HP ArcSight ESM Default Content: Use Cases in Security Management
- Pavan Raja
- Apr 8, 2025
Summary:
This document is a comprehensive guide to an intrusion detection and prevention system (IDPS) that monitors a wide range of network activity: alerts from IDS/IPS, anti-virus activity, attack rates, attacker profiles, business impact analysis, denial-of-service threats, environment state, login tracking, reconnaissance attempts, regulated-systems access, revenue-generating system vulnerabilities, and an overall security overview. It gives network administrators actionable intelligence for identifying potential threats, assessing the affected areas, and planning a strategic response. It is aimed at executive-level personnel within an organization and uses specialized resources tailored to Cisco products such as firewalls, IPS, email security appliances, web security appliances, and wireless access points.
Details:
This document outlines several key components of an intrusion detection and prevention system, focusing on real-time monitoring of network activity: alerts from IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), anti-virus activity, attack rates, attacker profiles, business impact analysis, denial-of-service threats, environment state, login tracking, reconnaissance attempts, regulated-systems access, revenue-generating system vulnerabilities, and an overall security overview. Each section is designed to give network administrators actionable intelligence for identifying potential threats, assessing the affected areas, and planning a strategic response.
This summary outlines a variety of specialized resources designed to offer detailed, targeted security and network management information for executive-level personnel within an organization. The resources are categorized into distinct use cases tailored to specific Cisco products and technologies such as firewalls, intrusion prevention systems (IPS), email security appliances, web security appliances, and wireless access points.
1. **Targets**: Focuses on providing security intelligence related to specific targets or assets in the network environment.
2. **Vulnerability View**: Offers insights into asset vulnerabilities through vulnerability scanner reports, categorizing them by asset list and vulnerability list.
3. **Worm Outbreak**: Monitors worm activity and its impact on the network infrastructure.
4. **Bandwidth Usage**: Provides detailed information about bandwidth utilization across the network.
5. **Device Activity**: Tracks activities of firewalls, networks, and VPN connections to ensure secure communications.
6. **Hosts and Protocols**: Analyzes network traffic to specific hosts (such as mail and web servers) based on application protocols.
7. **SANS Top 5 Reports**: Identifies suspicious or unauthorized network traffic patterns that may indicate security threats.
8. **Traffic Overview**: Provides a general overview of network traffic across the organization.
9. **Cisco Overview**: Specifically for Cisco Firewalls and Intrusion Prevention Systems, it reports on logins, configuration changes, and other significant events.
10. **Cisco Adaptive Security Appliance (ASA)**: Offers firewall information based on ASA-generated events.
11. **Cisco Cross-Device**: Tracks network activities including logins, configuration changes, and bandwidth consumption across all Cisco devices.
12. **Cisco Firewall Services Module (FWSM)**: Provides detailed reports and dashboards related to firewalls within the network.
13. **Cisco Generic Firewall**: Monitors firewall activity reported by any Cisco device or module.
14. **Cisco Generic Intrusion Prevention System (IPS)**: Generates reports for alerts from IDS/IPS devices, including specific models like IPS 4200 series and Catalyst 6500 series.
15. **Cisco IOS Intrusion Prevention System (IOS IPS)**: Details event statistics and configuration changes reported by Cisco IOS IPS devices.
16. **Cisco IronPort Email Security Appliance (ESA)**: Monitors email traffic based on events from the ESA.
17. **Cisco IronPort Web Security Appliance (WSA)**: Identifies and provides web traffic information from WSA reports.
18. **Cisco Network**: Collects and analyzes network equipment-related data, providing a comprehensive overview of the Cisco network environment.
19. **Cisco Wireless**: Covers wireless traffic recorded by Cisco Aironet access points within the organization's networks.
These resources collectively serve to enhance security posture, optimize network performance, and provide actionable intelligence for executive leadership in managing complex IT infrastructures.
This document outlines various resources available for monitoring, investigating, and reporting on network bandwidth usage, user account configurations, security application configurations, vulnerabilities, NetFlow data, ArcSight Core Security activities, and configuration changes in SmartConnectors. The primary focus is to provide an overview of system configurations and changes, along with detailed information about specific aspects such as IPv6 traffic, user accounts, and suspicious activities like reconnaissance or denial-of-service attacks. Leveraging this information can help in building correlation content for security monitoring and improving overall system security posture.
This summary outlines various use cases within the ArcSight system, focusing on different aspects such as device monitoring, licensing compliance, user access, resource configuration changes, content management, event statistics, reporting performance, storage health, logger events, actor support, priority formula, and case tracking. These use cases provide insights into the status of SmartConnectors, information about devices, licensing compliance, user sessions, resource configurations, content package synchronization, processing statistics, system resources, and more.