HP ArcSight ESM Default Content - Use Cases - Main Index

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 11 min read

Summary:

The HP ArcSight Enterprise Security Manager (ESM) platform is designed to provide detailed insight into cyber threat monitoring and analysis. This includes tracking user activity, assessing vulnerability levels, and taking preventive measures against cyber threats. The key findings and reports in the default content, organized by category, are outlined below.

### Attack Monitoring

  • **Attack Rates by Target Zone**: Detailed information on the frequency of attacks targeting specific zones within an organization's infrastructure. This includes data on denial-of-service (DoS) events and other malicious activities.

  • **Reconnaissance Types Detected**: Information about the types of reconnaissance activity detected, which can include both automated scanning and attempts to gather information without causing direct harm.

  • **Worm Outbreak Trends**: Any trends or patterns indicating the spread of malware that could compromise systems across the network.

### Environment State

  • **System Vulnerabilities**: Detailed reports on identified vulnerabilities in operating systems, applications, and services. This can include both real-time and historical data to understand the evolving security landscape.

  • **Regulated Systems Vulnerability Status**: Compliance with regulatory requirements regarding system security, highlighting any discrepancies or risks that need immediate attention.

### Reconnaissance

  • **DoS Events**: Information on denial-of-service attacks, including their frequency, impact, and possible mitigation strategies.

  • **Port Scanning Activity**: Details about scans conducted to identify open ports and potential entry points for cyber threats.

### Resource Access

  • **Brute Force Session Trends**: Patterns of failed login attempts that could indicate brute force attacks on user accounts.

  • **Successful and Failed Logins**: Tracking the success or failure of login activity can provide insight into potential unauthorized access attempts.

### User Tracking

  • **Compromised User Accounts**: Identification of user accounts that have been compromised, which is crucial for notifying affected users and changing their credentials immediately.

  • **Vulnerable Systems**: Systems identified as potentially vulnerable to cyber attacks, requiring immediate attention or remediation.

### Vulnerability View

  • **Top Target IPs**: IP addresses associated with the most frequent potential unauthorized network activities.

  • **Protocol Distribution Report**: Analysis of traffic patterns by protocol, helping to understand the types and prevalence of traffic on the network.

### Worm Outbreak

  • **Indicators of Compromised User Accounts**: Details about user accounts that are likely compromised due to unusual activity or patterns.

### Business Roles

  • **Revenue-Generating Systems Compromises**: Any instances where revenue-generating systems have been compromised, which could lead to significant financial losses.

### Security Intelligence Status Report

  • **IDS Signatures Indicating Potential Unauthorized Network Activities**: Specific signatures of potential unauthorized network activity detected by the Intrusion Detection System (IDS).

  • **Bandwidth Usage and Protocol Details**: Analysis of traffic usage across different protocols, highlighting any unusual spikes or patterns that could indicate security breaches.

### Notification Overview and Statistics

  • **Notification Status Report**: An overview of all notifications received within the organization, detailing their statuses and any trends in notification handling efficiency.

This structured approach to reporting enables organizations to proactively identify and respond to potential cyber threats, ensuring a more secure operational environment across various IT assets.

Details:

The document provides a comprehensive overview of the content and use cases for HP ArcSight Enterprise Security Manager (ESM), focusing on areas such as anti-virus failures, connector configurations, system health, event monitoring, licensing, and storage management. Key areas include:

1. **Use Case Content** - Covers specific scenarios like failed anti-virus updates across different environments and systems, tracking top infected systems, and virus activity over time.

2. **ArcSight Administration** - Includes reports on actor context by account ID, connector configuration changes including upgrades and versions, system health metrics such as cache status and EPS (events per second), and event breakdowns by severity, counts, and source/destination pairs.

3. **Configuration Changes** - Detailed reporting on the types of configuration changes made to connectors, resources such as ESM configurations and Cisco IPS sensors, and actors, including their updates, deletions, and manager department changes.

4. **Licensing** - Provides licensing reports that cover all products, as well as storage-related reports detailing the free space in the ASM (Advanced SIEM Management) database and archive processing status.

5. **System Health** - Reports on events by severity, counts, source/destination pairs, destination counts by connector type, top connector types, and event distributions across different connectors.

The document is structured to provide detailed insight into the operational performance and configuration of HP ArcSight ESM, aiding in the management and monitoring of cybersecurity infrastructure.

The ArcSight ESM reports and content are organized under categories such as "System Health," "Resources," "User Access," "Content Management," and others. These include detailed views of events categorized by event name, time, source/destination port, ArcSight priority, and more. The reports cover active list access, data monitor evaluation statistics, invalid resources, rule correlation events, user login trends, synchronization status history, and more. Additionally, there are specific reports for Cisco device monitoring, including bandwidth usage, configuration changes, and firewall rules related to users and devices. This overview shows that ArcSight ESM provides a wide range of detailed analytical tools and reporting capabilities for managing and monitoring system health, user activity, and network configurations across various devices and protocols.

The document also contains a variety of reports related to network security, device management, and performance monitoring across different Cisco technologies. Key areas covered include:

1. **Firewall Configuration Changes**: Includes changes in firewall configurations for inbound and outbound connections by both source and destination hosts, as well as denial metrics such as denied inbound and outbound connections per hour or day, along with connection setup attempts.

2. **Intrusion Prevention System (IPS)**: IPS alerts are detailed by device, type, user, severity, port, and alert name. Metrics include counts of overall alerts and specific attacks over time.

3. **Network Equipment Configuration Changes**: Covers changes in network equipment configuration across devices, types, and users, and the frequency of these changes per day or month.

4. **SNMP (Simple Network Management Protocol) Access Trends**: Provides insight into SNMP access patterns, including authentication failures and trends over time for specific targets.

5. **Wireless Networks**: Details wireless device associations with Cisco access points, tracking how devices associate with and disassociate from these APs.

6. **Critical Events and Errors**: Logs of critical events and errors from Cisco devices such as routers, switches, and other network elements.

7. **Bandwidth Metrics**: Reports the top bandwidth users in terms of destination and source hosts for Cisco firewalls.

This content is designed to provide a comprehensive view of network and system activity across various Cisco technologies, aiding in security monitoring, performance tuning, and overall network management.

The Cisco-specific content also covers system performance, security, and bandwidth usage, with detailed reports on the following aspects:

1. **Cisco Firewall Overview** - Covers trends and port usage, intrusion prevention system (IPS) events, configuration changes, and login activities.

2. **Bandwidth Usage by Hour and Protocol** for both Cisco Adaptive Security Appliance (ASA) and Cisco Firewall Services Module (FWSM).

3. **Configuration Changes** categorized by type and user across multiple products including ASA, IOS IPS, IPS Sensor, WSA, and more.

4. **Denied Connections** by address and port, split inbound and outbound for both ASA and FWSM.

5. **Connection Setup Attempts per Day**.

6. **Top Bandwidth Source and Target Hosts**.

7. **VPN Authentication Errors**, connection counts, and accepted/denied connections by address.

8. **Attack Monitoring**, including top and bottom attackers, as well as detailed reports on configuration changes specific to different Cisco devices.

Together, these reports give a comprehensive view of network security and performance metrics across Cisco products, aiding in the analysis and monitoring of system activity.

For Cisco web security (Cisco IronPort Web Security Appliance, WSA) and email security (Cisco IronPort Email Security Appliance, ESA), the available reports and statistics are:

1. **Security Appliance/Request Error Statistics** - Provides detailed information about request errors within the network.

2. **Top Accessed Sites / Top Accessed Sites with Most Traffic / Top Denied Sites / Top Hosts Accessed Most (Distinct) Sites / Top Hosts with Most Web Traffic / Top Sites with Most Request Errors / Top Sources with Most Denied Requests / Top Sources with Most Request Errors** - These reports highlight the most accessed sites, denied sites, hosts by traffic and requests, and sources of errors.

3. **Web Requests per Day in the Previous Week / Web Requests per Hour in the Previous Day** - Statistics on web requests over a specified time frame.

4. **Configuration Monitoring/Cisco ESA Configuration Changes by Type / Cisco ESA Configuration Changes by User / Cisco ESA Configuration Changes per Day / Connection Overview** - Details changes in email security settings and connections.

5. **Message Transaction per Hour in the Previous Day / Message Transactions per Day** - Statistics on message transactions within the email system.

6. **Top Recipients with Most Bandwidth Consumption / Top Recipients with Most Transactions / Top Senders with Most Bandwidth Consumption / Top Senders with Most Transactions** - Information about bandwidth usage and transaction volumes for senders and recipients of email.

7. **Configuration Monitoring/Critical Systems/Systems With Criticality Ratings by Zone / Assets with Configuration Changes - Last Day / Assets with Configuration Changes - Past Week / Configuration Changes by Type / Configuration Changes by User / Database Errors and Warnings / Firewall Configuration Changes / Firewall Misconfigurations / HIDS Misconfigurations / NIDS Misconfigurations / Router Configuration Changes / Switch Configuration Changes / VPN Configuration Changes** - Details various types of configuration changes across different network devices.

These reports are likely part of a broader suite of tools used for monitoring, analyzing, and managing the security and performance of Cisco's web and email security appliances.
This document, titled "HP ArcSight ESM Default Content," is a comprehensive report that includes detailed information about various aspects of an organization's IT infrastructure. It covers multiple sections such as configuration changes, user accounts, asset tracking, vulnerabilities, and operational summaries including access tracking, asset restarts, host configuration modifications, and more. Key areas covered include:

  • Configuration Changes: This section details modifications to the system configurations made by users or systems across different components like user accounts, passwords, and assets. Specific subcategories are noted for changes such as password changes by various entities (system, zone, etc.), configuration changes per user, deletions of user accounts, and modifications related to asset tracking and vulnerabilities.

  • Inventory: It includes details about the roles and types of servers (mail and web) and specific assets with applications.

  • Vulnerabilities: The report highlights the most vulnerable assets in terms of confidential data and lists all exposed vulnerabilities across different segments such as email and web servers, critical assets, and assets within North America.

  • Operational Summaries: This part focuses on user access patterns (top 10 resources accessed by users), asset restarts (events related to startup and shutdown activities), and host configuration modifications by business role or criticality.

  • Alerts: There are specific alerts about IPv6 network activity, including logins, denied inbound/outbound connections, successful/failed login attempts, and counts of attackers targeting IPv6 devices.

Overall, this document serves as a centralized reference for IT administrators to monitor the health, security posture, and operational status of their systems based on the metrics and events logged by ArcSight ESM.

The document also describes the intrusion monitoring content of HP ArcSight ESM (Enterprise Security Manager), detailing various aspects of network traffic and security events. It includes detailed analysis across multiple categories such as IPv6 addresses, attackers, targets, alerts, attack rates, denial-of-service (DoS) events, configuration changes, and errors in anti-virus deployment. Key features include:

1. **IPv6 Addresses**: Summarizes the count of IPv6 traffic with details on sources and destinations, prioritized by ArcSight priority, event names, attackers, and talkers.

2. **Attack Monitoring**: Detailed counts and rates of attacks categorized by severity, type, service, target zone, attacker device type (such as firewall or IDS), and VPN connections.

3. **Targets and Attackers**: Analyzes targets affected by the most common ports and protocols used in attacks, with detailed information on top attackers, their port usage, and overall counts.

4. **DoS Events**: Provides a breakdown of inbound DoS events yesterday and reports related to SANS Top 20 vulnerabilities.

5. **Configuration Changes**: Records any changes made by users to system configurations that could affect security settings.

6. **Errors in Anti-Virus Deployment**: Identifies and documents errors or issues detected during the deployment of anti-virus software, which might indicate potential threats or misconfigurations.

7. **SANS Top 20 Report**: Offers an hourly report on vulnerabilities within systems attacked by SANS Top 20 (version 6.01), highlighting areas where security efforts should be focused.

This content serves as a detailed forensic analysis of network traffic and provides actionable insight for enhancing cybersecurity measures, with a particular focus on IPv6-based threats and vulnerabilities.

The cybersecurity monitoring and analysis content includes detailed reports on attack targets, compromised user accounts, system vulnerabilities, resource access events, failed logins, successful logins, and more. It is organized into categories such as Attack Monitoring, Environment State, Reconnaissance, Resource Access, User Tracking, Vulnerability View, Worm Outbreak, Business Roles, Regulated Systems, and Security Intelligence Status Report. Each section offers specific details that help in understanding the nature of cyber threats, monitoring system health, tracking user activity, and assessing vulnerability levels in order to take appropriate preventive measures. The reports and trends available cover attack rates by target zone, DoS events, application, operating system and service status, port scanning activity, reconnaissance types detected, regulated systems' vulnerabilities, brute force session trends, revenue-generating systems' compromises, top vulnerabilities in events, failed login attempts, vulnerable systems, and suspicious network traffic patterns. The data is presented over the last 24 hours up to broader time frames such as daily or weekly, with some reports providing monthly or yearly insight. These reports are part of the standard content provided by HP ArcSight ESM for security monitoring and incident response.

The network traffic monitoring content focuses on identifying suspicious or unauthorized network traffic patterns, with detailed analysis split across several categories including IDS signatures, bandwidth usage, protocol details, device activity, and more. Key areas include:

1. Top 5 reports of IDS signatures that indicate potential unauthorized network activity each day are provided in the SANS Top 5 Reports section.

2. NetFlow Monitoring with ArcSight Foundation helps identify suspicious traffic patterns through detailed analysis of top bandwidth usage daily, weekly, by destination, and by source, along with protocol-specific details.

3. Network monitoring provides extensive breakdowns such as detailed traffic by host, protocol details by host, attacker details by protocol, target details by protocol, and device critical events, errors, and status messages.

4. VPN activity is monitored for authentication errors, connections accepted/denied by address or hour, top access and event destinations/sources, attempts, and failures.

5. Traffic statistics, snapshots, inbound and outbound traffic summaries, and bandwidth utilization reports across business hours, the last 24 hours, and hourly intervals provide a comprehensive overview of network activity.

6. The protocol distribution report from SANS Top 5 Reports helps in understanding the types of traffic on the network.

7. Other key indicators include top talkers, accessed web sites, highest bandwidth-consuming conversations, and source ports that are monitored for potential security issues.

This content serves as a tool to detect, monitor, and analyze network traffic to ensure secure operations in an organization.

Finally, the document outlines the reports and summaries related to monitoring, tracking, and analyzing suspicious or unauthorized network traffic patterns within an organization's IT infrastructure. Using ArcSight Foundation and its associated workflows, this content is designed to detect, analyze, and respond to potential security incidents by providing detailed insight into network traffic and case management. Key areas include:

1. **Traffic Analysis Reports**: These reports summarize network traffic data across different transport protocols and identify patterns that may indicate unauthorized activity. Specific reports include "Suspicious or Unauthorized Network Traffic Patterns/Top Target IPs," which highlights key IP addresses associated with potential threats, as well as detailed analysis by transport protocol.

2. **Case Tracking and Escalation**: This section tracks the status of cases related to suspected unauthorized network activity. It includes an overview of case stages, current statuses, the number of cases created today, and escalation levels tied to notification action events.

3. **Operational Summaries and Executive Summaries**: These summaries provide operational insight into the efficiency and effectiveness of handling security incidents. Metrics include average time to resolve a case by severity and user, maximum resolution times, and trends over different time scales including monthly, quarterly, and weekly.

4. **Notification Overview and Statistics**: This part provides an overall view of notifications received, their statuses, and statistics such as the number of unacknowledged level 3 notifications. It also includes trends in notification status by user.

5. **Operational Summaries/Notification Status Report**: A final report that gives a detailed overview of the current status of all notifications within the organization.

This content serves as a comprehensive tool for IT security teams and management to monitor, assess, and improve their network security posture by proactively detecting and responding to potential threats associated with unauthorized network traffic.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
