Investigate 2.00 Demo Script - OLD 1
- Pavan Raja

- Apr 8, 2025
Summary:
The document is a demonstration script for ArcSight Investigate 2.0 (a Micro Focus product at the time), built around its search interface. The key points of the script:
1. **Overview**: The script introduces the basic functions of ArcSight Investigate 2.0 and its design goal of making event searches fast and intuitive.
2. **Intuitive Search**: The search bar suggests field names and operators as the analyst types, so multi-field queries can be built without memorizing the event schema.
3. **Predictive Analytics**: Prebuilt analytics templates turn security event data into visualizations that make outliers visible and point to follow-up actions.
4. **Drive-by Download Infection**: The script walks through a case study of an infection most likely acquired through a "drive-by" download:
   - Identify the source address and vendor details associated with the file in question.
   - Review the device action field for malware indicators, such as blocked or failed attempts to execute a file or suspicious network activity around it.
   - Search across several fields at once to find related suspicious behaviour.
   - Use the predictive analytics templates to visualize the result, which points to the delivery method and to other systems that may be affected.
5. **Confirmation**: Reviewing the URLs and host names the workstation contacted during the infection window confirms the drive-by path: the malicious file was served by a suspicious domain accessed during the infection.
6. **New Features in ArcSight Investigate 2.0**: Version 2.0 adds:
   - Fast search across large datasets for quicker investigations.
   - Enhanced visualization and predictive analytics.
   - Fixes for common issues from earlier versions and better user support.
7. **Support and Feedback**: Contact information is given for assistance or for suggesting improvements.
The script is a step-by-step guide for anyone who wants to use ArcSight Investigate 2.0 to detect and investigate threats such as drive-by download attacks.
Details:
The details below follow the demo script section by section. The first part covers the search bar, which suggests field names from whatever is typed, making searches quicker and less dependent on exact syntax:
1. **Field suggestions**: Partial terms expand into matching field names such as device custom strings, user names, domain names and IP addresses, with the candidate list updating as the analyst types.
2. **Type-aware suggestions**: The suggestions depend on the kind of input: letters bring up entity fields (names, hosts, users), while digits and special characters bring up numeric and address fields.
3. **Search modifications**: A suggested field can be combined with operators such as 'contains', 'starts with' and 'ends with' to narrow the query.
4. **Saved searches**: Previously saved searches can be referenced inside a new query, so a vetted filter is reused rather than retyped.
This part of the script shows how Investigate simplifies complex searches through an adaptive interface, improving both the speed and the precision of an investigation.
The second part works through the events of one workstation, IP address 10.0.111.24, to understand its network activity and compare it with the rest of the fleet:
1. **Setup & Background**: A notification from ESM alerts the analyst to executable-file activity on the workstation at 10.0.111.24, which is protected by McAfee AV.
2. **Search for Events**: The analyst runs the saved search "#Workstation subnet events" to gather recent events for the workstation subnet; typing '#' opens the saved-search dropdown from which it is selected.
3. **Timeframe Selection**: The time range is set to "Year to Date".
4. **Filter Application**: Right-clicking the source address 10.0.111.24 in an event and choosing "Use as a filter" restricts every result to that host.
5. **Visualization of Data**: Bytes Out by Source Address and Bytes Out by Destination Address charts are added to the view; a range selector zooms the time axis in and out.
6. **Baseline Comparison**: The prebuilt security analytics in Investigate 2.0, such as Source Activity and Bytes Out statistics, compare the workstation's traffic against other devices in the fleet.
7. **Conclusion**: The analyst moves from a broad subnet search to one host's traffic in a few clicks, without exact syntax or case-sensitive search terms.
Overall, this part shows how saved searches and filters narrow a broad search to one device, and how the visualizations and baseline comparison surface anomalies quickly.
The third part reads the visualizations and filters to characterize the traffic:
1. **Zooming In and Out**: The pie chart of bytes out by source address supports click-to-zoom on a range, with a reset control to return to the full view.
2. **Identifying Anomalies**: Almost all bytes out come from a single host, 10.0.111.24; the other workstations contribute only a sliver, a clear deviation from the fleet's normal behaviour.
3. **Analyzing Destination Traffic**: Most of that data goes to two external addresses. The analyst checks the application protocol and whether the destinations are known to be malicious.
4. **Custom Visualization**: A new chart of bytes out by destination port shows FTP (port 21) carrying most of the outbound volume. Destination port indicates where the bytes went, not which protocol carried them, so the application protocol field from the previous step should agree before treating it as FTP; either way, a plain-text file transfer to external hosts is a classic exfiltration channel and worth flagging.
5. **Comparing Performance**: A custom chart compares bytes out for 10.0.111.24 with the average workstation; the gap is large, marking the host as anomalous and indicating data leaving the organization.
6. **Investigating User Activity**: Pivoting from source address 10.0.111.24 to the user fields shows that a single user account was active during the observed traffic.
7. **Summary and Conclusion**: The investigation ties an anomalous workstation with unusual outbound volume to a particular user, showing how Investigate relates network addresses to users.
This is the visual side of triage: use charts to spot the outlier, trace it to specific entities (device, destination, user) and characterize what moved between them.
The fourth part pulls the findings on 10.0.111.24 together into a root cause analysis: collect the events, focus on the outbound ones, enrich the destinations, widen the time range and check the file scan results.
Here's a summarized breakdown of the key steps:
1. **Data Collection**: Retrieve all events for 10.0.111.24 over the last week of October 2017, querying by source address and by host name so that nothing is missed.
2. **Focus on Relevant Events**: Narrow to outbound traffic whose destinations are external hosts and mark these for further analysis.
3. **Comparison with Look-up Lists**: Match the destination addresses (which represent TOR exit nodes) against the lookup lists and check whether any IPS or threat intelligence feed fired on them. Silence from those controls does not make the traffic benign; it only means nothing signature-based caught it, so the host still warrants deeper investigation.
4. **Root Cause Analysis**: Widen the search to all of October 2017, reusing the saved search created earlier, to see when the behaviour began and whether it recurs.
5. **File Scan Analysis**: Review file-related events on the workstation, particularly executables that failed scans, to identify suspicious files or known malware samples.
Throughout, the script highlights Investigate's field and operator suggestions, predictive search and visualizations as the features that keep large result sets manageable. It closes by stressing that findings should flow back into the wider SIEM so the intelligence gained drives proactive detection.
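As an added worked example (not part of the demo script and not ArcSight's own code), the Python below runs the same steps from the visualization and root-cause sections over a handful of constructed CEF-style events: restrict to a time window, total bytes out per source, compare each host against the mean of the rest of the fleet, break the suspect host's traffic down by destination port, application and user, and match its destinations against a lookup list standing in for the TOR exit-node list. The event lines, addresses, user names and the lookup list are all made up for this file; the extension keys follow CEF (src, dst, dpt, out, suser, app, rt), but the timestamp is written as ISO 8601 rather than CEF's epoch-millisecond form to keep the parser short.

```python
"""Constructed walk-through of the 10.0.111.24 investigation in code.

Added example, not from the ArcSight demo script. Event lines, addresses,
user names and the lookup list are constructed for this file. Extension keys
follow CEF, but `rt` is ISO 8601 instead of CEF's epoch milliseconds.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from statistics import mean

# Five workstations in 10.0.111.0/24. Four send a little HTTPS/SMB; .24 pushes
# large FTP uploads to two external addresses under a single user name.
SAMPLE_EVENTS = [
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-02T10:00:00Z src=10.0.111.24 dst=93.184.216.34 dpt=443 out=2400 suser=mallory app=HTTPS",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-25T09:00:00Z src=10.0.111.11 dst=93.184.216.34 dpt=443 out=5210 suser=alice app=HTTPS",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-25T09:05:00Z src=10.0.111.12 dst=93.184.216.34 dpt=443 out=4880 suser=bob app=HTTPS",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-25T09:10:00Z src=10.0.111.13 dst=93.184.216.34 dpt=443 out=6130 suser=carol app=HTTPS",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-25T09:15:00Z src=10.0.111.14 dst=10.0.1.5 dpt=445 out=7300 suser=dave app=SMB",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-25T22:10:00Z src=10.0.111.24 dst=198.51.100.7 dpt=21 out=480000 suser=mallory app=FTP",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-26T01:30:00Z src=10.0.111.24 dst=203.0.113.9 dpt=21 out=365000 suser=mallory app=FTP",
    "CEF:0|Demo|FW|1.0|100|Allow|3|rt=2017-10-26T08:00:00Z src=10.0.111.24 dst=93.184.216.34 dpt=443 out=3900 suser=mallory app=HTTPS",
]
# Stand-in for the "TOR exit nodes" lookup list (constructed; TEST-NET addresses).
TOR_LOOKUP = {"198.51.100.7", "203.0.113.9", "192.0.2.77"}
# "Last week of October" window from the script's data-collection step.
WINDOW_START = datetime(2017, 10, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 11, 1, tzinfo=timezone.utc)

HEADER_FIELDS = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
# key=value pairs; a value runs until the next " key=" or end of line.
# Values containing an unescaped '=' are not handled, which this sample avoids.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into header fields plus typed extension fields."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(CEF_EXT_RE.findall(parts[7]))
    event["out"] = int(event.get("out", 0))
    event["rt"] = datetime.fromisoformat(event["rt"].replace("Z", "+00:00"))
    return event


def in_window(events, start, end):
    """Timeframe selection: keep events with start <= rt < end."""
    return [e for e in events if start <= e["rt"] < end]


def for_source(events, src):
    """'Use as a filter' on the source address."""
    return [e for e in events if e["src"] == src]


def bytes_out_by(events, field):
    """Bytes Out by <field>: the aggregation behind the pie charts."""
    totals = Counter()
    for e in events:
        totals[e[field]] += e["out"]
    return totals


def outlier_sources(events, factor=5.0):
    """Baseline comparison: hosts whose bytes out exceed `factor` times the
    mean of every other host. Returns (host, total, fleet_mean) tuples."""
    totals = bytes_out_by(events, "src")
    flagged = []
    for host, total in totals.items():
        others = [v for h, v in totals.items() if h != host]
        if others and total > factor * mean(others):
            flagged.append((host, total, mean(others)))
    return flagged


def users_for_source(events, src):
    """Pivot from source address to the user names seen on it."""
    return Counter(e["suser"] for e in for_source(events, src))


def destinations_in_lookup(events, src, lookup):
    """Lookup-list comparison: the host's destinations that appear in `lookup`."""
    return sorted({e["dst"] for e in for_source(events, src)} & lookup)


if __name__ == "__main__":
    week = in_window([parse_cef(l) for l in SAMPLE_EVENTS], WINDOW_START, WINDOW_END)
    for host, total, base in outlier_sources(week):
        mine = for_source(week, host)
        print(f"{host}: {total} bytes out vs fleet mean {base:.0f}")
        # Port says where the bytes went, not which protocol carried them;
        # print the app field beside it so the two can be cross-checked.
        print("  by port:", bytes_out_by(mine, "dpt").most_common(3))
        print("  by app: ", bytes_out_by(mine, "app").most_common(3))
        print("  users:  ", dict(users_for_source(week, host)))
        print("  in TOR lookup:", destinations_in_lookup(week, host, TOR_LOOKUP))
```

The baseline is deliberately the mean of the other hosts rather than of all hosts, so that the outlier does not drag its own baseline up; with only a few workstations in the sample that matters, and on a real fleet a median or a per-host history would be a sturdier baseline than a single mean. Widening the window to the full month (dropping the `in_window` call) picks up the earlier 10.0.111.24 event, which is the root-cause step of checking when the behaviour started.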