
Various Use Cases 1

  • Writer: Pavan Raja
  • Apr 9
  • 14 min read

Summary:

This document outlines a series of user guides for installing and configuring SmartConnectors to integrate various security tools with their respective management consoles. Summaries of each guide:

1. **Qualys Vulnerability Scanner (SmartConnector)** - Intended for users installing the Qualys vulnerability scanner on systems that support Java 1.3 or later, with compatible Qualys Vulnerability Scanner versions 4.0, 4.7, 5.0, 6.3 and 6.5. It also supports event collection from McAfee ePolicy Orchestrator (ePO) products such as Host Intrusion Protection System (HIPS), VirusScan Enterprise (VSE), Policy Auditor, GroupShield, Rogue System Detection, Agent and Desktop Firewall across versions 4.0 to 4.6, as well as HIPS and VSE up to version 8.8.
2. **Imperva SecureSphere Web Application Firewall** - Covers configuring Imperva SecureSphere appliances to collect syslog events. The supported SecureSphere version is not specified in the text but is implied to be the current stable release.
3. **Snort IDS** - Covers installing the SmartConnector for Snort DB and setting up a device for database event collection, supporting Snort IDS versions 1.7-2.4, 2.6, 2.8 and 2.9.
4. **Microsoft Systems Center Operations Manager Audit Collection Services (ACS)** - Assists in installing the SmartConnector for Microsoft System Center Operations Manager DB and configuring devices for event collection, supporting Microsoft Operations Manager versions from 2000 up to 2007 R2, including Forefront Client Security.

Each user guide gives specific details on supported products, versions and platforms, ensuring compatibility with the required security tools and management consoles. These guides matter to organizations looking to strengthen their security infrastructure by integrating various security tools through SmartConnectors.

Rity v1.1 SP1 (with MOM 2005) is a software package that includes an ArcSight SmartConnector, which imports syslog events from Cisco ASA and FWSM firewalls into the ArcSight System. This connector allows the security events generated by these devices to be monitored and managed, enabling better incident response and threat detection.

UC 39 - Oracle Identity Management (or other LDP IAM Solution) involves integrating with an identity and access management solution such as Oracle Identity Management or a similar system to enhance user authentication, authorization and account provisioning within the organization's IT infrastructure. This helps maintain a secure environment by ensuring that only authorized users have access to resources.

UC 40 - Double NAT refers to a networking configuration in which an IP address is translated through two separate Network Address Translation (NAT) devices or firewalls. The challenge is linking the original threat source to the activity that occurs after it has passed through these multiple NAT layers. The vendor's solution can be applied by developing rules and configurations during demonstrations that detect threats across the double NAT setup, allowing better tracking of and response to the original sources of threats.

These user guides and UC codes show how organizations can enhance their security infrastructure through integration with various tools and solutions.

Details:

The use case documentation outlines several demonstrations using ArcSight's SIEM/FIM capabilities, specifically focused on data pivoting and log tracking. A summary of each use case:

1. **Demonstrate everything done across multiple systems (UC 1)**: Load the console and right-click on the grid area to select "Event Graph." Using ArcSight's standard replay files, this use case shows how all activities across various systems can be visualized through a single event graph, showcasing interactions between different components of the system.
2. **Simultaneous Logins using Time Proximity (UC 2)**: Similar to UC 1, this also involves loading the console, but here the focus is on visualizing simultaneous logins by different users within a short time frame. It uses ArcSight's standard replay files and tracks multiple login activities as they occur close together in time.
3. **Track Activities when a generic service account is used for all users on target (UC 3)**: This use case uses the same setup, loading the console with standard replay files. It targets applications where multiple users log into a system through a generic or shared account (e.g., SYSTEMUSER in the context of web applications). The objective is to show how activities can still be correlated when they are performed under the same account, using variables such as ActorByIPOrAccount.Full Name and session lists for detailed tracking.

In each case, ArcSight's capabilities are used to create visual representations of complex events through event graphs, filtered on specific fields and global variables that provide additional context from IDM-related active lists. The use cases also illustrate how data pivoting is achieved by focusing on specific aspects of the logged activities (such as login sessions) while disregarding irrelevant details for clarity in the graphical representation.

The next section describes setting up and configuring an event detection rule in ArcSight whose purpose is to detect multiple simultaneous logins from different IP addresses using the same account. A summarized breakdown of the steps and considerations:

1. **Setting Up the Environment**:

  • The user is working with an active session, likely logged into the system where they will configure the rule.

  • They are preparing to check for events related to logging out, which involves generating a logout event and terminating sessions based on specific criteria (Attacker Address, Device Custom String6 , and Source User Name).

2. **Creating a Rule for Multiple Logins**:

  • A new rule named "TEST_MIP" is being created to detect multiple logins from the same account using different IP addresses.

  • In the Conditions section:

      • The Generator ID is set to ensure that the rule does not trigger itself. This involves copying a long string value from another part of the system and pasting it into the "Generator ID" field within a new condition.

      • Criteria for aggregation include unique Attacker Addresses but identical Target Addresses (IPs) and the same Target User ID, focusing on cases where multiple users try to log in from the same IP address or IPs linked to a single account.

  • The Actions tab is set to use "On First Threshold" Correlation Category, which likely involves taking some action once the threshold of unique but proximate login attempts is met based on the criteria specified.

3. **Monitoring and Testing**:

  • A dedicated Active Channel named "USE CASES" is created to visualize events related to this rule and track when it fires.

  • The channel is configured to continuously evaluate data over a time frame set as recent (within the last 10 minutes).

  • For testing, a filter should be applied in the ArcSight Smart Connector to display specific fields relevant to the event being simulated: Attacker Address (e.g., 10.1.1.1), Target Address (e.g., 10.10.10.10), and possibly other identifying information as required by the rule setup.

This detailed setup is aimed at enhancing security monitoring by detecting suspicious activities such as unauthorized access attempts from multiple IP addresses using a single account, which could indicate misuse or breaches of system security policies.

The documentation then outlines several use case scenarios and configurations for correlation rules, in the context of network security monitoring using ArcSight SmartConnectors. In summary:

**Use Case 1 - Same Account with Different Source Addresses:**

  • Rule setup involves copying an existing rule named "UC1 – Same Account 2 Source Addr" and renaming it to "UC2 – Same IP Multiple Accounts." This rule should aggregate events where the source address is identical but the target user ID differs. The aggregation should focus on unique target user IDs while keeping the source addresses consistent.

  • In testing, set the attacker's initial address to 10.1.1.1 and the target user ID to USER 1. Changing these to 10.1.1.2 and USER 2 respectively will trigger the rule as expected.

  • Enhancements could include adding a trusted list feature that skips triggering if the attacker's address is on this pre-defined whitelist.

**Use Case 2 - Same IP Address Used by Multiple Accounts:**

  • This scenario involves setting up a rule to detect multiple accounts using the same IP address, focusing on unique target user IDs with identical source addresses. The rule should be configured in such a way that it detects when different users are logging into systems from the same IP through an aggregation process where only the user ID differs but not the source address.

  • Similar to User Case 1, this involves creating and configuring a new rule by copying another existing one (e.g., UC3 – Same Account Diff GEO Codes), adjusting it for identical IPs across different accounts.

**Use Case 3 - Different Geo Locations Using the Same Account:**

  • This user case focuses on detecting when a user logs into multiple geographical locations using the same account ID, tracking which country codes are unique within a specified time frame before auto-expiring this list every four hours. The rule should track different geo attributes (8 in total) and ensure that only the geo code changes while keeping the account ID identical to trigger an alert.

  • To test, set up events with the attacker's address as 206.116.23.54 initially and USER 2 as the target user ID. Adjusting these parameters as described should activate the rule.
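
The three correlation rules above (UC1, same account from two source addresses, which is also what the TEST_MIP rule detects; UC2, same IP for multiple accounts; UC3, same account from different geo codes), together with the 10-minute window, the trusted-address skip and the four-hour expiry of the country list, written out as plain Python rather than ArcSight rule configuration. This is an added example, not the document's own material; the event field names, the fire threshold of two distinct values, the trusted address and all sample events are assumptions constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Field names follow the ArcSight fields named in the text (Attacker Address,
# Target Address, Target User ID); the country code stands in for the geo
# attributes the UC3 rule tracks. All events below are constructed.
@dataclass
class LoginEvent:
    ts: int                 # seconds since epoch
    attacker_address: str   # source of the login
    target_address: str
    target_user_id: str
    country_code: str

@dataclass
class Correlator:
    """Three aggregation rules over sliding time windows. The fire threshold of
    two distinct values per window is an assumption ('On First Threshold')."""
    window: int = 600             # 10 minutes, as the USE CASES channel evaluates
    geo_window: int = 4 * 3600    # UC3 country list auto-expires every four hours
    trusted: set = field(default_factory=set)  # whitelist that suppresses UC1
    uc1: dict = field(default_factory=lambda: defaultdict(list))  # (target, user) -> [(ts, src)]
    uc2: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(ts, user)]
    uc3: dict = field(default_factory=lambda: defaultdict(list))  # user -> [(ts, country)]

    @staticmethod
    def _distinct_in_window(bucket, now, window):
        # Drop entries older than the window, then count distinct values.
        bucket[:] = [(t, v) for t, v in bucket if now - t <= window]
        return len({v for _, v in bucket})

    def feed(self, ev):
        """Evaluate one login event; return the names of the rules that fire."""
        fired = []
        # UC1: same account on the same target seen from two source addresses.
        if ev.attacker_address not in self.trusted:
            b = self.uc1[(ev.target_address, ev.target_user_id)]
            b.append((ev.ts, ev.attacker_address))
            if self._distinct_in_window(b, ev.ts, self.window) >= 2:
                fired.append("UC1 - Same Account 2 Source Addr")
        # UC2: same source address logging in as two different user IDs.
        b = self.uc2[ev.attacker_address]
        b.append((ev.ts, ev.target_user_id))
        if self._distinct_in_window(b, ev.ts, self.window) >= 2:
            fired.append("UC2 - Same IP Multiple Accounts")
        # UC3: same account seen from two country codes within four hours.
        b = self.uc3[ev.target_user_id]
        b.append((ev.ts, ev.country_code))
        if self._distinct_in_window(b, ev.ts, self.geo_window) >= 2:
            fired.append("UC3 - Same Account Diff GEO Codes")
        return fired

def run_demo():
    """Replay constructed events mirroring the test values in the text."""
    c = Correlator(trusted={"10.0.0.5"})   # constructed trusted address
    events = [
        LoginEvent(0,   "10.1.1.1",      "10.10.10.10", "USER 1", "CA"),
        LoginEvent(30,  "10.1.1.2",      "10.10.10.10", "USER 1", "CA"),  # second source -> UC1
        LoginEvent(60,  "10.1.1.2",      "10.10.10.10", "USER 2", "CA"),  # second account -> UC2
        LoginEvent(90,  "10.0.0.5",      "10.10.10.10", "USER 2", "CA"),  # trusted: UC1 suppressed
        LoginEvent(900, "206.116.23.54", "10.10.10.10", "USER 2", "US"),  # new country -> UC3 only
    ]
    return [c.feed(ev) for ev in events]

if __name__ == "__main__":
    for fired in run_demo():
        print(fired or "no rule fired")
```

The fifth event does not fire UC1 because the earlier login for USER 2 has aged out of the 10-minute window, while UC3 still fires because its country list lives for four hours.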

In each case, the documentation provides detailed steps on how to configure and test rules using ArcSight SmartConnectors, including setting up dummy events with specific field values that are needed to trigger the appropriate rules based on unique criteria such as source addresses or country codes.

The documentation also outlines several processes related to alert escalation, notifications, user creation and data monitoring within the system. Key points:

1. **Alert Escalation**:

  • A SIEM (Security Information and Event Management) tool is capable of automatically escalating alerts if no response is received from the initial analyst ('Analyst1') after a set period, such as 10 minutes. In this case, the alert would be sent to a second analyst ('Analyst2'). This feature is crucial for managing alert workflows effectively.

2. **Notifications**:

  • The process involves creating a user account and assigning it to a notification group. This setup allows for configuring different types of notifications such as SMTP (Simple Mail Transfer Protocol), SMPP (Short Message Peer-to-Peer), and SNMP (Simple Network Management Protocol). These can be tailored according to specific needs, including elimination of false positives through white/black listing checks.

  • Users are assigned to notification groups, with escalation times set for the groups based on response time from analysts. If no reply is received within the specified time frame, notifications are sent to higher-level analysts.

  • Once a user is part of a notification group and their account is configured, they can be notified when specific events occur according to pre-defined rules or triggers.

3. **Data Monitoring**:

  • A data monitor is created to track the number of different countries from which users are logging in. This helps in understanding geographical distribution of user activity and detecting unusual login patterns that might indicate security breaches or unauthorized access attempts.

4. **User Creation and Configuration**:

  • Users must first create an account, followed by assigning them to a notification group for alert notifications. Configurations include setting up different types of notifications such as SMTP, SMPP, and SNMP.

5. **Testing Events in the System**:

  • A test event was conducted with specific field settings: Name (Test Alert Event), Category Object (/Host/Operating System), Source Address (206.116.23.54), Source User ID (Bad Guy 1), Target Address (199.248.65.119), and Target User ID (App User 1) with Device Product (Oracle).

  • Within 30 seconds, the settings were updated to change the Target User ID to App User 2 and Device Product to SQL for further testing purposes. This test focused on monitoring changes in Device Product and Target User ID as critical parameters for rule validation.

6. **Reporting**:

  • Reports are used to capture views or summaries of data, which can be printed or viewed through the ESM Console or ArcSight Web viewer in various formats. The architecture supports more complex multi-element reports that help in trend analysis and strategic decision making based on gathered data insights.

These processes and features collectively contribute to enhancing security operations by providing proactive alerting mechanisms, detailed user activity monitoring and automated reporting capabilities.

The reporting application integrates multiple queries with a report template to generate reports on event data, cases, notifications and assets. The interface includes a navigator (left panel) that allows users to move through hierarchical folders, which can be grouped according to user preference while access is controlled using Access Control Lists (ACLs). The application supports several use cases, including grouping IP addresses/ranges by network segment, visualizing asset relations, and managing applications and people/accounts. Correlation rules are applied system-wide, but deployment is controlled via ACLs. Sub-administrators can be created to delegate access control within specific containers. The application offers extensibility through an API/SDK for provisioning new accounts, adding and configuring log-event-generating devices, manipulating policies, group/tag structure and general settings, and integrating with external data sets such as blocklists or reputation services provided by third parties or maintained locally. Data can also be exported from the system using various methods.

Integration commands within the ESM (Enterprise Security Manager) Console are used for triggering alerts, running scripts and integrating with external tools such as Google Earth, giving analysts access to additional tools or applications directly from the console. The functionalities covered:

1. **Integration Commands**: A set of tools that allow invoking scripts and tools from various parts of the ESM Console, providing snap-in views for other applications such as ArcSight NSP and third-party integrations. This centralizes security operations by making these tools available directly within the console's interface.
2. **Triggering Alerts**: The use cases mentioned (UC 4 to UC 9) likely refer to a series of steps or procedures that, when followed together, enable users to set up and trigger alerts using the integrated commands. These alerts could be based on predefined rules or conditions configured within the ESM Console.
3. **Running Scripts**: Executing pre-defined scripts through the integration framework, which can automate tasks related to security monitoring and response. Script execution might use data from the fields and resources available in the ESM system for context-sensitive processing.
4. **Google Earth Integration**: Allows events or locations to be visualized directly within the Google Earth interface, giving a geographical perspective on the events monitored by ArcSight ESM. It is reached through right-click interactions and can be set up as part of rule creation for dynamic mapping and analysis during investigations.
5. **Remediation Actions**: The text references ArcSight Threat Response Manager (TRM), which provides a suite of investigative and remediation actions to address threats effectively. The integration commands expose TRM functionality, aiding comprehensive threat management and response.
In summary, ArcSight ESM's integration commands can be used for enhanced security operations by connecting with external tools such as Google Earth, which then serve real-time monitoring, alert generation and efficient threat management through automated scripts and visualizations within the console itself.

The text then discusses two further aspects of network security and data handling in the context of ArcSight ESM and Threat Response Manager (TRM). Firstly, it describes how integrating ESM with TRM provides real-time protection against network compromises: ESM identifies compromised conditions on the network, and TRM is then used for correlation and actions such as investigating IP addresses or quarantining nodes, so that damage is minimized in case of a compromise. Examples given include selecting an IP address in ESM to investigate its node with TRM, and automatically quarantining a node based on rules set up within ESM that trigger actions through the ArcSight TRM CounterAct Connector. Secondly, it addresses writing custom parsers for unique or specialized log formats using FlexConnectors, which involves creating a configuration file for the FlexConnector to handle a specific type of log. The example given describes a simple configuration file that uses regular expressions and tokens to parse IP addresses, timestamps, request types, URLs, HTTP versions, return codes and other data from logs. More detailed information is in the "Flex Developers Guide," which developers should consult for further instructions on configuring such connectors and writing custom parsers.
This configuration file is crucial because it dictates how events are parsed and which fields are extracted from log entries, which in turn affects the effectiveness of incident detection and response.

The anomaly detection section draws on data from an Access Log (specified by `event.deviceProduct=__stringConstant(Access Log)`) and considers events that deviate from predefined profiles. Severity is derived from the HTTP status code: high severity for any code between 400-599, medium for 300-399 and low for 100-299. Anomaly detection monitors the data for deviations from typical behaviour patterns, categorized by predefined thresholds: mild (±33 to ±65) and severe (≥66). When such deviations are detected, alerts are triggered for further investigation.

Correlation data monitors evaluate event streams by calculating statistics and moving averages to identify anomalies or inconsistencies. "Event Correlation" compares flows from two different systems, such as a firewall and an IDS, improving the accuracy of reported attacks across multiple platforms. "Event Reconciliation" matches events between sensors such as a firewall and an IDS; it covers scenarios where an event is missed by one system but detected by the other, giving a more complete view of network activity and potential threats. Together, these features use predefined thresholds and statistical analysis to flag potentially malicious activity or configuration changes.
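The FlexConnector parser described above (regex tokens for IP address, timestamp, request type, URL, HTTP version and return code) and the status-code severity bands from the anomaly detection section, recreated here in Python as an added example rather than FlexConnector configuration. The log line layout, the ArcSight-style field names and the sample lines are assumptions constructed for this example; only `deviceProduct = "Access Log"` and the severity ranges come from the text.

```python
import re
from datetime import datetime

# Combined-log-style access log line (the real format depends on the web server
# feeding the FlexConnector). Named groups play the role of the connector's tokens.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def severity_for(status):
    """Severity bands from the text, keyed on the HTTP return code."""
    if 400 <= status <= 599:
        return "High"
    if 300 <= status <= 399:
        return "Medium"
    if 100 <= status <= 299:
        return "Low"
    return None   # outside every band the text defines; leave unset

def parse_line(line):
    """Map one log line to event fields, or return None when the regex rejects it.
    Field names are ArcSight-style approximations chosen for this example."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    status = int(m["status"])
    return {
        "deviceProduct": "Access Log",   # the text's __stringConstant(Access Log)
        "sourceAddress": m["ip"],
        "deviceReceiptTime": datetime.strptime(
            m["ts"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
        "requestMethod": m["method"],
        "requestUrl": m["url"],
        "httpVersion": m["version"],
        "returnCode": status,
        "severity": severity_for(status),
    }

def parse_log(text):
    """Parse every non-empty line; return (events, rejected_line_count).
    Counting rejects matters: an unparsed line is an event the SIEM never sees."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    return events, rejected

# Constructed sample lines (documentation-range addresses); the last one is
# deliberately malformed to exercise the reject path.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [09/Apr/2021:10:15:40 +0000] "GET /old-page HTTP/1.1" 301 0
198.51.100.23 - - [09/Apr/2021:10:16:01 +0000] "POST /login HTTP/1.1" 403 512
malformed line that the connector should reject
"""

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["sourceAddress"], ev["returnCode"], ev["severity"])
    print(f"{bad} line(s) rejected")
```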
The next passage covers firewalls, Intrusion Detection Systems (IDS), the Moving Average, Session Reconciliation and Statistics data monitors (with statistical methods such as average, standard deviation, skew, kurtosis and moving average), use cases UC 31-UC 32 for dealing with too few events or events outside the normal temporal window, and product integrations, notably the Qualys Guard SaaS Vuln integration. Key points:

1. **Firewalls and IDS**: A firewall accept matched by an IDS attack is considered a successful attack, while an accept without a matching IDS event is considered normal.
2. **Moving Average data monitor**: Removes short-term fluctuations and shows long-term trends by displaying the moving average of events for the selected data fields.
3. **Session Reconciliation data monitor**: Correlates events within a relevant time period, such as a VPN login, using session start and end parameters set at creation. The session list feature provides scalable collection of session data.
4. **Statistics data monitor**: Offers statistical methods beyond the Moving Average, including average, standard deviation, skew, kurtosis and moving average.
5. **UC 31-UC 32**: Address insufficient events or events occurring outside the typical time frame, suggesting solutions such as the After Hours filter or active lists for capturing login patterns.
6. **Product integrations**: Specifically mentions the Qualys Guard SaaS Vuln integration as part of broader security measures.

The passage does not provide a detailed analysis or evaluation but outlines the different aspects and functionalities related to firewall operations, data monitoring, statistical analysis and software integrations in the context of improving security and operational efficiency.
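The Moving Average data monitor described above, combined with the mild (±33 to ±65) and severe (≥66) deviation bands from the anomaly detection section, as an added Python example that is not part of the document. The text gives no unit for the bands; reading them as percentage deviation from the moving average, the four-bucket window, the zero-average handling and the per-interval sample counts are all assumptions made here.

```python
from collections import deque

# Deviation bands stated in the text. The text gives no unit; treating them as
# percentage deviation from the moving average is an assumption made here.
MILD_MIN, MILD_MAX, SEVERE_MIN = 33, 65, 66

def classify_deviation(pct):
    """Map a signed percentage deviation to the text's mild/severe bands.
    Values strictly between 65 and 66 fall in neither band as the text defines them."""
    magnitude = abs(pct)
    if magnitude >= SEVERE_MIN:
        return "severe"
    if MILD_MIN <= magnitude <= MILD_MAX:
        return "mild"
    return None

class MovingAverageMonitor:
    """Compare each new bucket count against the moving average of the
    previous `samples` buckets, smoothing out short-term fluctuations."""
    def __init__(self, samples=4):
        self.history = deque(maxlen=samples)

    def observe(self, count):
        """Return (pct_deviation, band); None while too few buckets exist (cf. UC 31)."""
        if len(self.history) < self.history.maxlen:
            self.history.append(count)
            return None
        avg = sum(self.history) / len(self.history)
        if avg == 0:
            pct = 100.0 if count else 0.0   # constructed choice: avoid division by zero
        else:
            pct = (count - avg) / avg * 100
        self.history.append(count)          # the new bucket joins the baseline
        return round(pct, 1), classify_deviation(pct)

def evaluate(counts, samples=4):
    """Run the monitor over per-interval event counts; return the band per interval."""
    mon = MovingAverageMonitor(samples)
    results = []
    for c in counts:
        r = mon.observe(c)
        results.append(None if r is None else r[1])
    return results

# Constructed: login events counted per 5-minute interval.
SAMPLE_COUNTS = [10, 12, 11, 9, 16, 10, 25]

if __name__ == "__main__":
    print(evaluate(SAMPLE_COUNTS))   # [None, None, None, None, 'mild', None, 'severe']
```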

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
