 1. **Case Tracking and Analysis:**

  • **Open Cases Details** and **Queued Stage Cases by Owner (Chart)**: These queries provide detailed views of open cases categorized by their owner or stage.

  • **Cases Open by Stage (Chart)**, **Open Cases by Associated Impact (Chart)**, and **Open Cases by Consequence Severity (Chart)**: Focus on the status and characteristics of open cases based on impact and severity.

  • **Open Cases by Operational Impact (Chart)**: Analyzes the operational impact on cases that are still open.

  • **Recently Closed Cases**: Provides a list or chart of recently closed cases, possibly for trend analysis.

  • **Cases Created Today** and **Cases per Target**: Tracks new cases created over time and their targets.

  • **Open Cases**: Lists all currently open cases, which is useful for ongoing case management.

2. **Notification Details:**

  • **All Level 3 Notifications**, **Notification Action Events**: Provides detailed views of notifications along with the actions taken on them.

3. **Operational Summaries and Trends:**

  • **Level 3 Notifications** charts and tables are provided for monthly, quarterly, and weekly trends to understand notification patterns over time.

  • **Notifications by Destination Group**, **by Severity**: Analyzes notifications based on their destinations and the severity of the issues they report.

  • **Notification Escalation Level Events Overview Charts and Tables**: For tracking escalations in a graphical format across different timelines.

4. **Status Reports:**

  • **Notification Status Report** and related charts (**Chart**, **Table** with monthly, quarterly, and weekly trends) provide an overview of the current status of notifications.

  • **Notifications By Acknowledgement Status Chart**: Tracks the acknowledgment statuses of notifications for accountability.

This summary highlights that these queries are designed to comprehensively monitor and analyze case management within a security information and event management (SIEM) system, providing detailed insights into open cases, notification handling, operational impacts, and user-specific communication metrics.

The provided list includes various reports and templates related to different aspects of cybersecurity, system health, and operational summaries within the ArcSight framework. Here's a summary of each item:

1. **Notifications Status Table - Weekly Trend**: This is a table showing the trend of notifications over time, likely tracked weekly.

2. **Query ArcSight Foundation/Workflow/Operational Summaries/Notifications by Acknowledgement Status Chart - Monthly Trend**: A chart that tracks the status of notifications related to acknowledgement, broken down monthly.

3. **Query ArcSight Foundation/Workflow/Operational Summaries/Notifications by Acknowledgement Status Chart - Quarterly Trend**: Similar to the above but quarterly.

4. **Query ArcSight Foundation/Workflow/Operational Summaries/Notifications by Acknowledgement Status Chart - Weekly Trend**: A chart showing weekly trends in notification acknowledgements.

5-16. **Queries for Notifications by Destination Group and Escalation Level Charts, and Severity Charts** (each with monthly, quarterly, and weekly trend options): These queries provide charts that track the performance of notifications based on destination group, escalation level, and severity over time.

17. **Query ArcSight Foundation/Workflow/Operational Summaries/Trends/Notification Events - Trend**: A query for tracking trends in notification events.

18. **Query ArcSight Foundation/Workflow/Operational Summaries/Trends/Notifications - Trend**: Another query for overall trend analysis of notifications.

19. **Query ArcSight Foundation/Workflow/Operational Summaries/Unacknowledged Level 3 Notifications**: This focuses on unacknowledged notifications at level 3, potentially indicating critical issues.

20-25. **Report Templates** from different categories including system health, licensing, chart and table layouts, and more: These templates are designed for generating standardized reports in various formats such as landscape or portrait, with one to four charts and tables.

26-31. **Other specific report templates** covering intrusion monitoring, antivirus errors, and licensing across regulated systems.

These items collectively represent a comprehensive set of tools and data visualizations used within the ArcSight system for monitoring and reporting on cybersecurity operations, system health, and operational performance.

This document series is a comprehensive set of reports from ArcSight, focusing on various aspects of system health, antivirus updates, storage management, connector configurations, and more. The reports include detailed information about the status of anti-virus software across multiple systems, update activities for both general use and regulated environments, virus activity analysis over time, storage space usage in the ASM (Archive Storage Module) database, upgrade history for connectors, cache statuses, event breakdowns by connector type and other relevant metrics. These reports are intended for management and administrative purposes within MSSP (Managed Security Service Provider) setups to ensure optimal system performance and compliance with security protocols.

This report documentation outlines various types of reports available within the ArcSight ESM (Enterprise Security Manager) system, categorized by their purpose and content. The reports cover different aspects such as configuration changes, licensing information, event management, resource usage, user access patterns, data monitors, and more. Here's a summarized list:

1. **Configuration Changes**: Reports detailing modifications made to actors, resources (such as configurations), and licensing settings.

2. **Licensing**: Various reports providing insights into the current state of licensing including full licensing report, storage licensing report, and detailed reporting by type or user.

3. **System Health**: Focused on event management and system resource utilization:

  • **Events**: Counts and breakdowns of events by destination ports, source destinations pairs, ArcSight priorities, time-based distributions, top activities, and more.

  • **Resources**: Involves reports about active lists, data monitors (statistics), invalid resources, reporting issues like failed queries or longest running query times.

4. **User Access**: Tracks user sessions including login trends and session list access statistics.

This documentation provides a comprehensive overview of the various types of reports available in ArcSight ESM, aiding in the monitoring and administration of the system's configurations, performance, and usage patterns.

The provided text lists a variety of reports available in the ArcSight ESM (Enterprise Security Manager) platform, categorized under different sections such as User Access, Content Management, System Core, Cisco Monitoring, and Foundation. These reports cover various aspects including user logins, logout activities, synchronization statuses, bandwidth usage, configuration changes, login tracking, vulnerability assessments, and firewall functionalities. Here is a summary of the main report categories:

1. **User Access**: Includes detailed logs of user sessions with features like ArcSight User Logins - Last Hour, which tracks user logins over the last hour and categorizes them by success or failure.

2. **Content Management**: Reports on synchronization statuses for packages and subscribers, highlighting errors to assist in troubleshooting and management issues within content delivery systems.

3. **System Core**: Focuses on asset vulnerabilities and specific reports related to Cisco devices including configuration changes, login tracking (successful or failed), and bandwidth usage per protocol or host.

4. **Cisco Monitoring**: Extensive coverage for all Cisco networking devices, providing detailed insights into configuration changes by type or user, as well as login activities tracked by source or destination IP addresses, users, and hosts.

5. **Foundation**: General reports on various functionalities such as bandwidth tracking across devices, which categorizes data usage per protocol and tracks the top destinations or sources of bandwidth.
Each report serves a specific purpose in maintaining security, performance monitoring, error detection, and configuration management within network environments monitored by ArcSight ESM. The provided list consists of various technical reports related to network and security monitoring using Cisco systems, specifically through ArcSight Foundation. These reports cover a wide range of functionalities including firewall management, intrusion prevention system alerts, allowed and denied inbound and outbound connections, bandwidth usage by hosts, and critical events or errors recorded from the devices. The reports detail data such as:

  • Allowed outbound connections by source host

  • Denied inbound connections by destination host and port

  • Denied outbound connections by destination host and port

  • Inbound connection setup attempts per day

  • Outbound connection setup attempts per day

  • Summary of allowed and denied traffic through a Cisco firewall

  • Top bandwidth usage by destination and source hosts via the firewall

  • Intrusion Prevention System (IPS) alerts, including count by device, type, severity, port, and specific targets or attackers.

  • Configuration changes in the IPS system, including by device, type, user, and over time.

These reports likely serve to provide a comprehensive view of network security posture, performance metrics, and potential threats detected within the Cisco network infrastructure managed through ArcSight Foundation.

This is a list of reports generated by ArcSight Foundation for monitoring Cisco devices and networks. The reports cover various aspects such as interface status, network configuration changes, SNMP authentication failures, firewall overview, intrusion prevention system (IPS) activity, bandwidth usage, and VPN performance. Specific details include interface status messages, changes in network equipment configurations categorized by device, type, user, and day; SNMP access trends; wireless devices associated with Cisco Access Points; and detailed statistics for the Cisco Adaptive Security Appliance (ASA), including denied inbound/outbound connections, connection setup attempts, bandwidth usage by protocol and host, VPN authentication errors, and more.

This is a collection of various reports related to Cisco products and their configurations, primarily focused on monitoring and security aspects. The reports cover different areas including VPN connections, bandwidth usage, configuration changes, denied inbound/outbound connections, intrusion prevention system settings, web security appliance details, and more. These reports are generated by ArcSight Foundation using data from Cisco Adaptive Security Appliance (ASA), Firewall Services Module (FWSM), Intrusion Prevention System Sensor (IPS Sensor), and IronPort Web Security Appliance (WSA). Each report provides insights into the performance, configuration changes, traffic patterns, and security events associated with these devices.

This document outlines a series of reports generated by various Cisco products, including the ArcSight Foundation and Cisco IronPort Web Security Appliance (WSA) as well as the Cisco IronPort Email Security Appliance (ESA).
Each report is designed to provide specific insights into network traffic, web requests, email transactions, and configuration changes across different devices such as routers, switches, firewalls, and more. 1. **Cisco WSA Reports:**

  • Top Hosts with Most Web Traffic: Identifies the hosts generating the most web traffic on the Cisco IronPort Web Security Appliance.

  • Top Sites with Most Request Errors: Lists websites with the highest number of request errors as reported by the Cisco IronPort WSA.

  • Top Sources with Most Denied Requests: Profiles sources responsible for the highest number of denied requests from the Cisco IronPort WSA perspective.

  • Top Sources with Most Request Errors: Identifies the sources experiencing the most request errors on the Cisco IronPort WSA.

  • Web Requests per Day in the Previous Week: Provides a daily breakdown of web requests over the past week for the Cisco IronPort WSA.

  • Web Requests per Hour in the Previous Day: Shows the distribution of web requests across hours from the previous day as monitored by the Cisco IronPort WSA.

2. **Cisco ESA Reports:**

  • Configuration Changes by Type and

This document provides a comprehensive summary of various configuration and user account changes monitored through the ArcSight Foundation platform, focusing on network devices (switches, VPNs), user accounts (creation, deletion, modification of passwords), and asset configurations. Key findings include: 1. **Configuration Changes**:

  • Detailed reports on switch configurations, VPN misconfigurations, and zones by configuration change count over the past week.

2. **User Accounts**:

  • Creation and deletions of AAA (Authentication, Authorization, and Accounting) user accounts, along with specific reports for VPN and general user account creations and modifications.

3. **Asset Tracking and Configuration**:

  • Most common account login failures by attacker user on the most recent day, configuration changes per user over the last week and by zone, and a summary of current asset configurations.

4. **Inventory**:

  • Assets with applications, roles such as mail servers and web servers, categorized under revenue-generating assets.

5. **Vulnerabilities**:

  • 10 most vulnerable assets in a confidential data group, all exposed vulnerabilities across the organization, especially focusing on email and web server assets. Additionally, there are reports on Blaster Vulnerable Hosts and critical asset exposure trends over the last 90 days.

These reports help in maintaining network security, ensuring compliance with configurations, and tracking user activities to prevent unauthorized access or malicious activities. The provided list of reports from ArcSight Foundation and Configuration Monitoring covers a wide range of security-related metrics and operational details, including vulnerability exposures, asset configurations, user activities, access logs, and network traffic. Here's a summary of each report type mentioned: 1. **Vulnerabilities by Zone Trend - Last Month** (ArcSight Foundation/Configuration Monitoring)

  • Trends in critical vulnerabilities across different zones over the last month.

2. **Critical Assets Report** (ArcSight Foundation/Configuration Monitoring)

  • Details on assets identified as critical, including exposed vulnerabilities and vulnerability counts.

3. **Top Vulnerability Exposure of Critical Assets** (ArcSight Foundation/Configuration Monitoring)

  • Insights into the most vulnerable critical assets based on exposure levels.

4. **Vulnerability Exposure by Asset Criticality - Current Month** (ArcSight Foundation/Configuration Monitoring)

  • Analysis of vulnerabilities categorized by asset criticality for the current month.

5. **Exposed Vulnerabilities by Asset** (ArcSight Foundation/Configuration Monitoring)

  • Details on exposed vulnerabilities per asset, highlighting high-priority issues.

6. **Exposed Vulnerability Count by Asset** (ArcSight Foundation/Configuration Monitoring)

  • A count of all exposed vulnerabilities per asset, prioritized where necessary.

7. **High-Priority Vulnerabilities Detected on Critical Assets - Yesterday** (ArcSight Foundation/Configuration Monitoring)

  • Summary of high-priority vulnerabilities affecting critical assets from yesterday.

8. **Top 10 Assets by Exposed Vulnerability Counts** (ArcSight Foundation/Configuration Monitoring)

  • The top 10 most vulnerable assets based on the number of exposed vulnerabilities.

9. **Top 10 Exposed Vulnerabilities by Asset Counts** (ArcSight Foundation/Configuration Monitoring)

  • The top 10 most critical exposed vulnerabilities, grouped by asset type.

10. **Vulnerabilities of Assets in North America** (ArcSight Foundation/Configuration Monitoring)

  • Vulnerability analysis specific to assets located in North America.

11. **Host Configuration Events By Zone** (Executive Summaries)

  • Operational details on host configurations across different zones.

12. **Host Summary by Business Role** (Executive Summaries)

  • A summary of hosts categorized by their business roles.

13. **Host Summary by Criticality** (Executive Summaries)

  • Hosts grouped and analyzed based on their criticality levels.

14. **Host Summary by Data Role** (Executive Summaries)

  • Details on hosts organized according to the role of data they handle.

15. **Host Summary by Operating System** (Executive Summaries)

  • A summary of hosts classified by their underlying operating systems.

16. **Top User Logins - Last Week** (Operational Summaries/Access Tracking)

  • Details on the top user logins over the last week.

17. **Top User Logins - Yesterday** (Operational Summaries/Access Tracking)

  • Summary of the most significant user logins from yesterday.

18. **User Login Failures Trend - Past Week** (Operational Summaries/Access Tracking)

  • Trends in login failures over the past week, indicating potential security issues.

19. **Asset Startup and Shutdown Event Log - Last Day** (Operational Summaries/Asset Restarts)

  • Logs of asset startup and shutdown activities from the last 24 hours.

20. **Asset Startup and Shutdown Log - Last Week** (Operational Summaries/Asset Restarts)

  • Detailed logs of asset startup and shutdown events over the past week.

21. **Assets Restarting Twice or More - Last Week** (Operational Summaries/Asset Restarts)

  • A list of assets that restarted twice or more within the last week, potentially indicating issues.

22. **Critical Asset Startup and Shutdown Event Log - Last Day** (Operational Summaries/Asset Restarts)

  • Logs specifically for critical assets regarding their startup and shutdown events from yesterday.

23. **Host Configuration Modifications Summary** (Operational Summaries)

  • A summary of modifications made to host configurations over time.

24. **User Removals - Last 30 Days** (Operational Summaries)

  • Records of user accounts removed from the system within the last 30 days.

These reports collectively provide a comprehensive view of an organization's cybersecurity posture, highlighting areas of potential vulnerability or operational inefficiency that may require attention and improvement.

This document contains a series of reports from ArcSight Foundation, focused on monitoring network security incidents involving IPv6 addresses. The reports cover various aspects such as successful logins, attacker targets, alert counts, device types (like firewalls, IDS, VPNs), and severity levels. Key findings include:

1. **IPv6 Traffic Analysis**: Reports detail traffic patterns based on IPv6 source and destination addresses, including top sources and destinations for alerts.

2. **Intrusion Detection System (IDS) Analysis**: Focuses on the performance of IDS signatures across different IPv6 addresses, highlighting successful detections and their severity levels.

3. **Attack Monitoring**: Provides detailed breakdowns of attack types, counts, rates, and affected devices or services, prioritized by severity or type.

4. **Firewall Activity**: Details inbound and outbound denial activities based on IP address and port numbers, segmented per hour and device type.

5. **VPN Usage**: Analyzes user activity and session lengths within VPN connections using IPv6 addresses.

The reports are confidential and intended for internal use only, with specific focus on the identification of potential threats and performance improvements in network security measures against IPv6-based cyber attacks.

This document outlines a variety of reports related to intrusion monitoring within the ArcSight system, focusing on different aspects such as attackers, attack sources, DoS events, SANS Top 20 vulnerabilities, target assets affected by attacks, and more. The reports cover detailed information about the types of attacks, their targets, and the most frequent attackers involved in these incidents.
They also provide insights into the geographical distribution of attacks and specific details on vulnerable systems as identified by SANS Top 20 (version 6.01) vulnerabilities. The reports include:

  • Details on top and bottom attackers, including those with the highest number of attacks or least number of attacks within a specified period.

  • Inbound DoS events reported for the previous day.

  • Hourly updates on SANS Top 20 attacked systems based on vulnerability areas.

  • Target counts by various criteria such as device type (IDS), port, and ArcSight priority, including attacker details and specific event names affecting target assets.

  • Lists of targets affected by recent activities categorized into compromised, hit, and scanned lists.

  • Charts and tables showing the top N targets based on attack signatures targeting Windows assets, geographical distribution, or other relevant criteria.

This document is part of a larger security monitoring suite that helps in identifying potential threats, understanding patterns of cyber attacks, and ensuring network security by prioritizing vulnerabilities and attackers to mitigate risks effectively.

The provided reports from ArcSight Foundation, an intrusion monitoring system, cover a wide range of security-related details and activities. These include compromised user accounts, access events, environment state summaries, reconnaissance activities like port scanning and prioritized scans by zone or type, resource access (with specific focus on database, email, and file resources), failed login attempts across devices, successful logins, connection counts and durations, and more.

1. **Compromised User Accounts**: The reports detail compromised user accounts under "Attack Monitoring/Targets/User Accounts" showing both "Access" and "All Activity." This section is further broken down into specific types of attacks or suspicious activities that might indicate a compromise.

2. **Environment State Summaries**: These are 24-hour summaries of application, operating system, and service status events:

  • **Top Application Status Events** over the last 24 hours.

  • **Environment Status Events**, including both high and low priority statuses.

  • **OS Status Events** highlight any significant deviations in typical operation from the previous day.

  • **Service Status Events** are monitored to ensure optimal service performance, with alerts generated for any anomalies or failures.

3. **Reconnaissance Activities**: This includes:

  • **Port Scanning Activity** which is a common method used by attackers to identify open ports and vulnerabilities on a target system.

  • **Prioritized Scanning Activity by Zone** helps in focusing security efforts where they are most needed.

  • **Reconnaissance Types Detected by Zone** provides detailed information about the types of reconnaissance activities occurring within specific zones or environments.

4. **Resource Access**: Detailed reports under this section include:

  • **Access Events by Database Resource**, **Email Resource**, **File Resource**, and **Resource** which provide insight into who has accessed what resources, potentially indicating excessive privileges being granted to certain users.

  • **Database Resource Access by Users** and **Email/File Resource Access by Users** are particularly revealing about privileged access abuse.

5. **Access Sessions**: This includes:

  • **Access Activity**, which tracks session initiation events across different systems or applications, highlighting potential unauthorized activities.

  • **Brute Force Access Activity**, indicating attempts to guess login credentials on a system through repeated failed logins.

6. **User Tracking**: This involves monitoring of user activity including device-crossing for:

  • **Failed Login Attempts** and their destination/source addresses, which are crucial in identifying potential account takeover scenarios.

  • **Successful Logins**, tracking legitimate access by users across devices and networks.

  • **Connection Counts and Durations by User** provide insights into user behavior patterns.

7. **Device SNMP Authentication Failures**: This highlights issues with authentication mechanisms used to manage network-enabled devices, which are critical for maintaining the integrity of networked systems.

These reports collectively serve as a comprehensive security posture assessment tool, providing actionable intelligence regarding potential threats and vulnerabilities within an organization's IT infrastructure.

This document appears to be a comprehensive report generated by the "ArcSight Foundation" system for intrusion monitoring, covering various aspects of security and operational activities. The report is detailed and includes multiple sections such as:

1. **User Tracking and Activity**: Details about user activities are reported, including attempted and successful attacks, tracked through business roles.

2. **Vulnerability Management**: Includes views on asset vulnerabilities, listing the top 10 targets related to Sarbanes-Oxley compliance and overall vulnerability counts across assets.

3. **Worm Outbreaks**: Tracks systems infected by worms, providing a list of affected machines.

4. **Security Intelligence Status Report (SIS Report)**: A consolidated report that provides an overview of the security status including attacked targets, application, operating system, service, and environment status trends over time.

5. **Attack Monitoring**: Trends in attack rates, prioritized by service, target zone, DoS events, inbound attacks, SANS Top 20 threats, reconnaissance types detected, scanning activities, resource access brute force sessions, and daily top resource access trends are detailed.

6. **Regulated Systems**: Reports on vulnerabilities associated with regulated systems, categorized by attack type, host, and total counts of vulnerabilities.

7. **Revenue Generating Systems**: Coverage includes details about attacked revenue-generating systems, their compromises in terms of availability, and all forms of compromise.
Each section provides a specific insight into the security posture of the organization, detailing potential risks and areas requiring attention based on detected threats and vulnerabilities. The report is marked as "HP Confidential" indicating that it contains sensitive information which should be handled with appropriate use restrictions. This report overview covers various aspects of network and system monitoring using the ArcSight platform, including intrusion monitoring, vulnerability assessments, network traffic analysis, and operational summaries. Key reports include: 1. **Intrusion Monitoring**:

  • **Revenue Generating Systems - Compromise - Confidentiality Report**: Monitors potential compromise of revenue-generating systems affecting confidentiality.

  • **Revenue Generating Systems - Compromise - Integrity Report**: Tracks potential issues compromising the integrity of revenue-generating systems.

  • Various reports under "Operational Summaries" and "Vulnerability View" sections, focusing on top vulnerabilities across different zones, events trends, and detailed vulnerability scans by host or vulnerability type.

2. **SANS Top 5 Reports**:

  • **Attempts to Gain Access Through Existing Accounts**: Includes failed login attempts over time (daily, weekly) and the most frequently failing users.

  • **Systems Most Vulnerable to Attack**: Trends in vulnerable systems over time (monthly, yearly), detailed by host and vulnerability type.

  • **Suspicious or Unauthorized Network Traffic Patterns**: Monitors top talkers, IDS signature destinations/sources, and alerts from intrusion detection systems.

3. **NetFlow Monitoring**:

  • **Top Bandwidth Usage Reports** for daily, weekly, and specific analysis by destination and source ports.

4. **Network Monitoring Details by Host**.

These reports collectively provide a comprehensive view of network security, system integrity, and potential vulnerabilities, enabling proactive measures to be taken against cyber threats and breaches.

The provided documents and reports are related to network traffic monitoring and analysis using the ArcSight Foundation platform. They cover various aspects of network activity including detailed traffic by host, protocol details, device activity (network and VPN), bandwidth utilization, inbound and outbound traffic summaries, and more. These reports help in understanding the network performance, identifying trends, troubleshooting issues, and ensuring security compliance. The data is confidential and subject to specific use restrictions as indicated by HP Confidential—subject to use restriction.

This document is a collection of various reports related to network monitoring and security operations, primarily using the ArcSight platform. The reports cover different aspects such as outbound traffic summaries, protocol distributions, case tracking and escalation, and notification details. Here's a summary of each report mentioned in the document:

1. **Outbound Traffic - Daily Summary**: Provides a daily overview of network traffic originating from the organization's network.

2. **Outbound Traffic - Weekly Summary**: Offers a weekly recap of outbound traffic patterns.

3. **Outbound Traffic by Protocol - Weekly Summary**: Breaks down outbound traffic by specific protocols over a week.

4. **Traffic Snapshot**: Provides a snapshot view of current network traffic conditions at the time of reporting.

5. **Traffic Statistics**: Aggregates statistical data on overall network traffic, possibly including bandwidth usage and other relevant metrics.

6. **Protocol Distribution Report**: Focuses specifically on identifying suspicious or unauthorized network traffic patterns related to protocols used across the organization's network.

7. **Top 10 Talkers**: Lists the top users or devices generating significant amounts of network traffic.

8. **Top 10 Types of Traffic**: Identifies the primary types of data being transmitted over the network, possibly highlighting anomalies.

9. **Top List of Accessed Web Sites**: Reports on websites accessed by employees through the organization's network.

10. **Top Source Ports and Target IPs**: Detailed view into the most frequently used source ports and targeted IP addresses in network communications.

11. **Traffic Moving Average Report**: Averages traffic data over a set period to smooth out fluctuations for easier analysis.

12. **All Cases**: Tracks all cases related to workflow or alerts, providing an overview of active issues.

13. **Case Stages and Status Overview**: Details the stages and statuses of cases tracked by ArcSight.

14. **Cases Created Today and per Target**: Provides a daily count of new cases created and those associated with specific targets.

15. **Open Cases**: Lists all currently open cases requiring attention.

16. **All Level 3 Notifications**: Includes detailed logs of all notifications received at the third level of notification hierarchy.

17. **Notification Action Events**: Provides a log of actions taken in response to notifications, detailing who and when these actions were performed.

18. **Average Time to Case Resolution - By Severity, Day, and User**: Analyzes how quickly cases are resolved based on their severity or assigned personnel.

19. **Max Time to Case Resolution - By User**: Identifies the longest duration taken to resolve any given case by different users.

20. **Notification Escalation Level Event Overview - Monthly, Quarterly, Weekly Trends**: Tracks escalations in notification handling over time, segmented by monthly, quarterly, and weekly trends.

21. **Notification Status Trends - Monthly, Quarterly**: Provides a detailed view of how notifications are being managed across different periods.
Each report serves to provide insights into the efficiency and effectiveness of network operations, security measures, and overall IT management, helping in decision-making processes for potential improvements or adjustments in policies and procedures related to network usage and security. This document contains a variety of reports and rules related to the ArcSight system, focusing on operational summaries, notification status, connector health, storage issues, licensing audits, resource management, and more. The reports include details such as weekly, monthly, and quarterly trends in notifications by user overview, as well as specific breakdowns by acknowledgement status. The rules cover a wide range of topics including configuration changes to connectors, system health metrics like cache status, connection status, and detailed issues with rule performance. The text outlines a variety of rules and alerts related to system resources, user access, storage issues, database management, logger sensor status, content management data, security activities, and threat tracking in an ArcSight system. Key highlights include: 1. **System Resource Exhaustion**: Alerts for critical or warning levels of free space in the ASM (ArcSight Storage Manager) database, changes in ASM database status such as becoming down, normal, having space issues, or now available. 2. **User Access and Sessions**: Monitoring of user login/logout activities, timeouts, and logger sensor statuses. 3. **Storage Issues**: Alerts regarding the criticality of free space in the ASM database, changes in its status, and indications of insufficient storage capacity. 4. 
**Security Activities**: Various security-related alerts such as antivirus update failures, brute force login attempts, outbound traffic to suspicious countries, ports, or services, possible denial-of-service (DoS) attacks on hosts or networks, and other suspicious activities indicated by high numbers of IDS alerts, blocked outbound traffic, and more. 5. **Threat Tracking**: Alerts for attempted system compromises, successful compromises, incidents resolved, hostile attempts such as brute force and reconnaissance activities like port scans and vulnerability scans. This summary highlights the comprehensive monitoring and alerting mechanisms in place to manage potential issues related to system resources, user access, security, and threat tracking within an ArcSight-based system configuration. This summary covers a variety of security events and rules monitored by the ArcSight system, including traffic from suspicious sources, detection of viruses, changes in critical device configurations, insecure software or hardware configurations that may lead to vulnerabilities, successful configuration changes, possible attacks such as brute force login attempts, exploitation attempts, and denial-of-service (DoS) attacks. Additionally, it highlights anomalies in communication patterns, network traffic volumes, and alerts related to potential security threats like backdoors, email vulnerabilities, and operating system flaws. The summary is part of a larger security monitoring framework used by HP for threat detection and response, ensuring the protection of sensitive information as per company policy. The text provided outlines a series of security rules within the ArcSight Foundation framework, focusing on various aspects of intrusion monitoring, reconnaissance activities, resource access violations, user tracking, network traffic anomalies, worm outbreaks, and case management. 
These rules are designed to detect specific patterns or events that may indicate potential cyber threats or malicious activities such as brute force attacks, unauthorized access attempts, port scans, and more. The rules cover areas including operating system vulnerabilities (e.g., Microsoft MSDTC, Message Queuing Service, NNTP, NetDDE, Plug and Play, SMB, Task Scheduler services), network-based reconnaissance techniques (application protocol scan, host/network port scans), resource access initiations and terminations, user session tracking for different types of users (administrative, normal), VPN sessions, and significant changes in traffic patterns. Additionally, the text mentions specific malware outbreaks linked to DDOS attacks and worm activities that are monitored for potential network disruptions or internal security breaches. Finally, there are rules related to case management such as escalations and deletions within incident handling processes. The provided text outlines a variety of monitoring, tracking, and reporting activities related to cybersecurity and system health within the ArcSight platform. These activities are categorized under different sections such as Intrusion Monitoring, Workflow Management, Case Tracking and Escalation, User Access, Licensing, System Health, Connector Configuration, and more. Key tasks include: 1. **Case Investigation**: Starting and tracking cases related to incidents or events. 2. **Resource Access Monitoring**: Detecting brute force attacks and general resource access patterns. 3. **User Tracking**: Monitoring user sessions including VPN and direct log-ins. 4. **Configuration Changes**: Tracking changes in network configurations, device settings, and system properties across various devices and platforms. 5. **Storage Management**: Ensuring adequate storage space for events, databases, and logs. 6. **Event Analysis**: Analyzing the frequency and nature of security-related events to detect trends or anomalies. 7. 
**Licensing Compliance**: Tracking licensing usage and history to ensure compliance with software licenses. 8. **System Health Monitoring**: Evaluating performance metrics such as EPS (Events Per Second), storage space, and resource utilization for reporting queries, failed queries, and overall system health. 9. **User Sessions**: Logging user sessions to track active logins and identify potential unauthorized access. 10. **Event Trends**: Observing trends in event types and occurrences over time. These activities are crucial for proactive security management, incident response, compliance monitoring, and performance optimization within the cybersecurity infrastructure. This document outlines a variety of daily trend reports and summaries related to various aspects of system monitoring, user access tracking, vulnerability exposure, intrusion detection, and resource access within the ArcSight Foundation framework. The reports cover topics such as asset restarts and critical system events, most common account login attempts and failures, user account modifications including creation, deletion, and password changes, vulnerability tracking by criticality and exposure, attack rates prioritized by service and target zone, reconnaissance activities like port scanning and top 10 reconnaissance types detected, brute force access session trends, asset counts by vulnerability, and failed logins per hour. These reports are designed to provide a comprehensive view of the system's health, security posture, and potential vulnerabilities that may require attention or mitigation efforts. This document outlines various types of data and metrics collected through different systems and applications used in an organization's security operations center (SOC). These include network monitoring, intrusion detection, Cisco device management, netflow monitoring, IPv6 traffic analysis, and more. 
The primary purpose is to provide a comprehensive view of the system's health, performance, and vulnerabilities, enabling proactive measures to be taken against potential cyber threats and enhancing overall security posture.
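Several of the items above ("brute force login attempts" rules, the "Brute Force Access Session" trend and the "Failed Logins per Hour" report) are aggregations over authentication events. The following is an added example, not code from the page or from ArcSight, showing how such a trend and threshold check can be computed over CEF-formatted events. The CEF lines are constructed sample data; the extension keys `suser`, `src`, `rt` and `outcome` follow the CEF extension dictionary, and the threshold of 5 failures in a 600-second window is an assumption chosen for the example, not an ArcSight default.

```python
"""Failed-logins-per-hour trend and a brute-force-style threshold check.

Added illustrative example (not ArcSight's own rule or report logic).
All events below are constructed; the window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in CEF format. rt is the event time in epoch milliseconds.
# 1700000000 s == 2023-11-14T22:13:20Z.
SAMPLE_EVENTS = [
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000000000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000030000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000060000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000090000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000120000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=alice src=10.0.0.5 rt=1700000150000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=bob src=10.0.0.9 rt=1700000300000 outcome=failure",
    "CEF:0|Example|AuthService|1.0|101|Login succeeded|1|suser=carol src=10.0.0.7 rt=1700000500000 outcome=success",
    "CEF:0|Example|AuthService|1.0|100|Login failed|5|suser=bob src=10.0.0.9 rt=1700004000000 outcome=failure",
]

# key=value pairs in the CEF extension; values run up to the next " key=" or end of line.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a CEF record into its seven header fields plus an 'ext' dict."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    _, vendor, product, version, sig_id, name, severity, ext = parts
    return {
        "vendor": vendor, "product": product, "version": version,
        "signature_id": sig_id, "name": name, "severity": severity,
        "ext": dict(CEF_EXT_RE.findall(ext)),
    }


def parse_events(lines):
    return [parse_cef(line) for line in lines]


def failed_logins(events):
    """Yield (user, epoch_seconds) for every event whose outcome is 'failure'."""
    for e in events:
        if e["ext"].get("outcome") == "failure":
            yield e["ext"]["suser"], int(e["ext"]["rt"]) // 1000


def failed_logins_per_hour(events):
    """Count failed logins per UTC hour (the 'Failed Logins per Hour' trend)."""
    counts = defaultdict(int)
    for _user, ts in failed_logins(events):
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).replace(
            minute=0, second=0, microsecond=0)
        counts[hour.strftime("%Y-%m-%dT%H:00Z")] += 1
    return dict(counts)


def brute_force_candidates(events, threshold=5, window_seconds=600):
    """Return {user: peak_failures} for users whose failed logins inside any
    sliding window of window_seconds reach the threshold (a rule-style check)."""
    per_user = defaultdict(list)
    for user, ts in failed_logins(events):
        per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("failed logins per hour:", failed_logins_per_hour(events))
    print("brute force candidates:", brute_force_candidates(events))
```

Run stand-alone, the trend shows 7 failures in the 22:00 UTC hour and 1 in the 23:00 hour, and only `alice` (6 failures within 150 seconds) crosses the assumed threshold; `bob`'s two failures are over an hour apart and never share a window.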

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
