
ESM200-70 – ArcSight Enterprise Security Manager (ESM) Administrator and Analyst 7.0.0 patch 1
For versions: 7.x
Revision: A

Student Guide

Use of this material to deliver training without prior written permission from Micro Focus is prohibited.
© Copyright 2019 Micro Focus
The information contained herein is subject to change without notice. The only warranties for
Micro Focus products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting
an additional warranty. Micro Focus shall not be liable for technical or editorial errors or
omissions contained herein.
This is a Micro Focus copyrighted work that may not be reproduced without the written
permission of Micro Focus. You may not use these materials to deliver training to any person
outside of your organization without the written permission of Micro Focus.
This material (“Material”) may contain branding from Hewlett-Packard Company (now HP Inc.)
and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now
offered by Micro Focus, a separately owned and operated company. Any reference to the HP
and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett
Packard Enterprise/HPE marks are the property of their respective owners.

Table of Contents

Module 1 – ESM Overview
Module 2 – ESM Command Center
Module 3 – ESM Console
Module 7 – ESM Filters
Module 8 – Data Monitors and Dashboards
Module 9 – Rules and Lists
Module 14 – ESM Reports

Micro Focus Education v ESM180-70


© Copyright 2019 Micro Focus
Module 0 - Course Overview

Objectives

Upon completion of this course, you will be able to:

- Discuss where ArcSight ESM fits in a modern day SOC

- Describe the basic architecture of an ArcSight ESM installation

- Articulate how ArcSight ESM uses both context and content

- Use the Event Lifecycle as a framework to become familiar with how ArcSight resources
interact with event data

- Identify, analyze, and report on event data using ArcSight ESM

- Install, troubleshoot, and update ArcSight context and content

- Use workflow management tools to provide real-time incident response and escalation tracking:
  - Cases
  - Annotations
  - User Management

- Build and modify basic reporting within ESM to provide metrics data

- Establish ESM peering across multiple ESM instances to:
  - Identify events quickly
  - Create quick status reports
  - Provide basic content management


Course agenda (1 of 2)
Topic: Day

Module 1 – Overview: Monday
Module 2 – ArcSight Command Center: Monday
Module 3 – ArcSight Console: Monday
Module 4 – Event acquisition, normalization, and enrichment: Monday
Module 5 – ArcSight content: Tuesday
Module 6 – Event schema, field sets and active channels: Tuesday
Module 7 – Filters: Tuesday
Module 8 – Data Monitors and dashboards: Wednesday
Module 9 – Rules and Lists: Wednesday

Course agenda (2 of 2)
Topic: Day

Module 10 – User administration: Thursday
Module 11 – Notifications: Thursday
Module 12 – Workflow/Case Management: Thursday
Module 13 – Queries and Query Viewers: Thursday
Module 14 – Reports: Friday
Module 15 – Content Management: Friday
Module 16 – Event Search: Friday


Cloud Training Platform (CTP) - Topology

Students log in through the web portal at http://ctp.cbtrain.microfocus.com/ctp/login.do. Each student (Student01 through Student12) is assigned an AVM from which they connect to the lab manager ESM1.Acme.com.

Customer feedback
A great part of our success is because of YOU and your feedback!
▪ You will receive a course evaluation survey
▪ Feedback is vital to improving our course offerings
▪ Please complete the evaluation

Net Promoter Score (NPS), scale 0 to 10, with the matching Customer Satisfaction rating, scale 0 to 5:
10: Great Job (5, Strongly Agree)
9: Good Job (4, Agree)
8, 7: Satisfactory (3, Neutral)
6, 5, 4, 3, 2: Unacceptable (2, Disagree)
1, 0: No value (1, Strongly Disagree)


Certificate of completion

Please complete the course evaluation:
- You will receive an email reminder from Micro Focus Education
- Follow the link provided and complete all questionnaires
- You will receive the Certificate of Completion email upon submitting the evaluation

Questions

▪ Course Registration Contact:


- [email protected] - Americas
- [email protected] - EMEA
- [email protected] - APJ
▪ Enterprise Security Learning Management System:
- Security LMS
▪ Other training delivery methods
- eLearning
- Virtual Instructor-led
▪ Any Questions?

Module 1 – ESM Overview

Objectives
Upon successful completion of this module, you will be able to:

▪ Discuss what ArcSight ESM is and how it fits into a SOC

▪ List the problems ESM can solve

▪ Discuss basic processes to make an ESM installation successful

▪ Describe the basic ArcSight components (10’ - 100,000’ view)

▪ Identify basic user roles within an ArcSight Installation


Topics
What is ArcSight ESM
• Technical Definition
• Problem it Solves
• How it fits into a modern day SOC

Process
• Incident Remediation
• Policy Compliance
• Metrics Reporting

Technology
• Components that make up ESM
• The event flow into ESM
• How new technologies integrate with ESM

People
• SOC Users
• ArcSight SMEs
• Stakeholders

What is ArcSight ESM



What is a SOC and what does it do?

- Identify and investigate unknown threats
- Create solutions/SOPs that alert to known threats
- Effectively acknowledge, triage, and address events of interest

Information is needed for the SOC to do its job.


What Do We Need to Address These Challenges?

A data enrichment and powerful real-time correlation solution:
- Enriched Data: improved data collection and enrichment to increase event threat knowledge
- Powerful Correlation: scan and correlate event data in real time to detect threats affecting the enterprise
- Quick Detection: data intelligence and event correlation with a rule-based engine allow for known threat detection


ArcSight Enterprise Security Manager (ESM)

Solution Overview
• Enriched data from multiple sources provides more than 400 event data points
• Increases event data points by more than 4x for thorough threat detection
• Real-time data correlation from multiple input sources (integration with ADP)
• Powerful event correlation of up to 75,000 events per second
• Support for large enterprises through multi-tenancy with a centralized console
• Ability to enforce a central roles, rights, and responsibilities permissions matrix
• Simplified SOC workflow and triage management through ArcSight Command Center
• Rule development and continued improvement of the rule-based threat detection engine

So what is needed to be successful?

▪ People
- Highly skilled individuals who work at the SOC
▪ Process
- A series of mature, repeatable steps for accomplishing something
▪ Technology
- Tools that provide data or responses to accomplish the SOC's objectives


People: Classic ArcSight Roles

Management
- Stakeholders
- Business Users
ArcSight SMEs (L3)
- Administrator
- Author
SOC Users
- Analyst (L2)
- Operator (L1)

People: ArcSight Roles – Operator (L1, SOC User)

Profile:
• Junior security team member
Job:
• Triage events of interest
• Follow SOPs
• Route cases to an expert/SME
Tasks:
• Monitor for events of interest
• Triage events of interest
• Update workflow
• Create cases
• Provide SOP feedback
Interface: Command Center


People: ArcSight Roles – Analyst (L2, SOC User)

Profile:
• Mid-level/senior team member
• SME in a specific area in the SOC
Job:
• Investigates incidents/cases that have been forwarded to them
Tasks:
• Investigate events of interest
• Follow workflow
• Update/resolve cases
• Provide SOP feedback
• May build/maintain limited content
Interfaces: Console, Command Center
*Also could be known as Operator/Analysts

People: ArcSight Roles – Author (L3, ArcSight SME)

Profile:
• Senior team member
• Knowledge of SQL and Boolean logic
• Knowledge of security and compliance goals
Job:
• Evaluate, develop, and manage ArcSight content to fulfill security requirements
Tasks:
• Maintain/update content/use cases
• Develop new use cases per security requirements
• Maintain/update SOPs, documentation
• Work with the Administrator to bring in necessary log sources
• Work with Management to understand the SOC's security and compliance goals
Interface: Console
*Also could be known as Analyzer Administrators


People: ArcSight Roles – Administrator (L3, ArcSight SME)

Profile:
• Mid-level/senior team member
• Knowledge of UNIX
• Knowledge of ports/protocols
Job:
• Manage user access
• Manage ESM health
Tasks:
• Monitor/maintain ESM health
• Monitor/maintain connector health
• Bring in new data sources
• Manage archiving processes
• Manage user access
• Update system configuration documentation
• Update/patch ESM and connectors
Interfaces: Console, Command Center

People: ArcSight Roles – Stakeholders (Management)

Profile:
• Management position (pref. senior)
• Understands corporate compliance and security policies
• Understands SOC operations
Job:
• Works with other stakeholders to obtain the resources/funding needed to achieve SOC security and compliance goals
Tasks:
• Secure funding and resources necessary to achieve SOC security and compliance goals
• Work with the Author to develop requirements for use cases
• Develop
• Review ArcSight reports and metrics to determine/confirm compliance
Interfaces: Command Center, Email


Process: Finding Events of Interest

Context + Logs + Objectives → Events of Interest

Other Processes:
- Incident Response
- Policy Compliance
- Metrics Reporting


ESM Basic Topology

Device → SmartConnector → (CEF) → ESM Manager / Correlation Engine → CORRe DB

SmartConnector stages:
1. Collect
- Polling
- Listening (port)
2. Normalize
- Parse (CSV, REGEX, SQL, XML…) → CEF
- Categorize – Device Vendor, Product, DECID
- Zone tag – Network Model
- Options – Filter, Aggregate, DSM…
3. Forward / Cache – 70% / 30%

ESM Topology – Multiple Connectors – Correlation, Audit and Monitoring Events

Many devices feed multiple SmartConnectors, which forward to the ESM server (storage on RAID 10). In addition to device events, the server produces its own correlation, audit and monitoring events.


ESM Topology – Syslog Listener

Devices send syslog to a SmartConnector listening on a port; the connector forwards the normalized events to ESM.

ESM Topology – Windows Unified Connector

A single Windows Unified SmartConnector collects from several Windows hosts and forwards to ESM.


ESM Topology – Command Center, Console & Archiving

Device → SmartConnector → ESM Manager. Users reach ESM through the Command Center (browser) and the Console. Event storage is on RAID 5; archives are written to NFS.

ESM Topology – ArcSight Management Center (ArcMC)

ArcMC centrally manages the SmartConnectors (application, O/S and Windows O/S connectors) that collect from the devices.


ESM Topology – Logger Manager – Remote Branches

Remote branches (NYC, Dallas, LA) each run SmartConnectors feeding a local Logger; the Loggers forward to the central ESM Manager.

ESM Topology – Disaster Tolerant

The HQ ESM is paired with an ESM in a remote bunker; the branch SmartConnectors/Loggers (NYC, Dallas, LA) feed both sites.


ESM & Event Broker

ESM Distributed Correlation Clusters


ESM Resources

Resources managed by the ESM Manager include:
- Active Channels
- Actors
- Users
- Assets
- Cases
- Connectors
- Stages
- Customers
- Search Filters
- Dashboards
- Saved Searches
- Files
- Rules
- Filters
- Reports
- Integration Commands
- Knowledge Base
- Query Viewers
- Pattern Discovery
- Lists
- Notifications

Packages

▪ Containers for related resources
- Install or uninstall as a unit
- Import or export as a resource bundle file
- CIPs (Compliance Insight Packages) are created by ArcSight and distributed as packaged resources


Use Cases packages

▪ View, configure, and transport ArcSight provided sets of related resources

ArcSight Architecture

The architecture diagram used on the following slides shows the event pipeline from left to right:
- ADP: Connectors, Event Broker
- ESM: Manager, CORRe
- User Interfaces: Console, Command Center
- Investigate/Remediate Capabilities: Investigate
Log sources feeding the connectors: Network, System, Application




ArcSight Architecture – ADP layer

The ADP (ArcSight Data Platform) column of the diagram groups the Connector(s), Event Broker and Logger, which sit between the log sources and ESM.

ArcSight Architecture – Connector(s)

• Collects raw logs
• Normalizes and adds context
• Sends events to a destination:
- ArcSight ESM
- ArcSight Logger
- ArcSight Event Broker
- Syslog
- CSV File


ArcSight Architecture – Event Broker

• Built on Apache Kafka
• Centralizes event processing
• Helps scale your ArcSight environment
• Opens up event data to 3rd-party systems
• Prerequisite for setting up Investigate

ArcSight Architecture – Logger

• Provides a path to compliance for event monitoring/review regulations
• Provides historical, analysis-quality litigation data that is easily searchable
• Optimized for high event throughput
• Not really covered in this course


ArcSight Architecture – ArcSight Management Center (ArcMC)

• Used to manage Connector, Event Broker and Logger configurations
• Provides event flow visualizations and health status monitoring of managed nodes
• Not covered in this course

ArcSight Architecture – Manager

• Java-based technology that is core to ESM
• Receives event feeds from Connectors and Event Broker
• Completes normalization of events
• Correlates normalized events
• Processes all user requests
• Writes event data to the database


ArcSight Architecture – CORRe

• Events are compressed at a 10:1 ratio
• Optimized for high-speed performance and storage efficiency
• Manager and CORRe are installed on one server

ArcSight Architecture – Console

• Thick Java-based client installed on the desktop
• The majority of authoring activity must be done here
• Administrators may need access as well, depending on ESM version


ArcSight Architecture – Command Center

• Web-based interface allowing:
- Limited content creation
- Storage management console
- Peer management
- Content sync
- Keyword/field-based search

ArcSight Architecture – Investigate

• Next-generation high-speed search and hunt capability
• Based on Vertica
• Provides search 10x faster than the competition
• Provides an intuitive UI and visualization capabilities
• Seamless integration with 3rd-party data lake solutions (Hadoop)


ArcSight Connectivity

Connectivity diagram: Log Sources → Connector(s) → Event Broker / Logger → Manager / CORRe → Console, Command Center, Investigate.


Summary

▪ Learned how ESM solves a problem within a SOC environment
▪ Learned the different roles that may be involved in ESM
▪ Learned about the ArcSight architecture

DEMO & Lab Exercises

▪ Open …\etc\hosts – ping esm1 and esm2
▪ Open Command Center – the license must be current
▪ PuTTY login, change to /opt/arcsight/manager/bin and run:
- ./arcsight deploylicense
- ./arcsight reenableuser ad
- ./arcsight tempca -i
- ./arcsight resetpwd
- ./arcsight manager-reload-config
- Manager setup: ./arcsight managersetup

Module 2 – ESM Command Center

Objectives
Upon successful completion of this module, you will be able to:

▪ Discuss how to navigate to the user interface

▪ Identify the appropriate users for this interface

▪ Discuss what information can be obtained from this interface

▪ Discuss the help function

▪ Use ArcSight Command Center to gain information about the ESM deployment


Topics
What is ArcSight Command Center
• Technical Definition

The Interface
• Menus
• Features/Limitations

People
• SOC Users
• ArcSight SMEs
• Stakeholders

Menus

The Command Center menu bar gives access to:
- Dashboards: the dashboards your ACL grants you, and your home screen
- Events: the active channels your ACL grants you, and Event Search (Logger-type search)
- Reports: run and access reports; limited configuration using runtime parameters
- Cases: create, manage and delete cases
- Applications: integration tools can be added here
- Administration: configuration for peered search/content sync; log retrieval information for support requests; event search behavior; ESM storage configuration; ESM license entitlements
- Stats: usage stats for ESM
- Dark/Light Mode: switch the interface theme
- Notifications: view, acknowledge and update notification status
- User: change user password; access Help (admin dropdown menu)
- Site Map: all menu options lined up in one place

Features/Limitations

Resource access from ArcSight Command Center:
- Active Channels: Read/Write
- Filters: Read/Write
- Field Sets: Read/Write*
- Fields: Read*
- Data Monitors: Read
- Dashboards: Read
- Rules: Not Available
- Lists: Not Available
- Queries: Not Available
- Query Viewers: Read

Capabilities available in ArcSight Command Center only:
- Events (Event Search)
- Content Management
- Peers
- Saved Searches
- Search Filters
- Storage and Archives
- Log Retrieval
- License
- Stats/Site map


SOC Users
• Access dashboards/reports quickly
• Create and use active channels
• Integrate with Investigate
• Create/manage cases

ArcSight SMEs
• Access dashboards/reports quickly
• Create and use active channels
• Make administration changes to:
- Storage
- Archiving
- Event Search
- Peer relationships
• View connector status

Stakeholders
• Access dashboards/reports quickly

Demo – Command Center - browser

❑ Login / Logout vs Exit
❑ Help – context sensitive

Module 3 – ESM Console

Objectives

Upon successful completion of this module, you will be able to:

- Install the ArcSight ESM Console

- Create a Knowledge Base article in the console and view it in a browser

- Create a new reference file

- Customize the ESM console

- Format date and time

- Add a shortcut key to a resource in the ESM


Installing and configuring the console

▪ Install on Linux, Windows or Mac
- Linux machines: install as a non-root user
▪ Transfer settings if you have an existing installation
▪ Run in default mode or FIPS mode
- FIPS mode: cannot revert to default mode
- FIPS cipher suite options:
- FIPS 140-2
- FIPS with Suite B 128 bits
- FIPS with Suite B 192 bits
▪ Choose direct connection or proxy server

▪ Authenticate to the ESM manager
- Password
- Password and SSL
- supports only a client keystore for SSL-based authentication
- PKCS#11 token as SSL client-based authentication is not currently supported
- Password or SSL
- the only option that allows PKCS#11 authentication
- SSL only
▪ Single user or multiple users
- Single recommended


Starting the console

▪ Use shortcuts
▪ Command window from the console's bin directory
- Windows: arcsight console
- Unix: ./arcsight console

Working in the console

The console window has three panels: the Navigator panel (left), the Viewer panel (center) and the Inspect/Edit panel (right).


Toolbar commands

Toolbar buttons: local commands, channel control, notifications, navigator panel, viewer panel, inspect/edit panel, categorize event, scheduled jobs.

Local commands:
• network model
• use case
• nslookup
• ping
• portinfo
• traceroute
• web search
• whois

Navigator panel

▪ Resources
▪ Packages
▪ Use Cases


Viewer panel
- Open resources are shown here; a panel can be floated into its own window

Inspect/Edit panel
- Multiple tabs can be open at once


Help feature

Knowledge Base


File Resource

▪ Acts as a common secure shared repository to store information
▪ Can contain scripts, utilities, data files, templates, graphics and any general-purpose files
▪ Allows Read/Write or no-access permissions

Reference Pages

▪ Pointers to an internal or external web page for:
- Resource Groups
- Individual Events
- Vulnerabilities
▪ Right-click accessible from the resource tree or viewer grid


Console preferences

Module summary (1 of 2)

In this module, you learned that:
- The ESM console is a client application
- It is used to identify, investigate, and review collected and correlated security data
- It contains three main panels:
- Navigator panel – locate, view, and use ESM resources
- Viewer panel – displays events, assets and search results
- Inspect/Edit panel – view event properties and modify ESM resource attributes


Module summary (2 of 2)

- Help can be accessed three different ways
- Help consists of a navigation panel and a topic display window
- ESM reference resources:
- Knowledge Base enables you to post site-specific data, such as protocols, to a web viewer
- File Resource can contain non-ESM objects, which users can access to obtain information
- Reference pages are pointers to an internal or external web page
- Console preferences are set using the 8 panes in the preferences dialog box

Demo – Console – Java program

❑ Login / Logout vs Exit
❑ Preferences – setting and saving – local and to manager
❑ Help – context sensitive
❑ Search – double click to editor – Find in Navigator – Graph View
❑ Navigating – Hidden Links
❑ Double Click – Viewer vs Editor
❑ Active Channel
❑ Query Viewer
❑ Dashboard

Module 6 – Active Channels, Field Sets and Schema

Objectives

▪ Upon successful completion of this module, you will be able to

- Describe an Active Channel

- Describe what a field set is

- Describe the ArcSight Event Schema

- Describe the Event Life Cycle


What is the schema?
▪ The set of data fields every event is normalized into
▪ Over 400 data fields
▪ Divided into 17 groups
▪ Common Event Format (CEF)

Event data fields

Event schema group – Description
- Event (root) – Event ID: internal routing identifier
- Category – Categories: Object, Behavior, Outcome, Technique, Device Group, Significance
- Threat – Priority formula: green (very low), blue (low), yellow (medium), orange (high) and red (very high)
- Agent – Describes the SmartConnector that reported the event to the ESM Manager
- Device – Describes the sensor that reported the event to the SmartConnector
- Source – The origin of the network traffic; paired with Destination
- Destination – The receiver of the network traffic; paired with Source
- Attacker – Asset that initiated the action; paired with Target
- Target – Intended focal point of the action represented by the event


Event schema: devices and assets


▪ Terms ESM uses to identify items on your network
▪ Network Node – physical location with unique network address
▪ Endpoint – reference or description of a network node
- Includes IP address
- Fully qualified host name
- MAC address
▪ Sensor – detects activity
- Produces stream of event data
- Produces a stream of network node descriptions
▪ Asset – network node with unique identifier (IP or MAC address, host name, zone, or external ID)

Schema: devices and connectors


Device
▪ Network node
▪ Reports to SmartConnector
▪ Can be individual sensor or software that collects, then reports


What is a field set?


▪ A field set is a collection of one or more fields (grid columns)
▪ Limits the columns displayed in a channel
▪ Field sets can be saved and applied to channels
▪ Over 400 fields available
▪ Pre-defined or user-defined; shareable and modifiable
▪ Fields may be sortable or unsortable


Date and Time Stamps


▪ ESM uses multiple fields to tag the date and time of each event
- Start
- End
- Device Receipt
- Agent Receipt
- Manager Receipt


What is an Active Channel?


▪ Like tuning into a TV channel
▪ See only information defined by parameters
▪ Can stream events
▪ Three Channel Types
- Event Active Channel – can be continuously refreshed or a snapshot
- Rules Verify Channel – replay events for testing rules
- Resource Channel – status of certain resources


Dynamic and Static Active Channels

▪ Dynamic – continuously evaluate
- Runs a query at a pre-defined refresh interval
- Results are constantly refreshing as each query completes
- Intended for real-time monitoring

▪ Static – evaluate once at attach time
- Single query against the ArcSight Data Store
- Results are static
- Intended to inspect historical events


Identifying Dynamic and Static Active Channels

▪ Navigator Panel
- Yellow lightning bolt shows “Continuously evaluate” channels
- Static channels have no bolt

▪ All Active Channels
- Display events that can be examined in detail
- Are sortable if the displayed fields allow
- Use Field Sets to determine pre-defined columns

ArcSight Event Schema and Lifecycle


ArcSight Event Life Cycle


Event Schema – 400+ columns
• Event data collected, normalized, enhanced for monitoring and mining

Event Lifecycle – schema processing in 7 phases


1. Data Collection and initial schema population
- Acquisition, Filtering, Normalization, and Aggregation of Event Data
- Apply Event Categories
- Apply Customer and Zone from Network Model
2. Network Model Lookup and Priority Evaluation Phase
3. Correlation Evaluation
4. Monitoring and Investigation
5. Workflow
6. Incident Analysis and Reporting
7. Storage and Archive


ArcSight Event Schema


Foundation event data structure that enables event filtering, correlation, selective display and reporting


Event Normalization
▪ Transforms raw event data into a Common Event Format


Event Schema Groups


▪ Simplify event field identification and access
- Organize endpoint device and asset data into common field definitions
- Add event categorization and object modelling to enhance evaluation
- Provide navigation reference for resource editors and right-click menus


Event Schema Groups (1 of 3)


▪ Timestamp, event identification
and classification groups
• Event (root)
• Category
• Threat


Event Schema Groups (2 of 3)


▪ IP Endpoint Groups

• Agent
• Device
• Source
• Destination
• Attacker
• Target
• Original Agent
• Final Device
- ArcSight Forwarding Connector


Event Schema Groups (3 of 3)


File State, Request, Workflow and Custom Groups
▪ File
▪ Old File
▪ Request - HTML
▪ Event Annotation
▪ Device Custom
▪ Flex


Seven Phases Event Lifecycle – Overview

1. Data Collection and Event Processing
2. Network Model Lookup and Priority Evaluation
3. Correlation Evaluation
4. Monitoring and Investigation
5. Workflow
6. Incident Analysis and Reporting
7. Storage and Archive


Phase 1 – Data Collection and Event Processing


▪ ArcSight Connector functions
- Converts raw event data into normalized events
- Tags each normalized event with event categories, Customer and Zone
- Filters and aggregates normalized, categorized events
- Sends base events to ESM Manager


Collection and Normalization of Event Data

▪ Devices generate event data and send event data to the ArcSight SmartConnector
▪ ArcSight SmartConnector normalizes event data
- Extracts values from log data
- Maps values to corresponding ArcSight event fields
- Evaluates and makes comparisons on normalized events


Event Data Normalization - Example 1

Sample feeds sent to ESM Manager

#  Field                   NIDS Sensor                    Firewall
1  Source IP address       Source IP address              Source IP address
2  Source port             Source port                    Source port
3  Destination IP address  Destination IP address         Destination IP address
4  Destination port        Destination port               Destination port
5  Date/Time stamp         Date/Time stamp                Date/Time stamp
6  Payload                 Payload                        <not reported by this device>
7  Action                  <not reported by this device>  Action
8  Rule number             <not reported by this device>  Rule applied in security policy

Juxtaposing the two feeds in one schema row:
1 Src IP | 2 Src Port | 3 Dest IP | 4 Dest Port | 5 D/T Stamp | 6 Payload | 7 Action | 8 Rule Number

Event Data Normalization - Example 2

▪ Raw event received by the Connector
- Jan 3 2008 22:15:09: CP FW In Action: drop Service:27444 (Rule5) from 144.32.56.211/1422 to 10.1.25.155/1152

▪ Values entered into the schema after the normalization process is complete
- Device Receipt Time: Jan 3 2008 22:15:09
- Name: CP FW In Action: drop Service:27444 (Rule5)
- Source IP Address: 144.32.56.211
- Source Port: 1422
- Destination IP Address: 10.1.25.155
- Destination Port: 1152


Event Normalization – Example


Privileged User Monitoring


Applying Event Categories


▪ SmartConnectors use the Event Category Model to describe normalized events
▪ Based on a lookup of Device Vendor, Device Product and Device Event ID

- Category Object – entity being targeted
- Category Behavior – what is being done to the object
- Category Outcome – result of the behavior on the object
- Category Technique – nature of the behavior represented
- Category Device Group – type of device generating the event
- Category Significance – relative security risk of the event


Categorization Examples

Object | Behavior | Technique | Device Group | Outcome | Significance

/Host/Application/Service | /Access | NA | /Firewall | /Failure | /Informational
• Traffic was blocked at a firewall

/Host/Application/Service | /Auth/Verify | NA | /IDS/Network | /Failure | /Informational/Warning
• A network/application based intrusion detection system detected a failed login attempt on a service

/Host/Application/Service | /Auth/Verify | NA | /Operating System | /Success | /Normal
• The operating system reported a user successfully logging into a service

/Host/Application/Service | /Auth/Verify | /BruteF/Login | /Security Information Mgr | /Failure | /Hostile
• A security information management solution reported a hostile, failed brute force attack targeting the login of a service

Customer and Zone Look Up in Network Model


▪ Normalized events are tagged with usage-related labels
- Customer – an organization containing one or more networks
- Zone – contiguous block of IP addresses within a network
▪ Helps ArcSight Manager identify source and destination of events


Network Model Customer and Zone Example

Network diagram (hosts and addresses as labelled on the slide)
- RTRNY105 – Cisco Router – 63.240.60.1
- CPFWNY105 – Checkpoint FW-1 – 63.240.60.146; further interfaces 10.0.21.1, 192.168.242.1, 10.0.113.3
- DMZ zone
  - W2KNY101 – IIS Webserver – 10.0.21.21, NAT: 63.240.60.149
  - LINNY103 – Apache – 10.0.21.40, NAT: 63.240.60.147
- DHCP range – 192.168.242.10 – 192.168.242.100
- CORP zone
  - WNTNY205 – Exchange – 10.0.113.24
  - WNTNY206 – File & Print – 10.0.113.9

Customer and Zone – Example


▪ Privileged User Monitoring


Filtering and Aggregating Events


▪ Filtering – drops events that match the filter conditions
▪ Aggregating – merges events with similar values into a single aggregated event
▪ ArcSight Connector sends base events to ESM Manager
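The three connector-side steps described above (normalization, filtering and aggregation) as one added worked example; this is not code from the student guide or from the SmartConnector framework. It takes the Check Point raw line from Normalization Example 2 plus three constructed lines, parses them with an assumed regular expression into schema-style field names, drops accepted traffic with a connector filter, and merges the identical drops into one aggregated event with a base event count. The field names, the five-second aggregation window and the filter condition are assumptions chosen for the example.

```python
import re
from datetime import datetime

# Constructed sample feed: the first line is the raw event from Normalization
# Example 2; the remaining three lines are made up for this example.
RAW_EVENTS = [
    "Jan 3 2008 22:15:09: CP FW In Action: drop Service:27444 (Rule5) from 144.32.56.211/1422 to 10.1.25.155/1152",
    "Jan 3 2008 22:15:10: CP FW In Action: drop Service:27444 (Rule5) from 144.32.56.211/1423 to 10.1.25.155/1152",
    "Jan 3 2008 22:15:11: CP FW In Action: drop Service:27444 (Rule5) from 144.32.56.211/1424 to 10.1.25.155/1152",
    "Jan 3 2008 22:15:12: CP FW In Action: accept Service:80 (Rule2) from 10.0.21.21/40001 to 63.240.60.1/80",
]

# Assumed parser for this one log format (the real connector ships its own parser).
CP_FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<name>CP FW \w+ Action: (?P<action>\w+) Service:\d+ \(Rule(?P<rule>\d+)\)) "
    r"from (?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)$"
)

def normalize(raw):
    """Map one raw Check Point line onto ArcSight-style schema field names."""
    m = CP_FW_RE.match(raw)
    if not m:
        return None  # an unparsed line is not turned into a normalized event here
    return {
        "deviceReceiptTime": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "name": m["name"],
        "deviceAction": m["action"],
        "deviceCustomString1": "Rule" + m["rule"],   # assumed placement of the rule number
        "sourceAddress": m["src"],
        "sourcePort": int(m["spt"]),
        "destinationAddress": m["dst"],
        "destinationPort": int(m["dpt"]),
        "deviceVendor": "Check Point",
        "deviceProduct": "FW-1",
    }

def keep(event):
    """Connector filter: events matching the condition are dropped, the rest are
    forwarded. The constructed condition drops accepted traffic, so only drops go on."""
    return event["deviceAction"] != "accept"

def aggregate(events, fields, window_seconds):
    """Merge events whose selected fields are identical and that fall inside one
    time window. The merged event keeps the first event's values plus a count and
    the start/end times of the events it stands for."""
    out = []
    open_buckets = {}  # aggregation key -> index into `out` of the open aggregate
    for ev in events:
        key = tuple(ev[f] for f in fields)
        idx = open_buckets.get(key)
        if idx is not None and (ev["deviceReceiptTime"] - out[idx]["startTime"]).total_seconds() <= window_seconds:
            out[idx]["baseEventCount"] += 1
            out[idx]["endTime"] = ev["deviceReceiptTime"]
        else:
            agg = dict(ev)
            agg["baseEventCount"] = 1
            agg["startTime"] = agg["endTime"] = ev["deviceReceiptTime"]
            open_buckets[key] = len(out)
            out.append(agg)
    return out

def connector_pipeline(raw_lines):
    """Normalize -> filter -> aggregate, in the order Phase 1 describes."""
    normalized = [e for e in (normalize(r) for r in raw_lines) if e]
    filtered = [e for e in normalized if keep(e)]
    # The source port changes per connection, so it is left out of the aggregation key.
    return aggregate(filtered, ["sourceAddress", "destinationAddress", "destinationPort", "name"], 5)

if __name__ == "__main__":
    for e in connector_pipeline(RAW_EVENTS):
        print(e["baseEventCount"], e["sourceAddress"], "->", e["destinationAddress"], e["destinationPort"], e["name"])
```

Running it yields a single base event with a count of 3: the three drops share source, destination, port and name inside the window, and the accepted connection never leaves the connector.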


Phase 2 – Network Model Lookup & Priority Evaluation


ESM Manager
• Tags base events with Network Modeling information and priority levels
• Evaluates base events
• Sends prioritized base events to the ESM CORR Engine Storage


Priority Formula Factors


Generates numerical values between 0 (low) and 10 (high)
• Model Confidence – degree to which the asset is modeled in ESM
• Relevance – event impact on an asset
• Severity – score assigned to the attack
• Asset Criticality – measures the criticality of the attacked asset


Priority Rating
▪ Takes into account Priority Formula Factors and Agent Severity
▪ Displayed in Priority column of Active Channel
▪ Easy-to-identify events that need immediate attention
▪ Color-coded and numbered

0, 1, 2 Green – very low priority


3, 4 Blue - low priority
5, 6 Yellow - medium priority
7, 8 Orange - high priority
9, 10 Red - very high priority


Priority Formula Evaluation – Example


▪ Priority calculated by the Manager
▪ Displayed in the Active Channel on a 0 - 10 scale


Phase 3 – Correlation Evaluation


ESM Correlation Engine
• Discovers relationships between events
• Infers significance of their relationships
• Prioritizes events
• Creates correlation event
• Provides a framework for taking action


Tools Used to Correlate


▪ Filters – conditions to reduce the number of events processed
▪ Rules – evaluate events against condition sets and initiate responses
- Pre-persistence
- Lightweight
- Simple
- Join
▪ Data Monitors - summarize events in a tabular or graphical format
- Event Based
- Non-Event Based
- Correlation
▪ Software add-ons
- ArcSight Pattern Discovery -- scans millions of events to find event matches previously overlooked
- ArcSight Interactive Discovery -- displays relationships between events using pre-built interactive
graphics

Correlation Events – Example


Lightning bolt signifies correlated events


Phase 4 – Monitoring and Investigation


Investigate and monitor Events


Monitoring and Investigation Tools


Active Channels
• Display streams of event information to track patterns in real time

Dashboards
• View problem areas on your network using pie charts, bar charts or tables

Event Graph Data Monitors
• Transform network security data from Active Channels into relationship graphics

Query Viewers
• High-level summaries of network activity to investigate events

Event Search
• Extracts events across multiple ESM and Logger peers


Monitoring and Investigation – Example


Identity Investigation Active Channel


Monitoring and Investigation – Example


Identity Investigation Event Graphs


Monitoring and Investigation – Example


Identity Investigation Dashboards


Phase 5 – Workflow
Escalate incidents to other users


ESM Workflow
• Make immediate investigations
• Inform and escalate incidents to users
• Track responses
• Various Workflow Resources
• Annotations
• Cases
• Stages
• Notifications
• Knowledge Base
• Reference Pages


ESM Workflow – Example


Phase 6 – Incident Analysis and Reporting


• Communicate the status of your network security
• Discover new incident patterns
• Analyze output data using interactive graphics


Reporting Tools
• Capture views or summaries of event data
• Use Queries and Trends to gather data
• Three types
• Focused Reports
• Standard Reports
• Delta Reports


Reporting Tools – Example


Phase 7 – Storage and Archive


CORR-Engine storage management
▪ Event Active Retention
▪ Event Archives

All normalized events → Active Retention → Offline and Online Archives


Module 6 Summary
In this module, you learned that:
• Active Channels – display a stream or snapshot of events selected by their parameters
• Field Sets – a chosen subset of the 400+ fields in the Schema
• Schema – the logical table of fields into which every received event is normalized
• Event Lifecycle – seven phases



Module 7 – ESM Filters

Objectives
Upon successful completion of this module, you will be able to:

• Recognize what a filter is, the types, and how to create them
• Apply filters to a connector and active channels
• Debug filters


What are filters?

▪ Boolean conditions that select events


- Based on Field values and/or Variable values
- Asset – Using Asset ID
- Asset Category – Using Asset ID
- Field Value(s) – Using Active List or Session List

▪ Applied in 2 ArcSight components


- ESM Manager
- Connectors

Filters in ESM Manager

▪ Determine events ESM Manager will process based on Filter conditions


▪ Used by various resources during Event Lifecycle phases
- In Rules and Data Monitors during the Correlation phase
- In Active Channels and Query Viewers during the Monitoring and Investigation phase
- In Reports and Queries during the Reporting and Analysis phase


Applying filters in connectors

▪ Filters out events that match the conditions
- These events are not forwarded to the destination
▪ Non-matching events are forwarded to the destination

Types of filters


Filter editor
▪ Filter creation and modification
- Filter condition statements are constructed using Boolean logic (AND, OR, NOT)
- The conditions editor is known as the Common Conditions Editor (CCE)
- Can be displayed as a tree (top) or as a Summary (bottom)


Filters in Active Channels


▪ Filters can be used by many ESM Resources
- Get a powerful resource set when combining them with Active Channels
▪ Benefits
- Display a stream of historical or live events defined by Filter conditions
- Narrow down your displayed Events, improve your searches and save time

Filters in Active Channels

▪ Filters can be applied several ways in Active channels


- Filter resource
- Unnamed local filter condition
- Inline filters
- Event-based filters in Investigate command


Filters in Active Channels – Resources

▪ When you create an Active Channel, you can select a Filter resource from a list of existing named filters
▪ Conditions expressed in that Filter are applied to all events coming into this Active Channel


Filters in Active Channels – Unnamed local filter condition

▪ In the Active Channel Editor, under the Filter tab, you can specify an unnamed
condition that is applied only to the current active channel
▪ All events coming into the active channel are evaluated against these conditions, but
the conditions are not reusable by any other resource


Filters in Active Channels – Inline Filters

▪ Apply a limited set of conditions to individual columns in a grid


▪ Are added to a local filter condition using an AND operator
▪ Used to further refine the current conditions already set for the channel


Filters in Active Channels – Investigate


Analyze in Channel
▪ Event-based filters in Investigate
command
- Right-click an event attribute in an
Active Channel view
- Choose Analyze in Channel –
There are filtering options that
vary based on the data involved


Visualizing Inline Filters

▪ Workaround – data stream analysis with an InActiveList() condition
- Add explicit conditions in the Inline Filter, for example: targetAddress = 10.10.111.129
- Or build a Query and Query Viewer using the filter with the InActiveList() condition

Flowchart: Filter → Active Channel (*name, *Start, *End, *ET or MRT) → Inline Filter

Debugging Filters

▪ Test whether a selected Filter matches a certain type of event
▪ Identify conditions that do not match the event details
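An added example of what the two filter-debugging steps above amount to; it is not code from the guide or from ESM. A filter is modelled as the CCE's Boolean tree (AND/OR/NOT nodes over field comparisons) and evaluated against one event; the debug pass walks the same tree and lists every leaf condition that contributed a non-match. The node layout, the operator names and the three events are constructed for the example; the category and address field names follow the schema groups used in Module 6.

```python
import ipaddress

# Condition tree nodes, mirroring rows in the Common Conditions Editor:
#   ("and", [nodes]), ("or", [nodes]), ("not", node),
#   or a leaf ("cmp", field, operator, value).
def _in_subnet(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

OPERATORS = {   # assumed operator set for the example
    "=":  lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a is not None and a >= b,
    "<":  lambda a, b: a is not None and a < b,
    "StartsWith": lambda a, b: isinstance(a, str) and a.startswith(b),
    "InSubnet":   lambda a, b: a is not None and _in_subnet(a, b),
}

def evaluate(node, event, failures=None, negated=False):
    """Return the filter result for `event`. If `failures` is a list, append a
    description of every leaf that contributed False to its parent, taking an
    enclosing NOT into account (this is the filter debugger's view)."""
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        actual = event.get(field)          # a missing field evaluates like a null value
        ok = OPERATORS[op](actual, value)
        if failures is not None and ok == negated:
            prefix = "NOT " if negated else ""
            failures.append(f"{prefix}{field} {op} {value!r} (event has {actual!r})")
        return ok
    if kind == "not":
        return not evaluate(node[1], event, failures, not negated)
    # Evaluate every child (no short-circuit) so the debug output covers all leaves.
    results = [evaluate(child, event, failures, negated) for child in node[1]]
    return all(results) if kind == "and" else any(results)

def debug_filter(node, event):
    """Filter debugger: (matched, [leaf conditions that did not match])."""
    failures = []
    return evaluate(node, event, failures), failures

# Constructed filter: failed authentication from outside the 10/8 range,
# at medium priority or above.
FAILED_EXTERNAL_AUTH = ("and", [
    ("cmp", "categoryBehavior", "StartsWith", "/Authentication"),
    ("cmp", "categoryOutcome", "=", "/Failure"),
    ("not", ("cmp", "sourceAddress", "InSubnet", "10.0.0.0/8")),
    ("cmp", "priority", ">=", 5),
])

# Constructed events (not from the guide).
EXTERNAL_FAILURE = {"categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
                    "sourceAddress": "144.32.56.211", "priority": 7}
INTERNAL_FAILURE = {"categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
                    "sourceAddress": "10.0.113.24", "priority": 7}
LOW_PRIORITY_SUCCESS = {"categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success",
                        "sourceAddress": "63.240.60.1"}   # no priority field at all

if __name__ == "__main__":
    for ev in (EXTERNAL_FAILURE, INTERNAL_FAILURE, LOW_PRIORITY_SUCCESS):
        matched, why = debug_filter(FAILED_EXTERNAL_AUTH, ev)
        print(matched, why)
```

The second event fails only on the negated subnet test, and the third fails on the outcome and on the absent priority; that per-leaf list is what the debugger shows when a filter does not match an event you expected it to.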


Putting it All Together

Flowchart legend (resources shown as Manual Input flowchart shapes)
- Icon = contains an internal CCE
- *ET or MRT = time stamp used: End Time or Manager Receipt Time
- *Start = Start Time
- *End = End Time

Flow: Events → Filter (*name) → Active Channel (*name, *Start, *End, *ET or MRT) → Field Set

Integration Commands

▪ Perform additional investigation tasks on events in the Active Channel grid
▪ Access investigation options, such as
- Nslookup
- Ping
- Traceroute
- Web Search
- Whois
- Logger Search


Lab Exercises



Module 8 – Data Monitors and Dashboards

Objectives
Upon completion of this module, you should be able to:

▪ Identify Data Monitor types and functions

▪ Access and Use Dashboards

▪ Modify Dashboard Data Monitor Layouts


Event Lifecycle Phases

1. Data Collection and Event Processing
2. Network Model Lookup and Priority Evaluation
3. Correlation Evaluation
4. Monitoring and Investigation
5. Workflow
6. Incident Analysis and Reporting
7. Storage and Archive

Data Monitors

▪ Drive display elements within Dashboards


▪ Evaluate event streams and system health stats
- Gather data when enabled
▪ Consolidate events with common elements
▪ Summarize event data graphically
▪ Provide different types of analysis
▪ The same data monitor can be displayed in multiple dashboards or displayed differently
in the same dashboard
- Chart or table displays


Data Monitor Types

▪ Event based – Graphic or tabular event summaries


▪ Correlation – Statistical values and moving averages
▪ Non-event based – System health component summaries

Event Based Data Monitors



Types of Event-based Data Monitors

▪ Asset Category Count


▪ Event Graph
▪ Geographic Event Graph
▪ Hierarchy Map
▪ Hourly Counts
▪ Last “n” Events
▪ Last State
▪ Top Value Counts (Bucketized)

Event-based Data Monitors – Asset Category Count

▪ Counts and displays the number of events that occur per Asset Category


Event-based Data Monitors – Event Graph

▪ Displays a real time diagram of selected event activity

Event-based Data Monitors – Geographic Event Graph

▪ Displays a real time geographic map of selected event activity


Event-based Data Monitors – Hierarchy Map

▪ Displays an image made up of proportionally sized panels
- Each panel represents a group of events
▪ The events are grouped by the fields selected in the Source Node Identifier

Event-based Data Monitors – Hourly Counts

▪ Displays the total count of events on an hourly basis along with their priority


Event-based Data Monitors – Last N Events

▪ Displays most recent events, which are categorized by Priority, Name, Protocol, and
Category


Event-based Data Monitors – Last State

▪ Displays complex values in simple, rapidly observable graphic results


- Green, red, and yellow signal lights or checkmarks, exclamation symbols, asterisks


Event-based Data Monitors – Top Value Counts (Bucketized)

▪ Displays events with maximum values for a selected data field
- Displays the total number of events and event severity

Types of correlation Data Monitors

▪ Event Correlation
▪ Event Reconciliation
▪ Moving Average
▪ Session Reconciliation
▪ Statistics


Explaining Data Monitor Correlation

Flowchart: Filter → Data Monitor (*name; type: Moving Average) → Dashboard (*name)

Correlation Data Monitors – Event Correlation

▪ Provides flow volume correlation between two different event streams
▪ Helps confirm attacks reported by different systems


Correlation Data Monitors – Event Reconciliation


▪ Correlates events between two sensors using Filters and matching fields

Correlation Data Monitors – Moving Average

▪ Displays the moving average of events based on a selected data field


Correlation Data Monitors – Session Reconciliation

▪ Correlates events based on their occurrence within a relevant time period


▪ Typically used to watch network devices involving long term concerns


Correlation Data Monitors – Statistics

▪ Enables you to select other statistical methods in addition to moving average
▪ Additional statistical methods
- Average
- Standard deviation
- Skew
- Kurtosis
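An added illustration, not from the guide, of the arithmetic behind the Moving Average and Statistics data monitors above: event timestamps are counted into fixed-width buckets, the per-bucket counts feed a trailing moving average, and the same series gives the average, standard deviation, skew and kurtosis listed on the slide. A last function flags buckets that sit well above the trailing average, which is how such a monitor is typically read. The ten-second bucket, the three-bucket window, the two-sigma threshold and the timestamps are constructed assumptions.

```python
import math

def bucket_counts(timestamps, bucket_seconds, start, n_buckets):
    """Count events per fixed-width time bucket, like a data monitor's buckets."""
    counts = [0] * n_buckets
    for ts in timestamps:
        idx = int((ts - start) // bucket_seconds)
        if 0 <= idx < n_buckets:
            counts[idx] += 1
    return counts

def moving_average(values, window):
    """Trailing simple moving average; None until the window is full."""
    out = []
    for i in range(len(values)):
        if i + 1 < window:
            out.append(None)
        else:
            out.append(sum(values[i + 1 - window:i + 1]) / window)
    return out

def statistics(values):
    """Population average, standard deviation, skewness and excess kurtosis
    (the four methods the Statistics data monitor adds to moving average)."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    std = math.sqrt(m2)
    if std == 0:   # a flat series has no defined skew or kurtosis; report zero
        return {"average": mean, "stddev": 0.0, "skew": 0.0, "kurtosis": 0.0}
    m3 = sum((v - mean) ** 3 for v in values) / n
    m4 = sum((v - mean) ** 4 for v in values) / n
    return {"average": mean, "stddev": std, "skew": m3 / std ** 3, "kurtosis": m4 / std ** 4 - 3.0}

def anomalous_buckets(values, window, k):
    """Indexes of buckets whose count exceeds the trailing moving average by
    more than k standard deviations of the whole series."""
    std = statistics(values)["stddev"]
    ma = moving_average(values, window)
    return [i for i, (v, avg) in enumerate(zip(values, ma))
            if avg is not None and v > avg + k * std]

# Constructed event stream (seconds from an arbitrary epoch): two events in each
# of nine 10-second buckets, then a burst of thirty events in the tenth.
EVENT_TIMES = [b * 10 + off for b in range(9) for off in (1, 6)] + [95 + i * 0.1 for i in range(30)]
COUNTS = bucket_counts(EVENT_TIMES, 10, 0, 10)

if __name__ == "__main__":
    print(COUNTS)
    print(statistics(COUNTS))
    print(anomalous_buckets(COUNTS, 3, 2.0))
```

On this series the average is 4.8 with a standard deviation of 8.4, the skew is strongly positive because one bucket carries the burst, and only the tenth bucket is flagged; the first nine buckets show why a static count threshold is a poor substitute for the moving-average view.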


Types of non-event based Data Monitors

▪ System Monitor
- Displays measurements based on ESM Manager’s internal systems, Java classes, and
attributes
▪ System Monitor Attribute
- Displays specific attributes of a given internal ArcSight Java class
▪ Rules Partial Match
- Displays Rules that have partial matches and the total number of partially matched events
within a specified time frame


Non-event Based Data Monitors – System Monitor

▪ Displays measurements based on ESM Manager’s internal systems, Java classes, and
attributes


Non-event Based Data Monitors – System Monitor Attribute

▪ Displays specific attributes of a given internal ArcSight Java class


Non-event Based Data Monitors – Rules Partial Match

▪ Displays Rules that have partial matches and the total number of partially matched events within a specified time frame


Dashboards


Dashboards are driven by Data Monitors

Data Monitors are shown as a flowchart predefined-process shape; each carries a Filter, a *name and a Type (one of them a Correlation Data Monitor).

Flowchart: several Data Monitors (Filter, *name, Type) → Dashboard (*name) → Viewer Panel display or Command Center


Dashboards Layouts
Data monitors/Query Viewers included in Dashboards can drilldown into Active
Channels for further investigation


Monitoring Events Using Dashboards

▪ Display system and network conditions as reported by data sources


▪ Visualize event flow and analysis, utilizing drill-down capabilities


Stock Content Dashboard Resources


▪ ArcSight Administration – system health and performance monitoring of Connectors, ESM instances and
Loggers
▪ Core Security – essential monitoring of Microsoft Windows, firewall, and intrusion detection and
prevention activity
▪ Foundation – standard content packages selected at installation


Module summary

In this module, you learned that:


- Data Monitor types and function are
- Event-Based
- Correlation Based
- Non-Event Based
- Dashboards allow
- Navigating, viewing, and drilling down of events
- Modifying Displays



Module 9 – Rules and Lists

Objectives
Upon completion of this module, you should be able to:

▪ Create and validate the following:

- Rule behavior

- Brute Force Login Attempt and Successful rules

- Active and Session List integration rules


Rules Overview

Two Types of Standard Rules
▪ Simple
▪ Join


Real-time and Scheduled Rules


▪ Real-time – Only work with real-time events
▪ Scheduled – Run at scheduled time intervals and work with real-time, batch, and
historical events

Rule Conditions

▪ Created using Common Conditions Editor


▪ Rely on basic Boolean Logic principles


Rules Aggregation

▪ Sets the required number of event matches within a specified timeframe
▪ Defines attack patterns

Types of Rule Actions (1 of 2)

▪ Set Event Field
▪ Send to OpenView Operations
▪ Send Notification
▪ Execute Command
▪ Execute Connector Command


Types of Rule Actions (2 of 2)

▪ Export to External System


▪ Create New or Add to Existing Case
▪ Add to or remove from Active list
▪ Add to or terminate Session list
▪ Add or remove Asset Category from Asset


Rule Actions, Cases and Notifications

Flowchart: Filter → RULE (Name; Match Count & Time; Aggregation on Unique or Identical fields; Trigger?) → Actions
- Create or add to Case → Cases
- Send Notification → Acknowledgement?
- Set Event Fields
- Add to Active List


Rule Triggers

▪ Identifies when actions should be carried out


▪ Types
- Event
- Threshold
- Time


Lightweight Rules
▪ Provide simpler, faster, less resource-intensive rule processing
- Processed earlier in the event flow than standard rules
- Intended for populating and modifying active lists and session lists

Flowchart: Filter → LW Rule → Add to / Remove from Active List; Add to / Terminate Session List


Lightweight Rule Restrictions


▪ Simple event conditions only
- No joins
- No negated event conditions
▪ Aggregation is disabled – data fields are not
aggregated
- Action only on the On Every Event trigger
- Limited to Active List and Session List Actions
- Add to or Remove Entry from Active List
- Add to or Terminate entry in Session List
▪ Does not generate any correlation or audit
events
- Failure logging only


Pre-persistence Rules

▪ Match and modify event fields before CORR-Engine storage
- Processed earlier in the event flow than lightweight and standard rules
- Intended for early population of base event fields
- Accelerates analytical processing such as threat-level calculation


Pre-persistence Rule Restrictions

▪ Simple event conditions only


- No joins, aggregation, or correlation
- Failure logging only
▪ Action only on the On Every Event trigger
- Limited to “Set Event Field” activity
▪ Event cannot be scheduled or replayed
▪ No modification once persisted to database


Enabling and Disabling Rules and Rule Actions

▪ Rules are enabled/disabled from the Navigator rule resource tree
▪ Rule actions are selectively enabled/disabled from the rule editor


Active Lists
A configurable data store that can hold information derived from events or other
sources


Active Lists – Types

▪ Event-based
▪ Fields-based
▪ Key Fields


Active List Attributes

▪ Name – Active List name
▪ Optimize Data – for large lists, store only the entry hash, count and timestamps in memory for faster searching
▪ Capacity – number of entries
▪ TTL – “time to live” for an entry
▪ Data – list schema fields

Manipulating Active Lists

Diagram: Events matching Filter 1 fire Rule 1, whose “Add to Active List” action adds an entry (carrying the list’s TTL) to the named Active List and generates an audit event. An entry leaves the list either when its TTL times out or when events matching Filter 2 fire Rule 2’s “Remove from Active List” action. Filter conditions test membership with InActiveList() (Filter 2) and NOT InActiveList() (Filter 3), and the list’s Data feeds a Monitor.


Cumulative Fields in Active Lists (1 of 2)

▪ Cumulative sub-types are available for numeric data type fields
  - SUM
  - MAX
  - MIN


Cumulative Fields in Active Lists (2 of 2)

▪ Main benefits
  - Cumulative values are calculated consistently by multiple rules and events in parallel
  - Better performance when reading a value, computing new values in a rule, and storing it back


Cumulative Fields in Active Lists

▪ Restrictions
- Only available in fields-based Active Lists
- Numeric fields cannot be used as key fields
- Manual edit – List entries for numeric subtypes (value entered is the final value)
- Not Supported – Numeric subtypes in multi-mapped Active Lists
- Trends cannot act on these lists
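The add / remove / TTL time-out / InActiveList() flow from the “Manipulating Active Lists” diagram and the SUM/MAX/MIN cumulative sub-types, as an added Python model written for this guide (it is not ESM code; the field names sourceAddress, failures and bytesIn, the constructed events, and the assumption that an entry’s TTL restarts on every update are all illustrative):

```python
from dataclasses import dataclass, field
@dataclass
class ActiveList:
    """Fields-based Active List model (assumed semantics, not ESM code): key_fields identify
    an entry, `cumulative` maps numeric fields to a SUM/MAX/MIN sub-type, `ttl` ages entries out."""
    key_fields: tuple
    cumulative: dict                 # field name -> "SUM" | "MAX" | "MIN"
    ttl: float                       # seconds an entry lives after its last update (assumed)
    capacity: int                    # maximum number of entries
    entries: dict = field(default_factory=dict)   # key tuple -> entry fields
    expires: dict = field(default_factory=dict)   # key tuple -> time the TTL runs out

    def _key(self, event):
        return tuple(event[k] for k in self.key_fields)

    def expire(self, now):
        for key in [k for k, t in self.expires.items() if t <= now]:   # TTL time-out
            del self.entries[key], self.expires[key]

    def add(self, event, now):
        """Rule action 'Add to Active List' (On Every Event trigger)."""
        self.expire(now)
        key = self._key(event)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.capacity:
                return False             # list is full: the new entry is not stored
            self.entries[key] = {f: event[f] for f in (*self.key_fields, *self.cumulative)}
        else:                            # existing key: apply each cumulative sub-type
            for f, kind in self.cumulative.items():
                op = {"SUM": lambda a, b: a + b, "MAX": max, "MIN": min}[kind]
                entry[f] = op(entry[f], event[f])
        self.expires[key] = now + self.ttl   # assumed: the TTL restarts on every update
        return True

    def remove(self, event):
        self.expires.pop(self._key(event), None)      # rule action 'Remove from Active List'
        return self.entries.pop(self._key(event), None) is not None

    def in_active_list(self, event, now):
        self.expire(now)
        return self._key(event) in self.entries       # filter condition InActiveList()

def demo():
    al = ActiveList(("sourceAddress",), {"failures": "SUM", "bytesIn": "MAX"}, ttl=600, capacity=2)
    for ts, src, size in [(0, "10.0.0.5", 120), (30, "10.0.0.5", 900),   # constructed events;
                          (60, "10.0.0.9", 50), (70, "10.0.0.7", 10)]:   # the 4th exceeds capacity
        al.add({"sourceAddress": src, "failures": 1, "bytesIn": size}, now=ts)
    return al
```

After demo() the 10.0.0.5 entry holds failures 2 and bytesIn 900, the 10.0.0.7 entry was refused by the capacity check, and at now=640 only 10.0.0.9 still satisfies InActiveList().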


Time-Partitioned Active List

▪ Captures data partitioned over time using a timestamp field
▪ In-memory cache segregates data sets into timestamp-based partitions
▪ Latest partition data kept in memory
  - Oldest partition is the first to age out of the list
▪ Time-Partitioned restrictions
  - No multi-mapped lists
  - Partially cached must be enabled
  - List must be fields-based (not event-based)
  - Fields must include (at least) one date field


Session Lists

▪ Stores data similar to Active Lists
  - A configurable data store that can hold information derived from events or other sources


Differences between Session Lists and Active Lists

▪ Session List features
  - Entries are “terminated” instead of “removed”
  - Entries have a start-time, end-time, and creation-time
  - Entire session list does not have to be resident in memory
  - Data uses partitions because session lists can grow very large over time
  - Session lists are optimized for efficient time-based queries


Session List Configurable Components

▪ Name – Session list name
▪ Overlapping Entries – Optional multiple instances of key pairings
▪ In Memory Cap – Maximum number of entries in memory
▪ Entry Expiration Time – Time after which entries are end-dated if a termination event is not received


Session List Fields

▪ Fields determine list schema
▪ Data types for fields
  - Address
    - IP or MAC
  - Date
  - Numeric
    - Double
    - Integer
    - Long
  - Resource Reference
    - Asset, Report, Actor, etc.
  - String
  - Key field


Manipulating Session Lists


Diagram: Events matching a Filter fire a Rule whose “Add to Session List” action adds an entry to the named Session List; a second Rule’s “Terminate Session List” action terminates (end-dates) the entry rather than removing it.

Module summary
▪ Rules are programmed procedures that evaluate events against a set of conditions and patterns
▪ To process events at a given time, Rules can be
- Real-time
- Scheduled
▪ Actions are automatic procedures executed when all Rule conditions and aggregation
requirements are met
▪ Rule Triggers identify when Rule actions should be carried out
▪ An Active List is a configurable data store that can hold information derived from events or
other sources
- Create, read, and remove entries within Active Lists dynamically
▪ Session Lists – Store data similar to Active Lists and terminate entries instead of removing them


Lab Exercises



Module 14 – ESM Reports

Objectives
Upon successful completion of this module, you will be able to:

▪ Define a report
▪ Run, view, and save a report
▪ Manage archived reports


Event Lifecycle Phases

1. Data Collection and Event Processing
2. Network Model Lookup and Priority Evaluation
3. Correlation Evaluation
4. Monitoring and Investigation
5. Workflow
6. Incident Analysis and Reporting
7. Storage and Archive

Running and viewing reports

▪ Run on-demand or scheduled
  - Query and trend data inputs
  - Standard or customized templates
  - Part of ESM standard content; use as is or copy and modify
  - Save, distribute or discard after viewing
▪ Save formats
  - PDF
  - HTML
  - XLS (Excel spreadsheet)
  - RTF
  - CSV
▪ Archive within ESM or export


Report Workflow
▪ Report data (within a Query resource) can include data from:
  • Active lists
  • Session lists
  • Notifications
  • Cases
  • Assets
  • Events
  • Trends
▪ Select standard report or modify/develop report
▪ Run report
  - Optionally schedule execution
  - Determine distribution and archiving

Diagram: Reports Workflow – the Analyst determines input data, selects/develops reports, then runs/distributes reports.

Running Reports


Archiving reports at runtime

▪ Saves generated report to ESM Manager as Archived
  - Click Save Output to Archive (Command Center)
  - Click Save Output (ESM Console)
  - Enter location, name, and expiration date

Archived reports


Focused report

▪ Same as other reports
▪ Variation of a report
▪ Example:
  - Run the same report on different subdivisions of data
  - Don’t have to copy and modify the master report every time


Delta report

▪ A single report that compares two data sets
  - Supports single bar chart reports only



Appendix A – Lab Guide Questions and Answers

Report job scheduling

▪ Scheduling recurring report jobs is only accomplished from the ArcSight Console
▪ Reports can be run from ArcSight Command Center or the ArcSight Console
