Investigate 2.00 Demo Script v5 - 2018.03.03
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
This ArcSight Investigate demonstration script outlines how to use the Intuitive Search feature for quick and efficient searches across network events. It covers dynamic field-name suggestions based on user input (e.g., suggestions shifting from username or hostname fields to IP address fields as more characters are typed), advanced searching capabilities, and ease of use through intelligent field recognition. The script then walks through analyzing a specific workstation's network traffic against other hosts in the same subnet, highlighting potential anomalies such as unusual traffic volumes, protocols, or destination addresses. This involves setting up custom searches, applying filters, and generating visualizations such as charts to compare hosts, which aids in detecting abnormal behavior or security incidents. The script concludes with a summary of the product's key features and the script's own revision history from version 1.0 to 5.0, including usability and branding updates.
Details:
ArcSight Investigate 2.0 Demonstration Script V5 (03/03/2018) is a guide to using the Intuitive Search feature of ArcSight Investigate for quick and efficient data searches. The demonstration covers several scenarios showing how the system adapts its search suggestions to user input, highlighting dynamic field-name suggestions (e.g., shifting from username or hostname fields to IP address fields) and the ability to save searches for later reference. Key aspects include:
1. **Intuitive Search**: The script introduces how the system becomes more responsive with each keystroke by suggesting relevant fields based on partial input, handling both letters and numbers appropriately (e.g., transforming from potential usernames/hostnames to port numbers or IP addresses).
2. **Advanced Searching Capabilities**: Users can start a new search, save results, and reference previous searches within the system, which supports complex queries without requiring knowledge of regular expressions or logical operators like ANDs and ORs.
3. **User Experience**: The demonstration emphasizes ease-of-use and efficiency in data exploration through intelligent field recognition and dynamic suggestions tailored to user input, making it an attractive feature for advanced investigations.
This document provides a detailed guide on how to perform an analysis of network events related to a specific workstation using ArcSight Investigate, part of the enterprise security information and event management (SIEM) solution from IBM. The goal is to compare the behavior of the targeted workstation with other devices in the same subnet or fleet, highlighting potential anomalies such as unusual traffic patterns, protocols used, or destination addresses.
The process begins by setting up a search for events related to the specific workstation IP address 10.0.111.24 using a saved search titled "Workstation Subnet Events." This pre-built search is then customized to focus on data from all time, ensuring comprehensive review of historical activity.
Next, additional filters are applied to narrow down the events based on criteria such as application protocol and destination host names. The analysis includes visualizations like charts showing bytes out by source and destination addresses, which help in understanding traffic patterns more clearly. These visual tools allow for easy comparison with other devices in the network, providing a baseline that can be used to detect abnormal behavior or potential security incidents.
In conclusion, ArcSight Investigate's intuitive interface and user-friendly features facilitate quick navigation through large volumes of data, making it an efficient tool for analysts tasked with monitoring and investigating IT infrastructure activities for signs of compromise or unusual activity. The ability to create custom searches, apply relevant filters, and generate visual representations of the collected data is a key strength of this software, enhancing its usefulness in cybersecurity operations.
The script then outlines a method for analyzing network traffic in ArcSight Investigate using the zoom and hover features to focus on specific data points, such as anomalies in traffic volume by source address. The analyst can click to zoom in on a particular host's details or reset the view to check overall trends.
The analysis involves examining a main pie chart for bytes out by source address, which reveals that most traffic originates from a single host (10.0.111.24), with other workstations contributing minimally. This observation is flagged as potentially anomalous and noted for further investigation. The text suggests creating new visualizations to drill down into the data more deeply, such as exploring bytes out by destination address and port, which may indicate application-level activities like FTP traffic leaving the organization.
The process continues with a deeper examination of traffic from this host (10.0.111.24) in isolation versus an average across all other hosts, highlighting significant discrepancies that could be indicative of unusual activity or potential security issues. The text then guides how to use ArcSight Investigate to map network addresses to users, which can help identify the responsible user(s) for the observed traffic patterns.
This method is designed to show how visualizations and data exploration tools in ArcSight Investigate can quickly narrow down complex data sets and reveal potential security issues or areas of interest that might otherwise be missed with manual analysis. The final result should demonstrate anomalies on a specific workstation (10.0.111.24) related to traffic leaving the network, pointing towards an investigation into possible user activity or malware infections affecting this host.
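The baseline comparison described above (bytes out by source address, one host against the average of its subnet peers, then a drill-down by destination and port) can be reproduced outside the product on exported events. The following is an added example, not part of the demo script; the event records, addresses other than 10.0.111.24, and the 10x outlier threshold are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow events (not taken from the demo script): source
# address, destination address, destination port and bytes out per event.
EVENTS = [
    {"src": "10.0.111.24", "dst": "198.51.100.7", "dport": 21, "bytes_out": 420_000_000},
    {"src": "10.0.111.24", "dst": "198.51.100.7", "dport": 21, "bytes_out": 380_000_000},
    {"src": "10.0.111.24", "dst": "203.0.113.9", "dport": 443, "bytes_out": 150_000_000},
    {"src": "10.0.111.24", "dst": "10.0.1.5", "dport": 445, "bytes_out": 2_000_000},
    {"src": "10.0.111.10", "dst": "10.0.1.5", "dport": 445, "bytes_out": 3_000_000},
    {"src": "10.0.111.10", "dst": "203.0.113.9", "dport": 443, "bytes_out": 1_500_000},
    {"src": "10.0.111.11", "dst": "10.0.1.5", "dport": 445, "bytes_out": 2_500_000},
    {"src": "10.0.111.11", "dst": "203.0.113.9", "dport": 443, "bytes_out": 1_000_000},
    {"src": "10.0.111.12", "dst": "10.0.1.5", "dport": 445, "bytes_out": 4_000_000},
]

def bytes_out_by(events, *fields):
    """Sum bytes_out grouped by one or more fields (the 'bytes out by ...' chart)."""
    totals = defaultdict(int)
    for e in events:
        key = e[fields[0]] if len(fields) == 1 else tuple(e[f] for f in fields)
        totals[key] += e["bytes_out"]
    return dict(totals)

def compare_to_peers(events, host):
    """Bytes out of `host` against the mean of all other sources: (total, peer_mean, ratio)."""
    per_src = bytes_out_by(events, "src")
    host_total = per_src.get(host, 0)
    peers = [v for s, v in per_src.items() if s != host]
    peer_mean = mean(peers) if peers else 0
    ratio = host_total / peer_mean if peer_mean else float("inf")
    return host_total, peer_mean, ratio

def flag_outliers(events, threshold=10.0):
    """Sources sending at least `threshold` times the mean bytes out of their peers."""
    return sorted(s for s in bytes_out_by(events, "src")
                  if compare_to_peers(events, s)[2] >= threshold)

def top_destinations(events, host, n=2):
    """Drill-down: top-n (destination, port) pairs by bytes out for one source host."""
    subset = [e for e in events if e["src"] == host]
    ranked = sorted(bytes_out_by(subset, "dst", "dport").items(),
                    key=lambda kv: kv[1], reverse=True)
    return ranked[:n]

if __name__ == "__main__":
    total, peer_mean, ratio = compare_to_peers(EVENTS, "10.0.111.24")
    print(f"10.0.111.24 sent {total} bytes; peers average {peer_mean:.0f} ({ratio:.0f}x)")
    print("outliers:", flag_outliers(EVENTS), "top:", top_destinations(EVENTS, "10.0.111.24"))
```

On this sample the workstation sends roughly 238 times the peer average, and the drill-down shows most of it going to one external address on port 21, which is the FTP-style pattern the script flags for follow-up.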
This document outlines a method for analyzing network traffic data using ArcSight Investigate, focusing on host behavior around the IP address 10.0.111.24 during October 2017. The process involves setting up and executing custom searches to identify specific events related to this host, as well as exploring destination hosts involved in significant outbound traffic.
The first step is to perform a search for all events where the source address matches 10.0.111.24. This can be done using different query formats, and should return around five to six events. The focus then shifts to analyzing the destinations of this traffic, specifically noting two external hosts as significant recipients of data volume (bytes out).
Next, a search is conducted for all events from the last week of October related to 10.0.111.24. This saved search should be named "Workstation 24 Events." The destination hostname field is reviewed, and comparisons are made against look-up lists to identify potential network devices or addresses involved in communication.
Root cause analysis involves revisiting the initial saved search from October 2017 for any anomalies during this month. This includes a deeper dive into events around mid-October where an unusual cluster of activities is observed. The investigation narrows down to McAfee device events within the same date range, indicating possible malicious activity related to a failed file scan on the workstation.
The document concludes with highlighting ArcSight Investigate's ability to quickly focus on significant events and extend investigations over time, providing valuable insights for future intelligence and automation in the SIEM system.
This document outlines a procedure for investigating an incident involving an infected host using ArcSight Investigate. Key steps include:
1. Searching for files containing the term "file" and adding the "File Name" field to a new field set.
2. Identifying executable files that could be associated with the infection, likely sourced from a temporary folder on the user's system.
3. Investigating the device vendor as Blue Coat and considering possible sources such as mail or proxy logs.
4. Reviewing web habits around the same time period to understand how the host might have been infected.
5. Checking for denied events and analyzing destination host names, particularly focusing on "fundacjaedukacjiszkolnej.org.pl," which appears unusual.
6. Examining the Request URL field within this context, noting a questionable .php page pointing to possibly malicious content.
7. Confirming via IP that the infection is indeed due to a drive-by attack and involves malware.
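Steps 4 to 6 above (review web habits, isolate denied events, find the odd destination host name, inspect its request URL) amount to a rarity check over proxy logs. The following is an added example, not from the demo script: it parses constructed log lines in a simplified Blue Coat-like layout (the real product's format differs), treats destinations seen from only one source as rare, and lists that host's requests to such destinations whose URL ends in a script or executable.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in a simplified Blue Coat-like layout (not from the
# demo script): timestamp, source address, action, destination host name, request URL.
PROXY_LOGS = """\
2017-10-16T09:12:03Z 10.0.111.24 OBSERVED www.example-news.test /index.html
2017-10-16T09:12:41Z 10.0.111.10 OBSERVED www.example-news.test /sports.html
2017-10-16T09:13:07Z 10.0.111.24 OBSERVED cdn.example-news.test /img/banner.png
2017-10-16T09:13:09Z 10.0.111.24 OBSERVED unusual-host.example.test /gate.php?id=7f3a
2017-10-16T09:13:10Z 10.0.111.24 DENIED unusual-host.example.test /drop/update.exe
2017-10-16T09:14:22Z 10.0.111.11 OBSERVED www.example-news.test /index.html
2017-10-16T09:15:00Z 10.0.111.12 DENIED ads.example-tracker.test /pixel.gif
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(logs):
    """Parse log lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(("ts", "src", "action", "host", "url"), m.groups())))
    return events

def denied_events(events, host):
    """Requests from `host` that the proxy denied."""
    return [e for e in events if e["src"] == host and e["action"] == "DENIED"]

def rare_destinations(events, max_sources=1):
    """Destination host names contacted by at most `max_sources` distinct sources."""
    sources = defaultdict(set)
    for e in events:
        sources[e["host"]].add(e["src"])
    return sorted(h for h, s in sources.items() if len(s) <= max_sources)

def suspicious_requests(events, host):
    """Requests from `host` to rare destinations whose URL is a script or executable."""
    rare = set(rare_destinations(events))
    return [(e["ts"], e["host"], e["url"]) for e in events
            if e["src"] == host and e["host"] in rare
            and re.search(r"\.(php|exe)(\?|$)", e["url"])]

if __name__ == "__main__":
    evts = parse(PROXY_LOGS)
    print("denied:", [e["url"] for e in denied_events(evts, "10.0.111.24")])
    print("rare destinations:", rare_destinations(evts))
    print("suspicious:", suspicious_requests(evts, "10.0.111.24"))
```

Rarity alone produces noise (a CDN host is rare here too), so the URL filter is what narrows the list to the .php page and the executable download; the .php request arrives one second before the denied .exe, which is the drive-by sequence the script confirms in step 7.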
The document also provides a summary of key aspects from Investigate 2.0:
1. Utilized various fields and types for searches across millions of events.
2. Employed security analytics templates to visualize critical event information quickly.
3. Achieved high-speed searching without long wait times typical in traditional search/hunt tools.
Lastly, the document provides a revision history detailing updates from version 1.0 to 5.0, including changes made for improved usability and updated branding.