
Threat Central Demo Script 1

  • Writer: Pavan Raja
  • Apr 9

Summary:

The provided document is a demonstration script for HP's Threat Central platform, designed to help users understand and navigate the platform effectively. It starts by explaining the purpose of the demo, which should be performed on the hosted production instance at https://threatcentral.io/tc/login/form. The script includes instructions for logging in securely using challenge / response codes, emphasizing the importance of authentication measures. After logging in, users are guided to click on the Dashboard icon to explore the platform's features. Threat Central is a threat intelligence gathering and sharing platform that provides real-time updates through its dashboard, broken down by industry, attack types, top attackers, and threat levels. It includes an interactive notification wall for staying updated with case notifications, advanced functionalities like sending information directly to HP Security Research, and integration capabilities with ArcSight ESM. The document outlines key features such as searching for indicators, creating cases, reviewing case details, using the dashboard, managing user profiles, accessing online help, and utilizing APIs for integration. The script also provides instructions for integrating Threat Central with ArcSight ESM. This involves finding and opening a specific ".ARB" file related to the integration, reviewing a provided solution guide, logging out, and handling sensitive information accordingly under the label "HPE Confidential."

Details:

The provided document outlines a demonstration script for HP's Threat Central, which is designed to help users understand and navigate the platform effectively. It begins by explaining the purpose of the demonstration, stating it should be performed on the hosted PRODUCTION instance of Threat Central at https://threatcentral.io/tc/login/form. The document emphasizes that no changes or additions should be made to this production environment, only viewing functions are allowed.

The script then moves into detailing the login process which includes entering credentials and using challenge / response codes for additional security. It highlights the importance of authentication measures in protecting sensitive information within Threat Central. After logging in, users are instructed to click on the Dashboard icon to begin exploring the platform's features. This introduction sets a secure yet informative tone for the use case demonstration script.

Threat Central is a platform designed for threat intelligence gathering and sharing, serving as a central point for collecting and reviewing global threats across various sectors. The interface provides real-time updates through its dashboard, which breaks down information by industry, attack types, top attackers, and threat levels. This centralized approach allows users to have an up-to-date view of the current threat landscape globally.

Upon accessing Threat Central, users are introduced to the default dashboard that reflects the evolving global threats in real-time. The dashboard is segmented into different categories such as industry, attack types, top attackers, and threat levels, providing a detailed analysis of the current situation. We will delve deeper into this feature later but for now, it's important to understand how information is structured and displayed across Threat Central.
The platform includes an interactive notification wall accessed by clicking on the notifications icon located on the left side of the interface. This section functions similarly to social networking platforms where relevant content appears in reverse chronological order with recent entries at the top. Notifications within this section include updates about cases, such as changes in threat levels or scores, addition of hyperlinks, and new actors involved in a case since the user's last interaction with it. Clicking on any specific case brings up detailed information including indicators, incidents, actors, and other attachments associated with that particular case. Users can also "watch" cases they find relevant to stay updated when changes occur. This feature helps streamline the process of making sense out of new information by unifying all related updates into a single view for easy consumption.

Threat Central also offers advanced functionalities such as sending pertinent information directly to HP Security Research for further investigation and inclusion in ESM active lists based on user subscriptions. The platform employs STIX-like terminology, which includes indicators, actors, tactics, techniques, and procedures (TTPs), reflecting its alignment with standardized threat reporting formats like STIX 1.1. This consistency aids users who are experienced with similar investigative practices in recognizing and navigating the interface effectively.

Creating new cases or indicators within Threat Central involves specific actions. To create a new case, one would manually enter relevant information such as indicators and other details needed for analysis. Alternatively, there is an import feature that allows for the addition of cases via CSV, Excel, or XML in STIX format.
A demonstration should involve creating a new indicator by selecting attack types, giving it a name and description, specifying observable types like IP addresses, and deciding whom to share the information with through user communities. It's crucial not to save any dummy data during this demo process to ensure no disruption of the production environment.

The document outlines how to navigate and utilize the Threat Central platform within HPE's cybersecurity framework. Key features include searching for indicators, creating cases, reviewing case details, using the dashboard for strategic threat visualization, managing user profiles, accessing online help, and utilizing APIs for integration with other systems. This comprehensive tool is designed to enhance situational awareness and response capabilities in handling cyber threats across various industries and types of attacks.

This text provides instructions for integrating a system called "ArcSight ESM" (Enterprise Security Manager) with another product known as "Threat Central." Here's a simplified summary of the steps involved:

1. **Accessing Integration Content**: You need to find and open a specific file named ".ARB" which is related to the integration between ArcSight ESM and Threat Central. Additionally, you should review a provided solution guide that outlines how these two systems can be connected.

2. **Logging Out**: Once you have accessed the necessary content for integration, follow these steps:

  • Click on your user login name located at the top of the interface.

  • From the dropdown menu, select "Logout" to end your session.

3. **Security Notice**: The information provided here is considered confidential and should be handled accordingly, adhering to specific use restrictions as indicated by the label "HPE Confidential."

This document serves as a guide for users who need to set up or troubleshoot an integration between ArcSight ESM and Threat Central, ensuring that they have access to necessary resources and are aware of how to handle sensitive information.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.
