Securonix Risk and Threat Intelligence 4 Action
- Pavan Raja
- Apr 9, 2025
- 4 min read
Summary:
This document is a configuration guide for integrating Securonix's Risk and Threat Intelligence platform with ArcSight Enterprise Security Manager (ESM). Key points include:
1. **Overview**: Securonix is an identity integration tool that supports bi-directional integration with ArcSight ESM version 5.0.1.6642.2 and later, and Securonix version 4.x.
2. **Integration Features**: The guide outlines how to set up policy alerts from Securonix being sent to ArcSight via syslog CEF, direct integration within the ArcSight Console's Web Portal, and forwarding identity information to ArcSight also in syslog CEF format with custom content (requires separate licensing).
3. **Configuration Steps**:
   - Generate a token in Securonix for authentication by ArcSight.
   - Create a role and assign the privileges needed for SIEM connectivity within the Access Control settings.
   - Create a user account for SIEM connectivity in Securonix through its web browser interface.
4. **Action Connector Configuration**: Instructions on installing the Securonix integration package into ArcSight ESM, including logging in with sufficient privileges and importing/installing the content package.
5. **Support Information**: For issues not resolvable by ArcSight support, contact Securonix support via phone or email. Customers should open tickets through a specific URL.
6. **Port Requirements**: Ensure proper connectivity on specified ports between Securonix and ArcSight components for successful integration.
The document also provides technical details such as:
- Integration commands for logon analysis, terminated employees, unauthorized locations, and user identity data visualization.
- Configuration of the Securonix target within ArcSight, including setting up event data integration with customizable fields.
- Use of specific commands (e.g., "Securonix-User-Information", "Securonix-User-Risk-Score", "User Logon") to overlay source MAC address and user identity information onto IP and user-based events.
- A sample arcsight.properties file for modifying event field preferences for Securonix policy events forwarded to ArcSight.
Overall, the document serves as a guide for integrating Securonix's threat intelligence with ArcSight, providing detailed steps on configuration, command usage, data integration, and rule implementation.
Details:
The document is a configuration guide for integrating Securonix's Risk and Threat Intelligence platform with ArcSight Enterprise Security Manager (ESM). Key points include:
1. **Overview**: Securonix is an identity integration tool that offers behavior analysis, advanced correlation, risk profiling, workflow, and investigation capabilities through its 4.0 version released on March 31, 2014. It supports bi-directional integration with ArcSight ESM for versions 5.0.1.6642.2 and later, as well as Securonix version 4.x.
2. **Integration Features**: The guide outlines how to set up policy alerts from Securonix being sent to ArcSight via syslog CEF, direct integration within the ArcSight Console's Web Portal, and forwarding identity information to ArcSight also in syslog CEF format with custom content (requires separate licensing).
3. **Configuration Steps**:
   - A token must be generated in Securonix for authentication by ArcSight; this involves creating a new connection type 'ArcSight CEF' within the console, generating a token, and copying the URL.
   - Create a role and assign the privileges needed for SIEM connectivity within the Access Control settings.
   - Similarly, create a user account for SIEM connectivity in Securonix through its web browser interface.
4. **Action Connector Configuration**: This guide also provides instructions on installing the Securonix integration package into ArcSight ESM, including how to log in with sufficient privileges and import/install the content package from the console.
5. **Support Information**: For issues not resolvable by ArcSight support, contact Securonix support via phone (1855-SEC-ONIX) or email (mailto:support). Customers should open tickets through http://support.securonix.com.
6. **Port Requirements**: Ensure proper connectivity on specified ports between Securonix and ArcSight components for successful integration.
This document is primarily technical, detailing the setup and configuration process for using Securonix with ArcSight ESM to enhance security operations and threat management capabilities.
The document outlines the integration of Securonix Risk and Threat Intelligence with ArcSight. Key components include:
1. **Integration Commands**: Included in the package is the "Securonix Risk and Threat Intelligence Integration Command," which supports analysis of logons by terminated employees, logons from unauthorized locations, and visualization of user identity data through customizable fields such as Employee ID, Login Name, Email, Department, etc.
2. **Configuring a Target**: Instructions are provided on how to configure the Securonix target within ArcSight. This involves navigating to the Resources tab in the Navigator panel, selecting Integration Commands, then targeting the "ArcSight Partner Sample Content folder" and opening the "Securonix group." Adjusting the IP address to match your Securonix device is necessary.
3. **Using an Integration Command**: Right-click on events in active channels or other configured viewers, select "Integration Commands → Securonix2," then choose the desired command from the available options. The system opens a browser window, passing credentials for "SIEMUSER" and using the destination user's information.
4. **Optional/Licensed Content**: Additional content is offered through HP Enterprise Security or Securonix, including more detailed rules and use cases specific to IP-based events related to misuse of accounts. This content can be accessed by contacting sales teams at HP or Securonix directly.
5. **Event Data Integration**: Securonix identity integration extends standard event data with customizable fields for full user visibility and critical alerting, particularly useful for "Successful Login by Terminated Account" events. These integrations are facilitated through a multi-database connector that populates 20 customizable fields into active lists.
6. **Rules and Global Variables**: A set of base rules and use cases is provided to overlay source MAC address and user identity information onto IP and user-based events. This includes specific commands for adding entries such as "Securonix-User-Information," "Securonix-User-Risk-Score," "User Logon," etc., using predefined Device Event Class IDs.
7. **Appendix A – Sample arcsight.properties file**: This provides event field modifications for Securonix policy events forwarded to ArcSight, adjusting parsing formats and preferences according to CEF formatted inputs.
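As an added example (not code from the guide, from Securonix or from ArcSight), the following Python parser handles a Securonix policy alert delivered in syslog CEF as items 5 to 7 describe: it splits the header, resolves the csN/cnN custom fields to their label text (Employee ID, Department, risk score) and applies a simple triage rule. The vendor, product, version and all field values in the sample line, and the escalation thresholds, are constructed assumptions.

```python
import re

# Constructed sample: one Securonix policy alert in syslog CEF, as the guide
# describes. Vendor, product, version and every field value are assumptions.
SAMPLE_CEF = (
    "CEF:0|Securonix|Securonix|4.0|POLICY_ALERT|"
    "Successful Login by Terminated Account|8|"
    "suser=jdoe src=10.0.0.5 cs1Label=Employee ID cs1=E12345 "
    "cs2Label=Department cs2=Finance cn1Label=Risk Score cn1=87 "
    "msg=Terminated account login from host\\=HR-LAPTOP"
)
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")

def parse_extension(ext: str) -> dict[str, str]:
    """Split 'k=v k2=v with spaces' on unescaped keys; unescape '\\=' and '\\\\'."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def resolve_labels(ext: dict[str, str]) -> dict[str, str]:
    """Rename csN/cnN custom fields to their csNLabel/cnNLabel text ('Employee ID')."""
    return {ext.get(k + "Label", k): v for k, v in ext.items() if not k.endswith("Label")}

def parse_cef(line: str) -> dict:
    """Parse the 7 pipe-separated header fields (escaped '\\|' kept) plus extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    event["version"] = event["version"][len("CEF:"):]
    event["severity"] = int(event["severity"])
    event["extension"] = resolve_labels(parse_extension(parts[7]))
    return event

def needs_escalation(event: dict, min_risk: int = 80) -> bool:
    """Triage rule (assumed thresholds): high CEF severity or Securonix risk score."""
    risk = int(event["extension"].get("Risk Score", 0))
    return event["severity"] >= 7 or risk >= min_risk

if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["name"], ev["extension"], needs_escalation(ev))
```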
Overall, the document serves as a guide for integrating Securonix's threat intelligence with ArcSight, providing detailed steps on configuration, command usage, data integration, and rule implementation.
This document contains preferences and configurations for various resource types and attributes used in a security information and event management (SIEM) system, specifically tailored for NetscreenVPN, Microsoft Windows, Unix, DNS Server, PIX, Sourcefire Management Console Streamer, RealSecure Server Sensor, and WebGateway devices. The configurations include account name preferences for different operating systems, IP address preferences, message preferences, and exclusion fields based on device type. Additionally, it defines attributes parsed from a CEF (Common Event Format) input file, with default values and additional customizations as needed.