
HP ArcSight Logger Use Case Demonstration Scripts

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 6 min read

Summary:

The document serves as a user guide for demonstrating HP ArcSight Logger solutions within CloudShare's on-demand virtual cloud environment, covering multiple use cases including security, compliance, IT operations, and application development among others. Each use case includes action talking points to showcase the capabilities of HP ArcSight Logger through specific tasks such as investigating custom login banners, reviewing dashboard panels like failed logins by user or top destination ports, exploring detailed event information in NetFlow analysis, configuring alerts for compliance, generating reports on device configurations, and visualizing data from SQL Servers. The guide also provides screenshots to illustrate the demonstration flow, ensuring clarity during actual demonstrations. This approach allows users to effectively demonstrate HP ArcSight Logger's features to stakeholders or potential customers by following clear steps outlined in the document.

Details:

The document is a guide to demonstrating HP ArcSight Logger through CloudShare's on-demand virtual cloud environment. It covers several use cases, including security, compliance, IT operations, application development and NetFlow analysis. For each use case it provides action talking points that lead the demonstrator through specific tasks showcasing Logger's capabilities, together with screenshots that illustrate the demonstration flow for reference during the live demonstration.

In the Security use case, the demonstrator investigates a recently departed employee. The scenario starts by noting and interacting with a custom login banner, then reviews dashboard panels such as failed logins by user and top destination ports, and drills into detailed event information in the NetFlow Top Destination Ports panel. The guide walks through the dashboard types Logger offers (column, bar, pie, area, line and stacked column/bar charts), how to open the different custom dashboards, select specific data panels, adjust settings such as the number of top entries displayed, and use advanced search to analyze logs of user activity.

The search example investigates FTP activity tied to a person's username on a finance server. A query is built with operators such as "Contains" and logical connectors such as "OR", then refined by adding more terms or by chaining pipe commands ("|") for advanced filtering. Logger offers suggestions and assistance as the query is typed, and the results can be explored through graphical charting or exported in formats such as pie charts and CSV files. Logger can also generate custom reports tailored to the user's needs; the example runs a report on a single user's activities, revealing actions such as creating users, granting roles, clearing audit logs and sending suspicious articles. Reports can be grouped into personal favorites for easier access and management, exported in various formats, or run from the predefined reports that ship with the default Logger suite. Together these features let large volumes of network-related events be managed and analyzed through customizable search and comprehensive reporting.

The Compliance use case centres on the PCI Compliance Insight Package and its drill-down reports. It covers custom login banners, role-based access control, exporting reports as Adobe PDF, MS Word or MS Excel, running ad hoc reports from the Logger interface, managing different log retention requirements, automating log review, receiving real-time alerts on compliance issues, and drilling down to the detailed information behind a report. Compliance Insight Packages (CIPs) are also available for other regulatory standards such as Sarbanes-Oxley, ISO 27002 and NIST 800-53, each providing the reports needed to demonstrate compliance.

Alerts in Logger are configured to trigger on specific conditions, such as default account usage or web server issues, and can have multiple destinations including email, SNMP, Syslog and a correlation engine for further analysis. Users with auditor access have read permissions only, so sensitive configurations cannot be altered without proper authorization.

The IT Ops use case begins with a web server that is down and shows how quickly Logger can search the relevant log files; the scenario traces the issue to high request volumes from North Korea, demonstrating how Logger helps identify potential threats or issues during operations where quick response matters for service quality and business continuity. The scenario then turns to configuration monitoring on devices the demonstrator does not manage directly: navigating the interface to configuration modification events, which can be surfaced by adding a new term to a search, so that an event's significance can be understood without being a networking or firewall expert. Reports on device configurations are generated from standard and customizable report templates; for example, events for the firewall 'dmzfw1' are filtered by opening the favorites explorer, choosing a filter such as 'Destination Host Name' containing 'dmzfw1', and running the report against the chosen storage group settings. The live event viewer is then used for real-time analysis during the IT Operations demonstration, though no action is taken regarding Mike or his boss at this stage of the scenario.

The application development and NetFlow examples search for specific events in real time, such as errors in Ruby Application Archive log files (search term "raa") or NetFlow traffic directed at a Microsoft SQL Server (search term "netflow dpt=1433"). Settings and fields are adjusted to suit the type of data being analyzed, and results are exported in various formats for further use in troubleshooting, security monitoring and performance analysis. The SQL Server visualization inverts the usual view to show the least frequent sourceAddresses rather than the TOP sources; the adjusted query updates automatically according to the user's settings and time frame. Chart settings, exports and regex analysis of raw NetFlow events are covered as well.

The final tasks are finding failed logins, discovering fields in RAW events and masking credit card numbers. The demonstrator searches raw events, uses the Discover Fields feature to identify relevant keywords (such as 'login' and 'failed' for login attempts), and applies the Logger Regex Helper to extract values such as usernames or credit card numbers from the raw logs. Logger then automatically generates a column (e.g. ccnum) from the extracted value, giving a summarized view of each event with minimal effort. The first digit of a credit card number indicates its type: 3 for Travel & Entertainment cards (such as American Express or Diners Club), 4 for Visa and similar debit/cash cards, 5 for MasterCard and branded debit/cash cards, and 6 for Discover.

The last scenario builds a masked report on American Express numbers, which start with "34" or "37". Logger hides most of the card number digits, leaving only the first few visible, so the report can go to people who should not see full credit card numbers but need information about them. To create the report:

1. Select and copy the part of the card number to keep (the "firstnum").
2. Use Logger to mask all the other digits of the card numbers in the list.
3. Prepare a new report containing the partially visible card numbers, including the selected first digits.
4. Generate the report with the Go! PDF feature and distribute it as needed.

This keeps the card numbers confidential while still providing useful information about credit card types.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
