
HP ArcSight Express-ESM Use Case Demonstration Scripts

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 17 min read

Summary:

HP ArcSight Express/ESM is presented through a set of demonstration scripts that show how security events are collected, correlated and worked as cases. The features the scripts exercise:

1. **Dashboard Customization**

  • Event priorities such as "Very Low" and "Low" can be unselected in a dashboard legend to concentrate on the more critical alerts.

  • A panel's layout can be switched from a standard chart to a pie chart to view the same data differently.

2. **Notification and Case Management**

  • From the home page, analysts see the notifications and cases pending for them. Notifications are acknowledged directly from the interface, which also stops further escalation.

  • Notification and case metrics can be reported on, so incidents are tracked through a defined workflow.

3. **Case Handling**

  • Cases are opened when significant security events occur. Analysts unlock a case, change its status, and reach the underlying detail through predefined dashboards such as "Worm Outbreak".

4. **Dashboard Usage**

  • The Worm Outbreak dashboard shows spikes in network activity in real time, lists the worm rules that fired and the infected nodes, and supports drilling down into the underlying events.

5. **Reporting and Compliance**

  • Analysts create Active Channels for different event types, generate custom reports, and archive findings for later reference.

  • Cross-device reporting categorizes information from the different device types in the organization, which supports regulatory compliance reporting.

6. **Advanced Features**

  • Correlation Rules: default rules check activity in real time against the ArcSight reputation database and notify on malicious activity; further rules are created or modified in the graphical rules editor.

  • Management Console: a central dashboard for analysts and managers to investigate daily and weekly activity, with a geographic event graph, an event graph with node labels, and an hourly counts dashboard showing how often events occur.

  • Demo Replay Connector: replays recorded event files (IdentityView, NetFlow, RepSM and worm-outbreak data) at a configurable rate, 50 events per minute in most of the scripts and 200 for the worm outbreak.

Taken together, the scripts show HP ArcSight Express/ESM as a toolset for detecting and responding to security threats through customizable dashboards, correlation rules with notification and case actions, and reporting that gives visibility into security and compliance status across the organization.

Details:

This document is a technical guide for HP ArcSight Express/ESM containing use case demonstration scripts that showcase the capabilities of this security management software. The information in it is confidential and is not to be shared outside the evaluation team without authorization from HP; it describes current HP products, sales and service programs, which may change at HP's discretion. The scripts cover Security, Compliance, Privileged User Monitoring, Shared Accounts, NetFlow, Reputation Security Monitor, and Worm Outbreak, each with the steps needed to prepare the software for the demonstration. Every script follows the same pattern of setup, scenario, and talking points, summarized here for the Security use case: 1. **Setup**:

  • Log into the HP ArcSight Console as an admin.

  • Open the dashboard or specific module (ArcSight Express/Operating System/Operating System Login Overview).

  • Acknowledge any existing notifications and delete any cases from Admin's Archived Reports.

  • Minimize a specific report, hide Navigator, Viewer, and Inspect/Edit panels for focus on main tasks.

2. **Scenario**:

  • Start the Replay Connector and launch the Console.

  • Check for notifications in the HP ArcSight Console.

  • Drill down to event details by double-clicking relevant entries or using graphical analysis tools.

  • Change field sets to focus on security aspects.

  • Investigate VPN assigned IP addresses to identify unusual activities like FTP to hacker domains.

  • Add findings to a case for further review and reporting.

  • Pull up the successful login report to assess if an account has been compromised by reviewing activity related to 'swright'.

3. **Action Talking Points**:

  • Start Replay agent with specific event data, setting default parameters as needed.

  • Log into the HP ArcSight Console using admin credentials. Note receiving and acknowledging alerts via mobile device notifications.

  • Use dashboard features like bar charts to drill down on events related to swright for detailed investigation.

  • Modify field sets to Security Field Set to enhance focus on security-related information.

The structured script lets an analyst identify a threat, investigate it, and act on the gathered evidence in HP ArcSight Express/ESM.

Security use case. The script shows ArcSight detecting unauthorized access through a VPN and the subsequent contact with malicious sites. The analyst traces the VPN-assigned internal address (10.0.110.34), finds failed logons and outbound activity in the firewall events, and identifies a malware-infected device attempting to reach known malicious domains. The Event Graph visualizes the attacker's activity, and the relevant events are added to a case for organized tracking. The system notifies the analyst of the incident automatically and provides reporting on it afterwards.

Compliance use case. This script sets up regulatory compliance monitoring against ISO 27002, using control 11.2.1, which requires that access rights be revoked when an employee leaves the organization. Traditional compliance work relies on manual report reviews, which are slow and error-prone; ArcSight automates the review, detects activity by former employees even after their accounts have been disabled, and maintains a list of former employees whose AD accounts have been deleted. A dashboard gives oversight and reports show the compliance status.
Instead of manual log reviews, the tool performs the review automatically and raises proactive alerts on non-compliance. The script walks through inspecting the alert for former-employee access and checking it against ISO 27002 section 11. ArcSight correlates on the user name, so an event is tied to a former employee even when the account has been deleted or disabled in Active Directory. Its lists are populated dynamically: an account-deletion event adds the deleted name to the list automatically, and a text file of names can also be imported into a list for tracking and correlation. Reporting closes the loop: reports run without manual review, cutting compliance-check time substantially compared with the older methods, and can be scheduled and e-mailed automatically for IT governance and compliance reporting.

Privileged user monitoring. The analyst logs into the HP ArcSight Console as admin, acknowledges or resolves notifications, manages cases, reviews dashboards and reports, configures event graph options, and starts the Demo Replay Connector with the scenario's event files. User context for correlation rules and for actions such as notification and case management comes from the Actor model, which represents Active Directory users as follows.
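The list-based correlation the compliance script describes (a list of terminated users that account-deletion events keep current, plus a rule that fires on any later logon under one of those names) reduces to a few lines of logic. The following is an added example, not ArcSight content or code from the demo script: the event layout, the `TerminatedUserCorrelator` class, the HR text export and the log entries are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Event:
    ts: datetime
    category: str       # "account_deleted" (from the directory) or "logon" (any device)
    user: str
    device: str         # reporting device, e.g. "dc01", "vpn-gw"
    outcome: str = "success"


@dataclass
class TerminatedUserCorrelator:
    """Active list of former employees plus the rule that fires on their logons."""
    terminated: dict = field(default_factory=dict)   # lower-cased user -> when added
    alerts: list = field(default_factory=list)

    def load_list(self, text: str, loaded_at: datetime) -> int:
        """Seed the list from a text export (one name per line, '#' starts a comment)."""
        added = 0
        for line in text.splitlines():
            name = line.split("#", 1)[0].strip().lower()
            if name and name not in self.terminated:
                self.terminated[name] = loaded_at
                added += 1
        return added

    def process(self, ev: Event) -> Optional[dict]:
        user = ev.user.lower()           # match on name, not on the (possibly deleted) SID
        if ev.category == "account_deleted":
            # Dynamic population: the deletion event itself maintains the list.
            self.terminated[user] = ev.ts
            return None
        if ev.category == "logon" and user in self.terminated:
            # Failed logons count too: the name is still being presented somewhere.
            alert = {
                "rule": "Former Employee Account Activity",
                "user": user,
                "device": ev.device,
                "outcome": ev.outcome,
                "ts": ev.ts.isoformat(),
                "terminated_since": self.terminated[user].isoformat(),
            }
            self.alerts.append(alert)
            return alert
        return None


SAMPLE_LIST = """# constructed HR export of departed staff
mrossi
emustermann   # contractor, left last quarter
"""

SAMPLE_EVENTS = [  # constructed log, in time order
    Event(datetime(2025, 4, 1, 9, 0), "account_deleted", "jdoe", "dc01"),
    Event(datetime(2025, 4, 1, 10, 5), "logon", "swright", "vpn-gw"),
    Event(datetime(2025, 4, 2, 8, 30), "logon", "JDOE", "legacy-app01"),
    Event(datetime(2025, 4, 2, 8, 31), "logon", "mrossi", "vpn-gw", "failure"),
]


def run_demo() -> list:
    """Seed from the text export, stream the events, return the alerts raised."""
    c = TerminatedUserCorrelator()
    c.load_list(SAMPLE_LIST, datetime(2025, 3, 31))
    for ev in SAMPLE_EVENTS:
        c.process(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The name match is deliberately case-insensitive and ignores the account's directory identifier: once the AD object is gone, the user name is the only key that still appears in logs from VPN gateways, legacy applications and local accounts, which is exactly why the rule catches what a directory-only check cannot.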
The Actor model organizes the organizational units (OUs) of Active Directory and shows the detail of each OU and its users. Each user is an actor with attributes such as full name, employee type, status and department, populated automatically from Active Directory. The Inspect/Edit panel shows all attributes of an actor together with the account identifiers the person uses on the various systems; the role attributes are filled in from group membership in Active Directory or a similar directory. An overview dashboard reports statistics on the model: total actors, average accounts per user, and breakdowns by status, OU and department. This is how the product manages a user's multiple identities across systems and applications and ties activity back to one person.

A group membership dashboard integrated with Active Directory shows 95 groups in the demo directory, with a user such as Erika Mustermann belonging to six of them; the top right panel lists the groups with the most members. These statistics on group sizes and member distribution are a way to assess least-privilege access control, since too many groups or excessive membership complicate control and management and become a compliance problem. A further dashboard shows top bandwidth utilization per user rather than per IP address, which relates traffic more directly to business activity, and a login-activity-by-department dashboard shows which systems and applications users in each department reach.
That view supports building correlation content from a policy perspective and enforcing access restrictions aligned with organizational rules. The scenario then presented is an individual entering the data center during off-hours, made possible by a misconfiguration of the badge reader authentication. Such an event raises a compliance violation, a possible insider threat and a system misconfiguration at once. ArcSight notifies the analyst immediately, by e-mail, text message or pager, and the notification dashboard lists the pending notifications about employee access to restricted areas; the most recent one is Mario Rossi badging into the server room after hours. Acknowledging the notification (one button moves it from the pending to the acknowledged queue) stops the escalation process, so higher management is not paged for an event already being handled. Double-clicking the notification opens the event detail. The badge event itself only says that Mario Rossi entered the server room after hours; the correlation rule fired because the access was outside business hours and the user holds no role or permission for that room, and the rule enriched the alert with his user details (he works in Marketing), which the badge event alone does not carry. For further investigation, an Active Channel filtered on Mario Rossi shows all of his activity over recent days, which is far quicker than searching the raw logs for each of his accounts.
Identity correlation therefore enriches every notification with the background held in the Actor model, which makes investigation faster and more accurate. In this scenario the system follows Mario Rossi's login events and his subsequent network traffic: through session correlation it establishes that Mario logged into his workstation (192.168.6.103) and then, from a Unix machine (10.0.111.254), attempted to reach unauthorized sites, including personal e-mail and known hacking websites in China. The Event Graph and NetFlow reports from Blue Coat and Cisco devices show these connections, which could indicate a breach in progress or an attempt to steal intellectual property. Case management handles the incident: when Mario badged into the server room after hours, a case was opened automatically, and the analyst can inspect and edit its stage, impact, severity and assignee. The case's Events tab holds both the correlated alert and the original trigger events. To add evidence, the analyst locks the case for editing, right-clicks selected events in the Active Channel to add them, and attaches an Event Graph view; the All Activity for Specific Actor report then summarizes everything Mario Rossi did across applications over the period. The next script investigates a possible policy violation involving a shared account on a server in a specific network segment.
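The two correlation steps in the Mario Rossi scenario (enriching a badge event with the actor's department and roles, and following his session from the workstation onto the Unix host so that later traffic is attributed to him) are the same mechanism the shared-account script relies on to put a name behind "root" or SystemUser. The following added example, which is not ArcSight content or code from the demo script, shows both; the actor table, door roles, business hours, session lifetime, `IdentityCorrelator` class and the events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

# Constructed actor model: the attributes ArcSight would populate from Active Directory.
ACTORS = {
    "mrossi": {"full_name": "Mario Rossi", "department": "Marketing", "roles": {"Marketing Staff"}},
    "swright": {"full_name": "S. Wright", "department": "IT", "roles": {"Sysadmin", "Server Room Access"}},
}
RESTRICTED_DOORS = {"server-room": {"Server Room Access"}}   # door -> roles allowed to badge in
BUSINESS_HOURS = (time(8, 0), time(18, 0))                    # assumed policy
SESSION_TTL = timedelta(hours=8)                              # how long an IP stays tied to a user


@dataclass
class Event:
    ts: datetime
    kind: str           # "badge", "login", "proxy", "firewall"
    user: str = ""      # badge holder or login account
    host: str = ""      # host the account logged into (login) or the door (badge)
    src: str = ""       # origin IP of a login, or client IP of a network event
    dst: str = ""       # destination of a network event


def after_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


@dataclass
class IdentityCorrelator:
    sessions: dict = field(default_factory=dict)   # host IP -> (actor, account, login ts)
    alerts: list = field(default_factory=list)

    def actor_for_ip(self, ip: str, now: datetime) -> Optional[str]:
        s = self.sessions.get(ip)
        if s and now - s[2] <= SESSION_TTL:
            return s[0]
        return None

    def process(self, ev: Event) -> dict:
        rec = {"ts": ev.ts.isoformat(), "kind": ev.kind, "account": ev.user or None,
               "actor": None, "alert": None}
        if ev.kind == "login":
            account = ev.user.lower()
            # A personal account names its actor; a shared account inherits the actor
            # already attached to the IP the login came from (session correlation).
            actor = account if account in ACTORS else self.actor_for_ip(ev.src, ev.ts)
            self.sessions[ev.host] = (actor, account, ev.ts)
            rec["actor"] = actor
        elif ev.kind == "badge":
            actor = ev.user.lower()
            rec["actor"] = actor
            allowed = RESTRICTED_DOORS.get(ev.host)
            roles = ACTORS.get(actor, {}).get("roles", set())
            if allowed is not None and after_hours(ev.ts) and not (roles & allowed):
                rec["alert"] = {
                    "rule": "After-Hours Access to Restricted Area Without Role",
                    "actor": actor,
                    "department": ACTORS.get(actor, {}).get("department"),
                    "door": ev.host,
                }
                self.alerts.append(rec["alert"])
        else:
            rec["actor"] = self.actor_for_ip(ev.src, ev.ts)   # network event: src IP -> person
            rec["src"], rec["dst"] = ev.src, ev.dst
        return rec


SAMPLE_EVENTS = [  # constructed; 5 April 2025 is a Saturday
    Event(datetime(2025, 4, 5, 21, 2), "badge", user="mrossi", host="server-room"),
    Event(datetime(2025, 4, 5, 21, 5), "login", user="mrossi", host="192.168.6.103"),
    Event(datetime(2025, 4, 5, 21, 10), "login", user="root", host="10.0.111.254", src="192.168.6.103"),
    Event(datetime(2025, 4, 5, 21, 12), "proxy", src="10.0.111.254", dst="webmail.example.net"),
    Event(datetime(2025, 4, 5, 21, 15), "firewall", src="10.0.111.254", dst="203.0.113.7"),
    Event(datetime(2025, 4, 5, 21, 20), "proxy", src="192.168.6.250", dst="webmail.example.net"),
]


def run_demo() -> list:
    """Stream the sample events and return the enriched records in order."""
    c = IdentityCorrelator()
    return [c.process(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

The third event is the interesting one: the account is `root`, which has no actor of its own, so the correlator resolves the actor from the source IP's live session and then opens a session on the Unix host under that person's name. The proxy and firewall events from 10.0.111.254 are therefore attributed to Mario Rossi, while the last event, from a host with no known session, stays unattributed rather than being guessed. The session lifetime is the caveat: too long and a shared workstation pins the wrong person to later traffic; too short and the attribution gap reappears.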
The investigation runs in the HP ArcSight Console: open the notification, acknowledge the alert, review the reports, and replay events for analysis. Session correlation resolves the shared account ("root") to the person behind it and drives the escalation, a dashboard shows shared-account logins, and a rule built on the network model flags the policy violation. The custom dashboard for the legacy application, which uses a single shared administrative account (SystemUser), is built from Data Monitors rather than Query Viewers because Data Monitors support drill-down: right-clicking a portion of the chart and choosing Investigate opens an Active Channel on those events. The dashboard is named "MyLegacyApp Login Sessions"; adding the IdentityView fields to the Active Channel's Field Set ties the shared-account activity back to individual identities. Two archived reports complement it: "Logins to Known Shared Accounts – Summary.pdf" for a high-level view and "Logins to Known Shared Accounts – Details.pdf" for specifics such as attacker and target zone. The zone information comes from the ArcSight Network Model, so IdentityView attributes activity by name or by IP address. The script also covers preparing the demonstration with the predefined event files that simulate shared-account usage in the environment.
The preparation is: acknowledge and delete pending notifications under the Admin tab, open the dashboard, open the archived reports from the Report Archives, start the Demo Replay Connector with the scenario's event files, and follow the demo script for the screenshots. In short, the shared-account script shows how IdentityView attributes the SystemUser account to accountable individuals: the dashboard lists all activity under that account, double-clicking an event opens its detail, and the IdentityView value in the Active Channel Field Set names the person behind the login. Without HP ArcSight Express/ESM and IdentityView there is no way to tie SystemUser activity to a particular user, and that attribution is what an auditor asks for when reviewing who accessed the application through the shared account. The steps are: 1. Log in to the HP ArcSight Console as administrator. 2. Acknowledge pending notifications and clear the associated cases. 3. Open the "Login Activity by Department" or "Login Activity by Employee Type" dashboard. 4.
Open the "MyLegacyApp Login Sessions" dashboard and the archived reports to review the activity history tied back to individual users. 5. Use the Express/ESM dashboards and reports for the walkthrough. 6. Replay the event files with the Demo Replay Connector for the live or simulated analysis. The demo script's screenshots show each of these features in the Console. The NetFlow script then proceeds as follows: 1. **Expanding Archived Reports:** expand the whole tree under the /ArcNet Archived Reports group, which holds the PDF reports saved in the Report Archives; the /NetFlow group contains the NetFlow reports. 2. **Hiding Navigator and Inspect/Edit Panels:** hide both panels so the dashboards fill the Console, which stays open for the rest of the demo. 3. **Starting the Demo Replay Connector:** select the event files, start replaying at 50 events per minute, and adjust the rate if needed. For this script, select:

  • NetFlow_IdentityView_v2.0.events for NetFlow reports.

4. **Referring to the Presentation:** Please refer to the HP ArcSight Express and ESM – Demo Script.pptx for screenshots that illustrate the demonstration's flow, specifically focusing on the setup of dashboards and reports being shown during the demo. 5. **Showing Dashboards:** You will be demonstrating several dashboards including:

  • "Top Bandwidth by Actor" which provides a high-level view of bandwidth usage per identity and country.

  • "Top Port and Bandwidth Usage" showing port usage broken down into well-known ports, registered ports, and dynamic ports.

  • "Top Source and Target Countries" to understand the origin and destination of traffic in your environment based on countries.

  • "Microsoft SQL Server Monitoring" which is configured for Microsoft SQL Server traffic (port 1433), highlighting unexpected activity that may indicate unauthorized deployments.

6. **Reviewing Reports:** You will open and review specific reports:

  • "Bandwidth Usage by Port.pdf" to see usage per top port in your environment.

  • "Top Bandwidth Hosts.pdf" and "Detailed Traffic by Host.pdf" for more detailed information on the most bandwidth-intensive hosts, such as 192.168.6.101.
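The NetFlow dashboards and reports above are aggregations over flow records: bytes per service port, the split into well-known, registered and dynamic ports, the top hosts, and, for the SQL Server panel, traffic to port 1433 arriving at hosts that are not supposed to run a database. The following added example, which is not ArcSight content or code from the demo script, computes those views over a constructed CSV flow export; the column layout, the lower-port-is-the-service heuristic and the approved-server list are assumptions.

```python
from collections import Counter

# Constructed flow export: ts,src,dst,proto,sport,dport,bytes (one flow per line).
SAMPLE_FLOWS = """# ts,src,dst,proto,sport,dport,bytes
2025-04-08T10:00:00,192.168.6.101,10.0.111.20,tcp,51234,443,850000
2025-04-08T10:00:05,192.168.6.101,10.0.111.21,tcp,51235,1433,120000
2025-04-08T10:00:07,192.168.6.102,10.0.111.20,tcp,51240,443,40000
2025-04-08T10:00:09,192.168.6.102,192.168.6.250,tcp,51241,1433,9000
2025-04-08T10:00:12,10.0.111.20,192.168.6.101,tcp,443,51234,2600000
2025-04-08T10:00:20,192.168.6.101,10.0.110.5,udp,50001,53,2000
2025-04-08T10:00:25,192.168.6.103,10.0.110.9,tcp,50500,60000,300000
"""


def port_class(port: int) -> str:
    """IANA port ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"not a port: {port}")


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def service_port(flow: dict) -> int:
    # Heuristic: the lower of the two ports is the service, the higher the ephemeral client side.
    return min(flow["sport"], flow["dport"])


def bytes_by_port(flows: list) -> Counter:
    c = Counter()
    for f in flows:
        c[service_port(f)] += f["bytes"]
    return c


def bytes_by_class(flows: list) -> Counter:
    c = Counter()
    for f in flows:
        c[port_class(service_port(f))] += f["bytes"]
    return c


def bytes_by_host(flows: list) -> Counter:
    """Bytes seen per host in either direction (the 'Top Bandwidth Hosts' view)."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
        c[f["dst"]] += f["bytes"]
    return c


def unexpected_sql_servers(flows: list, approved: set, port: int = 1433) -> list:
    """Hosts receiving SQL Server traffic that are not on the approved list."""
    return sorted({f["dst"] for f in flows if f["dport"] == port and f["dst"] not in approved})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top ports:", bytes_by_port(flows).most_common(3))
    print("by class:", dict(bytes_by_class(flows)))
    print("top hosts:", bytes_by_host(flows).most_common(3))
    print("unexpected SQL servers:", unexpected_sql_servers(flows, {"10.0.111.21"}))
```

In the sample, the workstation 192.168.6.250 receives traffic on 1433 although only 10.0.111.21 is an approved database server, which is the kind of unauthorized deployment the dashboard is meant to surface. The service-port heuristic is the usual caveat: it misclassifies a flow when both ends use high ports, as the last sample line shows, so a production version would also consult the collector's direction flag.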

7. **Reputation Security Monitor Setup:** This section involves:

  • Logging in to the HP ArcSight Console as an administrator.

  • Deleting any existing Cases under /ArcSight Solutions/Reputation Security Monitor 1.0/Internal Infected Assets.

  • Starting the Demo Replay Connector with the event file RepSM_demo.events and replaying it at 50 events per minute.

  • Opening specific dashboards related to this feature, including /Overview/RepSM Overview and /Reputation Data Analysis/Reputation IP Database Overview.

  • Navigating to lists in the reputation security monitor and showing entries for Malicious Domains and IPs.

8. **Refer to Presentation:** Use the screenshots in HP ArcSight Express and ESM – Demo Script.pptx as visual references for the dashboards and reports shown at each stage of the demo.

RepSM uses internet threat intelligence to detect malware infections, zero-day attacks and dangerous browsing on the network. Its summary dashboard covers internal infections, dangerous browsing and contact with malicious entities, and any entry can be drilled into by right-clicking it. The Internal Infected Assets dashboard shows internal assets contacting botnet panels; drilling down from there opens a case in ArcSight's case management for each incident, and the bottom panel plots the monthly trend of this activity. Right-clicking "mystreamvideo.rr.nu" in the Malicious Entity column (associated with the Flashback Trojan in the demo) shows the internal assets that contacted it and, alongside that contact, their attempted SQL injections and internal logins. Sources and destinations are geolocated automatically from the IP addresses in the logged events, and a Google search can be launched on an entry for further investigation. Right-clicking a specific infected asset shows all activity involving it: the call-backs to the control site plus the SQL injection attempts and internal logins. ArcSight checks every logged event against the malicious IP and domain lists in real time, and the same lists feed the dashboards and cases. The script thus shows how the software's features are used to detect malicious activity such as botnets and malware.
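The real-time check that RepSM performs on every event, matching destination domains and IP addresses against reputation lists and accumulating the hits per internal asset for the Internal Infected Assets view, is shown in the following added example. It is not ArcSight content or code from the demo script: the reputation entries are documentation-range placeholders, not real intelligence, and the internal ranges, categories, `ReputationMatcher` class and events are constructed. It generalizes slightly beyond the text by also flagging inbound contact from a listed address and by matching subdomains of a listed zone.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Constructed lists; RFC 5737 ranges and .example names stand in for real feed entries.
MALICIOUS_IPS = {"198.51.100.0/24": "botnet C&C", "203.0.113.0/24": "scanner"}
MALICIOUS_DOMAINS = {"bad-c2.example": "botnet C&C", "phish.example": "dangerous browsing"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in INTERNAL_NETS)


class ReputationMatcher:
    def __init__(self, bad_ips: dict, bad_domains: dict):
        self.nets = [(ipaddress.ip_network(n), cat) for n, cat in bad_ips.items()]  # parsed once
        self.domains = {d.lower().rstrip("."): cat for d, cat in bad_domains.items()}
        self.infected = defaultdict(set)   # internal asset -> malicious entities it reached
        self.alerts = []

    def match_ip(self, ip: str) -> Optional[tuple]:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net, cat in self.nets:
            if addr in net:
                return (str(net), cat)
        return None

    def match_domain(self, name: str) -> Optional[tuple]:
        labels = name.lower().rstrip(".").split(".")
        # Walk up the parents so a listed zone catches its subdomains, but never match a bare TLD.
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in self.domains:
                return (cand, self.domains[cand])
        return None

    def check(self, event: dict) -> Optional[dict]:
        """Return an alert for a listed destination (outbound) or listed source (inbound), else None."""
        src, dst, host = event.get("src", ""), event.get("dst", ""), event.get("host", "")
        hit = (self.match_domain(host) if host else None) or self.match_ip(dst)
        if hit:
            direction, asset = "outbound", src
        else:
            hit = self.match_ip(src)
            if not hit:
                return None
            direction, asset = "inbound", dst
        entity, category = hit
        alert = {"direction": direction, "asset": asset, "entity": entity, "category": category}
        if direction == "outbound" and is_internal(src):
            self.infected[src].add(entity)          # feeds the Internal Infected Assets view
        self.alerts.append(alert)
        return alert


SAMPLE_EVENTS = [  # constructed proxy/firewall records
    {"src": "192.168.6.101", "dst": "198.51.100.23"},
    {"src": "10.0.110.34", "dst": "192.0.2.10", "host": "update.bad-c2.example"},
    {"src": "10.0.110.34", "dst": "192.0.2.11", "host": "www.example.org"},
    {"src": "203.0.113.9", "dst": "10.0.111.254"},
]


def run_demo() -> ReputationMatcher:
    m = ReputationMatcher(MALICIOUS_IPS, MALICIOUS_DOMAINS)
    for ev in SAMPLE_EVENTS:
        m.check(ev)
    return m


if __name__ == "__main__":
    m = run_demo()
    for a in m.alerts:
        print(a)
    print("infected assets:", {k: sorted(v) for k, v in m.infected.items()})
```

Two details matter in practice. The domain walk stops before the top-level label, otherwise a list entry such as `example` would match every host under it; and the inbound branch records the internal target rather than the scanner as the asset, since the scanner is the entity and the target is what the analyst has to look at. A production matcher would also expire list entries and track first-seen and last-seen times per asset for the monthly trend panel.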
Beyond monitoring infected assets, RepSM integrates with ArcSight Threat Response Manager (TRM) and TippingPoint SMS for containment actions, manages cases through predefined stages while tracking their progress, integrates with ticketing systems such as Remedy, and reports on dangerous browsing over the last 24 hours.

The remaining RepSM material covers reports, correlation rules and the Management Console: 1. **Report Creation**: the default report produces a PDF of the previous day's browsing activity in graphical and tabular form, both customizable, and a graphical report designer is available for custom reports. 2. **Correlation Rules**: the default rules check all activity in real time against the ArcSight reputation database and notify on any malicious activity detected; further rules are created or modified in ArcSight's graphical rules editor. 3. **Management Console**: a central dashboard where analysts and managers investigate daily and weekly activity, with a geographic event graph of attack locations and network zones, an event graph whose node labels indicate activity levels, and an hourly counts dashboard showing how often events occur. 4. **Demo Replay Connector**: replays the recorded IdentityView and NetFlow event files at a configurable rate, 50 events per minute in these scripts.
The accompanying demo script presentation (not included here) holds the screenshots. The Management Console was introduced in Express v3.0 and ESM v6.0c and became the Command Center in later versions such as ESM v6.5c; its dashboards exist to support investigations and give a visual picture of activity across the IT infrastructure.

Worm outbreak use case. The script shows the event-handling workflow on a worm outbreak: 1. **Dashboard Customization**: unselect the "Very Low" and "Low" priorities in the legend at the bottom of the dashboard to concentrate on the critical alerts. 2. **Visualization Tools**: switch a panel from the standard chart to a pie chart for a different view of the same data. 3. **Notification and Case Management**: the home page lists the analyst's pending notifications and cases, and a notification is acknowledged directly from there. 4. **Escalation Process**: reporting on notification and case metrics tracks incidents through the defined workflow. 5. **Case Handling**: a case is created when a significant event occurs; the analyst unlocks it, changes its status, and reaches the detail through the predefined "Worm Outbreak" dashboard. 6. **Dashboard Usage**: the dashboard graphs the spike in network activity in real time, lists the worm rules that fired and the infected nodes, and drills down into the underlying events.
The investigation of port sweeps and spikes of activity on particular ports uses Active Channels for real-time event monitoring, the Event Inspector for the detail of an individual event, and reports for compliance and historical analysis; analysts create channels for different event types, generate custom reports, and archive findings for later reference, and cross-device reporting categorizes information from the various device types for regulatory compliance. The archived reports for this scenario are reviewed in the HP ArcSight Console: the data monitors Worm Propagation by Host and Zone and Infected Systems, and the statistical data monitor whose mechanism detects the outbreak. The demonstration replays the worm outbreak at 200 EPM (events per minute) with the Replay Agent, with only the Worm Outbreak dashboard open. Its key points: 1. Start the HP ArcSight Console and review Worm Propagation by Host and Zone, explaining how the worm spreads across network zones and which hosts are infected. 2. Use the statistical data monitor to show the increased event volume that indicates the outbreak, detected by statistical correlation on event rates. 3.
Use notifications for escalation by criticality, double-clicking a notification to open its detail in the Event Inspector. 4. Discuss the rule chain, how the correlation rules and the statistical data monitor feed one another, and what that reveals about potential incidents or zero-day attacks. 5. Conclude that correlation rules with actions such as notification and case management let HP ArcSight Express/ESM detect and respond to threats efficiently, with reporting that gives visibility into security and compliance status across the organization.
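The worm outbreak script rests on two detections that need no signature: a statistical data monitor that notices the event volume on a port jumping above its recent baseline, and a port-sweep rule that notices one host reaching many targets on the same port, broken down by the zones of the network model. The following added example, not ArcSight content or code from the demo script, implements both over a constructed event stream (five quiet minutes of SMB traffic followed by one host scanning port 445 across two zones); the zone ranges, thresholds, window sizes and class names are assumptions.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed network model: zone names and ranges are assumptions.
ZONES = {
    "DMZ": ipaddress.ip_network("10.0.110.0/24"),
    "Servers": ipaddress.ip_network("10.0.111.0/24"),
    "Workstations": ipaddress.ip_network("192.168.6.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Unknown"


class StatisticalMonitor:
    """Events per minute per target port, judged against a moving baseline of earlier minutes."""
    def __init__(self, window: int = 5, k: float = 3.0, min_events: int = 20):
        self.window, self.k, self.min_events = window, k, min_events
        self.history = defaultdict(list)   # port -> [(minute, count), ...] closed buckets
        self.current = {}                  # port -> (minute, count) bucket still filling
        self.spikes = []

    def add(self, ts: datetime, port: int) -> None:
        minute = ts.replace(second=0, microsecond=0)
        bucket, count = self.current.get(port, (minute, 0))
        if bucket != minute:               # a new minute started: close the old bucket
            self._close(port, bucket, count)
            bucket, count = minute, 0
        self.current[port] = (bucket, count + 1)

    def _close(self, port: int, bucket: datetime, count: int) -> None:
        hist = self.history[port]
        if len(hist) >= 2:                 # need some baseline before judging a spike
            base = [c for _, c in hist[-self.window:]]
            mean, sd = statistics.fmean(base), statistics.pstdev(base)
            # max(sd, 1.0) stops a perfectly flat baseline from alerting on a one-event rise.
            if count >= self.min_events and count > mean + self.k * max(sd, 1.0):
                self.spikes.append({"port": port, "minute": bucket.isoformat(), "count": count,
                                    "baseline_mean": mean, "baseline_stdev": sd})
        hist.append((bucket, count))

    def flush(self) -> None:
        """Close the buckets still open at end of stream."""
        for port, (bucket, count) in list(self.current.items()):
            self._close(port, bucket, count)
        self.current.clear()


class PortSweepDetector:
    """One source reaching many distinct targets on the same port within a short window."""
    def __init__(self, threshold: int = 10, window: timedelta = timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(list)    # (src, port) -> [(ts, dst), ...]
        self.fired = set()
        self.sweeps = []

    def add(self, ts: datetime, src: str, dst: str, port: int) -> None:
        key = (src, port)
        hits = self.recent[key]
        hits.append((ts, dst))
        while hits and hits[0][0] < ts - self.window:   # slide the window forward
            hits.pop(0)
        targets = {d for _, d in hits}
        if len(targets) >= self.threshold and key not in self.fired:
            self.fired.add(key)            # fire once per source/port, not once per packet
            self.sweeps.append({"src": src, "src_zone": zone_of(src), "port": port,
                                "targets": len(targets),
                                "target_zones": dict(Counter(zone_of(d) for d in targets))})


def sample_events() -> list:
    """Constructed stream of (ts, src, dst, dport): 5 quiet minutes, then a sweep in minute 6."""
    t0 = datetime(2025, 4, 8, 9, 0)
    events = []
    for m in range(5):                      # 10 ordinary SMB connections per minute
        for i in range(10):
            events.append((t0 + timedelta(minutes=m, seconds=5 * i),
                           f"192.168.6.{10 + i}", f"10.0.111.{20 + i}", 445))
    for i in range(60):                     # one workstation hitting 60 hosts in two zones
        dst = f"10.0.111.{i + 1}" if i < 30 else f"10.0.110.{i - 29}"
        events.append((t0 + timedelta(minutes=5, seconds=i), "192.168.6.103", dst, 445))
    return events


def run_demo() -> tuple:
    mon, sweep = StatisticalMonitor(), PortSweepDetector()
    for ts, src, dst, port in sample_events():
        mon.add(ts, port)
        sweep.add(ts, src, dst, port)
    mon.flush()
    return mon.spikes, sweep.sweeps


if __name__ == "__main__":
    spikes, sweeps = run_demo()
    print("spikes:", spikes)
    print("sweeps:", sweeps)
```

The two detectors are complementary in the way the script's rule chain describes: the port-sweep rule names the infected host and the zones it is propagating into, while the statistical monitor confirms from the aggregate rate that this is an outbreak rather than one noisy host, and it would also catch a worm whose scan pattern the sweep rule was not tuned for. The `min_events` floor matters on quiet ports, where a flat baseline of near-zero would otherwise make any handful of events a "spike".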

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, kindly leave a message and it will be responded to.
