
Investigate Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 7 min read

Summary:

The document "Use Case Demonstration Scripts for Investigate 1.10" is designed to demonstrate the features and functionality of HPE's ArcSight Investigate version 1.10. It focuses on showing how intuitive and powerful the search capabilities are through a series of scenarios and actions.

**Key Features Demonstrated:**

  • **Intuitive Search**: The script shows that the software suggests field names as the user types, adapting its suggestions to the kind of value entered. This auto-suggest helps refine search criteria quickly without prior knowledge of the available fields.
  • **Data Visualization**: It shows how users create charts directly within Investigate by dragging and dropping fields. These visualizations expose relationships between data points, such as source addresses and destination ports, giving quick insight into network traffic patterns without additional tools or databases.
  • **Parameterization for Insight**: It demonstrates how a search can be parameterized with filters added at run time, so Investigate pivots and filters the already-retrieved data instantly, without writing code or running new queries against the datastore.
  • **User Interaction Based Analytics**: Analytics are driven by interactive actions (such as clicking fields) and run in memory within the tool rather than as new queries against the datastore, which saves both time and datastore resources.
  • **Version Specific Updates**: The revision history records that the script was updated for ArcSight Investigate 1.10 and subsequently for version 3.0, with the content flow streamlined for easier understanding while keeping the key use cases.

It also carries forward material from earlier revisions, such as the "intuitive" use case and the "total bytes" use cases.

**Summary:** The document is a useful guide for anyone getting started with ArcSight Investigate or looking to deepen their understanding of it, especially for analyzing network traffic data. It covers setting up searches, visualizing results through charts, and using interactive features such as parameterization without running separate queries, all of which are valuable skills for analysts working with large volumes of event data in this tool.

Details:

**Summary of the Document:** The document titled "Use Case Demonstration Scripts for Investigate 1.10" showcases the features and functionality of HPE's ArcSight Investigate 1.10. Its purpose is to demonstrate, through a series of scenarios and actions, how intuitive, efficient, and powerful the search capabilities are. **Key Points Discussed:**

  • **Overview (Page 1):** Describes that the document provides demonstration scripts for ArcSight Investigate 1.10 and refers to PowerPoint slides for visual aids showing the search flow.

  • **Intuitive Search (Pages 2-5):** This section explains how the software suggests field names based on what the user types, demonstrating its ability to understand and adapt searches. It covers a scenario where the user types a partial term such as 'Ste', which triggers suggestions for fields that might contain such a string: source/destination usernames, hostnames, domain names, NT domain, and similar fields.

  • **Comparing Outbound Data Baseline against User Activity:** This use case builds a baseline of outbound bytes across all users and compares individual users' activity against it to spot outliers; the steps are walked through in the details below.

  • **Determine Relationship between Source Address and Destination Ports:** This use case visualizes which destination ports each source address talks to, using a scatter plot of destination-port counts per source address; the steps are walked through in the details below.

  • **Actions Taken by McAfee Software, with User Variability, and Analytics (Page 18):** This use case searches for events where deviceVendor is McAfee, charts the device actions, and parameterizes the chart by source username so the analyst can pivot between users using in-memory analytics rather than new searches against the datastore.

  • **Revision History (Page 20):** Provides information about any updates or changes made to this document from its initial version up until August 10, 2017.

The document is primarily a guide for demonstrating the capabilities of the ArcSight Investigate software; it contains no confidential company data, only technical details and procedural guidance on using the product's features effectively.

ArcSight Investigate's intuitive search simplifies data exploration by adapting its field suggestions to what the user types. The system handles various kinds of input: alphabetic strings such as 'Ste', numeric values such as '1', periods ('.'), and further digits that could form a port number or an IP address. The search bar recognizes the nature of the input and updates its suggestions according to whether the entry looks alphanumeric, numeric (an integer or a floating-point number), or like part of an IP address or another specific format. This means the user does not need to know exact field names or syntax rules in advance.

The demonstration walks through this progression: searching for 'Ste' yields suggestions for name-like fields (usernames, domains, and so on); appending digits ('12') shifts the suggestions toward port-number fields; adding more digits and another period shifts them toward IP address fields. The use case then shows how a saved search can be referenced from a later search by prefixing its name with a '#' sign, so analysts can build on previous findings instead of starting from scratch each time.
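As an added illustration (not code from the demo script or from ArcSight Investigate, whose real suggestion logic and field schema are not described on this page), the following Python sketch mimics the behaviour described above: it classifies what the user has typed so far, proposes fields of a matching type, and resolves a '#'-prefixed token against saved-search names. The field catalogue, the octet check and the classification rules are assumptions chosen for the example.

```python
import re

# Constructed field catalogue for the example (an assumption; not Investigate's
# actual schema). Each field name maps to the kind of value it holds.
FIELDS = {
    "sourceUserName": "string", "destinationUserName": "string",
    "sourceHostName": "string", "destinationHostName": "string",
    "sourceDnsDomain": "string", "sourceNtDomain": "string",
    "sourcePort": "int", "destinationPort": "int", "bytesOut": "int",
    "sourceAddress": "ip", "destinationAddress": "ip",
}

# One to four dotted octets, optionally ending in a dot the user has just
# typed ("17.", "17.111", "17.111.").
IP_PREFIX = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}\.?$")


def classify(token):
    """Decide what kind of value a partially typed token looks like."""
    if token.startswith("#"):
        return "saved_search"
    if re.fullmatch(r"\d+", token):
        return "int"                       # a port, a byte count, ...
    if IP_PREFIX.fullmatch(token) and all(
        int(octet) <= 255 for octet in token.strip(".").split(".")
    ):
        return "ip"                        # looks like the start of an address
    if re.fullmatch(r"\d+\.\d+", token):
        return "float"                     # dotted but not a valid octet run
    if re.fullmatch(r"[A-Za-z][\w.-]*", token):
        return "string"
    return "unknown"


def suggest(token, saved_searches=()):
    """Return candidate field names, or '#' saved-search references, for a token."""
    kind = classify(token)
    if kind == "saved_search":
        prefix = token[1:].lower()
        return [f"#{name}" for name in saved_searches
                if name.lower().startswith(prefix)]
    if kind == "int":
        wanted = {"int", "ip"}             # "12" may still grow into "12.0.0.1"
    elif kind in ("ip", "float", "string"):
        wanted = {kind}
    else:
        return []
    return [name for name, field_kind in FIELDS.items() if field_kind in wanted]


if __name__ == "__main__":
    for typed in ("Ste", "12", "17.111.", "3.14159", "#base"):
        print(typed, "->", classify(typed),
              suggest(typed, saved_searches=["baseline_bytes_out"]))
```

The same progression the script narrates ('Ste', then '12', then a dotted prefix) falls out of `classify`; the float branch only fires when a dotted number cannot be an address, which is the ambiguity the real product has to resolve as well.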
The worked example creates a baseline of data volume across all users and compares specific users' activity against it, showing how intuitive search applies to practical problems such as spotting outliers or unusual activity patterns within an organization. Overall, the demonstration illustrates how ArcSight Investigate's intuitive search uses input recognition to give a more dynamic and user-friendly experience when searching large volumes of data about network activity and device hostnames.

The 'bytes out' use case proceeds as follows. A new search is run within a user session for network traffic where 'bytes out' is greater than zero, returning about 2 million results. A baseline chart of bytes out across all users is built by placing the Bytes Out field on the Y-axis with the sum aggregation, grouped by Source Username, which gives the average per user. Two users, 'Falv' and 'Harris', are then singled out as potentially having unusual traffic patterns. A chart series is added for each: 'Series 2' ('Falv') compares that user's sum of bytes out against the overall average, but the values are too small to show clearly; 'Series 3' ('Harris') shows sums significantly higher than the average across all users. This is done by filtering on each user and toggling aggregations and filters in the charting tool, illustrating that Investigate can analyze individual traffic patterns without additional searches against the datastore.
The source-address/destination-port use case shows how to explore which ports each address talks to: set up a search with specific IP address criteria, run it year-to-date, and visualize the relationship with a scatter plot that counts occurrences of each destination port per source address. Key points:

  1. **Search Setup**: Start a new search with the "starts with" filter on source address for both the 17.111 and 17.212 subnets, capturing the relevant traffic year-to-date.
  2. **Data Collection**: The search returns over half a million events. The user can preview them by looking at the most and least frequent source addresses.
  3. **Search Naming and Visualization**: Rename the search for clarity (e.g., "source starts with 17.111 or 17.212") and add a scatter plot showing how many times each destination port was seen from each source address, with source address on the X-axis and the count of each destination port on the Y-axis.
  4. **Parameterization and Filtering**: For a focused analysis, parameterize the search by adding filters for particular destination ports. Investigate highlights the matching data points from the results already in memory, so the analyst can explore further without running additional searches.

This demonstrates how Investigate visualizes the relationship between IP addresses and port usage, and how parameterized searches give targeted insight.

The McAfee use case shows filtering and visualization with vendor-specific events:

  1. **Search Setup**: Search for deviceVendor=McAfee and chart the device actions. The search can be parameterized by adding source username as a parameter, which lets the user pivot through individual users without additional searches against the datastore.
  2. **Chart Visualization**: The chart initially shows the distribution of all McAfee device actions across users. The view is customized by dragging fields such as deviceVersion and deviceAction into the chart's boxes; the sourceUsername parameter makes it easy to switch between users and see how actions vary among them.
  3. **Analytics and Filtering**: The chart is driven by in-memory analytics on user interactions (clicks) rather than further searches against the datastore. Toggling the small square in the legend shows or hides a series, and values can be shown as proportions, for example the percentage of 'none' versus 'permitted' actions. Because no more data is retrieved from the datastore, this is fast and cheap.
  4. **Revision History**: The document was updated for ArcSight Investigate 1.10 and subsequently for version 3.0, with minor changes to content flow for easier understanding. Earlier revisions covered the intuitive use case and the total bytes use cases.

Overall, the text outlines a straightforward way to visualize event data using parameters from previous searches without new data pulls, relying on fast in-memory analytics driven by user actions.
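The three use cases above (bytes-out baseline versus individual users, source-address/destination-port counts, and McAfee device actions pivoted by user) are all aggregations over a result set that has already been retrieved, which is what lets Investigate re-chart on a click without going back to the datastore. The following Python example, added here and not taken from the demo script or from ArcSight Investigate, reproduces that pattern over a handful of constructed events: one `search` per use case, then in-memory aggregation and pivoting on its result. The event dictionaries, their field names (borrowed from ArcSight's CEF-style naming) and the 2x-baseline outlier threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample events (not data from the demo document). Field names follow
# ArcSight's CEF-style naming; the values are invented for the example.
EVENTS = [
    {"sourceUserName": "alice",  "sourceAddress": "17.111.5.6", "destinationPort": 443,  "bytesOut": 100,  "deviceVendor": "McAfee", "deviceAction": "permitted"},
    {"sourceUserName": "alice",  "sourceAddress": "17.111.5.6", "destinationPort": 80,   "bytesOut": 150,  "deviceVendor": "McAfee", "deviceAction": "permitted"},
    {"sourceUserName": "bob",    "sourceAddress": "17.212.7.8", "destinationPort": 443,  "bytesOut": 200,  "deviceVendor": "McAfee", "deviceAction": "blocked"},
    {"sourceUserName": "bob",    "sourceAddress": "17.212.7.8", "destinationPort": 443,  "bytesOut": 0,    "deviceVendor": "McAfee", "deviceAction": "none"},
    {"sourceUserName": "bob",    "sourceAddress": "10.0.0.1",   "destinationPort": 22,   "bytesOut": 100,  "deviceVendor": "Cisco",  "deviceAction": "permitted"},
    {"sourceUserName": "falv",   "sourceAddress": "17.111.9.9", "destinationPort": 443,  "bytesOut": 50,   "deviceVendor": "McAfee", "deviceAction": "permitted"},
    {"sourceUserName": "harris", "sourceAddress": "17.212.1.1", "destinationPort": 8443, "bytesOut": 5000, "deviceVendor": "McAfee", "deviceAction": "blocked"},
    {"sourceUserName": "harris", "sourceAddress": "17.212.1.1", "destinationPort": 8443, "bytesOut": 3000, "deviceVendor": "McAfee", "deviceAction": "blocked"},
]


def search(events, predicate):
    """One 'search against the datastore': return the events matching predicate."""
    return [e for e in events if predicate(e)]


def sum_by(events, group_field, value_field):
    """Chart aggregation: sum value_field per distinct value of group_field."""
    totals = defaultdict(int)
    for e in events:
        totals[e[group_field]] += e[value_field]
    return dict(totals)


def bytes_out_baseline(events):
    """Baseline chart: sum of bytesOut per user, and the average across users."""
    traffic = search(events, lambda e: e.get("bytesOut", 0) > 0)   # 'bytes out' > 0
    per_user = sum_by(traffic, "sourceUserName", "bytesOut")
    return mean(per_user.values()), per_user


def users_above_baseline(events, factor=2.0):
    """Outliers: users whose total bytesOut exceeds factor x the per-user average."""
    baseline, per_user = bytes_out_baseline(events)
    return sorted(u for u, total in per_user.items() if total > factor * baseline)


def port_relationship(events, prefixes=("17.111", "17.212")):
    """Scatter-plot data: how often each destination port was seen per source
    address, for sources whose address 'starts with' one of the subnet prefixes."""
    dotted = tuple(p.rstrip(".") + "." for p in prefixes)   # so 17.111 does not match 17.1110
    scoped = search(events, lambda e: e["sourceAddress"].startswith(dotted))
    return Counter((e["sourceAddress"], e["destinationPort"]) for e in scoped)


# The McAfee search is run once; everything below works on this result set.
MCAFEE_RESULTS = search(EVENTS, lambda e: e["deviceVendor"] == "McAfee")


def device_actions_by_user(results, user=None):
    """deviceAction distribution per sourceUserName, pivoted in memory.
    Passing user=... is the 'parameter': it re-filters the existing results
    instead of issuing a new search."""
    pivot = defaultdict(Counter)
    for e in results:
        if user is None or e["sourceUserName"] == user:
            pivot[e["sourceUserName"]][e["deviceAction"]] += 1
    return {u: dict(c) for u, c in pivot.items()}


if __name__ == "__main__":
    baseline, per_user = bytes_out_baseline(EVENTS)
    print("per-user average bytesOut:", baseline, per_user)
    print("above 2x baseline:", users_above_baseline(EVENTS))
    print("port counts per source:", dict(port_relationship(EVENTS)))
    print("McAfee actions, all users:", device_actions_by_user(MCAFEE_RESULTS))
    print("McAfee actions, harris only:", device_actions_by_user(MCAFEE_RESULTS, user="harris"))
```

In the constructed data 'falv' sits far below the per-user average and 'harris' far above it, mirroring the Series 2 / Series 3 comparison in the script; note that the baseline is a mean over users, so a single heavy user pulls it up and a fixed multiple of it is a crude outlier test that a real investigation would refine.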

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
