iThreat Demo Install Guide v1.1
- Pavan Raja

- Apr 8, 2025
Summary:
**Summary of "iThreat Demo" Version 4.0 Release Note:**
The release note outlines the installation steps for "iThreat Demo" version 4.0. It dates from 2007 and was revised by Colby Deroff and Brian Wolff. The document is mainly a detailed guide to installing the demo package in an ArcSight environment, with specific instructions for importing packages, moving rules, and enabling the response rules that the insider-threat detection scenarios depend on.
**Installation Steps:**
1. **Copy the necessary packages**: Retrieve the following from `\\kenny\salesdemo\4.0\solnDemos\iThreat`:
   - `ArcSight-InsiderThreatSolution-2.0.1.5244.arb`
   - `iThreatSolutionDemo4.0.1.arb`
   - `iThreat_Investigation_Reports.arb`
2. **Start and open ArcSight Manager and Console**.
3. **Import packages**: Use the "Packages" tab to import:
   - First, import `ArcSight-InsiderThreatSolution-2.0.1.5244.arb`.
   - Then, import `iThreatSolutionDemo4.0.1.arb`.
4. **Extract and navigate**: In the ArcSight console, go to the following location to find and extract the demo resources:
   - Navigate to `Navigator \ Resources \ Files \ Shared \ All Files \ ArcNet Files \ SolutionDemos`.
   - Right-click on `get iThreat_Demo4.0.1.zip` and unzip it to the ArcSight home directory.
5. **Move rules**: Transfer the `Insider Threat rules folder` from `/Rules/Shared/All Rules/ArcSight Solutions/Insider Threat` to `/Rules/Shared/All Rules/Real-time Rules`.
6. **Enable response rules**: Activate and verify the following two rules:
   - `NRM – Quarantine Attacker Address`
   - `CounterAct – Disable User Account - Target User`
7. **Install report patch**: Use the package utility to install `iThreat_Investigation_Reports.arb`.
8. **Locate events and reports**: Find the five event files under `iThreat\`, and refer to the demo script for details on the supported report content.
**Additional Notes:**
- Ensure all response rules are enabled for optimal performance of iThreat scenarios.
- Validate that the specified rules are active as per the provided instructions.
This guide walks through the installation step by step so that "iThreat Demo" version 4.0 deploys and functions correctly within an ArcSight environment.
Details:
The document is a release note and installation guide for "iThreat Demo" version 4.0, dating from 2007 with revisions by Colby Deroff and Brian Wolff. The revision history and the steps to install the demo are summarized below:
### Release Notes Summary:
**Revision 1 (2007-04-24):** Initial release, authored by Colby Deroff.
**Revision 2 (2007-06-26):** Added screenshots of installation documentation, authored by Brian Wolff.
### Installation Steps:
1. **Copy the Packages:**
   Copy the following packages from `\\kenny\salesdemo\4.0\solnDemos\iThreat`:
   - `ArcSight-InsiderThreatSolution-2.0.1.5244.arb`
   - `iThreatSolutionDemo4.0.1.arb`
   - `iThreat_Investigation_Reports.arb`
2. **Start the ArcSight Manager and Console:**
   Launch ArcSight Manager and open the console.
3. **Import Packages:**
   Use the "Packages" tab to import:
   - The solution package first (`ArcSight-InsiderThreatSolution-2.0.1.5244.arb`).
   - Then the demo package (`iThreatSolutionDemo4.0.1.arb`).
4. **Navigate and Extract:**
   - Go to `Navigator \ Resources \ Files \ Shared \ All Files \ ArcNet Files \ SolutionDemos`.
   - Right-click on `get iThreat_Demo4.0.1.zip` and open it.
   - Unzip the archive to the ArcSight home directory.
5. **Move Rules:**
   Drag and drop the `Insider Threat rules folder` from:
   `/Rules/Shared/All Rules/ArcSight Solutions/Insider Threat`
   To:
   `/Rules/Shared/All Rules/Real-time Rules`.
6. **Enable Response Rules:**
   Enable and validate two response rules:
   - `NRM – Quarantine Attacker Address`
   - `CounterAct – Disable User Account - Target User`
7. **Install Report Patch:**
   Use the package utility to install `iThreat_Investigation_Reports.arb`.
8. **Events and Reports:**
   - Event files are located in the replay agent under `iThreat\*`, with 5 event files.
   - Refer to the demo script for supported content related to reports.
### Additional Notes:
- Ensure response rules are enabled for proper functioning of iThreat scenarios.
- Enable and validate the specified rules as mentioned in the additional notes section.
This document provides a step-by-step guide on how to install the iThreat Demo version 4.0, including necessary configurations and enabling specific rules.
