ESM200
Student Guide
Use of this material to deliver training without prior written permission from Micro Focus is prohibited.
ESM200-70 – ArcSight Enterprise Security Manager (ESM) Administrator and Analyst
7.0.0 patch 1
Student Guide
Revision: A
© Copyright 2019 Micro Focus
The information contained herein is subject to change without notice. The only warranties for
Micro Focus products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting
an additional warranty. Micro Focus shall not be liable for technical or editorial errors or
omissions contained herein.
This is a Micro Focus copyrighted work that may not be reproduced without the written
permission of Micro Focus. You may not use these materials to deliver training to any person
outside of your organization without the written permission of Micro Focus.
This material (“Material”) may contain branding from Hewlett-Packard Company (now HP Inc.)
and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now
offered by Micro Focus, a separately owned and operated company. Any reference to the HP
and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett
Packard Enterprise/HPE marks are the property of their respective owners.
Objectives
- Use the Event Lifecycle as a framework to become familiar with how ArcSight resources interact with event data
- Use workflow management tools to provide real-time incident response and escalation tracking
  - Cases
  - Annotations
  - User Management
- Build and modify basic reporting within ESM to provide metrics data
Course agenda (table with columns Topic, Duration, Day; only one entry recovered): Module 10 – User administration, Thursday
Lab environment (diagram): http://ctp.cbtrain.microfocus.com/ (ctp/login.do) → ESM1.Acme.com
Customer feedback
A great part of our success is because of YOU and your feedback!
▪ You will receive a course evaluation survey
▪ Feedback is vital to improving our course offerings
▪ Please complete the evaluation
Rating scale (Net Promoter Score – Customer Satisfaction):
8, 7 – Satisfactory – 3 (Neutral)
6, 5, 4, 3, 2 – Unacceptable – 2 (Disagree)
Certificate of completion
Questions
Objectives
Upon successful completion of this module, you will be able to:
Topics
What is ArcSight ESM
• Technical Definition
• Problem it Solves
• How it fits into a modern day SOC
Process
• Incident Remediation
• Policy Compliance
• Metrics Reporting
Technology
• Components that make up ESM
• The event flow into ESM
• How new technologies integrate with ESM
People
• SOC Users
• ArcSight SMEs
• Stakeholders
• Improved data collection and enrichment to increase event threat knowledge
• Scan and correlate event data in real-time to detect threats affecting the enterprise
• Data intelligence and event correlation with a rule-based engine allow for known threat detection
• Real-time data correlation from multiple input sources (integration with ADP)
• Powerful event correlation of up to 75,000 events per second
• Simplified SOC workflow and triage management through ArcSight Command Center
• Rule development and continued improvement of rule-based threat detection engine
▪ People – Highly skilled individuals who work at the SOC
▪ Process – A series of mature, repeatable steps for accomplishing something
▪ Technology – Tools that provide data or responses to accomplish the SOC’s objectives
SOC roles (diagram): Management; Stakeholders – Business Users; ArcSight SMEs – L3 Administrator and Author; SOC Users – L2 Analyst, L1 Operator
L1 – Operator (SOC User; works in Command Center)
Profile:
• Junior Security Team Member
Job:
• Triage Events of Interest
• Follow SOPs
Tasks:
• Monitor for Events of Interest
• Triage Events of Interest
• Update Workflow
• Create Cases
• Provide SOP Feedback
L2 – Analyst (SOC User)
Profile:
• Mid Level/Senior team member
• SME in a specific area in the SOC
Job:
• Update/Resolve Cases
• Provide SOP Feedback
L3 – Author (ArcSight SME; works in the Console)
Tasks:
• Maintain/Update content/Use Cases
• Develop new Use Cases per security requirements
• Maintain/Update SOPs, Documentation
• Work with Administrator to bring in necessary log sources
• Work with Management to understand the SOC’s security and compliance goals
L3 – Administrator (ArcSight SME; works in the Console)
• Knowledge of Ports/Protocols
Tasks:
Business Users / Management (Stakeholders; use Command Center and Email)
Profile:
• Understands corporate compliance and security policies
• Understands SOC Operations
Job:
• Works with other stakeholders to … compliance goals
Tasks:
• Secure funding and resources necessary to achieve SOC security and compliance goals
• Develop …
• Review ArcSight Reports and Metrics to determine/confirm compliance
SOC process inputs (diagram): Context, Logs, Objectives → Events of Interest
Other processes: Incident Response, Policy Compliance, Metrics Reporting
SmartConnector event flow (output is CEF, forwarded to the Correlation Engine)
1. Collect
   - Polling
   - Listening (port)
2. Normalize
   - Parse (CSV, REGEX, SQL, XML…) → CEF
   - Categorize – Device Vendor, Product, DECID
   - Zone tag – Network Model
   - Options – Filter, Aggregate, DSM…
3. Forward / Cache – 70% / 30%
Deployment diagrams:
• Device → SmartConnector → ESM Manager (Correlation, Audit, Server Monitoring, Events) → Console
• SmartConnector placements shown: Windows hosts; Application, O/S and Windows O/S log sources; connector server with RAID 5 and NFS storage
• Distributed collection: Application → Logger at NYC, Dallas and LA, with an HQ site and a Remote Bunker
ESM Resources (managed by the ESM Manager):
Active Channels, Actors, Users, Assets, Cases, Connectors, Stages, Customers, Search Filters, Dashboards, Saved Searches, Files, Rules, Filters, Reports, Integration Commands, Knowledge Base, Query Viewers, Pattern Discovery, Lists, Notifications, Packages
ArcSight Architecture
Tiers (diagram): Connectors, Event Broker (ADP) → Manager, CORRe (ESM) → Console, Command Center (ESM User Interfaces) → Investigate (Investigate/Remediate Capabilities)
Log Sources: Network, System, System, Application
ADP tier – Connector(s), Event Broker, Logger
• Collects Raw Logs
Event Broker
• Provides Event Flow Visualizations and Health status monitoring of managed nodes
CORRe
• Completes normalization of Events
• Correlates Normalized Events
Manager
• Events are compressed at 10:1 ratio
Console
• Administrators may need access as well depending on ESM version
Command Center
• Web-based interface allowing:
  • Limited content creation
  • Storage Management Console
  • Peer Management
  • Content Sync
  • Keyword/Field-Based Search
Investigate
• Next generation high-speed search and hunt capability
• Based on Vertica
• Provides Search 10x faster than competition
• Provides an intuitive UI and visualization capabilities
• Seamless integration with 3rd party data lake solutions (Hadoop)
ArcSight Connectivity (diagram): Connector(s), Event Broker, Logger (ADP); Manager, CORRe (ESM); Console, Command Center (User Interfaces); Investigate
Summary
Objectives
Upon successful completion of this module, you will be able to:
▪ Use ArcSight Command Center to gain information about the ESM deployment
Topics
What is ArcSight Command Center
• Technical Definition
The Interface
• Menus
• Features/Limitations
People
• SOC Users
• ArcSight SMEs
• Stakeholders
Definition
Menus
Features/Limitations
Resource – Capabilities
Active Channels – Read/Write
Filters – Read/Write
Field Sets – Read/Write*
Fields – Read*
Data Monitors – Read
Dashboards – Read
Rules – Not Available
List – Not Available
Queries – Not Available
Query Viewers – Read
Events – ArcSight Command Center only
Content Management – ArcSight Command Center only
Peers – ArcSight Command Center only
Saved Searches – ArcSight Command Center only
Search Filters – ArcSight Command Center only
Storage and Archives – ArcSight Command Center only
Log Retrieval – ArcSight Command Center only
License – ArcSight Command Center only
Stats/Site map – ArcSight Command Center only
SOC Users
• Access Dashboards/Reports quickly
• Create and use Active Channels
• Integrate with Investigate
• Create/Manage Cases
ArcSight SMEs
• Access Dashboards/Reports quickly
• Create and use Active Channels
• Make Administration Changes to:
  • Storage
  • Archiving
  • Event Search
  • Manage Peer Relationships
Objectives
▪ Use shortcuts
▪ Start the Console from a command window in the Console’s bin directory
  - Windows: Arcsight console
  - Unix: ./arcsight console
Console layout (diagram): Navigator panel, Viewer panel, Inspect/Edit panel
Navigator panel
▪ Resources
▪ Packages
▪ Use Cases
Viewer panel
▪ Float panel
▪ Open resources
Inspect/Edit panel
▪ Multiple tabs open
Help feature
Knowledge Base
File Resource
Reference Pages
Console preferences
Module summary (1 of 2)
Module summary (2 of 2)
Objectives
What is schema?
▪ Data fields
▪ Over 400 data fields
▪ Divided into 17 groups
▪ Common Event Format (CEF)
▪ Navigator Panel
  - Yellow lightning bolt shows “Continuously evaluate” channels
  - Static channels have no bolt
ArcSight Event Schema and Lifecycle
Event Normalization
▪ Transforms raw event data into a Common Event Format
Schema field groups (selection):
• Agent
• Device
• Source
• Destination
• Attacker
• Target
• Original Agent
• Final Device
ArcSight Forwarding Connector (diagram)
Event lifecycle, Phases 1–5 (diagram)
▪ Devices generate event data and send event data to the ArcSight SmartConnector
▪ ArcSight SmartConnector normalizes event data
- Extracts values from log data
- Maps values to corresponding ArcSight event fields
- Evaluates and makes comparisons on normalized events
Juxtaposing raw log fields (1–8): 1 Src IP, 2 Src Port, 3 Dest IP, 4 Dest Port, 5 D/T Stamp, 6 Payload, 7 Action, 8 Rule Number
▪ Values entered into the schema after the normalization process is complete
Device Receipt Time – Jan 3 2008 22:15:09
Name – CP FW In
Source IP Address – 144.32.56.211
Source Port – 1422
Destination IP Address – 10.1.25.155
Destination Port – 1152
Additional values – Action: drop; Service: 2744; 4 (Rule5)
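The SmartConnector Collect/Normalize flow and the normalized-schema table above, worked through as an added Python example (this is illustration code written for this guide, not ArcSight's connector or parser). The raw line layout, the regex, the chosen schema field names and the vendor/product values are assumptions; the IP addresses, ports, timestamp and hostname are taken from the page's examples. The block parses the raw line, maps the values to schema fields, serializes them as a CEF record, and parses CEF back, including the header and extension escaping rules.

```python
"""Added example (not ArcSight code): parse a constructed firewall log line, map the
values to ArcSight-style schema field names, serialize the result as CEF, and parse
CEF back, including the header/extension escaping rules."""
import re
from datetime import datetime

# Constructed raw log line; the key=value layout is an assumption for this example.
RAW_LINE = ("Jan 3 2008 22:15:09 CPFWNY105 drop inbound "
            "src=144.32.56.211 sport=1422 dst=10.1.25.155 dport=1152 rule=5")

# Hypothetical parser for RAW_LINE (the "Parse" step of the SmartConnector flow).
_RAW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<action>\w+) (?P<dir>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) rule=(?P<rule>\d+)$")

# Schema field name -> CEF extension key (standard CEF keys).
CEF_KEYS = {"deviceReceiptTime": "rt", "deviceHostName": "dvchost", "deviceAction": "act",
            "sourceAddress": "src", "sourcePort": "spt", "destinationAddress": "dst",
            "destinationPort": "dpt", "deviceCustomNumber1": "cn1"}


def normalize(raw: str) -> dict:
    """Extract values from the raw line and map them to schema fields (the "Normalize" step)."""
    m = _RAW_RE.match(raw)
    if not m:
        raise ValueError("line does not match the expected format")
    g = m.groupdict()
    return {
        "deviceReceiptTime": datetime.strptime(g["ts"], "%b %d %Y %H:%M:%S"),
        "deviceHostName": g["host"],
        "name": f"CP FW {g['dir'].capitalize()}",
        "deviceAction": g["action"],
        "sourceAddress": g["src"], "sourcePort": int(g["sport"]),
        "destinationAddress": g["dst"], "destinationPort": int(g["dport"]),
        "deviceCustomNumber1": int(g["rule"]),   # firewall rule number
    }


def _esc_header(v) -> str:   # CEF header fields: escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v) -> str:      # CEF extension values: escape backslash, equals and newline
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev: dict, vendor="Check Point", product="FW-1", version="NG", severity=5) -> str:
    """Serialize as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(_esc_header(x) for x in
                      ("CEF:0", vendor, product, version, ev["deviceAction"], ev["name"], severity))
    ext = []
    for field, key in CEF_KEYS.items():
        value = ev[field]
        if isinstance(value, datetime):
            value = value.strftime("%b %d %Y %H:%M:%S")   # one of the timestamp layouts CEF accepts
        ext.append(f"{key}={_esc_ext(value)}")
    return header + "|" + " ".join(ext)


def _split_unescaped(s: str, sep: str, maxsplit: int) -> list:
    """Split on sep while skipping escaped characters; at most maxsplit splits."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(s: str, specials: str) -> str:
    """Undo CEF escaping for the characters listed in specials ("n" stands for newline)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in specials:
            out.append("\n" if s[i + 1] == "n" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cef(line: str):
    """Return (header dict, extension dict) for a CEF:0 record."""
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    names = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
             "signatureId", "name", "severity")
    header = {n: _unescape(p, "|\\") for n, p in zip(names, parts[:7])}
    ext_raw, ext = parts[7], {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext_raw))   # unescaped key= tokens
    for j, k in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext_raw)
        ext[k.group(1)] = _unescape(ext_raw[k.end():end].strip(), "=\\n")
    return header, ext


if __name__ == "__main__":
    event = normalize(RAW_LINE)
    cef_line = to_cef(event)
    print(cef_line)
    print(parse_cef(cef_line))
```

The escaping matters for detection content: a product name containing a pipe, or a message containing `=`, must not shift the header columns or split an extension value, which is why the splitter skips escaped characters rather than splitting on every separator.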
Categorization Examples
Category fields: Object, Behavior, Technique, Device Group, Outcome, Significance
• A security information management solution reported a hostile, failed brute force attack targeting the login of a service
Network model example (diagram):
DMZ – W2KNY101 IIS Webserver 10.0.21.21 (NAT: 63.240.60.149); LINNY103 Apache 10.0.21.40 (NAT: 63.240.60.147); gateway 10.0.21.1
Firewall – CPFWNY105 Checkpoint FW-1: 63.240.60.146, 192.168.242.1, address range 192.168.242.10 – 192.168.242.100
CORP – WNTNY205 Exchange 10.0.113.24; WNTNY206 File & Print 10.0.113.9; DHCP 10.0.113.3
Priority Rating
▪ Takes into account Priority Formula Factors and Agent Severity
▪ Displayed in Priority column of Active Channel
▪ Easy-to-identify events that need immediate attention
▪ Color-coded and numbered
Dashboards
• View problem areas on your network using pie-charts, bar charts, or tables
Query Viewers
• High-level summaries of network activity to investigate events
Event Search
• Extracts events across multiple ESM and Logger peers
Phase 5 – Workflow
Escalate incidents to other users
ESM Workflow
• Make immediate investigations
• Inform and escalate incidents to users
• Track responses
• Various Workflow Resources
• Annotations
• Cases
• Stages
• Notifications
• Knowledge Base
• Reference Pages
Reporting Tools
• Capture views or summaries of event data
• Use Queries and Trends to gather data
• Three types
• Focused Reports
• Standard Reports
• Delta Reports
Module 6 Summary
In this module, you learned that:
• Active Channels – allow selection of all events
• Fields Sets – subset of the total events in the Schema
• Schema – logical table of all events received
• Event Lifecycle – Seven Phases
Objectives
Upon successful completion of this module, you will be able to:
• Recognize what a filter is, the types, and how to create them
• Apply filters to a connector and active channels
• Debug filters
Types of filters
Filter editor
▪ Filter creation and modification
  - Filter condition statements are constructed using Boolean logic (and, or, not)
  - Conditions editor is known as Common Conditions Editor (CCE)
  - Can be displayed as a tree (top) or Summary (bottom)
▪ In the Active Channel Editor, under the Filter tab, you can specify an unnamed
condition that is applied only to the current active channel
▪ All events coming into the active channel are evaluated against these conditions, but
the conditions are not reusable by any other resource
▪ Work Around
  - Data Stream Analysis: InActiveList()
  - Add explicit conditions in the Inline Filter, for example: targetAddress = 10.10.111.129
  - Or build a Query and Query Viewer using the filter with the InActiveList() condition
Active Channel definition (diagram): *name; Filter / Inline Filter; *Start; *End; *ET or MRT (End Time or Manager Receipt Time); Field Set → Events
Debugging Filters
Integration Commands
Lab Exercises
Objectives
Upon completion of this module, you should be able to:
Data Monitors
▪ Displays most recent events, which are categorized by Priority, Name, Protocol, and Category
▪ Event Correlation
▪ Event Reconciliation
▪ Moving Average
▪ Session Reconciliation
▪ Statistics
Data Monitor → Dashboard (diagram): Data Monitor (*name, Filter, Moving Average) displayed in Dashboard (*name)
▪ System Monitor
- Displays measurements based on ESM Manager’s internal systems, Java classes, and
attributes
▪ System Monitor Attribute
- Displays specific attributes of a given internal ArcSight Java class
▪ Rules Partial Match
- Displays Rules that have partial matches and the total number of partially matched events
within a specified time frame
Dashboards
Data Monitor → Dashboard (diagram): a Data Monitor (*name, Filter, Type) is displayed in a Dashboard (*name) in the Viewer Panel or in Command Center
Dashboards Layouts
Data monitors/Query Viewers included in Dashboards can drill down into Active Channels for further investigation
Module summary
Objectives
Upon completion of this module, you should be able to:
- Rule behavior
Rules Overview
▪ Simple
▪ Join
Rule Conditions
Rules Aggregation
Rule anatomy (diagram):
RULE – Name; Filter; Match Count & Time; Aggregation (Unique / Identical); Trigger?
Actions – Create or add to Case(s); Send Notification (Acknowledgement?); Set Event Fields; Active List
Rule Triggers
Lightweight Rules
▪ Provide simpler, faster, less resource-intensive rule processing
  - Processed earlier in the event flow than standard rules
  - Intended for populating and modifying active lists and session lists
Lightweight rule actions (diagram): Filter → LW Rule → Add to / Remove from Active List; Add to / Terminate Session List entry
Pre-persistence Rules
Active Lists
A configurable data store that can hold information derived from events or other
sources
▪ Event-based
▪ Fields-based
▪ Key Fields
Active List usage (diagram):
• Filter 1 → Rule 1 → Rule Trigger Action: Add to Active List (*Name; entry TTL with timeout; Audit Event on add/remove)
• Filter 2 → Rule 2 → Rule Trigger Action: Remove from Active List
• Filter 3 → Filter Condition InActiveList() or NOT InActiveList() → Data Monitor
▪ Main Benefits
- Cumulative values calculated consistently
by multiple rules and events in parallel
- Better performance reading a value,
computing new values in a rule, and
storing it back
▪ Restrictions
- Only available in fields-based Active Lists
- Numeric fields cannot be used as key fields
- Manual edit – List entries for numeric subtypes (value entered is the final value)
- Not Supported – Numeric subtypes in multi-mapped Active Lists
- Trends cannot act on these lists
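The Active List flow (Rule 1 adds, Rule 2 removes, Filter 3 tests InActiveList(), entries time out by TTL) together with the numeric-field benefits and restrictions above, as an added Python model. This is illustration code written for this guide, not ESM's implementation; the list name, the key field, the 600-second TTL, the rule conditions and the events are all constructed for the example.

```python
"""Added example (illustration code, not ESM's implementation): an in-memory model of
an ArcSight-style Active List with key fields, a per-entry TTL, a numeric field that
rules increment, audit events, and the InActiveList() / NOT InActiveList() checks."""
from dataclasses import dataclass, field


@dataclass
class ActiveList:
    name: str
    key_fields: tuple            # fields that identify an entry, e.g. ("attackerAddress",)
    ttl_seconds: float           # time-to-live of an entry; 0 means entries never expire
    entries: dict = field(default_factory=dict)    # key tuple -> entry dict
    audit_log: list = field(default_factory=list)  # (event kind, key) pairs, like ESM audit events

    def _key(self, ev: dict) -> tuple:
        return tuple(ev[k] for k in self.key_fields)

    def _expire(self, now: float) -> None:
        """Drop entries whose TTL has elapsed, recording an audit event for each."""
        expired = [k for k, e in self.entries.items()
                   if e["expires"] is not None and e["expires"] <= now]
        for key in expired:
            del self.entries[key]
            self.audit_log.append(("ttl_expired", key))

    def add(self, ev: dict, now: float, increment: int = 0) -> dict:
        """Rule action 'Add to Active List'. Re-adding an existing key refreshes its TTL;
        the numeric field is accumulated in place, so several rules can increment it safely."""
        self._expire(now)
        key = self._key(ev)
        entry = self.entries.get(key)
        if entry is None:
            entry = {"fields": dict(zip(self.key_fields, key)), "count": 0, "expires": None}
            self.entries[key] = entry
            self.audit_log.append(("add", key))
        entry["count"] += increment
        entry["expires"] = now + self.ttl_seconds if self.ttl_seconds else None
        return entry

    def remove(self, ev: dict, now: float) -> bool:
        """Rule action 'Remove from Active List'."""
        self._expire(now)
        key = self._key(ev)
        if self.entries.pop(key, None) is None:
            return False
        self.audit_log.append(("remove", key))
        return True

    def contains(self, ev: dict, now: float) -> bool:
        """The InActiveList() filter condition; NOT InActiveList() is simply its negation."""
        self._expire(now)
        return self._key(ev) in self.entries


# Rule conditions over constructed events (categoryOutcome is an ArcSight category field).
def rule_failed_login(ev: dict) -> bool:
    return ev["categoryOutcome"] == "/Failure"


def rule_successful_login(ev: dict) -> bool:
    return ev["categoryOutcome"] == "/Success"


def run_scenario() -> dict:
    """Drive the Filter 1 / Rule 1 (add), Filter 2 / Rule 2 (remove) and Filter 3 (InActiveList) flow."""
    suspicious = ActiveList("Suspicious Sources", key_fields=("attackerAddress",), ttl_seconds=600)
    events = [  # constructed: (seconds since start, event fields)
        (0, {"attackerAddress": "10.0.21.40", "categoryOutcome": "/Failure"}),
        (5, {"attackerAddress": "144.32.56.211", "categoryOutcome": "/Failure"}),
        (10, {"attackerAddress": "10.0.21.40", "categoryOutcome": "/Failure"}),
        (20, {"attackerAddress": "10.0.21.40", "categoryOutcome": "/Success"}),
    ]
    out = {"failure_counts": {}}
    for now, ev in events:
        if rule_failed_login(ev):                      # Rule 1: add / increment the counter
            entry = suspicious.add(ev, now, increment=1)
            out["failure_counts"][ev["attackerAddress"]] = entry["count"]
        elif rule_successful_login(ev):                # Rule 2: remove once the login succeeds
            suspicious.remove(ev, now)
    external = {"attackerAddress": "144.32.56.211"}
    internal = {"attackerAddress": "10.0.21.40"}
    out["external_listed_at_25"] = suspicious.contains(external, now=25)    # Filter 3 at t=25
    out["internal_listed_at_25"] = suspicious.contains(internal, now=25)
    out["external_listed_at_700"] = suspicious.contains(external, now=700)  # past the 600 s TTL
    out["audit"] = list(suspicious.audit_log)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Two details mirror the restrictions listed above: the numeric field is never part of the key, and every change to it goes through `add`, so no rule reads a value, computes, and writes it back separately. Expiry is evaluated lazily on each access, which is enough for a model; a real list also needs the expired entries reported, hence the audit events.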
Session Lists
Module summary
▪ Rules are programmed procedures that evaluate events against a set of conditions and patterns
▪ To process events at a given time, Rules can be
- Real-time
- Scheduled
▪ Actions are automatic procedures executed when all Rule conditions and aggregation
requirements are met
▪ Rule Triggers identify when Rule actions should be carried out
▪ An Active List is a configurable data store that can hold information derived from events or
other sources
- Create, read, and remove entries within Active Lists dynamically
▪ Session Lists – Store data similar to Active Lists and terminate entries instead of removing them
Lab Exercises
Objectives
Upon successful completion of this module, you will be able to:
▪ Define a report
Report Workflow
Workflow (diagram): Determine Input Data → Select/Develop Reports → Run/Distribute Reports (Analyst)
▪ Report data (within a Query resource) can include data from:
  • Active lists
  • Session lists
  • Notifications
  • Cases
  • Assets
  • Events
  • Trends
▪ Select standard report or modify/develop report
▪ Run report
  - Optionally schedule execution
  - Determine distribution and archiving
Running Reports
Archived reports
Focused report
Delta report