
Searching and Reporting - Failed Logons

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 5 min read

Summary:

This document outlines a comprehensive use case for using ArcSight Logger to analyze failed logon attempts on Windows systems, focusing on event identification, categorization, visualization, and reporting. The process involves setting up initial searches with specific criteria, saving these searches for future reference, exploring field summaries, creating visualizations such as charts, adjusting live feeds, building custom dashboards, and finalizing the dashboard setup after adjustments based on feedback or evolving threats. Additionally, examples include searching for destination ports in NetFlow traffic, calculating average bytes, identifying top talkers, and tracking device vendors and products.

Details:

This document outlines a use case for using ArcSight Logger to analyze failed logon attempts, focusing on Windows systems. The steps and processes involved are:

1. **Understanding Failed Logon Attempts**: The first step is identifying the specific event codes that represent failed logons in both Microsoft Windows (e.g., Security:529) and Windows 2008 (e.g., Microsoft-Windows-Security-Auditing:4625). These are used to search for the relevant events within ArcSight Logger.
2. **Search/Analyze**: Use the ArcSight Logger interface to perform a search using either "Security:529" or "Microsoft-Windows-Security-Auditing:4625". The system returns and displays the events that match these criteria, allowing further analysis and categorization.
3. **Categorization**: After retrieving the relevant events, ArcSight automatically categorizes them using predefined categories such as /Authentication/Verify and /Failure, which simplifies organizing and prioritizing the data without needing to understand individual vendor codes.
4. **Viewing a Live Feed**: Once the events are categorized, you can explore different views or filters to get insights into patterns or specific occurrences of failed logons across various devices and operating systems.
5. **Dashboards**: For easy visualization of the important metrics and trends related to failed logon attempts, create custom dashboards within ArcSight Logger that display relevant data from the search results.
6. **Reporting**: Customize the default reports or create new ones by selecting the desired fields and configurations. These can be used to present findings internally or externally, providing a detailed view of security incidents such as failed logons.
7. **Pipeline Operators**: For more complex queries and analyses, ArcSight allows pipeline operators to modify the search criteria on the fly within the same interface, without restarting anything. This flexibility helps in refining searches to specific requirements during the analysis or reporting phases.
8. **Selected Examples**: The document provides practical examples that show how different types of failed logon attempts are identified and categorized using ArcSight Logger, demonstrating its versatility across devices and operating systems such as UNIX and TippingPoint, beyond Microsoft Windows alone.

This use case guide shows how to efficiently search for, analyze, categorize, and report on failed logon attempts in diverse environments using ArcSight Logger, giving administrators and security analysts a clear path to monitor and respond to potential threats.

Tracking Microsoft authentication failures over time:

This process involves setting up a series of searches and visualizations in the security information and event management (SIEM) tool to track Microsoft authentication failures over time, based on criteria related to devices and user activities. The goal is a comprehensive overview that can be accessed from a dashboard for quick reference.

1. **Initial Search Setup**: Begin with a search query focused on Microsoft events where authentication attempts have failed. This involves changing the initial Unix-based deviceProduct filter to focus on Microsoft devices, and filtering for authentication failures using the verification and failure categories in the security logs.
2. **Saving the Search**: Name the search "Microsoft Authentication Failures" and save it with your initials or another identifier for future use.
3. **Exploring Field Summary**: Use this feature to summarize the data quickly, so that you can focus on specific types of events without counting them manually. The view can be expanded by clicking on different fields, such as deviceEventClassId, to refine the search results further.
4. **Creating Visualizations**: Use the field summary and chart settings to create visual representations such as line charts that show changes in event frequency over time, or top-values charts showing the most common outcomes or devices involved. These visual aids make complex data easier to interpret.
5. **Adjusting Live Feeds**: For ongoing monitoring, use the live event viewer to track security events in real time, adjusting the search criteria as needed based on new findings or specific interests (e.g., changing from user ID to IP address).
6. **Setting Up Data Monitors and Dashboards**: Create data monitors that update automatically with recent failures, which can then be added to a dashboard for quick access during routine checks. For example, set up a monitor to display the last 10 Windows logon failure events across devices, filtering by authentication type and outcome.
7. **Building Custom Dashboards**: Once you have created the relevant visualizations through data monitors or saved searches, add them to custom dashboards named after the category of events under investigation (e.g., "Microsoft Related Events"). This lets users keep tabs on key indicators without repeatedly running complex queries.
8. **Final Adjustments and Review**: Make sure all settings and visualizations are adjusted for clarity and usability, then review them with stakeholders if necessary. Make any final adjustments based on feedback or evolving security threats before finalizing the dashboard setup.

Reports:

This part of the document is a guide to creating and customizing reports for analyzing security events, specifically Microsoft-related login failures. The process involves navigating the tabs and menus of the system to access and modify report settings. It covers creating new queries, customizing existing ones, and running them as reports. It also explains the use of pipeline operators, which are crucial for refining searches by adding clauses based on specified attributes.

Search examples:

The document provides examples and summaries of searches and queries that can be performed in a Logger-like system, focusing on network traffic data such as NetFlow and Blue Coat logs. The examples cover counting events by destination port, calculating the average bytes in and out every 30 seconds, identifying top talkers by source address, extracting Google search terms with a regex, getting an overview of device vendors and products, and tracking changes to devices or software configurations. For instance:

1. To count events by destination port in NetFlow traffic: `netflow | cef dpt | chart _count by dpt | sort - _count`
2. To chart the average bytes in and out every 30 seconds: `Netflow | cef bytesIn bytesOut | chart avg(bytesIn),avg(bytesOut) span=30s`
3. To identify the top source addresses responsible for traffic through a specific device group, such as the firewall: `categoryDeviceGroup = "/Firewall" AND categoryBehavior = "/Access" and bytesIn IS NOT NULL | EVAL total_bytes=bytesIn + bytesOut | chart sum(total_bytes) as bytes by sourceAddress | sort - bytes`
4. To search Blue Coat events for the terms used in Google searches: `deviceVendor="Blue Coat" | rex "http://www.google.com/search\?q=(?<term>[^&]+)" | top term`
5. Quick overviews of device vendors and products use `top deviceVendor` and `top deviceProduct`; the versions of the connectors in use can be tracked with `agent:012 | top deviceVersion`.
6. Specific queries for TippingPoint events, failed logins by user, and NetFlow destination ports are detailed, along with how to track changes in product configurations.
7. Regex examples such as `| regex="CEF:0.*?Zara"` show how to extract specific information from logs.
8. The document concludes with the most common searches and commands used across different devices and behaviors after logging in to a Logger system, including transaction tracking and de-duplication of user authentication events.
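The failed-logon identification and categorization steps in the Details above, modelled in Python as an added example (this is not ArcSight's own code and is not from the original document): it parses constructed CEF events and compares a vendor-specific search on the two Windows event IDs with a vendor-neutral search on ArcSight's category fields. The CEF header order follows the published CEF format; the field names categoryBehavior and categoryOutcome are ArcSight conventions, and placing them in the CEF extension as plain key=value pairs is an assumption of this example, as are all sample values.

```python
"""Added example: identify failed-logon events in CEF form two ways, as the use case describes --
by vendor-specific event ID (Security:529 / Microsoft-Windows-Security-Auditing:4625) and by the
vendor-neutral category fields (/Authentication/Verify + /Failure). Sample events are constructed."""
import re
from collections import Counter

# Vendor-specific event IDs for failed logons named in the use case.
FAILED_LOGON_IDS = {"Security:529", "Microsoft-Windows-Security-Auditing:4625"}

# Constructed CEF events (not real captures). Header fields are pipe-separated:
# CEF:Version|DeviceVendor|DeviceProduct|DeviceVersion|DeviceEventClassId|Name|Severity|Extension
# Category fields in the extension are an assumption of this example.
SAMPLE_EVENTS = [
    "CEF:0|Microsoft|Microsoft Windows|5.2|Security:529|Logon Failure|5|"
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure suser=alice src=10.0.0.5",
    "CEF:0|Microsoft|Microsoft Windows|6.1|Microsoft-Windows-Security-Auditing:4625|"
    "An account failed to log on|5|"
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure suser=bob src=10.0.0.7",
    "CEF:0|Microsoft|Microsoft Windows|6.1|Microsoft-Windows-Security-Auditing:4624|"
    "An account was successfully logged on|3|"
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Success suser=alice src=10.0.0.5",
    "CEF:0|Unix|Unix|1.0|sshd:failed|Failed password|5|"
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure suser=root src=203.0.113.9",
]

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
# An extension value runs until the next "key=" token or the end of the line,
# so values containing spaces (event names, messages) are kept whole.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into a dict of header fields plus extension key/value pairs.
    Escaped pipes (\\|) inside header fields are not handled; the samples contain none."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line[4:].split("|", 7)          # 7 header fields + the whole extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event.update(EXT_RE.findall(parts[7]))
    return event


def is_failed_logon_by_id(event):
    """Vendor-specific search: matches only the Windows event IDs listed in the use case."""
    return event["deviceEventClassId"] in FAILED_LOGON_IDS


def is_failed_logon_by_category(event):
    """Vendor-neutral search: relies on ArcSight's categorization instead of vendor codes."""
    return (event.get("categoryBehavior") == "/Authentication/Verify"
            and event.get("categoryOutcome") == "/Failure")


def count_failed_logons(lines, by="category"):
    """Count failed logons per deviceProduct using either matching strategy."""
    match = is_failed_logon_by_category if by == "category" else is_failed_logon_by_id
    counts = Counter()
    for line in lines:
        event = parse_cef(line)
        if match(event):
            counts[event["deviceProduct"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # The ID-based search misses the Unix failure; the category-based search finds it.
    print("by ID:      ", count_failed_logons(SAMPLE_EVENTS, by="id"))
    print("by category:", count_failed_logons(SAMPLE_EVENTS, by="category"))
```

The point the categorization step makes shows up in the two results: the search on Windows event IDs only ever sees Windows, while the search on categoryBehavior and categoryOutcome also picks up the Unix sshd failure without any knowledge of that vendor's codes.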
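A Python model of the pipeline operators used in the search examples above (chart _count by, chart avg() span=, EVAL, sort, rex and top), added here as an example and not part of the original document or of ArcSight Logger: each function reproduces one of the listed searches over constructed events so the effect of each operator can be checked. Field names (dpt, bytesIn, bytesOut, sourceAddress, deviceVendor, requestUrl) follow ArcSight naming; the events, timestamps and values are constructed. Python spells a named group `(?P<term>...)` where Logger's rex uses `(?<term>...)`.

```python
"""Added example: Python equivalents of the Logger search pipelines listed above,
run over constructed flow and proxy events. Not ArcSight code."""
import re
from collections import Counter, defaultdict

# Constructed NetFlow-style events: t is seconds since the start of the search window.
FLOW_EVENTS = [
    {"t": 0,  "dpt": 443, "bytesIn": 1000, "bytesOut": 200, "sourceAddress": "10.1.1.10"},
    {"t": 10, "dpt": 80,  "bytesIn": 500,  "bytesOut": 100, "sourceAddress": "10.1.1.11"},
    {"t": 25, "dpt": 443, "bytesIn": 3000, "bytesOut": 600, "sourceAddress": "10.1.1.10"},
    {"t": 40, "dpt": 22,  "bytesIn": 200,  "bytesOut": 50,  "sourceAddress": "10.1.1.12"},
    {"t": 55, "dpt": 443, "bytesIn": 700,  "bytesOut": 300, "sourceAddress": "10.1.1.11"},
]


def chart_count_by(events, field):
    """`chart _count by <field> | sort - _count`: event counts per value, largest first."""
    counts = Counter(e[field] for e in events if field in e)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


def chart_avg_span(events, fields, span_s):
    """`chart avg(f1),avg(f2) span=<span_s>s`: average of each field per time bucket."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["t"] // span_s) * span_s].append(e)   # bucket start time
    return {start: {f: sum(e[f] for e in evs) / len(evs) for f in fields}
            for start, evs in sorted(buckets.items())}


def top_talkers(events):
    """`... bytesIn IS NOT NULL | EVAL total_bytes=bytesIn + bytesOut
       | chart sum(total_bytes) as bytes by sourceAddress | sort - bytes`."""
    totals = Counter()
    for e in events:
        if e.get("bytesIn") is None:          # the IS NOT NULL clause
            continue
        totals[e["sourceAddress"]] += e["bytesIn"] + e["bytesOut"]   # the EVAL step
    return sorted(totals.items(), key=lambda kv: -kv[1])


# Constructed Blue Coat-style proxy events carrying the requested URL.
PROXY_EVENTS = [
    {"deviceVendor": "Blue Coat", "requestUrl": "http://www.google.com/search?q=arcsight+logger&hl=en"},
    {"deviceVendor": "Blue Coat", "requestUrl": "http://www.google.com/search?q=failed+logon"},
    {"deviceVendor": "Blue Coat", "requestUrl": "http://www.google.com/search?q=arcsight+logger"},
    {"deviceVendor": "Other",     "requestUrl": "http://www.google.com/search?q=ignored"},
]
# Same pattern as the rex in the search example; [^&]+ stops at the next query parameter.
SEARCH_TERM_RE = re.compile(r"http://www\.google\.com/search\?q=(?P<term>[^&]+)")


def rex_top(events, vendor, field, pattern, group):
    """`deviceVendor="<vendor>" | rex "<pattern>" | top <group>`:
    filter by vendor, extract the named group, rank the extracted values."""
    counts = Counter()
    for e in events:
        if e.get("deviceVendor") != vendor:
            continue
        m = pattern.search(e.get(field, ""))
        if m:
            counts[m.group(group)] += 1
    return counts.most_common()


if __name__ == "__main__":
    print(chart_count_by(FLOW_EVENTS, "dpt"))
    print(chart_avg_span(FLOW_EVENTS, ["bytesIn", "bytesOut"], 30))
    print(top_talkers(FLOW_EVENTS))
    print(rex_top(PROXY_EVENTS, "Blue Coat", "requestUrl", SEARCH_TERM_RE, "term"))
```

Each function corresponds to one stage of the Logger pipeline it names: the filter comes first, field derivation (EVAL, rex) next, then the aggregation (chart, top) and finally the sort, which is the order in which the operators are chained in the searches above.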

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
