Lab 3 Network and Asset Model PDF

This document provides instructions for modeling a network and assets in ArcSight. It describes creating zones to represent different parts of the network, such as servers, internal systems, production systems, development systems and DMZs. It also describes creating a network group and network, and associating the zones. Finally, it describes creating an asset group and individual assets with attributes like addresses, operating systems and comments. The overall aim is to gain experience working with ArcSight's network and asset modeling capabilities.


Security and Privacy Services

ArcSight ITS Training


Lab 3 – Network and Asset Model
8 August 2013
Lab 3.1 – Network and Asset Model

Table of Contents

Section 1 - Lab Objectives (page 3)
Section 2 - Preparation (page 4)
Section 3 - Network Modelling (page 8)
Section 4 - Asset Modelling (page 14)
Section 5 - Apply Your Network to the Connector (page 16)
Section 6 - Review Results (page 20)

Legend

[note icon] Notation for an important step or note, for example the objective of each section.
[observation icon] Observation for the preceding step.

Deloitte Confidential and Proprietary Page 2 of 20



Section 1 - Lab objectives


The objectives of this lab are as follows:

 Work with network modelling
 Understand categorization
 Work with asset modelling


Section 2 - Preparation

Section Objectives
In this section you will observe how events appear before a network and
asset model has been applied to them.

2.1 – Pre-Network and Asset Model

 Navigate to the Active Channels resource tab (Ctrl + Alt + A) and right-click on
<your name>'s Active Channels. Create a new active channel.
 In the panel, configure it as below:
 Under Filter, click on Define.
 In the filter editor, right-click on Event and select New Condition -> Target -> Target Address.
 In the panel, click on the equals sign and change the operator to InSubnet.
 Enter your network's CIDR address. For example, if your network is 10.1.0.0/16,
you would configure it as illustrated below:


 Click on OK after you are done.


 Your Active Channel should look like this


 Click on OK
 You should now see the Active Channel build

Right-click on the Target Address column and select Columns -> Add/Remove Column
-> Target -> Target Zone Name.


Repeat for the following fields:

 Target -> Target Geo Country Code
 Target -> Target Geo Country Flag URL
 Threat -> Model Confidence

Observe
You should see that some of these fields are either empty or carry only the
default system entries (for example, a Target Zone Name in the built-in
RFC1918 private-address zone rather than a zone of your own). This shows that
the events are not yet being assigned to a customer-defined zone: no network
containing your zones has been applied to the connector that sends them.


Section 3 - Network Modelling

Section Objectives
Gain experience with how to work with ArcSight’s Network Model.

3.1 - Preparation
 Log into ArcSight.
 Press Ctrl + Alt + S to open the Assets resource tab.
 Review the default structure.

Network values used in this training are as follows:

Username     Company                        Network
Student 1    <replace with your company>    10.1.0.0/16
Student 2    <replace with your company>    10.2.0.0/16
Student 3    <replace with your company>    10.3.0.0/16
Student 4    <replace with your company>    10.4.0.0/16
Student 5    <replace with your company>    10.5.0.0/16
Student 6    <replace with your company>    10.6.0.0/16
Student 7    <replace with your company>    10.7.0.0/16
Student 8    <replace with your company>    10.8.0.0/16
Student 9    <replace with your company>    10.9.0.0/16
Student 10   <replace with your company>    10.10.0.0/16
Student 11   <replace with your company>    10.11.0.0/16
Student 12   <replace with your company>    10.12.0.0/16


3.2 - Create a zone

Create a Zone Group that reflects your company's name, for example "Mark Co
Zone Group". Within the group, create the following zones (where x.x is the first
two octets of your network, e.g. 10.1 for Student 1):

ServerNet_x.x.0.0
  Start address: x.x.0.1    End address: x.x.0.254
  Categories: /System Asset Categories/Criticality/High

InternalNet_x.x.2.0
  Start address: x.x.2.1    End address: x.x.2.254
  Categories: /System Asset Categories/Criticality/Medium

ProdNet_x.x.42.0
  Start address: x.x.42.1    End address: x.x.42.254
  Categories: /System Asset Categories/Criticality/High

DevNet_x.x.73.0
  Start address: x.x.73.1    End address: x.x.73.254
  Categories: /System Asset Categories/Criticality/Low
              /Site Asset Categories/Business Impact Analysis/Business Role/Development

DMZ_x.x.1.0
  Start address: x.x.1.1    End address: x.x.1.254
  Categories: /System Asset Categories/Criticality/Very High
              /Site Asset Categories/Classification/Restricted
              /Site Asset Categories/Business Role/Security Devices/DMZ Ranges

DMZ_x.x.100.0
  Start address: x.x.100.1    End address: x.x.100.254
  Categories: /System Asset Categories/Criticality/Very High
              /Site Asset Categories/Classification/Restricted
              /Site Asset Categories/Business Role/Security Devices/DMZ Ranges

Note that only these six /24 ranges of your /16 are covered. An address outside
them (another x.x.N.0/24, or the .0 and .255 addresses of the ranges above) is
not in any of your zones and will keep the default zone after Section 5.


3.3 – Create a Network

Under the Networks tab, right-click on "All Networks" and create a group for your
company. In the example below, a sample network group is being created (highlighted):


Once the group has been created, right-click on the group and select New Network. Enter
the name of your network and, under Location, select Deloitte Tokyo.


Click on the Zones tab


Click on Add and add the zones you created in this section:

This associates the zones with your network, so that a connector using this
network can place events in them.


Section 4 - Asset Modeling

Section Objectives
Gain experience with how to work with ArcSight’s Asset Model.

4.1 - Creating assets

Create an Asset Group, for example "Bob's Asset Group". Create a series of assets
with the following values and add them to the asset group you created. An asset is
identified by its address together with its zone, so make sure each address below
falls inside the matching zone from Section 3.2 (for example, x.x.42.2 belongs in
ProdNet_x.x.42.0); an asset in the wrong zone will never be matched to an event.

dc1.<yourcompany>.com
  Address: x.x.2.3
  OS: W2003 (domain controller)
  Comments: Classification: Secret

sap.<yourcompany>.com
  Address: x.x.0.1 – x.x.0.50 (Asset Range)
  OS: Sun Solaris
  Comments: Classification: Secret
            Application vendor: Oracle
            Data Role Confidentiality: Customer
            Open ports: TCP 21, 22, 23, 25, 443, 1521

db1.<yourcompany>.com
  Address: x.x.42.2
  OS: Sun Solaris
  Comments: Classification: Secret
            Application vendor: Oracle
            Data Role Confidentiality: Customer
            Open ports: TCP 21, 22, 23, 25, 80, 443, 1521

db2.<yourcompany>.com
  Address: x.x.42.3
  OS: Sun Solaris
  Comments: Classification: Secret
            Application vendor: Oracle
            Data Role Confidentiality: Customer
            Open ports: TCP 21, 22, 23, 25, 80, 443, 1521

devdb1.<yourcompany>.com
  Address: x.x.73.89
  OS: Sun Solaris
  Comments: Classification: Secret
            Application vendor: Oracle
            Role (Business): Development
            Open ports: TCP 21, 22, 23, 25, 80, 443, 1521

fw1.<yourcompany>.com
  Address: x.x.1.1
  OS: Nokia
  Comments: Classification: Top Secret

Dmz1 Bob range
  Address: x.x.100.1 – x.x.100.254 (Asset Range)
  OS: -
  Comments: Classification: Confidentiality Restricted
            Location: Toronto
            System Asset (Category) Criticality: High


Section 5 – Apply your network to the Connector

Section Objectives
Learn how to apply the network and asset model to the SmartConnector so that
its events are tagged. Once you apply your network to the connector, you
should see that the geo code, zone name and related fields are populated.

Navigate to the Connectors resource (Ctrl + Alt + E) and expand the Replay Connectors
group:


Right-click on the Instructor's Replay connector and click on Configure. You will get a
panel that looks like the following:


Click on the Networks tab:


Click on Add and add the network you just created. Use the up and down arrows to
place your network above the Local network. The connector evaluates its networks
in the order listed, and the Local network's default RFC1918 zone already covers
the whole 10.0.0.0/8 range, so if Local stays on top it matches your 10.x.0.0/16
addresses first and your zones never fire.

Click on Apply and OK.

Note: It may take two to three minutes for the events to be re-zoned after this change.
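The following Python script is an added example, not ArcSight code and not part of the original lab. It models the zoning and asset lookup that Sections 2, 3 and 5 walk through in the Console: a connector holding an ordered list of networks, zones as address ranges inside a network, and assets keyed by zone plus address. The resolution rules it implements (first network in connector order with a containing zone wins, narrowest zone within that network wins, assets match only inside their own zone) are assumptions made for the illustration, as is the reduction of the default Local network to a single RFC1918 zone for 10.0.0.0/8. The zone and asset data are Student 1's values from the Section 3.2 and 4.1 tables, with the `<yourcompany>` placeholder kept as-is.

```python
"""Toy model of ArcSight zone/asset resolution for one event (added example).

Not ArcSight code. Assumed rules: the connector walks its networks in order and
the FIRST network holding a zone that contains the address wins; inside that
network the narrowest zone wins; an asset (or asset range) matches only by zone
AND address. Data: Student 1 (10.1.0.0/16) from the lab's Section 3.2 and 4.1
tables; "Local" reduced to the RFC1918 zone that unmodelled 10.x events land in.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Zone:
    name: str
    start: IPv4Address
    end: IPv4Address
    categories: tuple = ()

    def contains(self, addr):
        return self.start <= addr <= self.end

    def size(self):  # used to pick the narrowest zone when several match
        return int(self.end) - int(self.start)


@dataclass(frozen=True)
class Network:
    name: str
    zones: tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str           # zone the asset / asset range was created in
    start: IPv4Address
    end: IPv4Address    # equal to start for a single-address asset


def zone(name, start, end, *cats):
    return Zone(name, IPv4Address(start), IPv4Address(end), tuple(cats))


def asset(name, zone_name, start, end=None):
    return Asset(name, zone_name, IPv4Address(start), IPv4Address(end or start))


# Default network: the system zone that "catches" 10.x addresses before modelling.
LOCAL = Network("Local", (
    zone("RFC1918: 10.0.0.0-10.255.255.255", "10.0.0.0", "10.255.255.255"),
))

# Student 1's network, zones from the Section 3.2 table (x.x = 10.1).
CRIT = "/System Asset Categories/Criticality/"
STUDENT1 = Network("Student1 Network", (
    zone("ServerNet_10.1.0.0", "10.1.0.1", "10.1.0.254", CRIT + "High"),
    zone("DMZ_10.1.1.0", "10.1.1.1", "10.1.1.254", CRIT + "Very High"),
    zone("InternalNet_10.1.2.0", "10.1.2.1", "10.1.2.254", CRIT + "Medium"),
    zone("ProdNet_10.1.42.0", "10.1.42.1", "10.1.42.254", CRIT + "High"),
    zone("DevNet_10.1.73.0", "10.1.73.1", "10.1.73.254", CRIT + "Low"),
    zone("DMZ_10.1.100.0", "10.1.100.1", "10.1.100.254", CRIT + "Very High"),
))

# Assets from the Section 4.1 table; <yourcompany> is the lab's own placeholder.
ASSETS = (
    asset("dc1.<yourcompany>.com", "InternalNet_10.1.2.0", "10.1.2.3"),
    asset("sap.<yourcompany>.com", "ServerNet_10.1.0.0", "10.1.0.1", "10.1.0.50"),
    asset("db1.<yourcompany>.com", "ProdNet_10.1.42.0", "10.1.42.2"),
    asset("db2.<yourcompany>.com", "ProdNet_10.1.42.0", "10.1.42.3"),
    asset("devdb1.<yourcompany>.com", "DevNet_10.1.73.0", "10.1.73.89"),
    asset("fw1.<yourcompany>.com", "DMZ_10.1.1.0", "10.1.1.1"),
    asset("dmz1 range", "DMZ_10.1.100.0", "10.1.100.1", "10.1.100.254"),
)


def resolve_zone(connector_networks, address):
    """First network in connector order with a containing zone wins; narrowest zone inside it."""
    addr = IPv4Address(address)
    for net in connector_networks:
        hits = [z for z in net.zones if z.contains(addr)]
        if hits:
            return min(hits, key=Zone.size)
    return None


def resolve_asset(assets, zone_name, address):
    """Assets are keyed by zone and address, so a wrongly zoned event finds no asset."""
    addr = IPv4Address(address)
    for a in assets:
        if a.zone == zone_name and a.start <= addr <= a.end:
            return a
    return None


def tag_event(connector_networks, assets, target_address):
    """Fill the Target Zone Name / Target Asset Name columns the lab's channel shows."""
    z = resolve_zone(connector_networks, target_address)
    a = resolve_asset(assets, z.name, target_address) if z else None
    return {"targetAddress": target_address,
            "targetZoneName": z.name if z else None,
            "targetAssetName": a.name if a else None,
            "zoneCategories": list(z.categories) if z else []}


if __name__ == "__main__":
    print(tag_event((LOCAL, STUDENT1), ASSETS, "10.1.42.2"))  # Section 2 ordering: Local first
    print(tag_event((STUDENT1, LOCAL), ASSETS, "10.1.42.2"))  # Section 5 ordering: yours first
```

Run it and compare the two dictionaries: with Local listed first, 10.1.42.2 is tagged with the RFC1918 system zone and no asset, which is what Section 2 showed; with your network moved above Local it resolves to ProdNet_10.1.42.0 and db1. An address inside your /16 but outside every zone you created (10.1.200.5, or the .0 address of one of your /24s) still falls back to Local even with the right ordering, which is the first thing to check when a host stays unzoned after this section.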


Section 6 – Review results


Section Objectives
See how events are tagged after the network and asset model has
been populated.

Open the Active Channel you created in Section 2 and check the zone and geo fields
to see whether the events are now tagged correctly. You should see your own zone
names under Target Zone Name and, because the network's location was set to Deloitte
Tokyo, the Japanese flag under Target Geo Country Flag URL.
