Investigate 2.10 Demo Script
- Pavan Raja

- Apr 8, 2025
- 8 min read
Summary:
This document is a demonstration script for ArcSight Investigate 2.10. It walks through the product's search features, the enhancements in that release, and a worked security investigation. The steps show how to search, categorize, visualize and analyze the events for a single host: who authenticated to it, what it sent outbound, and which McAfee anti-virus events from April 2018 point to malware on it.
### Key Points from the Document:
**Purpose of ArcSight Investigate:** - The software is used for security incident investigation, enabling users to quickly identify and categorize relevant data related to authentication attempts on specific hosts.
**Enhancements in Version 2.10:** - A new feature called "Host Profiler" profiles a host outside the network: given an external hostname, it shows which internal hosts have connected to it and when, which is what an analyst needs to scope an incident. (The script uses a Facebook hostname as its example destination; the domain itself is not presented as malicious.)
**Key Features of ArcSight Investigate 2.10:** - **Advanced Search Templates**: Give a rapid visualization of critical security event information across millions of events and wide time frames without long wait times. - **Host Profiler**: Profiles an external host by listing the internal hosts that have communicated with it, so an analyst can tell whether a suspicious destination was reached by one workstation or by many. - **Improved Error Handling**: Offers better error messages and clearer instructions for re-running a search with modifications when an error occurs. - **User Interface Enhancements**: Simplifies navigation through categorization features that build a category-based search from a single click, keeping the focus on relevant events.
**Steps for Investigation:** 1. **Initial Search Setup**: Define a search such as "Source address equals 10.0.111.24" with a year-to-date range. 2. **Focusing on McAfee Events**: Narrow the results to McAfee anti-virus notifications for April 2018. 3. **Identifying Potential Malware**: Switch to the file-related fields and look for the file with a questionable name that user 'dpool' ran from the temp folder. 4. **Analyzing Destination Hostnames**: Compare the destination hostnames the host contacted against lookup lists and pick out the unusual one. 5. **Using Host Profiler**: Profile that destination to see whether the suspect workstation is the only internal host that reached it or one of many. 6. **Saving and Exporting Results**: Save the searches and export the results so the findings can feed the ESM case and future detection content.
**Conclusion:** - The investigation demonstrates how ArcSight Investigate can be used to trace potential malware sources through network communication patterns and profile hosts using "Host Profiler." It highlights the importance of detailed analysis and continuous monitoring in detecting and mitigating security threats.
### Summary: The document serves as a guide for using ArcSight Investigate 2.10 in security incident investigations, emphasizing its new Host Profiler feature and its search capabilities. The steps are practical examples of how to identify, categorize, visualize and analyze the authentication attempts, outbound traffic and anti-virus events for a specific host, supporting a more proactive approach to security operations.
Details:
This document provides a demonstration script for ArcSight Investigate version 2.10, showcasing its type-ahead search. The script walks through setting up searches, the suggestions the search bar offers as the analyst types a few characters (for example 'St' or '1'), and saving searches to return to later. The search bar infers the type of the partial input: letters such as 'Ste' produce field-name suggestions, while digits such as '12' produce numeric matches, and the suggestions adapt to strings, integers, floating-point numbers and IP addresses. The script closes with saving a search for future reference, highlighting the interface's flexibility.
ArcSight Investigate is a tool for investigating network events, letting analysts search for specific values or patterns across their event data efficiently. It supports subnet searching in CIDR notation, which is useful when the question is about a network segment rather than a single address: an analyst can specify a range such as '10.0.111.0/24', or widen it to '/16' or '/14' to take in neighbouring segments. Each step down in prefix length multiplies the address space covered, so a '/14' query spans four /16 networks (10.0.0.0 to 10.3.255.255 in this example).
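The subnet search described above, as an added example that is not part of the demo script or the product: a small filter over constructed events that matches a field against a CIDR prefix, skips fields that do not hold an IP address at all, and reports how wide a prefix really is before it is run. The event records and their field names (`src`, `dst`, `bytesOut`) are assumptions for the example.

```python
import ipaddress

# Constructed sample events (not the demo's data); only the fields a subnet
# search touches are included. "not-an-ip" stands in for a field that holds a
# hostname or is empty, which a robust search must skip rather than choke on.
SAMPLE_EVENTS = [
    {"src": "10.0.111.24", "dst": "93.184.216.34", "bytesOut": 5120},
    {"src": "10.0.111.57", "dst": "93.184.216.34", "bytesOut": 880},
    {"src": "10.0.14.8",   "dst": "10.0.111.24",   "bytesOut": 2048},
    {"src": "10.2.7.200",  "dst": "172.16.0.5",    "bytesOut": 300},
    {"src": "10.4.0.1",    "dst": "10.0.111.24",   "bytesOut": 64},
    {"src": "not-an-ip",   "dst": "10.0.111.24",   "bytesOut": 0},
]


def in_subnet(value, cidr):
    """True if `value` is an IP address inside `cidr`.

    Non-IP values never match (instead of raising), and strict=False lets an
    analyst type a host address with a prefix length ("10.0.111.24/24") the way
    the demo does, rather than the canonical network address.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr in ipaddress.ip_network(cidr, strict=False)


def search_subnet(events, cidr, field="src"):
    """Events whose `field` falls inside `cidr`: the programmatic equivalent of
    'Source Address in 10.0.111.0/24' typed into the search bar."""
    return [e for e in events if in_subnet(e.get(field, ""), cidr)]


def subnet_bounds(cidr):
    """First and last address a prefix covers, for sanity-checking how wide a
    /16 or /14 really is before running it against months of events."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    for cidr in ("10.0.111.0/24", "10.0.111.0/16", "10.0.111.0/14"):
        hits = search_subnet(SAMPLE_EVENTS, cidr)
        lo, hi = subnet_bounds(cidr)
        print(f"{cidr:15} covers {lo}-{hi}: {len(hits)} event(s) by source")
```

Widening from /24 to /16 to /14 picks up one more workstation each time in the sample, while the non-IP source value is silently excluded; in a real store the same widening can turn a few hundred events into millions, which is why the bounds are printed first.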
The interface is user-friendly, minimizing the need for complex syntax such as regular expressions and allowing searches based on simple keywords or saved search templates denoted by '#'. These saved searches can be recalled easily whenever needed, serving as a foundation for new investigations.
In the context of a security operation center (SOC) with an Enterprise Security Manager (ESM), ArcSight Investigate can be integrated directly from ESM for immediate analysis. For example, if there's suspicion that a specific host might be compromised based on network activity patterns identified by McAfee AV, one can initiate a search focused on this particular workstation IP address (10.0.111.24) and compare its traffic with other similar workstations in the organization to establish a baseline behavior profile.
The process involves retrieving all recent events for the suspected host, then applying filters to narrow down the scope of the investigation based on protocol usage and destination addresses. By examining outbound data volume and interesting destination hosts, investigators can identify irregularities or potential malicious activity that might not be apparent from initial observations alone. Visualizations in ArcSight Investigate help make this process more intuitive and efficient by offering prebuilt analytics to quickly assess scenarios.
The script then uses ArcSight Investigate's visualizations to analyze the host's network traffic and surface potential security issues. The key points:
1. **Setting Up Visualizations**: Using built-in analytics, visualizations are generated based on previous search results. These visualizations show network traffic details such as bytes out by source and destination addresses, which can help identify anomalies.
2. **Analyzing Traffic Patterns**: By examining the "Bytes out by Source Address" chart, it's observed that most traffic comes from a single host (10.0.111.24), suggesting potential security issues. Further analysis of "Bytes out by Destination" reveals two external addresses receiving significant data, pointing to possible unauthorized access or data leakage.
3. **Zooming in on Anomalies**: Investigate 2.10 introduces chart clustering, allowing analysts to zoom in and out of visualizations easily. If the chart is already zoomed in (showing many colors), clicking "Reset Zoom" ensures proper visibility.
4. **Creating Custom Visualizations**: Instead of using prebuilt charts, custom visualizations can be created by selecting specific parameters like destination ports or protocol activities. For example, a vertical bar chart showing bytes out by source address highlights anomalies more clearly when the average aggregation is changed to a sum for focused analysis.
5. **Investigating User Activity**: The final step involves using Investigate to map network addresses back to users who were logged in during the observed traffic patterns. This helps understand the responsible user or users and can be particularly useful for workstations with dynamically assigned IPs.
Overall, this process demonstrates how ArcSight Investigate allows for detailed analysis of network data through interactive visualizations and mapping activities to specific users, highlighting potential security issues and unauthorized access points within an organization's network.
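The aggregation point in steps 2 and 4 above, as an added example that is not part of the demo script or the product: over constructed flow records, the same "bytes out by source address" series is computed with an average and with a sum. A host that uploads in many mid-sized connections looks unremarkable on a per-connection average but dominates the total, which is what an exfiltration question actually asks. The record fields and the RFC 1918 ranges treated as internal are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not the demo's data). Each is one connection with
# the bytes the internal source sent out. Documentation address ranges stand
# in for public destinations.
FLOWS = (
    # suspect workstation: many mid-sized uploads to two external addresses
    [{"src": "10.0.111.24", "dst": "203.0.113.10", "bytesOut": 40_000}] * 30
    + [{"src": "10.0.111.24", "dst": "198.51.100.7", "bytesOut": 50_000}] * 20
    # a peer: one large, legitimate upload to an internal file server
    + [{"src": "10.0.111.31", "dst": "10.0.5.5", "bytesOut": 900_000}]
    # peers with ordinary browsing-sized connections
    + [{"src": "10.0.111.40", "dst": "10.0.5.5", "bytesOut": 3_000}] * 8
    + [{"src": "10.0.111.55", "dst": "192.0.2.51", "bytesOut": 2_500}] * 8
)

# Assumed internal ranges. Checked explicitly because ipaddress.is_private
# would also class the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in INTERNAL_NETS)


def bytes_out_by(flows, key, agg="sum"):
    """Aggregate bytesOut per distinct value of `key` ("src" or "dst").

    agg="avg" is the per-connection mean the default chart shows; agg="sum"
    is the total a data-exfiltration question needs; agg="count" is the
    number of connections, useful for spotting beaconing.
    """
    buckets = defaultdict(list)
    for f in flows:
        buckets[f[key]].append(f["bytesOut"])
    if agg == "sum":
        return {k: sum(v) for k, v in buckets.items()}
    if agg == "avg":
        return {k: sum(v) / len(v) for k, v in buckets.items()}
    if agg == "count":
        return {k: len(v) for k, v in buckets.items()}
    raise ValueError(f"unknown aggregation {agg!r}")


def top(series, n=1):
    """Largest n (value, total) pairs, highest first."""
    return sorted(series.items(), key=lambda kv: kv[1], reverse=True)[:n]


def external_share(dst_series):
    """Fraction of all bytes out that went to non-internal destinations."""
    total = sum(dst_series.values())
    ext = sum(b for d, b in dst_series.items() if not is_internal(d))
    return ext / total if total else 0.0


if __name__ == "__main__":
    print("avg by source :", top(bytes_out_by(FLOWS, "src", "avg")))
    print("sum by source :", top(bytes_out_by(FLOWS, "src", "sum")))
    print("sum by dest   :", top(bytes_out_by(FLOWS, "dst", "sum"), 2))
    print("external share:", round(external_share(bytes_out_by(FLOWS, "dst")), 3))
```

With the average, the peer that made one 900 KB upload tops the chart; with the sum, 10.0.111.24 tops it with 2.2 MB, and the two busiest destinations are both external.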
The provided instructions and steps outline the process for using ArcSight Investigate to analyze authentication attempts on a specific host (10.0.111.24) during a particular time frame (year to date in this case). Here's a summary of the key actions and their objectives:
1. **Perform an initial search**: To find out which users performed authentication attempts, successful or not, on the given host at the time of interest, run the search by clicking 'Search'. It should return nearly 400 events.
2. **Filter the results**: Scroll across to the "Source Address" field and filter the search using the value 10.0.111.24. Any relevant values in cells can be used as a filter or copied for further use. Right-click and select "Get Authenticated Users" to narrow down the search to particular values of interest.
3. **Handling Errors**: If an error message appears, click on ‘x’ to close it and execute the search again with appropriate modifications like changing the time range to 'Year to Date' or adjusting the date range accordingly.
4. **Use Categorization for Efficiency**: Observe how categorization simplifies the process by automatically building a category-based search through a simple click of the mouse. This helps in focusing on relevant events efficiently.
5. **Search for Specific User Activity**: Scroll to the events for the user of interest ('dpool') and continue into that user's activity from the "Destination User Name" field.
6. **Compare with Look Up Lists**: Use categorization again to compare destination addresses (for example TOR exit nodes) against predefined lists for potential malicious or benign status, noting that all of the communication is over FTP, a cleartext protocol, which raises security concerns.
7. **Visualize and Export Results**: Highlight the visualizations created from multiple result sets, suggesting they can be exported as PDFs to attach to ongoing investigations like ESM cases.
8. **Root Cause Analysis**: Utilize ArcSight Investigate's capability to focus on important events in history by performing a search for all events related to the host during April 2018 and expanding the date range if necessary. This helps understand the root causes of issues.
9. **Exporting Results**: Use the saved search, the "Source address equals 10.0.111.24" query with its year-to-date range, and export its results as needed for further analysis and to inform future detection content and automation in the SIEM.
These steps demonstrate the effectiveness of ArcSight Investigate in quickly identifying, categorizing, and visualizing relevant data related to authentication attempts on a specific host, which is crucial for comprehensive investigations and root cause analyses.
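The authentication question in steps 1 and 2 above, as an added example that is not part of the demo script or the product: ArcSight connectors forward events in CEF, so the block parses constructed Windows logon events in CEF format (header fields split on unescaped pipes, extension values cut at the next `key=` token so values with spaces survive, CEF escapes such as `\=` undone), then tallies per-user success and failure counts for one host. The sample events, the use of signature IDs 4624/4625 as the success/failure test, and the brute-force threshold are assumptions for the example.

```python
import re
from collections import defaultdict

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")          # a pipe not preceded by a backslash
_EXT_KEY = re.compile(r"\s(\w+)=")         # 'key=' introduced by whitespace
_UNESCAPE = re.compile(r"\\([=|\\])")      # CEF value escapes: \=  \|  \\


def parse_cef(line):
    """Split one CEF line into (header dict, extension dict).

    Extension values may contain spaces, so the text is cut at the next
    'key=' token rather than at spaces; an escaped '=' inside a value is
    not mistaken for a new key.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    text = " " + parts[7]                   # so the first key also follows whitespace
    keys = list(_EXT_KEY.finditer(text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        ext[m.group(1)] = _UNESCAPE.sub(r"\1", text[m.end():end]).strip()
    return header, ext


# Constructed Windows Security events in CEF (not the demo's data).
# Signature IDs follow Windows: 4624 = successful logon, 4625 = failed logon.
SAMPLE_CEF = [
    "CEF:0|Microsoft|Microsoft Windows|2016|4624|An account was successfully logged on|3|"
    "rt=Apr 02 2018 08:55:10 src=10.0.111.24 dst=10.0.111.24 duser=dpool outcome=success",
    "CEF:0|Microsoft|Microsoft Windows|2016|4625|An account failed to log on|5|"
    "rt=Apr 02 2018 08:54:51 src=10.0.111.24 dst=10.0.111.24 duser=dpool outcome=failure "
    "msg=Logon failure: reason\\=bad password",
    "CEF:0|Microsoft|Microsoft Windows|2016|4624|An account was successfully logged on|3|"
    "rt=Apr 02 2018 23:10:02 src=10.0.14.8 dst=10.0.111.24 duser=svc_backup outcome=success",
    "CEF:0|Microsoft|Microsoft Windows|2016|4625|An account failed to log on|5|"
    "rt=Apr 03 2018 02:14:07 src=10.2.7.200 dst=10.0.111.24 duser=admin outcome=failure",
    "CEF:0|Microsoft|Microsoft Windows|2016|4625|An account failed to log on|5|"
    "rt=Apr 03 2018 02:14:09 src=10.2.7.200 dst=10.0.111.24 duser=admin outcome=failure",
    "CEF:0|Microsoft|Microsoft Windows|2016|4625|An account failed to log on|5|"
    "rt=Apr 03 2018 02:14:12 src=10.2.7.200 dst=10.0.111.24 duser=admin outcome=failure",
    "CEF:0|Microsoft|Microsoft Windows|2016|4624|An account was successfully logged on|3|"
    "rt=Apr 02 2018 09:01:33 src=10.0.111.57 dst=10.0.111.57 duser=jsmith outcome=success",
]


def authenticated_users(lines, host):
    """Per-user success/failure counts for logon events that involve `host`
    as source or destination: what the 'Get Authenticated Users' action
    answers for 10.0.111.24. Both fields are checked because a remote logon
    carries the target host in dst while the demo filters on Source Address."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for line in lines:
        header, ext = parse_cef(line)
        if host not in (ext.get("src"), ext.get("dst")):
            continue
        if header["signature_id"] == "4624":
            outcome = "success"
        elif header["signature_id"] == "4625":
            outcome = "failure"
        else:
            continue                        # not a logon event
        summary[ext.get("duser", "<unknown>")][outcome] += 1
    return dict(summary)


def brute_force_candidates(summary, threshold=3):
    """Users with at least `threshold` failures and no success on the host:
    the first thing to pull out of the 'nearly 400 events' the demo returns."""
    return sorted(u for u, c in summary.items()
                  if c["failure"] >= threshold and c["success"] == 0)


if __name__ == "__main__":
    summary = authenticated_users(SAMPLE_CEF, "10.0.111.24")
    for user, counts in summary.items():
        print(f"{user:12} success={counts['success']} failure={counts['failure']}")
    print("brute-force candidates:", brute_force_candidates(summary))
```

The same parser serves the later McAfee steps: the file name, path and user the script inspects arrive as extension keys on the anti-virus events and fall out of `parse_cef` the same way `duser` does here.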
In this investigation, we focused on McAfee events and narrowed the April 2018 results to McAfee notifications only. We identified a file scan that failed, suggesting the presence of a potentially malicious file on a workstation. The source address was 10.0.111.24, and the event's device vendor field read Blue Coat.
To further investigate this issue, we updated our search to include only McAfee events for the same date range and focused on fields related to files. We created a new field set containing file information and noted a specific file with a questionable name that had been run by user 'dpool' from the temp folder. This file was still present on the workstation, indicating potential malware activity.
We then analyzed device actions and destination hostnames. While many destinations were typical commercial sites, we noticed an unusual hostname "fundacjaedukacjiszkolnej.org.pl". Further investigation revealed this site was accessed via IP with a suspicious .php page pointing to possible malicious content. This indicated a potential infection from a drive-by attack.
To understand if the workstation was isolated or part of an ongoing issue, we used Host Profiler to analyze communication patterns. The initial profile for the last 24 hours did not return results, but changing the time window to "All Time" showed that only Workstation 24 had accessed this host. This confirmed a contained infection and indicated further action should be taken to block access to fundacjaedukacjiszkolnej.org.pl.
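The Host Profiler step above, and its time-window caveat, as an added example that is not part of the demo script or the product: over constructed proxy events, the block lists which internal hosts contacted a destination, first with the 'Last 24 hours' preset (which finds nothing because the infection is a week old) and then over wider windows. It also widens the window step by step rather than jumping straight to 'All Time', since that is the most expensive query on a large store. The event records, the request paths and the analyst's clock (`NOW`) are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

SUSPECT_HOST = "fundacjaedukacjiszkolnej.org.pl"

# Constructed proxy log events (not the demo's data); timestamps are UTC.
# The request paths are placeholders, not the page the script refers to.
PROXY_EVENTS = [
    {"ts": "2018-04-03T14:02:11Z", "src": "10.0.111.24", "dhost": SUSPECT_HOST, "request": "/index.php"},
    {"ts": "2018-04-03T14:02:15Z", "src": "10.0.111.24", "dhost": SUSPECT_HOST, "request": "/index.php"},
    {"ts": "2018-04-03T14:05:40Z", "src": "10.0.111.24", "dhost": "www.facebook.com", "request": "/"},
    {"ts": "2018-04-03T15:10:00Z", "src": "10.0.111.57", "dhost": "www.facebook.com", "request": "/"},
    {"ts": "2018-04-09T12:00:00Z", "src": "10.0.14.8",   "dhost": "www.facebook.com", "request": "/"},
]

# When the analyst runs the profile (constructed): a week after the infection.
NOW = datetime(2018, 4, 10, 10, 0, tzinfo=timezone.utc)

# The presets tried in order: last 24 hours, last 7 days, last 30 days, All Time.
WINDOWS = (timedelta(hours=24), timedelta(days=7), timedelta(days=30), None)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def profile_host(events, dhost, now=NOW, window=None):
    """Internal sources that contacted `dhost`, with hit count and first/last
    seen. window=None is 'All Time'; timedelta(hours=24) is 'Last 24 hours'."""
    since = None if window is None else now - window
    profile = {}
    for e in events:
        if e["dhost"] != dhost:
            continue
        ts = parse_ts(e["ts"])
        if since is not None and ts < since:
            continue
        p = profile.setdefault(e["src"], {"hits": 0, "first_seen": ts, "last_seen": ts})
        p["hits"] += 1
        p["first_seen"] = min(p["first_seen"], ts)
        p["last_seen"] = max(p["last_seen"], ts)
    return profile


def widen_until_hit(events, dhost, now=NOW, windows=WINDOWS):
    """Re-run the profile over progressively wider windows and return
    (window, profile) for the first one that finds anything; (None, {}) if
    even 'All Time' is empty."""
    for w in windows:
        profile = profile_host(events, dhost, now, w)
        if profile:
            return w, profile
    return None, {}


if __name__ == "__main__":
    print("last 24h:", profile_host(PROXY_EVENTS, SUSPECT_HOST, window=WINDOWS[0]))
    window, profile = widen_until_hit(PROXY_EVENTS, SUSPECT_HOST)
    print("first window with results:", window)
    for src, p in profile.items():
        print(f"  {src}: {p['hits']} hit(s), {p['first_seen']:%Y-%m-%d %H:%M} to {p['last_seen']:%H:%M}")
```

In the sample, the 24-hour window returns nothing and the 7-day window shows a single source, 10.0.111.24, so the infection is contained; a profile that returned many sources over the same window would instead call for blocking the destination and pulling every listed host into the case.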
In conclusion, our investigation revealed an instance of potential malware on a workstation, traced its source through network communication patterns, and used Host Profiler to understand the scope of impact within the organization. This case highlights the importance of detailed analysis and continuous monitoring in detecting and mitigating security threats.
This document outlines a demonstration using Investigate 2.10 for security incident investigation, highlighting its key features and the improvements since previous versions. It introduces a new Host Profiler demo that profiles hosts outside the network by listing which internal hosts have connected to a given external domain and when, which aids in scoping a possible security incident (the script uses "ww.facebook.com" as its example destination). The demonstration also shows how advanced search templates give a rapid visualization of critical security event information across millions of events and wide time frames without long wait times.
The document also provides a revision history detailing changes from version 1.0 (May 31, 2017) through the latest version 6.0 (May 7, 2018), including updates for new features in Investigate 2.10 and improvements to use cases. It mentions trademark information of Micro Focus and company details.
