HP ArcSight Express Use Case Demonstration Scripts
- Pavan Raja

- Apr 8, 2025
- 11 min read
Summary:
### Summary Analysis
This document outlines the demonstration of HP ArcSight Express, a security analysis tool used to monitor network traffic, detect worm outbreaks, and manage security events in real time. It covers various steps from reacting to alerts to detailed investigations using dashboard analytics and NetFlow data. The demonstration is centered around a "Worm Outbreak" use case scenario, illustrating how HP ArcSight Express can be effectively utilized for security analysis and reporting within a network environment.
#### Key Features Explained
1. **Reacting to the Alert**: Upon receiving a worm outbreak alert via email, technicians are directed to open the HP ArcSight Web service and Replay Agent to replay events at a rate of 200 events per minute for detailed analysis. Logging into the HP ArcSight Express web interface provides access to pending notifications and cases assigned to analysts.
2. **Acknowledge Notifications**: Analysts acknowledge incident notifications through the HP ArcSight Express Console, initiating a workflow process for reviewing and acknowledging these incidents.
3. **Investigate Case Details**: The case details include visualization tools such as the "Worm Outbreak dashboard" where detailed information is presented in real-time. This includes spikes in activity on specific ports, lists of fired worm rules, and infected nodes.
4. **Analyze Worm Outbreak Dashboard**: Detailed views can be obtained by drilling down into elements like attacker addresses to access active channels, which provide direct event logs collected from connectors.
5. **Further Investigate with Drill-Down**: This feature allows analysts to explore specific events or rules contributing to the outbreak for further investigation and action.
#### Additional Capabilities
- **Enriching Events with Categorizations**: Enhances management and analysis by categorizing events for better understanding and handling.
- **Utilizing Workflow Features**: Utilizes workflow procedures in ArcSight Express for case management, ensuring follow-ups on severe events transformed into full-fledged cases.
- **Building Channels**: Filters and visualizes real-time or historical data from various devices within the HP ArcSight platform to provide actionable analytics.
- **Generating Detailed Reports**: Provides pre-built or custom categorizations to generate reports on security activities, compliance status, and specific events like failed logins and worm infections.
- **Transitioning as an Auditor**: Allows auditors to review and access comprehensive reports across different device types to ensure regulatory compliance in the HP ArcSight Console Interface.
#### Conclusion
The demonstration showcases how HP ArcSight Express can be leveraged for quick deployment of perimeter security, real-time visualization, actionable analytics based on detected events, and future threat prevention against attacks like zero-day threats. The tool's ability to send real-time notifications based on criticality levels aids in quicker incident response, providing detailed information that helps address current threats while preparing for potential future security challenges.
Details:
The document provides an overview and detailed steps for demonstrating HP ArcSight Express through a cloud-based environment, CloudShare. It outlines various use cases including security, compliance, privileged user monitoring, shared accounts management, NetFlow analysis, worm outbreaks, and more. Each use case is accompanied by specific actions and talking points to facilitate demonstration and understanding of the product's capabilities in handling real-world cybersecurity scenarios.
The provided text describes an incident response process using HP ArcSight Express for quick diagnosis and investigation of security events such as logon attempts that lock Windows accounts. Key steps include acknowledging notifications promptly to avoid escalation, reviewing detailed event information through the Inspect/Edit panel, creating channels for further investigation, and utilizing interactive dashboards to monitor user activities like login failures and tracing internal IP addresses. The process involves inspecting users' activity, identifying potential malware infections or unauthorized access attempts, and correlating these with external malicious activities as shown by firewall events and DNS domains. HP ArcSight also supports automated case creation for incident tracking and reporting, ensuring that all relevant security incidents are organized and easily accessible to authorized personnel.
The article discusses how HP ArcSight, a security management solution, helps organizations comply with regulatory standards such as ISO 27002 through advanced correlation rules and automated reporting features. It provides a step-by-step guide for setting up and using HP ArcSight to review compliance against access control best practices outlined in section 11 of the standard. The article highlights how manual log reviews can be tedious, time-consuming, and error-prone but are efficiently handled by HP ArcSight through automation and real-time alerts. Additionally, it demonstrates how HP ArcSight maintains a list of former employees whose Active Directory accounts have been disabled to ensure compliance with access control policies. By using HP ArcSight, organizations can easily track regulatory compliance within their infrastructure, providing visibility into both security and compliance status.
This document outlines how to address a compliance issue related to former employee account access attempts using HP ArcSight Express. The main goal is to ensure that an organization can dynamically track and manage access by former employees, preventing unauthorized access even if their accounts are deleted from Active Directory or imported into the system via text files.
To begin, navigate to the Navigator window, select Lists, expand /ArcSight Solutions/Compliance Insight Package, and right-click "Former Employees". Choose Show Entries to view the list of former employees that HP ArcSight uses for compliance checks. The system compares every incoming event's username against this list to determine if an account is no longer valid.
HP ArcSight can automatically update this list by adding usernames upon detecting deletion events from Active Directory or through direct text file import. An optional step involves checking the rule conditions in the InActiveList, which adjusts access based on deleted accounts.
The process also includes setting up reports within the HP ArcSight Console to visually verify compliance with the ISO 27002 section 11 (Access Control) standards. These reports can be customized for efficiency and emailed automatically. The document concludes by emphasizing how HP ArcSight enhances security and compliance visibility through automated rules, notifications, and reporting capabilities.
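The list comparison described above (a Former Employees list that grows from AD deletion events or a text-file import, and is checked against every incoming event's username), as an added Python model that is not part of the demo script; the event field names, event names and sample feed are constructed for illustration, not ArcSight's schema.

```python
"""Added example (not from the HP ArcSight demo script): a small Python model of
how an active list such as 'Former Employees' is kept current and consulted.
Field names, event names and the sample events are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FormerEmployeesList:
    """Models the active list: usernames are added when an AD account-deletion event
    is seen or when entries are imported from a text file; every event is checked."""
    entries: set = field(default_factory=set)

    def import_text(self, text: str) -> int:
        """Import one username per line (blank lines and '#' comments ignored)."""
        before = len(self.entries)
        for line in text.splitlines():
            name = line.strip()
            if name and not name.startswith("#"):
                self.entries.add(name.lower())
        return len(self.entries) - before

    def observe(self, event: dict) -> Optional[str]:
        """Apply the two rules from the narrative to one event; return a finding or None."""
        name = str(event.get("user", "")).lower()   # usernames compared case-insensitively
        # Rule 1: an AD account-deletion event adds the deleted account to the list.
        if event.get("name") == "account_deleted":
            self.entries.add(name)
            return f"added {name} to Former Employees"
        # Rule 2: any other event whose username is on the list is a compliance finding.
        if name in self.entries:
            return f"former employee {name} attempted {event.get('name')} from {event.get('src')}"
        return None


# Constructed sample feed: an AD deletion followed by a logon attempt with the same
# account (different case), two normal logons, one of them by an imported entry.
SAMPLE_EVENTS = [
    {"name": "account_deleted", "user": "JDoe", "src": "dc01"},
    {"name": "logon_failure", "user": "jdoe", "src": "10.0.0.5"},
    {"name": "logon_success", "user": "asmith", "src": "10.0.0.9"},
    {"name": "logon_success", "user": "bjones", "src": "10.0.0.12"},
]


def run_demo(events=SAMPLE_EVENTS, imported="# constructed import file\nbjones\n") -> list:
    """Seed the list from a text import, then stream the events through it."""
    lst = FormerEmployeesList()
    lst.import_text(imported)
    return [f for f in (lst.observe(e) for e in events) if f]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```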
The provided text outlines a procedure for using HP ArcSight Express to investigate an incident involving Mario Rossi logging into his Windows system and connecting to Unix systems. The steps include starting the replay at 50 events per minute, which should show the first three events (Mario's logon to Windows and two Unix connections) in sequence when viewed under "Actor Investigation - Mario Rossi Active Channel." The text also mentions using HP ArcSight Express features such as Notifications, Actors, and NetFlow for deeper investigation.
Additionally, the procedure is connected to a workflow process involving email alerts from HP ArcSight which leads to viewing details about the incident in the Inspect/Edit panel and acknowledging it through the HP ArcSight Console. The Active Channel feature helps visualize and understand the activity by showing events like Cisco NetFlow and Blue Coat logs related to Mario Rossi, demonstrating user attribution capabilities of IdentityView for tracking activities back to an identity.
The document outlines a series of steps for investigating an incident involving shared account usage, specifically focusing on policy violations within the HP ArcSight system. Here's a summary of the key points:
1. **Investigation Setup**: Begin by logging into the HP ArcSight Console as an administrator and acknowledging or deleting any pending notifications related to cases under your administration.
2. **Dashboard Access**: Navigate to specific dashboards such as Shared Account Logins within IdentityView v2.0, which provides detailed visualizations of shared account activities.
3. **Report Navigation**: Explore the archived reports section for all activity related to the specific actor (in this case, Mario Rossi). This includes graphical and detailed sections that cover various aspects of the investigation, including NetFlow events and physical access logs tied together via IdentityView.
4. **Demo Replay Connector**: Utilize the demo replay connector to visualize the event data being processed in real-time, which helps in understanding the flow of activities related to the shared account usage. This can be adjusted for faster or slower playback speeds based on the investigation's needs.
5. **Workflow and Notification Handling**: The document mentions how HP ArcSight notifies users via email and how administrators can use the console to acknowledge notifications, starting a workflow process for further investigation. It also highlights the system's ability to report on notification statuses and case metrics, including escalation processes if necessary.
The purpose of these steps is to efficiently investigate potential policy violations related to shared accounts using HP ArcSight tools and features, ensuring comprehensive coverage through both real-time data visualization and detailed historical analysis.
The provided text outlines a procedure for using HP ArcSight Express to investigate a case involving the use of shared accounts on servers within a specific segment of an organization's network. Here’s a summarized breakdown of the steps and key points mentioned in the text:
1. **Initial Notification Inspection**: Upon receiving a notification about suspected activity with a known shared account on a server, double-click on the notification to view detailed event logs related to it. This reveals information about the login events tied to the shared account.
2. **Inspect/Edit Panel Adjustment**: In the Inspect/Edit panel, modify the field settings to focus on specific details such as the Actor Full Name and Department from the IdentityView v2.0 module. This helps in linking the activity back to an identifiable user context.
3. **Event Details Analysis**: The notification indicates that a shared account was used by an employee (David West) on a server, which is against corporate policy for this segment of the network. The events show session openings with a target username 'root', indicating potential misuse or unauthorized access attempts.
4. **Network Model and Rule Application**: The text mentions that the rule monitoring shared account usage specifically targets behaviors observed in certain segments of the network, highlighting how the Network Model detects such incidents within defined zones.
5. **Dashboard Visualization**: A custom Dashboard named "Shared Account Logins" displays aggregated data about shared accounts used across various applications and networks, derived from Data Monitors rather than Query Viewers as seen in default Dashboards. This setup supports drill-down features for deeper analysis by right-clicking on chart portions.
6. **Advanced Reporting**: The investigation concludes with the generation of a detailed report titled "Logins to Known Shared Accounts – Details.pdf", which provides comprehensive information about the incident, including attacker and target zone details derived from the Network Model. This report also showcases how IdentityView can attribute events either by name or IP address depending on available data.
7. **SU and SUDO Activity**: The final aspect of the investigation involves reviewing reports that show all instances of SU (Substitute User) and SUDO (Superuser Do) actions within the environment, providing an overview of administrative access activities attempted or used.
8. **Conclusion**: This use case demonstrates how HP ArcSight Express can be effectively utilized for quick incident detection and detailed forensic analysis related to shared account usage in legacy applications, leveraging network models and comprehensive reporting capabilities to provide actionable insights into potential security breaches or policy violations.
In this procedure, the user is instructed to perform several tasks related to monitoring shared account usage in an application and reporting on privileged user activities using HP ArcSight tools. The steps involve opening specific dashboards, navigating through the system to access reports, setting up a demo replay connector for event files, and demonstrating the findings from these actions with accompanying talking points.
1. **Opening Dashboards**: Access two sections within the /ArcNet Dashboards/IdentityView v2.0 section: 'Shared Accounts' (specifically focusing on 'MyLegacyApp Login Sessions') and 'Privileged User Monitoring' (including 'Login Activity by Department' and 'Login Activity by Employee Type').
2. **Navigating to Reports**: Expand the report tree under /ArcNet Archived Reports group in the reports resource, which leads to a directory containing archived IdentityView reports.
3. **Setting Up Demo Replay Connector**: Begin replaying event files ('IdentityView_v2.0.events') at a slow pace initially (50 events per minute) and adjust speed as necessary (~25 events/second).
4. **Interpreting Findings**: From the dashboards, users can double-click on specific activities to view detailed event details. The reports provide evidence of who accessed the application using shared accounts, which is crucial for compliance and auditing purposes.
5. **Reporting and Compliance**: Without these tools, tracking such activity would be challenging, highlighting the importance of having systems in place like HP ArcSight Express and IdentityView for monitoring privileged user activities and generating necessary reports.
The demonstration includes screenshots to visually show how these features work together to address specific business challenges related to access control and compliance reporting within an organization's IT infrastructure.
The document outlines a series of steps and actions to be taken when using HP ArcSight Express for system and application usage analysis, focusing on department, employee type, and role-based access rights determination. Key points include:
1. **Dashboard Presentation**: Demonstrate specific dashboards related to login activity by employee type, as well as broader network flow analytics including top port and bandwidth usage, source and target countries, and Microsoft SQL Server monitoring. These should be shown in a circular layout for better visualization if applicable.
2. **Report Review**: Review archived reports such as Bandwidth Usage by Port, Top Bandwidth, Top Source and Target Countries, and Microsoft SQL Server Monitoring Reports to understand system usage across departments and employee roles.
3. **NetFlow Use Cases**: Utilize NetFlow data to analyze traffic distribution among different ports, countries, and servers using the HP ArcSight Console. This involves setting up notifications, reviewing dashboard statistics, accessing archived reports, configuring event files for demo replay, and adjusting replay speeds as necessary.
4. **Optional Actions**: For unauthorized activities or non-compliant configurations (e.g., unauthorized Microsoft SQL Server installations), further investigate these incidents by inspecting event details in the target zone.
The document also includes a reference to a detailed script ("HP ArcSight Express and ESM – IdentityView and NetFlow Demo Script.pdf") for visual aids during the demonstration.
The document describes a demonstration using HP ArcSight Express for security analysis and reporting, focusing on a "Worm Outbreak" use case. It outlines steps to follow after receiving an email alert about an incident involving a worm outbreak affecting network nodes.
1. **Reacting to the Alert**: Upon receiving an alert via email, open the HP ArcSight Web service and Replay Agent to replay events related to the worm outbreak at a rate of 200 events per minute. Access the HP ArcSight Express web interface and log in as an analyst. The home page shows pending notifications and cases assigned to you.
2. **Acknowledge Notifications**: Click on pending notifications, which initiates a workflow process for viewing and acknowledging incident notifications. Use the HP ArcSight Express Console to acknowledge these notifications once viewed.
3. **Investigate Case Details**: View details about the case by clicking through to specific incidents or cases assigned to you. Note that severe events are transformed into full-fledged cases which can be tracked with a workflow procedure. The case directs you to the "Worm Outbreak dashboard" where detailed information is visualized and analyzed in real time.
4. **Analyze Worm Outbreak Dashboard**: On this dashboard, the top graph displays spikes in activity on specific ports of affected network nodes, while the middle section lists fired worm rules and the bottom shows infected nodes. The ability to drill down into these elements provides a detailed view of the incident's scope and progression.
5. **Further Investigate with Drill-Down**: When exploring specific events or rules that contributed to the outbreak, click on details like attacker addresses to access active channels, which are direct event logs collected by connectors. This setup uses OS logs initially without involving IDS or AV logs, showcasing a basic detection method before detailed investigation.
This demonstration shows how HP ArcSight Express can be used for quick deployment of perimeter security and compliance monitoring with real-time visualization and actionable analytics based on detected events.
This document outlines the process of using HP ArcSight Express to manage and analyze security events, including how to enrich events with categorizations and use workflow features for case management. It also covers the setup and utilization of channels, dashboards, reports, and archived reports within the system. Additionally, it discusses transitioning from a user perspective to an auditor's role, emphasizing regulatory compliance through detailed reporting capabilities.
Key points include:
- Enriching events with categorizations for better management and analysis.
- Utilizing workflow features in ArcSight Express for case management and follow-ups.
- Building channels within the ArcSight Express platform to filter and visualize real-time or historical data from various devices.
- Generating detailed reports on security activities, compliance status, and specific events like failed logins and worm infections using pre-built or custom categorizations.
- Transitioning as an auditor to review and access comprehensive reports on organizational activity across different device types.
- Ensuring regulatory compliance through detailed reporting capabilities in the HP ArcSight Console Interface.
The passage discusses the effectiveness of HP ArcSight Express in detecting and managing worm propagation within a network. It emphasizes the importance of using different data monitors such as Worm Infected Systems, Zone In, and statistical mechanisms for effective detection. By switching between these monitors, IT administrators can visualize the spread of infection and take appropriate actions, such as having network engineers deny traffic on port 22 or focusing on specific infected hosts to clean them up.
The passage also highlights HP ArcSight Express's ability to send real-time notifications based on criticality levels which leads to quicker incident response, providing detailed information in the event inspector where correlation rules and statistical data are examined. This approach not only helps in addressing current threats but is also beneficial for future security measures against even zero-day attacks. The system provides a comprehensive automated reporting solution that offers visibility into both security and compliance status of an organization.
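The statistical behaviour behind the Worm Outbreak dashboard described here and in the earlier Worm Outbreak use case (a spike of activity on one port from a host, and a growing list of infected systems as its targets start doing the same), as an added Python sketch that is not part of the demo or of ArcSight's data monitors; the port-22 focus, the time window, the fan-out threshold and the flow records are constructed assumptions.

```python
"""Added example (not from the demo script): a per-source fan-out count of distinct
targets on one port inside a sliding time window, plus an ordered list of hosts that
crossed the threshold. Window, threshold and flow records are constructed."""
from collections import defaultdict, deque

PORT = 22             # port named in the narrative
WINDOW_SECONDS = 60   # constructed sliding window
FANOUT_THRESHOLD = 3  # constructed: distinct targets per source within the window


def detect_worm_spread(flows, port=PORT, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """flows: iterable of (timestamp_seconds, src, dst, dst_port), sorted by timestamp.
    Returns (infected, first_alert_ts): sources that exceeded the fan-out threshold,
    in the order they did so, and the timestamp of the first alert (None if none)."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    infected = []
    first_alert = None
    for ts, src, dst, dport in flows:
        if dport != port:         # the dashboard view is per port; ignore other traffic
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire old records from the window
            q.popleft()
        distinct_targets = {d for _, d in q}
        if len(distinct_targets) >= threshold and src not in infected:
            infected.append(src)            # this source now looks like a scanner
            if first_alert is None:
                first_alert = ts
    return infected, first_alert


# Constructed flow records: host A reaches three peers within seconds, then one of
# its targets (B) starts doing the same; C touches a single host and is not flagged.
SAMPLE_FLOWS = [
    (0,   "10.1.0.5",  "10.1.0.6",  22),
    (5,   "10.1.0.5",  "10.1.0.7",  22),
    (9,   "10.1.0.5",  "10.1.0.8",  22),   # A: 3 distinct targets -> alert
    (20,  "10.1.0.6",  "10.1.0.9",  22),
    (25,  "10.1.0.6",  "10.1.0.10", 22),
    (30,  "10.1.0.6",  "10.1.0.11", 22),   # B: now fans out too
    (40,  "10.1.0.12", "10.1.0.13", 80),   # other port, ignored
    (200, "10.1.0.7",  "10.1.0.14", 22),   # C: one target, no alert
]

if __name__ == "__main__":
    hosts, t = detect_worm_spread(SAMPLE_FLOWS)
    print(f"first alert at t={t}s, infected hosts in order: {hosts}")
```

Three contacts spread over more than the window (for example 70 seconds apart) never accumulate, which is the point of the window: slow, normal administration traffic to port 22 does not look like a worm.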