HP ArcSight Express and ESM - Console Demonstration Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

This demonstration script outlines a comprehensive approach to showcasing the capabilities of HP ArcSight for managing cybersecurity incidents and providing detailed reports. By following these steps, you can effectively demonstrate how ArcSight helps organizations monitor their systems, analyze network traffic, and respond to potential threats. Here is a summary of what is covered in the provided information:

### 1. Reputation Security Monitor Setup

  • **Log In**: Access the HP ArcSight Console as an admin.

  • **Delete Existing Cases**: Clear any previous cases related to Reputation Security Monitor 1.0.

  • **Demo Replay Connector**: Use the event file `RepSM_demo.events` for replay at a rate of 50 events per minute.

  • **View Dashboards**: Open specific dashboards under `/ArcNet Active Channels/Demo Live` and `/ArcSight Solutions`.

  • **Show Entries**: Navigate to lists to view entries related to Malicious Domains and IP Addresses.

### 2. Management Console Setup

  • **Log In**: Access the Management Console or Command Center (IP:8443) as an admin.

  • **Replay Event Files**: Use `IdentityView_v2.0.events` and `NetFlow_IdentityView_v2.0.events` at the specified rates.

  • **Navigate Dashboards**: View dashboards under `/All Dashboards/ArcNet Dashboards/Management Console`.

### 3. Command Center Setup

  • **Log In**: Access the ESM 6.5c Command Center (vm-esm65c:8443) as an admin.

### Additional Information

  • **PowerPoint Presentation**: Use the provided PowerPoint presentation `HP ArcSight Express and ESM – Demo Script.pptx` for visual aids.

  • **Replaying Event Files**: Replaying the event files automatically generates incidents, which can then be addressed in later parts of the demonstration if needed.

  • **Demonstration Scope**: Note that notifications and cases are not central to this demo; they will be generated automatically during replay.

### Worm Outbreak Use Case

  • **Web Interface Demonstration**: Follow similar steps as above, but within the ArcSight web interface.

  • **Console Interface Demonstration**: Follow the same process in the HP ArcSight Console interface.

### Conclusion

  • **Automated Reporting**: Emphasize how automated reporting helps organizations stay compliant and provides detailed visibility into both security and compliance issues.

  • **Advanced Correlation**: Highlight how advanced correlation rules and actions such as notifications and case management improve incident detection, including the detection of zero-day attacks.

By following this script, you can effectively demonstrate the capabilities of HP ArcSight for managing cybersecurity incidents, providing detailed reports, and enhancing overall security posture through automated monitoring and response mechanisms.

Details:

The document you've provided appears to be a technical guide for HP ArcSight Express/ESM, an enterprise security management product. It outlines several key points, including important notices regarding confidentiality, use case demonstration scripts, and the general purpose of the software in the context of HP's product line.

The "Important Notice" section at the beginning states that the document contains confidential information from Hewlett-Packard Company (or its affiliates). The recipient is asked to keep the information in strict confidence and not share it beyond their evaluation team without permission, except under specific conditions or where the information is already publicly known. This clause underscores HP's policy on protecting proprietary data in technical documentation.

The document then moves into a section on "Use Case Demonstration Scripts", which indicates that pre-configured scripts are provided to help users understand and test the capabilities of ArcSight Express/ESM by simulating realistic scenarios or use cases, helping them evaluate how the software can address specific security challenges.

Lastly, the document restates HP's disclaimer about the accuracy and completeness of the information it contains, indicating that it is provided for informational purposes only. It also notes the lack of warranties and the absence of any liability on the part of HP or its representatives should users encounter issues while using the software based on this documentation. This is the disclaimer typical of technical manuals, included to limit potential legal exposure if the software does not perform as expected.

Overall, the document appears to be intended primarily for internal use by HP employees and authorized personnel during sales pitches or demonstrations of the ArcSight Express/ESM product, providing clear instructions on how to handle sensitive information and what to expect from the software.

The text also describes the concept of developing a solution for a project, where "solution" refers to proposed products or services without any guarantee of meeting requirements. It clarifies that terms like "partner" or "partnership" indicate a collaborative relationship rather than a formal legal partnership, and it advises raising any concerns with sales representatives. It then provides a step-by-step guide for using HP ArcSight Express/ESM to analyze security use cases, including logging in, reviewing reports, and investigating events. The conclusion emphasizes the efficiency and effectiveness of HP ArcSight in detecting and managing security incidents, including those that are newly discovered or unanticipated.

The text further outlines a procedure for using HP ArcSight to improve compliance reporting and security practices, focusing on the access control best practices described in ISO 27002 section 11. Key steps include setting up the console, reviewing reports manually or with HP ArcSight's automation, and demonstrating how the system surfaces access by former employees after their accounts have been deactivated. The conclusion highlights HP ArcSight's ability to improve security incident detection and compliance visibility through automated reporting.

The document then describes a series of steps for an exercise using HP ArcSight that focuses on the IdentityView 2.0 solution for actor management and investigation. The tasks involve accessing specific dashboards, configuring console event graph options, starting a demo replay connector, and reviewing reports related to actors.

1. **Accessing Dashboards**: Navigate to the following resource paths in the ArcNet environment to view predefined dashboards:

  • Go to `/Shared/All Dashboards/ArcSight Solutions/IdentityView 2.0/Actor Management/` for general actor management views like `Actor Overview` and `Actor Roles Overview`.

  • Access `/ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Identity Investigation/` to see `Top Bandwidth by Actor`.

  • For privileged user monitoring, view `/ArcNet Dashboards/IdentityView v2.0/Privileged User Monitoring/Modeling/` for `Login Activity by Department`.

2. **Opening Active Channels**: Open the active channel for the actor of interest, e.g., `/ArcNet Active Channels/IdentityView v2.0/Actor Investigation – Mario Rossi`, to track that actor's actions in real time or during a demo replay.

3. **Navigating and Reviewing Reports**: Use the Navigator to reach the `Reports` resource under the `/ArcNet Archived Reports` group. Expand the tree to view all saved reports, which are stored as PDF files within the report archives. The reports for this use case are in the `/IdentityView v2.0` section.

4. **Configuring Console Event Graph Options**: Adjust the event graph settings within the HP ArcSight Console:

  • Edit preferences to show nodes once per unique source, with simple node representations and identifiers set to `Attacker Host Name` and `Name`. Set the graph layout to organic.

5. **Starting Demo Replay Connector**: Use the demo replay connector to play predefined event files (`IdentityView_v2.0.events`), starting at 50 events per minute, focusing on key actions for an actor:

  • The initial playback should include three specific events related to Mario logging onto a Windows system and connecting to Unix systems. Adjust speed as necessary during the demonstration.

6. **Refer to Additional Resources**: For visual aids, refer to the HP ArcSight Express and ESM – Demo Script presentation (pptx), which provides screenshots illustrating the flow of the demonstration.

This section of the document provides a structured approach to using ArcSight IdentityView 2.0 to manage and investigate actors, focusing on practical steps such as accessing dashboards, configuring settings, and running demonstrations with predefined events.

The document next outlines the steps to follow during a demonstration using the HP ArcSight Console: handling notifications, managing cases, accessing dashboards, reviewing reports, starting the demo replay connector with specific event files, and ensuring proper setup before and during the demonstration. These steps are tailored to two distinct use cases: "Shared Accounts Use Case" and "Shared Accounts Use Case (Legacy Application)".

**General Setup Instructions:**

1. Log in to the HP ArcSight Console as an admin.

2. Open the Notifications tab and acknowledge any pending notifications.

3. Delete any associated Cases under the admin's cases.

4. Navigate to and open the required dashboards, specifically `/ArcNet Dashboards/IdentityView v2.0/Shared Accounts/` for both use cases.

5. In the Navigator, browse to the Reports resource, then expand the entire tree under the `/ArcNet Archived Reports` group.

6. Open the "Reports, Archives" tab and review the reports relevant to the dashboard being shown (e.g., "Shared Account Logins" or "MyLegacyApp Login Sessions").

7. Hide the Navigator and Inspect/Edit panels to keep the focus on the demonstration.

**Demo Replay Connector Setup:**

1. Start the Demo Replay Connector.

2. Select and start replaying the specific event file (e.g., `IdentityView_v2.0.events`).

3. Initially set the replay speed to 50 events per minute; after a brief period, adjust it to approximately 25 events per second if necessary.

**References:**

  • The demonstration setup and process are detailed in an accompanying document, likely a PowerPoint presentation titled "HP ArcSight Express and ESM – Demo Script.pptx".

  • Refer to this presentation for visual aids (screenshots) that accompany the text descriptions provided here.
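The two identity checks behind the use cases above, an account still logging in after its actor was deactivated (the former-employee access scenario) and one account used from several hosts in a short window (what the "Shared Account Logins" report surfaces), modelled in Python as an added example. This is not code from the demo script or from ArcSight; the actor table, account names, hosts, timestamps, the 10-minute window and the three-host threshold are all constructed assumptions.

```python
"""Toy model of two IdentityView-style checks over constructed login events:
logins by a deactivated actor and shared-account use from several hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed actor model (hypothetical, not the page's data):
# account -> (actor name, deactivation timestamp or None if still active)
ACTORS = {
    "mrossi":  ("Mario Rossi", None),
    "jdoe":    ("Jane Doe", datetime(2025, 4, 1, 17, 0)),   # left the company
    "svc_app": ("MyLegacyApp service account", None),       # shared account
}

# Constructed login events: (timestamp, account, source host)
EVENTS = [
    (datetime(2025, 4, 2, 9, 0),  "mrossi",  "ws-101"),
    (datetime(2025, 4, 2, 9, 5),  "jdoe",    "ws-202"),    # after deactivation
    (datetime(2025, 4, 2, 9, 10), "svc_app", "ws-301"),
    (datetime(2025, 4, 2, 9, 12), "svc_app", "ws-302"),
    (datetime(2025, 4, 2, 9, 14), "svc_app", "ws-303"),
    (datetime(2025, 4, 2, 11, 0), "svc_app", "ws-301"),
]


def deactivated_logins(events, actors):
    """Return (account, actor, host) for logins that occur after the
    account's actor was deactivated: the former-employee access case."""
    hits = []
    for ts, account, host in events:
        actor = actors.get(account)
        if actor and actor[1] is not None and ts > actor[1]:
            hits.append((account, actor[0], host))
    return hits


def shared_account_use(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for accounts used from at least
    min_hosts distinct hosts within one sliding window (assumed thresholds)."""
    by_account = defaultdict(list)
    for ts, account, host in sorted(events):
        by_account[account].append((ts, host))
    flagged = {}
    for account, logins in by_account.items():
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged
```

The first check needs only the actor table to carry a deactivation date; the second is the kind of threshold a report or correlation rule would apply before a human reviews the sessions.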

The document goes on to describe demonstrations for two further use cases: Privileged User Monitoring and NetFlow. The setup and procedure for each are summarized below.

**Privileged User Monitoring Use Case:**

1. **Login**: Access the HP ArcSight Console as an admin user.

2. **Notifications Tab**: Acknowledge any pending notifications and clear the associated cases under the admin's cases.

3. **Dashboards**: Navigate to the relevant dashboards, such as `IdentityView v2.0/Privileged User Monitoring/Modeling`.

4. **Reports**: Open the Navigator, expand the Reports resource, and access the archived reports in PDF format.

5. **Demo Replay Connector**: Use the provided event files for replay at a rate of 50 events per minute. Adjust the speed as necessary during the demo.

**NetFlow Use Case:**

1. **Login**: Log in to the HP ArcSight Console as an admin.

2. **Notifications Tab**: Manage pending notifications and the associated cases.

3. **Dashboards**: Access the NetFlow dashboard within `/ArcNet Dashboards`.

4. **Dashboard Adjustment**: Change the dashboard layout to circular if required (for Microsoft SQL Server Monitoring).

5. **Reports**: Explore the Reports, Archives under the `/ArcNet Archived Reports` group and access the archived reports in PDF format.

6. **Demo Replay Connector**: Use the specified event files for replay at 50 events per minute, adjusting the speed as the demo progresses.

Both demonstrations involve setting up the ArcSight Console, accessing specific dashboards and reports, preparing event files for replay, and adjusting the playback speed as needed during the demonstration.

The remaining sections describe how to set up and run demonstrations that focus on different connectors and dashboard views:

1. **Reputation Security Monitor Setup:**

  • Log in as admin to the HP ArcSight Console.

  • Delete any existing cases under the specific path for Reputation Security Monitor 1.0.

  • Start the Demo Replay Connector and select the event file `RepSM_demo.events`.

  • Set the replay rate to 50 events per minute.

  • Open the Active Channel `/ArcNet Active Channels/Demo Live` and view the following dashboards:

  • `/ArcSight Solutions/Reputation Security Monitor`

  • `/Overview/RepSM Overview`

  • `/Reputation Data Analysis/Reputation IP Database Overview`

  • Navigate to lists, open `/ArcSight Solutions/Reputation Security Monitor`, and show entries for both Malicious Domains and Malicious IP Addresses.

2. **Management Console Setup:**

  • Log in as admin to the Management Console or Command Center (IP:8443).

  • The demonstration applies to ArcSight Express 4.0 and Enterprise Security Manager (ESM) 6.5c.

  • In the Management Console, navigate to `/All Dashboards/ArcNet Dashboards/Management Console` group and in the Command Center, do the same under `Navigator`.

  • Start the Demo Replay Connector with event files:

  • `IdentityView_v2.0.events`

  • `NetFlow_IdentityView_v2.0.events`

  • Set replay rates to 50 events per minute or 50 events per second.

3. **Command Center Setup:**

  • Log in as admin to the ESM 6.5c Command Center (vm-esm65c:8443).

  • The demonstration is specific to ESM 6.5c and does not apply to Express versions.

These steps illustrate how to set up and run demonstrations with HP ArcSight across scenarios such as reputation security monitoring, Management Console usage, and Command Center functionality. The document also refers to a PowerPoint presentation (HP ArcSight Express and ESM – Demo Script.pptx) for visual aids covering the demonstration setup and execution.

To conduct a demonstration using HP ArcSight Express and ESM, follow these steps:

1. **Start the Demo Replay Connector**: Select event files such as `IdentityView_v2.0.events` and `NetFlow_IdentityView_v2.0.events` and begin replaying them at a rate of either 50 events per minute or 50 events per second.

2. **Refer to the HP ArcSight Express and ESM Demo Script**: For visual guidance, refer to the PowerPoint presentation titled "HP ArcSight Express and ESM – Demo Script.pptx", which includes screenshots illustrating the flow of the demonstration.

3. **Understand the Demonstration Scope**: This demonstration does not cover Notifications or Cases; however, replaying the event files will generate them automatically. If the incident lifecycle comes up in discussion, you can show them, but note that they are not central to this demonstration.

4. **Worm Outbreak Use Case**: There are two parts to this use case:

  • **Demonstration using the HP ArcSight Web Interface** where you would follow a similar process as described for the Demo Replay Connector, but within the web interface context.

  • **Demonstration using the HP ArcSight Console Interface**, which follows the same steps as above, but in the console interface of HP ArcSight.

5. **Conclusion**: Highlight how advanced correlation rules and actions such as notifications and case management enhance incident detection, including addressing zero-day attacks. Additionally, emphasize the automated reporting solution that provides visibility into both security and compliance within an organization using HP ArcSight Express/ESM.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
