HP ArcSight Logger Use Case Demonstration Scripts
- Pavan Raja

- Apr 8, 2025
- 13 min read
Summary:
The document provides a comprehensive guide on how to effectively utilize the HP ArcSight Logger for log analysis tasks, specifically focusing on two use cases: discovering usernames from event logs and finding and masking credit card numbers using SHA1HEX data.
### Use Case 1: Discovering Usernames

To uncover potential usernames related to "login" and "failed" events, follow these steps in HP ArcSight Logger:

1. Navigate to the **Analyze, Search** page within Logger.
2. Enter "login" or "failed" into the search bar and click Go!. Set a relevant time window if needed.
3. Select the **All Fields** field set. Display all RAW events by clicking on the Show RAW: All icon.
4. Use the Logger Regex Helper to identify any username fields in the raw events, renaming them for clarity (e.g., "Number_3" as "Username").
5. Apply a saved filter called "Discovered Username Filter" and click Go!. This adds a column named "Username" that displays all extracted usernames.
6. Click on the "Username" field to view the list of discovered usernames.
7. Use the blue Chart feature to visualize a real-time chart of top usernames related to login and failed attempts.

### Use Case 2: Finding and Masking Credit Card Numbers

To identify recent credit card transactions with SHA1HEX data, follow these steps in HP ArcSight Logger:

1. Navigate to the **Analyze, Search** page within Logger.
2. Enter "sha1hex" into the search bar and click Go!. Adjust the time window as necessary.
3. Select the **All Fields** field set. Display all RAW events by clicking on the Show RAW: All icon.
4. Use the Logger Regex Helper to extract credit card numbers from raw events, renaming fields for better clarity (e.g., changing "Number_3" to "ccnum").
5. Apply a saved filter called "Demo Credit Card Mask" and click Go!. This automatically adds a column named "ccnum", displayed for each event.
6. Logger can mask data by obscuring all but the first digits of the credit card numbers based on specific criteria, which is useful for reporting purposes while preserving the information needed for analysis.

### Additional Features and Configuration

- **Transaction Operation**: Groups events that share a common value, such as an email QueueID, into transactions for easier analysis; the same operation can be applied to business or web transactions across different systems.
- **Exporting/Importing Content**: Logger can export alerts, dashboards, filters, parsers, saved searches, and source types for sharing among team members within the organization.
- **Interactive Dashboards**: Offer insights into mail events with charts for the error, smtp, and queue manager sub-processes, as well as metrics based on transaction IDs.
This document serves as a valuable resource for users to leverage HP ArcSight Logger's capabilities in log analysis tasks efficiently while ensuring the protection of sensitive information through features such as data masking and selective content sharing among authorized personnel only.
Details:
This document is a guide for using the HP ArcSight Logger, which provides an overview of various use cases to help users analyze data effectively. The content includes detailed explanations on how to categorize information, detect device-independent login failures across different devices, perform data analysis with HTTPS traffic and web server communications, search through large datasets, enhance security measures, ensure compliance with regulations, optimize IT operations, facilitate application development, and utilize NetFlow for network monitoring. Each section is designed to help users leverage the capabilities of HP ArcSight Logger for specific business needs.
This document provides a guide for using HP ArcSight Logger, including configuring Internet Explorer and iPackager settings, and demonstrating how to use Lookup Files for static correlation and enrichment. The demonstration focuses on identifying malicious IP addresses from a Lookup File that have communicated with web servers. The steps include setting up the environment, searching for events involving malicious IPs, and enriching data with contextual information.
The provided document outlines how to utilize HP ArcSight Logger's features for enhancing security analysis with lookup operators and saved filters. It explains how to load a saved filter, apply the 'lookup' operator to compare IP addresses against a malicious address list, and subsequently export search results to create new Lookup Files. The document also demonstrates how to use these enhanced files in real-time searches and dashboards for actionable insights into security incidents like SQL injection attacks.
The provided text discusses the capabilities of HP ArcSight Logger for event correlation and data analysis within an IT security environment. Key features include:
1. **Static Correlation**: The system allows users to select filters from various events in their environment, enhancing them with contextual data through the use of lookup files. This enables better understanding and analysis of log data across different devices and systems (e.g., Windows, UNIX, Mainframe).
2. **Categorization**: HP ArcSight categorizes events uniformly and consistently, which is beneficial when dealing with multiple device types or adding new ones after a merger or acquisition. This ensures that failed login attempts are properly categorized regardless of the underlying device vendor.
3. **Reporting and Analysis**: The Logger tool supports reporting on various aspects of security incidents such as failed logins, providing detailed analytics like top counts of failed logins per device type and showing comprehensive event summaries across different devices. These reports can be easily modified to accommodate changes in time periods or device types, making them adaptable for regular audits and continuous monitoring.
4. **Data Analysis for HTTPS Traffic**: The Logger offers search functionalities that enable users to analyze traffic types and usage statistically through charts, top lists, rare events, and tails. This helps in identifying patterns and detecting anomalies within the network communications.
Overall, HP ArcSight Logger simplifies the process of event correlation across diverse devices and provides robust reporting capabilities for security analysts and operations teams, ensuring that new device integrations or changes do not hinder audit processes.
This document outlines a method for analyzing network traffic using Logger, an HP Confidential tool. The process involves searching for specific conditions such as HTTPS (using destinationPort=443) to identify suspicious activities. The analysis is facilitated through the use of indexed fields like destinationPort and various commands including top, tail, rare, and sum.
The steps include:
1. Entering a search with the condition destinationPort=443 to find all servers running HTTPS.
2. Adjusting the search time frame to last 24 hours.
3. Using super indexed fields like destinationPort to quickly retrieve thousands of matches.
4. Selecting Security as the field set and reviewing statistical analysis results in the Field Summary overview.
5. Highlighting relevant device details (product, name, sourceAddress) for further investigation.
6. Utilizing the top command to aggregate common events based on fields like source and destination address.
7. Employing the tail command to check least common event occurrences, which can help in detecting unusual activities.
8. Applying the rare command to list the least common events by count value.
9. Summarizing network traffic by summing bytesIn and bytesOut for each deviceProduct across source/destination addresses using the sum command.
10. Reviewing results on a dashboard, allowing for detailed investigation of specific event occurrences.
The process helps in understanding and monitoring network activities to detect suspicious or malicious behavior.
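The HTTPS traffic walkthrough above (search on destinationPort=443, then top, rare, tail and sum by deviceProduct) as an added example in Python; it is not Logger's own query engine, and the events, the product names and the "10x the median of the other devices" outlier heuristic are constructed here for illustration.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed firewall events (not from the page) carrying the indexed fields used in
# the walkthrough: deviceProduct, sourceAddress, destinationAddress, destinationPort,
# bytesIn and bytesOut.
EVENTS: List[Dict[str, object]] = [
    {"deviceProduct": "ASA", "sourceAddress": "10.1.1.5", "destinationAddress": "10.2.2.9",
     "destinationPort": 443, "bytesIn": 1200, "bytesOut": 5400},
    {"deviceProduct": "ASA", "sourceAddress": "10.1.1.5", "destinationAddress": "10.2.2.9",
     "destinationPort": 443, "bytesIn": 800, "bytesOut": 3100},
    {"deviceProduct": "ASA", "sourceAddress": "10.1.1.7", "destinationAddress": "10.2.2.9",
     "destinationPort": 443, "bytesIn": 400, "bytesOut": 900},
    {"deviceProduct": "PAN-OS", "sourceAddress": "10.1.1.5", "destinationAddress": "10.2.2.10",
     "destinationPort": 443, "bytesIn": 65000, "bytesOut": 210},
    {"deviceProduct": "ASA", "sourceAddress": "10.1.1.9", "destinationAddress": "10.2.2.11",
     "destinationPort": 80, "bytesIn": 100, "bytesOut": 100},
]


def search(events, **conditions):
    """Equivalent of the indexed search 'destinationPort=443': keep events matching
    every field=value condition."""
    return [e for e in events if all(e.get(f) == v for f, v in conditions.items())]


def _key(e, fields: Tuple[str, ...]) -> tuple:
    return tuple(e.get(f) for f in fields)


def top(events, *fields, limit: int = 10):
    """'| top field ...': most common value combinations, highest count first."""
    return Counter(_key(e, fields) for e in events).most_common(limit)


def rare(events, *fields, limit: int = 10):
    """'| rare field ...': least common value combinations, lowest count first."""
    counts = Counter(_key(e, fields) for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def tail(events, n: int = 10):
    """'| tail n': the last n events of the result set."""
    return events[-n:]


def sum_by(events, group_fields: Tuple[str, ...], sum_fields=("bytesIn", "bytesOut")):
    """'| sum bytesIn bytesOut by deviceProduct ...': per-group totals plus a combined total."""
    totals = defaultdict(lambda: {f: 0 for f in sum_fields})
    for e in events:
        g = totals[_key(e, group_fields)]
        for f in sum_fields:
            g[f] += int(e.get(f, 0))
    for g in totals.values():
        g["total"] = sum(g[f] for f in sum_fields)
    return dict(totals)


def flag_unusual(totals, field: str = "bytesIn", factor: float = 10.0):
    """Per-device check: flag a group whose total exceeds `factor` times the median of the
    other groups. The threshold is a constructed heuristic; as the text advises, compare
    against the same search over longer time windows before calling traffic abnormal."""
    flagged = []
    for key, g in totals.items():
        others = [o[field] for k, o in totals.items() if k != key]
        if others and g[field] > factor * statistics.median(others):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    https = search(EVENTS, destinationPort=443)
    print(top(https, "sourceAddress", "destinationAddress"))
    print(rare(https, "sourceAddress", "destinationAddress"))
    by_product = sum_by(https, ("deviceProduct",))
    print(by_product, flag_unusual(by_product))
```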
This document discusses how HP ArcSight Logger can be used to analyze network traffic for unusual activity specific to devices. By querying data from ports like 443 and summing bytesIn and bytesOut, we can determine if there's abnormal traffic on a per-device basis. The analysis can be extended over different time intervals to assess whether this behavior is normal or not.
The document also highlights the importance of event normalization and categorization in Logger, which allows for grouping and categorizing network traffic against port 443 within a short period. This helps in quickly analyzing generated network traffic. The use case discussed involves investigating users who recently left the company by examining their login activities through a custom Login Banner feature provided by Logger.
The provided text outlines a demonstration of Logger dashboards within ArcSight, a security information and event management (SIEM) tool. The user is guided through accessing their personalized dashboard, which includes panels like Security Dashboard, NetFlow Top Destination Ports, Firewall drops by Source, Network – Port Links Up and Down, and more. Users can customize the display format of these panels to suit their needs, such as switching from pie charts to columns or bars.
Additionally, the text mentions several specific dashboards tailored for compliance and network operations, each displaying different types of data relevant to user roles:
1. **Compliance Dashboard**: Focuses on compliance-related items including configuration changes, failed logins, and modifications to user privileges. It can be customized based on specific needs within an organization.
2. **Network Operations Dashboard**: Provides a network-centric view encompassing traffic distribution by destination port, firewall drops from certain sources, link transitions of devices, and Autonomous System Numbers (ASNs) of destinations.
3. **TippingPoint Dashboard**: Summarizes events from the TippingPoint IDS/IPS/Next Gen Firewall, highlighting critical and major severity attacks by signature and attack categories.
The demonstration concludes with a real-world use case where an employee suspected of leaking confidential information is investigated using ArcSight Logger's simple interface for unstructured search, allowing users to input specific terms like "dgchung" without the need for advanced query setup.
This text describes a process for conducting a security-related search using a hypothetical software tool called "Logger." The steps involve setting a time window to the last hour, performing a search based on specific criteria, customizing the view of results, and exporting or saving the findings. Here's a summary of the key points:
1. **Setting Search Parameters:**
Set the search time window to the last hour and click "Go!" to initiate the search.
If needed, update user activity immediately.
2. **Using Device Vendor Field Summary:**
Click on "deviceVendor" under the field summary section; click Update if "dgchung" by vendor is not visible. View the devices and related statistics, including event counts and the percentage of events where dgchung is present. Close the device overview.
3. **Customizing Field Views:**
Minimize or hide the automatically built field summary view for more screen real-estate.
Use a drop-down menu to choose "Fields" and select "Security" field set to tailor the displayed fields according to personal investigation needs, saving custom views for later use.
4. **Advanced Search:**
Perform an advanced search specifying sourceHostName containing "finance." Use conditions like "Contains" operator to narrow down searches based on hostname elements.
5. **Using Common Conditions Editor:**
Utilize the Common Conditions Editor within Logger, choosing options like Color Block View for visual query construction and execution. The resulting view shows all dgchung events on finance servers related to Oracle, Microsoft, and Vontu vendors.
6. **Adding Search Conditions:**
Add terms "ftp" or modify the search criteria using pipe commands to refine results (e.g., adding "| top name"). Note that no hits are expected in this simulation exercise.
Modify search strings to include specific usernames and conduct further searches based on updated conditions.
7. **Utilizing Logger Features:**
Utilize the built-in graphical charting for a quick summary of activities related to the person being investigated, such as user creation, role granting, audit log clearing, and sending suspicious articles.
Adjust chart settings like result charts or change the format of displayed results using pie, column, bar, area, line, stacked column, or stacked bar chart types.
Export search results for reporting purposes with various formats including saving locally, Logger, PDF, CSV, etc.
8. **Generating Reports:**
Access reports from the main Logger menu to generate and present findings to management through a SANS-like dashboard display.
This process demonstrates typical steps in conducting forensic investigations using security information and event management (SIEM) tools, where initial searches are broad and refined based on unexpected discoveries during the search phase.
This document outlines the features and capabilities of HP ArcSight Logger, including its ability to create customizable reports and dashboards for user investigation, regulatory compliance, and more. Key points include:
1. **Customization**: The Logger allows users to group reports in a Favorites Explorer, making it easier to navigate and manage them. Demonstration reports can be organized into groups for ease of use.
2. **User Investigation**: Users can modify any report within the Logger, including generating specific reports on events involving certain usernames (e.g., replacing "admin" with "chung"). The system supports exporting these reports in various formats such as Adobe PDF, MS Word, and MS Excel.
3. **Compliance Use Case**: Specifically addressing regulatory compliance, this feature includes a customizable Login Banner where users can accept company policies. The Logger provides drill-down capabilities to explore detailed report elements, useful for auditing purposes.
4. **Reporting and Scheduling**: Reports can be run ad hoc or scheduled for automatic delivery via email. This flexibility supports ongoing monitoring of compliance requirements.
5. **Role-Based Access Control**: Users only see relevant data based on their roles, ensuring privacy and security in the reporting process.
The document also mentions that ArcSight offers Compliance Insight Packages tailored for specific regulatory standards like PCI (Payment Card Industry), which includes detailed reports and drill-down capabilities to support compliance efforts.
The provided text discusses a system for managing PCI compliance, specifically related to providing reports that assist customers in meeting their PCI CIP requirements. The system includes preconfigured alerts within Logger, which can be used by users to monitor and respond to issues as they occur. It also covers the configuration of storage rules and user permissions, emphasizing the importance of role-based access control for compliance use cases. Additionally, it highlights how this tool helps in IT operations scenarios such as investigating a web server outage.
The document outlines a process for an analyst using HP ArcSight Logger to detect unusual activity on a web server originating from North Korea. The steps include modifying the configuration to search for events related to modifications made by the user mike, adding terms like "web1.arcnet.com" or "dmzfw1" to narrow down the scope of the search. Once significant events are identified, reports can be customized and automated according to specific needs, making it easier to understand complex data across different devices and teams. The analyst continues monitoring in real-time through the Live Event Viewer while reaching out to Mike and his supervisor for further context on the modifications being made during business hours.
The text describes how to use ArcSight Logger for different purposes, such as watching live events and analyzing application development logs or network flow events. It explains steps like logging into a system, entering specific keywords in a search bar, selecting appropriate fields, and exporting results for reporting. These actions help users monitor real-time data, troubleshoot issues, and understand network traffic patterns.
The provided text discusses various functionalities and features within HP ArcSight Logger, focusing on dynamic charting, exporting results, and utilizing raw events for analysis.
1. **Dynamic Charting**: The article explains how a simple word replacement in the search query can drastically change the focus of a search or investigation. It also describes how to access and configure pie charts within Logger Pro, including adjusting settings like chart type (pie) and viewing percentages and counts associated with each slice when hovering over them.
2. **Exporting Results**: The text outlines various options for exporting results from Logger, such as saving locally, to the Logger itself, or in formats like PDF or CSV. It mentions that these exports can include different chart types based on user settings, providing flexibility in reporting.
3. **Utilizing Raw Events**: This section is focused on using raw network logs to identify performance issues. The article suggests searching for specific metrics such as round-trip averages (RTA) greater than 1 ms. It introduces the use of Logger Regex helper to extract and analyze fields from raw events, providing a method to give meaningful names to parsed variables and conduct further analysis.
The text provides practical steps and tips on how to effectively utilize these features within HP ArcSight Logger, emphasizing its flexibility in data handling and analysis for network performance monitoring and troubleshooting.
The provided text outlines two use cases for HP ArcSight Logger, focusing on searching and analyzing raw events to find specific information such as failed logins and masked credit card numbers.
**Use Case 1: Finding Failed Logins from RAW Events**
**Action Talking Points**: To search for failed login attempts in raw events using the new Discover Fields capability in HP ArcSight Logger, follow these steps:
1. Navigate to the Analyze, Search page within Logger.
2. Enter keywords like "not cef login failed attempt" and click Go!.
3. Use the Discover Fields function to identify fields related to failed logins from RAW events.
4. In the Events panel, show all RAW events by clicking on the Show RAW: All icon.
5. Unhide the Field Summary if hidden and ensure it is updated.
6. Click on the discovered Username field, which will display usernames extracted from the RAW events.
7. Use the blue Chart feature to view a real-time chart of top usernames related to "login" and "failed".
**Use Case 2: Finding and Masking Credit Card Numbers**
**Action Talking Points**: To find recent credit card transactions containing SHA1HEX data, follow these steps in HP ArcSight Logger:
1. Navigate to the Analyze, Search page within Logger.
2. Enter "sha1hex" and click Go!. Set the search time window if necessary.
3. Select the All Fields field set. Display all RAW events by clicking on the Show RAW: All icon.
4. Use the Logger Regex Helper to isolate credit card numbers from raw events, including renaming fields for better clarity (e.g., changing "Number_3" to "ccnum").
5. Apply a saved filter called Demo Credit Card Mask to load and close it, then click Go!.
6. The Logger will automatically add a column named "ccnum", displaying it for each event. This helps in identifying the type of credit card based on its first digit: 3 (Travel & Entertainment), 4 (Visa/Visa-branded), 5 (MasterCard/MasterCard-branded), or 6 (Discover).
7. Logger can mask data as needed, with options to obscure all but the first digits of the credit card numbers for reporting purposes.
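The credit card extraction, first-digit classification and masking described in Use Case 2 (both in the Summary and here), as an added Python example that is not part of the original demo scripts or of Logger. The raw events and sha1hex values are constructed, the card numbers are the well-known public test numbers, and the Luhn check goes beyond the page: it is added so a 16-digit value that is not a card (like the heartbeat id below) is not reported as one.

```python
import re
from typing import Dict, List

# Constructed raw events (not from the page). Card values are public test numbers;
# the sha1hex values are made-up 40-character hex strings.
RAW_EVENTS = [
    "2025-04-08T10:01:02 pos01 txn sha1hex=ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12 card=4111111111111111 amount=19.99",
    "2025-04-08T10:01:05 pos02 txn sha1hex=cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34 card=5500000000000004 amount=5.00",
    "2025-04-08T10:01:09 pos01 txn sha1hex=ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56 card=378282246310005 amount=120.00",
    "2025-04-08T10:01:11 pos03 txn sha1hex=12ab34cd56ef12ab34cd56ef12ab34cd56ef12ab card=6011111111111117 amount=42.10",
    "2025-04-08T10:01:15 pos03 heartbeat id=1234567890123456 status=ok",
]

# What the Regex Helper would auto-name "Number_3": a run of 13 to 19 digits not
# embedded in a longer digit run. Hex hashes never contain 13 consecutive digits.
CARD_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# First-digit classification exactly as the walkthrough states it.
CARD_TYPES = {"3": "Travel & Entertainment", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_ok(num: str) -> bool:
    """Luhn checksum (added here, not in the page): doubles every second digit from the
    right and requires the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(num)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(num: str, keep: int = 4) -> str:
    """Obscure all but the first `keep` digits, as the Demo Credit Card Mask filter does."""
    return num[:keep] + "*" * (len(num) - keep)


def find_cards(raw: str, keep: int = 4) -> List[Dict[str, object]]:
    """Extract every candidate ccnum from one raw event with its type, validity and mask."""
    found = []
    for m in CARD_RE.finditer(raw):
        num = m.group(1)
        found.append({
            "ccnum": num,
            "card_type": CARD_TYPES.get(num[0], "unknown"),
            "luhn_ok": luhn_ok(num),
            "masked": mask_card(num, keep),
        })
    return found


def masked_report(events: List[str], keep: int = 4) -> List[Dict[str, object]]:
    """Report rows for authorized readers: one per Luhn-valid card, masked number only."""
    rows = []
    for i, raw in enumerate(events):
        for c in find_cards(raw, keep):
            if c["luhn_ok"]:
                rows.append({"event": i, "card_type": c["card_type"], "ccnum": c["masked"]})
    return rows


if __name__ == "__main__":
    for row in masked_report(RAW_EVENTS):
        print(row)
```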
The document discusses using HP ArcSight Logger software to analyze log data from various machines. It explains how to create reports by masking sensitive information while still providing valuable insights for authorized personnel. The article focuses on a specific demo scenario involving events from POSTFIX, an open-source mail transfer agent (MTA), and emphasizes the importance of the QueueID field in these logs.
The demonstration shows how Logger can be used without SmartConnectors to read log files directly through File Receivers, parse events using On-Board Parsers, and group them into higher-level transactions for easier analysis. The demo involves POSTFIX log data which includes a critical field called QueueID. This scenario also demonstrates the process of enabling and disabling Mail Logs File Receivers on the Logger software to ensure that only relevant information is presented in the report without revealing sensitive details.
The document provides step-by-step instructions for setting up and configuring the Logger, including how to enable a receiver to read log files into the system and select appropriate parsers tailored to the specific event source type. It also covers operations such as renaming or deleting files once they are processed. The report generated can be further customized by changing field sets and examining raw data through the summary page.
The key feature discussed is Logger's transaction operation, which helps in grouping events with common values like email QueueID into transactions for easier analysis. This function can also be applied to define various types of business or web transactions across different systems. The document concludes by encouraging users to utilize online help resources for more detailed information about the transaction operation and how it facilitates better data organization and interpretation within Logger software.
The document provides an overview of the functionality within the HP ArcSight Logger tool, specifically focusing on its capabilities for exporting and importing system content such as alerts, dashboards, filters, parsers, saved searches, and source types. It also highlights the ability to export reports, queries, and templates across different sections like reporting. This feature is designed to facilitate the development and sharing of content among multiple users within an organization.
The document further explains how to access specific functionalities through a series of clicks:
1. Go to Configuration, Settings, Content. Here, you can find options to export or import various system components mentioned above.
2. Navigate to Dashboards where there's a section discussing the analysis of POSTFIX Mail events with three charts provided for different subprocesses (error, smtp, and queue manager) and metrics like Mail Counts and Mail Transaction Lengths based on transaction IDs.
3. To delve deeper into specific details about these transactions, click on any chart to drill down into event details which supports further investigation by the user without requiring domain expertise in POSTFIX logs.
4. The section "Analyze/Search" discusses using the TRANSACTION operator focusing on the QueueID field to create new columns such as eventcount and transactionid. This feature allows for a more detailed analysis of specific transactions related to mail queue operations.
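The TRANSACTION operation on the QueueID field (described in the transaction-operation paragraph above and in this Analyze/Search section), together with the per-subprocess counts the POSTFIX dashboard charts, as an added Python example; it is not Logger's parser or operator, and the syslog lines, host name and queue IDs are constructed. The syslog timestamps carry no year, so strptime's default year is assumed when computing transaction lengths.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed POSTFIX syslog lines (not from the page): two messages with distinct
# QueueIDs, plus a final warning line that carries no QueueID and so belongs to
# no transaction.
MAIL_LOG = """\
Apr  8 10:00:01 mail1 postfix/smtpd[1234]: 3A1B2C3D4E: client=relay.example.net[192.0.2.7]
Apr  8 10:00:01 mail1 postfix/cleanup[1240]: 3A1B2C3D4E: message-id=<a1@example.net>
Apr  8 10:00:02 mail1 postfix/qmgr[1100]: 3A1B2C3D4E: from=<alice@example.net>, size=1024, nrcpt=1 (queue active)
Apr  8 10:00:03 mail1 postfix/smtpd[1234]: 9F8E7D6C5B: client=unknown[198.51.100.9]
Apr  8 10:00:04 mail1 postfix/error[1300]: 9F8E7D6C5B: to=<nobody@example.org>, status=bounced (user unknown)
Apr  8 10:00:05 mail1 postfix/smtp[1250]: 3A1B2C3D4E: to=<bob@example.org>, relay=mx.example.org[203.0.113.25]:25, status=sent (250 OK)
Apr  8 10:00:05 mail1 postfix/qmgr[1100]: 3A1B2C3D4E: removed
Apr  8 10:00:07 mail1 postfix/smtpd[1234]: warning: hostname for 198.51.100.9 does not resolve
"""

# On-board-parser stand-in: timestamp, host, postfix sub-process, optional QueueID, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?:(?P<queueid>[0-9A-F]{10,}): )?(?P<msg>.*)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
    st = re.search(r"status=(\w+)", m.group("msg"))
    ev["status"] = st.group(1) if st else None
    return ev


def transaction(events: List[Dict[str, object]], field: str = "queueid") -> List[Dict[str, object]]:
    """'| transaction queueid': group events sharing the field and emit transactionid,
    eventcount, the sub-processes involved, the span in seconds and the last status."""
    groups: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in events:
        if ev.get(field):
            groups[ev[field]].append(ev)
    out = []
    for tid, evs in groups.items():
        times = [e["ts"] for e in evs]
        out.append({
            "transactionid": tid,
            "eventcount": len(evs),
            "subprocesses": sorted({e["proc"] for e in evs}),
            "length_seconds": (max(times) - min(times)).total_seconds(),
            "status": next((e["status"] for e in reversed(evs) if e["status"]), None),
        })
    return out


def count_by_subprocess(events: List[Dict[str, object]]) -> Counter:
    """Data behind the dashboard charts: event counts per postfix sub-process."""
    return Counter(e["proc"] for e in events)


def parse_log(text: str) -> List[Dict[str, object]]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


if __name__ == "__main__":
    evs = parse_log(MAIL_LOG)
    print(count_by_subprocess(evs))
    for t in transaction(evs):
        print(t)
```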
In summary, HP ArcSight Logger enhances user flexibility with built-in parsing capabilities, saved searches, and interactive dashboards that can be easily shared among team members, making it an efficient tool in managing and analyzing complex system data across different departments within the organization.