
HP ArcSight Logger Use Case Demonstration Scripts

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 11 min read

Summary:

### Summary of HP ArcSight Logger Software Capabilities

The HP ArcSight Logger demonstration scripts walk through log analysis on a demo data set. One scenario concentrates on NetFlow records sent to the SQL Server port (TCP 1433) and uses charts driven by the analyst's own settings to show the most common, or the rarest, source addresses behind that traffic. Across the scenarios the scripts exercise the following features for turning raw event logs into findings and reports:

1. **Dynamic charting:** Pie charts are built from the current search and update as the chart settings (for example, which source addresses to rank) change, giving an interactive view of network activity.
2. **Regex parsing:** Regular expressions extract fields from raw log data that no parser understands. The demo uses this to pull the round-trip average (RTA) out of latency probe events and keep only those with an RTA greater than 1 millisecond, which is the kind of field extraction needed for performance troubleshooting.
3. **Export options:** Search results and charts can be exported as PDF or CSV (and reports in further formats), so findings can be shared or filed for compliance purposes.
4. **Targeted searches:** Searches can be restricted to a specific port, for example port 123 (NTP), to show which channels carry the most traffic in the environment, which is useful both for security audits and for performance monitoring.
5. **API integration:** The ArcSight Logger API, version 1.0.0.0.1 in the demo, is exercised from a client written in VB.NET. The client logs in with pre-populated credentials, searches events, and runs reports such as a User Investigation report, all against a demo environment.

### Conclusion

HP ArcSight Logger bundles the tools needed for everyday log analysis: network data extraction, real-time charting, regex parsing, and reporting. The demo scripts range from simple dynamic charts to regex-based parsing of raw events for performance troubleshooting, and the API shows how the same searches and reports can be driven from another system, which is what makes Logger useful as the log analysis and management layer of a security operations practice.

Details:

The underlying document is a set of demonstration scripts for HP ArcSight Logger, organized by use case, and it opens with several pages of legal terms. Key points:

1. **Confidentiality notice**: The information is proprietary to Hewlett-Packard Company or its affiliates (HP) and is to be treated as confidential; recipients may not disclose it without HP's authorization.
2. **Disclaimer of warranties and liability**: The document describes current HP products, sales and service programs, which may change at HP's discretion. HP does not guarantee the accuracy or completeness of the information and accepts no liability for its use.
3. **Definitions**: "Solution" refers to the proposed products and services, with no implied guarantee that they will meet specific requirements. "Partner" or "partnership" denotes a collaborative relationship and implies no formal legal or contractual ties.
4. **Use of the document**: It is intended for evaluation only, is provided in the hope that HP will receive business from the recipient, and may not be reproduced or disclosed to others without permission.
5. **Termination**: Any agreement is conditional on a mutually signed written document, which supersedes prior understandings or agreements.
6. **Use cases covered**: Security, Compliance, IT Operations, Application Development, NetFlow, Raw Events and Regex, Additional Use Cases, and the Logger API.

The rest of this post walks through those use cases in that order.
Before the scenarios, the document describes configuring Internet Explorer and Firefox to reach the Logger web interface, including adding the Logger site to the browsers' trusted zones, and how to handle the security warnings shown when opening iPackager.

**Security use case.** The scenario is an investigation of a user who recently left the company. After the custom login banner, the analyst lands on dashboard panels showing items such as failed logins and top destination ports; panels can be customized visually, for example by changing the chart format or the number of entries displayed. Logger offers separate dashboards for different audiences, for example compliance and network operations, and each user can tailor them to their own role and interests. From the dashboards the analyst moves to search, which accepts free-text terms as well as field conditions, so that relevant events are located quickly. The walkthrough looks for FTP activity by the departed user, who appears as either "dgchung" or "dchung":

1. **Initial search**: Start with the single term "dgchung". Widen it to "(dgchung OR dchung)" so that both spellings of the user name are matched.
2. **Adding conditions**: Add "ftp" to the search string to restrict the hits to FTP-related events; the pipe operator (|) can then chain further search operators onto those results. Getting no hits at first is expected: it mirrors an analyst's early, exploratory queries.
3. **Search helper**: As you type, Logger's search helper suggests operators and field names. Adding a condition such as "sourceHostName contains 'finance'" narrows the results to events from the finance servers.
4. **Charting**: Use the built-in charting to visualize the activity. By default the summary chart is broken down by event name; change the chart type or its settings to get a view that is easier to interpret.
5. **Exporting**: Results can be exported as PDF, CSV or Excel, so the analysis can be shared or archived.
6. **Reports**: Reports can be generated from a query or from user input. Changing the User Investigation report's parameter from "admin" to "chung" surfaces activity tied to the subject, including role grants, audit log clearing, and suspicious sharing of documents.
7. **Reporting features**: Reports can be exported in several file formats, and run-time parameters let a report be produced quickly without building a search first.
8. **Favorites Explorer**: Frequently used reports and queries can be grouped in the Favorites Explorer, so the parts of an investigation are easy to find again.

Together these steps show how Logger's search refinement, charting and reporting are used in a real investigation. The next scenario deals with regulatory compliance, specifically PCI (Payment Card Industry) compliance.
**Compliance use case.** Logger addresses differing log retention requirements, automated log review, and real-time alerting on compliance issues, through role-specific dashboards and a customizable login banner. Key features:

1. **Custom login banner**: An optional banner on the Logger login page can state company policy, so users are reminded of it at every login.
2. **Role-based access control**: Users see only the data and events appropriate to their role, which supports both privacy and compliance management.
3. **Compliance Insight Packages (CIPs)**: HP ArcSight provides CIPs for standards such as PCI, Sarbanes-Oxley, ISO 27002, and NIST 800-53. Each package contains pre-built reports that cite the relevant section of the specification and explain how the report supports that control, which simplifies demonstrating compliance to an auditor.
4. **Drill-down**: From the icons along the top of a report the analyst can drill into its detailed elements, view it in several formats, and schedule it for ad-hoc or automatic email delivery.
5. **Automated alerts**: Logger ships with preconfigured alerts for various compliance controls; they can be modified or new ones created, and they fire in real time as the condition occurs.
6. **User-generated reports**: Users can build their own reports, including drill-down reports, tailored to their needs and role.

In short, Logger supports compliance management through its configurable features, role-based access controls, preconfigured content, automated alerts, and reporting tools.
**Alerts and storage.** Logger alerts are evaluated against the incoming event stream. An alert is defined as a filter (for example, one built for a PCI requirement) plus a condition such as a minimum number of matching events within a time window, and each alert can have several destinations: email, SNMP trap, syslog, and forwarding to the ArcSight Express/ESM correlation engine. Logged in as an administrator, open Configuration, then Alerts, from the main Logger menu to create or edit them. Storage is configured in the same area: storage groups carry their own retention periods, so different log types can be kept for the period that business or regulatory requirements demand, and storage rules assign incoming streams to the right group automatically by type or relevance, so retention does not have to be maintained per source.

**IT Operations use case.** The scenario is a web server outage. Logger lets the operator search across all sources quickly using the relevant fields, a suitable time window and a few search terms. The telling events often come from devices the operator does not normally manage, so their significance has to be understood in context. Adding related terms to the search reveals configuration or behaviour changes and helps decide whether the outage is an operational fault or an external cause such as a denial-of-service attack; in the demo data the suspect traffic is attributed to North Korea.
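An alert of the kind described above, a filter plus "at least N matches within T seconds", is easiest to reason about when it can be replayed over a sample stream before it is deployed. The Python below is an added example, not Logger code or anything from the demo document: the failed-login events are constructed, and the ISO timestamps, the threshold of five failures and the 120-second window are assumptions chosen here. It evaluates the condition with a sliding window, which is what makes the alert fire on the fifth failure rather than on a fixed-interval count.

```python
"""Sliding-window evaluation of a Logger-style alert:
fire when `match` accepts at least `threshold` events inside `window_seconds`.
Constructed sample data; not from the original demo scripts."""
from collections import deque
from datetime import datetime, timedelta

# Constructed syslog-style events (timestamps and addresses are made up).
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "sshd: Failed password for admin from 10.1.8.8"),
    ("2025-01-10T09:00:20", "sshd: Failed password for admin from 10.1.8.8"),
    ("2025-01-10T09:00:40", "sshd: Failed password for admin from 10.1.8.8"),
    ("2025-01-10T09:00:50", "sshd: Accepted password for dchung from 10.1.4.22"),
    ("2025-01-10T09:01:10", "sshd: Failed password for admin from 10.1.8.8"),
    ("2025-01-10T09:01:30", "sshd: Failed password for admin from 10.1.8.8"),
    ("2025-01-10T09:20:00", "sshd: Failed password for root from 10.1.8.8"),
]


def failed_login_filter(message):
    """The alert's filter: a plain substring match, like a keyword search."""
    return "Failed password" in message


def evaluate_alert(events, match, threshold, window_seconds):
    """Return (trigger_time, matched_messages) the first time `threshold`
    matching events fall inside a window of `window_seconds`, else None.

    Events must arrive in time order, which is how the indexed stream is fed
    to an alert. Non-matching events are ignored; matching ones are kept in a
    deque and anything older than the window is dropped from the front."""
    window = deque()
    span = timedelta(seconds=window_seconds)
    for ts_text, message in events:
        if not match(message):
            continue
        ts = datetime.fromisoformat(ts_text)
        window.append((ts, message))
        while window and ts - window[0][0] > span:
            window.popleft()
        if len(window) >= threshold:
            return ts, [m for _, m in window]
    return None


def format_destination_line(trigger):
    """Render a fired alert as one line suitable for a syslog or email body.
    The field layout here is an assumption, not Logger's output format."""
    ts, messages = trigger
    return f"{ts.isoformat()} ALERT failed_logins count={len(messages)}"


if __name__ == "__main__":
    fired = evaluate_alert(SAMPLE_EVENTS, failed_login_filter, threshold=5, window_seconds=120)
    print(format_destination_line(fired) if fired else "no alert")
```

With a 120-second window the fifth failure at 09:01:30 fires the alert; narrowing the window to 60 seconds drops the two oldest failures first and the alert never fires, which is the kind of tuning the demo's "occurrences within a time frame" condition exists for.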
In summary, Logger supports both proactive security monitoring and responsive IT operations: detailed event logging, fast search for diagnostics, and alerting that can be tuned to compliance or operational needs.

The IT Operations scenario also illustrates why event categorization matters. Network staff think in terms of ports, protocols and addresses; server staff in terms of processes, profiles and directory systems. The ArcSight connectors normalize events into a common format with category fields, so an analyst can build filters and reports on those categories, for example failed firewall activity, without expert knowledge of each product's native log format. Once the analyst decides to look for failed firewall activity involving the web server web1.arcnet.com, that condition is added to the existing query with a logical operator and the search is re-run, which is far quicker than reading raw firewall logs. Reports are reached from the Logger menu and can be filtered before they run; the example runs a configuration-event report for the firewall dmzfw1 with custom filter criteria. Finally, the Live Event Viewer shows matching events as they arrive: entering the same search terms there keeps watch on the web server while the investigation continues.
**Application Development use case.** The problem here is multi-line application logs, which have to be brought into Logger as single events. In the demo, log in as admin, enter "raa" in the search field to find the Ruby Application Archive (RAA) log files, select the MultiLine AppDev fieldset, and widen the search time if needed, so that each multi-line record is displayed as one event.

**NetFlow use case.** Log in as admin, enter "netflow dpt=1433" in the search field and select the NetFlow fieldset to see only flows destined for the SQL Server port (1433). The chart settings then show the top or the rarest source addresses talking to that port; the pie chart updates dynamically as the settings change, and the result can be exported as PDF or CSV. Searching NetFlow by destination port more generally shows which ports carry the most traffic in the environment; in the demo data port 123 (NTP) is among the most popular. The next use case turns to regular expressions for extracting fields from raw events.
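The dgchung/ftp search refinement in the Security use case and the NetFlow "dpt=1433" chart above are, in Logger terms, the same pipeline: a free-text search narrowed by OR/AND keywords and field conditions, then aggregated with a `top` or `rare` operator. The Python below is an added example, not code from the demo scripts or from ArcSight; it models that pipeline over a handful of constructed CEF-style events (the host names, addresses and field values are made up) so the effect of each refinement step can be checked offline.

```python
"""Toy model of the Logger search pipeline used in the demo walkthroughs.
Constructed sample events; field names follow the CEF extension style
(sourceHostName, src, dpt, name) but the data is made up."""
import re
from collections import Counter

RAW_EVENTS = [
    "Jan 10 09:01:12 finance-fs01 ftpd: USER dgchung LOGIN sourceHostName=finance-fs01 src=10.1.4.22 dpt=21 proto=ftp name=Login",
    "Jan 10 09:02:45 finance-fs01 ftpd: USER dgchung RETR payroll_q4.xls sourceHostName=finance-fs01 src=10.1.4.22 dpt=21 proto=ftp name=FileRetrieve",
    "Jan 10 09:05:03 hr-web01 sshd: Accepted password for dchung sourceHostName=hr-web01 src=10.1.4.22 dpt=22 proto=ssh name=Login",
    "Jan 10 09:07:30 dmzfw1 netflow src=192.0.2.10 dst=10.1.5.5 dpt=1433 proto=tcp name=Flow",
    "Jan 10 09:07:31 dmzfw1 netflow src=192.0.2.10 dst=10.1.5.5 dpt=1433 proto=tcp name=Flow",
    "Jan 10 09:07:32 dmzfw1 netflow src=192.0.2.77 dst=10.1.5.5 dpt=1433 proto=tcp name=Flow",
    "Jan 10 09:07:33 dmzfw1 netflow src=10.1.9.9 dst=10.1.5.5 dpt=123 proto=udp name=Flow",
    "Jan 10 09:08:00 admin-ws sshd: Failed password for admin sourceHostName=admin-ws src=10.1.8.8 dpt=22 proto=ssh name=LoginFail",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one raw line into its key=value fields, keeping the raw text."""
    fields = {key: value for key, value in KV_RE.findall(line)}
    fields["raw"] = line
    return fields


def search(events, any_terms=(), all_terms=(), conditions=()):
    """Keyword search: (t1 OR t2 ...) AND t3 AND ... AND field conditions.

    Keywords match case-insensitively against the raw text, like a free-text
    Logger search; `conditions` are (field, substring) pairs, the equivalent
    of 'sourceHostName contains finance' added from the search helper."""
    hits = []
    for ev in events:
        raw = ev["raw"].lower()
        if any_terms and not any(t.lower() in raw for t in any_terms):
            continue
        if not all(t.lower() in raw for t in all_terms):
            continue
        if not all(sub.lower() in ev.get(field, "").lower() for field, sub in conditions):
            continue
        hits.append(ev)
    return hits


def top(events, field, n=10):
    """Equivalent of '| top <field>': most frequent values first."""
    return Counter(ev[field] for ev in events if field in ev).most_common(n)


def rare(events, field, n=10):
    """Equivalent of '| rare <field>': least frequent values first."""
    counts = Counter(ev[field] for ev in events if field in ev)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


EVENTS = [parse_event(line) for line in RAW_EVENTS]


def user_investigation():
    """Steps 1-4 of the dgchung walkthrough: widen the user term, narrow to
    ftp, restrict to finance hosts, then summarize by event name."""
    user_hits = search(EVENTS, any_terms=("dgchung", "dchung"))
    ftp_hits = search(EVENTS, any_terms=("dgchung", "dchung"), all_terms=("ftp",))
    finance_ftp = search(EVENTS, any_terms=("dgchung", "dchung"), all_terms=("ftp",),
                         conditions=(("sourceHostName", "finance"),))
    return len(user_hits), len(ftp_hits), top(finance_ftp, "name")


def sql_port_sources():
    """NetFlow walkthrough: 'netflow dpt=1433', then top and rare source address."""
    flows = search(EVENTS, all_terms=("netflow", "dpt=1433"))
    return top(flows, "src", 1), rare(flows, "src", 1)


if __name__ == "__main__":
    print(user_investigation())
    print(sql_port_sources())
```

Note that the OR step matters: the ssh login by "dchung" is only found once both spellings are searched, and the ftp keyword then removes it again, which is the narrowing the walkthrough describes. The `rare` result is the one the NetFlow scenario is really after: a single source address that talks to the SQL Server port once is more interesting than the busy one.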
**Raw Events and Regex use case.** Regular expressions pull fields out of raw events that no parser understands. The first example looks for latency problems: a regex extracts the round-trip average (RTA) from raw probe events, and the search keeps only events whose RTA is greater than 1 millisecond. Logger's Regex Helper lets the analyst give each captured group a meaningful name, so the extracted RTA value can be charted and sorted like any indexed field. Taken together, these use cases show the range of the product, from simple dynamic charting to regex-based parsing of raw logs for targeted performance troubleshooting.

The second example works through raw login events and ends with extracting and masking credit card numbers:

1. Open Analyze, Search and enter keywords such as terms for login failures, or whatever is relevant to the case.
2. Use Discover Fields to identify fields inside the raw events that match the search; they are highlighted in the results.
3. If needed, set the time window to the last hour and select the All Fields fieldset.
4. In the Events panel, click Show RAW: All to display the raw event text. If the Field Summary is hidden, click Expand Field Summary, and update it so it is synchronized with the events table.
5. Click a discovered field such as Username to see counts and percentages, and to sort on them.
6. Use the real-time chart to show the top usernames behind the login attempts or failures; the chart can be adjusted on the fly.
7. For the card-number part, enter SHA1HEX in the search field and adjust the time window as required.
8. In the Events panel, click Show RAW: All again to display the raw events.
Then use the Logger Regex Helper together with the masking feature to isolate the card numbers:

9. In the Regex Helper, double-click the generated field name Number_3, rename it to ccnum, click OK and then Go!. Logger adds a ccnum column showing the isolated card number for each event.
10. Apply Logger's masking to ccnum so that only the leading digits stay visible, as the requirement specifies; the report can then be distributed without exposing full card numbers.
11. Adjust the search terms to chart the top ccnum values, click Go!, and export the chart directly as a PDF.

**Logger API use case.** The document closes with the ArcSight Logger API, version 1.0.0.0.1, which supports the features of Logger v5.2. A demo executable, ArcSightLoggerSEDemo.exe, written in VB.NET, logs in with pre-populated IP address, port and credentials for the demo environment. The API functions used are documented and supported ones, including event search and report execution. The demo logs in, runs a simple search with default or custom terms (the results carry detailed event information but are limited for demonstration purposes), then shows the reporting calls, where a report group and a report are selected and run; the examples search for "dgchung" and run the User Investigation report for user "chung". On exit the application logs out and invalidates its session cookie.
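The two Regex Helper walkthroughs above, extracting RTA values and extracting then masking card numbers, come down to one operation: apply a regex with a capture group to each raw event, give the group a name (the Number_3 to ccnum rename), then filter, count or mask the named value. The Python below is an added example and is not part of the demo scripts or of Logger. The raw events are constructed (the card numbers are standard test numbers, not real cards), the two regexes are assumptions, and so is the "keep six leading digits" masking rule, which corresponds to the first-digits masking the text describes but with a specific count chosen here. It also goes one step beyond the page: a Luhn check drops 16-digit values that are not card numbers, which the demo does not mention but which any report built this way needs to keep false positives out.

```python
"""Regex field extraction, filtering and masking over raw events, modelled on
the Logger Regex Helper steps. Constructed sample data, not from the demo."""
import re
from collections import Counter

# Constructed raw events: latency probes carrying an RTA value, and an
# application log that leaks card numbers (test numbers, not real cards).
RAW_EVENTS = [
    "probe: host=web1.arcnet.com rta=0.412ms pl=0%",
    "probe: host=web1.arcnet.com rta=3.870ms pl=0%",
    "probe: host=db1.arcnet.com rta=1.050ms pl=2%",
    "app: order=10041 user=chung card=4111111111111111 amount=250.00",
    "app: order=10042 user=chung card=5500000000000004 amount=19.99",
    "app: order=10043 user=dchung card=4111111111111111 amount=80.00",
    "app: order=10044 user=dchung card=1234567812345678 amount=5.00",
]

RTA_RE = r"rta=([0-9.]+)ms"      # assumed probe format
CARD_RE = r"\b(\d{13,19})\b"     # assumed: PAN lengths 13-19 digits


def extract_field(line, pattern, name):
    """Apply a regex with one capture group and return {name: value} or {}.
    Naming the group is what renaming Number_3 to ccnum does in the helper."""
    match = re.search(pattern, line)
    return {name: match.group(1)} if match else {}


def slow_probes(events, threshold_ms=1.0):
    """(raw line, rta) for events whose extracted RTA exceeds the threshold,
    i.e. the 'round-trip average greater than 1 ms' search."""
    out = []
    for line in events:
        field = extract_field(line, RTA_RE, "rta")
        if field and float(field["rta"]) > threshold_ms:
            out.append((line, float(field["rta"])))
    return out


def luhn_ok(number):
    """Luhn checksum; an added sanity check, not part of the demo steps."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(number, keep=6):
    """Keep only the leading digits (the report-masking step); the count
    kept is an assumption for this example."""
    return number[:keep] + "X" * (len(number) - keep)


def top_masked_cards(events, n=3):
    """Extract ccnum, drop Luhn-invalid candidates, count the masked values:
    the 'top ccnum' chart, safe to export."""
    counts = Counter()
    for line in events:
        field = extract_field(line, CARD_RE, "ccnum")
        if field and luhn_ok(field["ccnum"]):
            counts[mask(field["ccnum"])] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for line, rta in slow_probes(RAW_EVENTS):
        print(f"{rta:.3f} ms  {line}")
    print(top_masked_cards(RAW_EVENTS))
```

Masking before counting, rather than after, is deliberate: the full PAN never reaches the aggregated result that goes into the exported chart, so the report is safe to distribute even if someone later changes the export format.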

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.

