Paladion ArcSight Training2

The document provides instructions for installing and configuring the operating system, Oracle database, ArcSight Express All-in-One appliance, ArcSight Console, and applying the ArcSight license. It describes setting preferences in Oracle Enterprise Linux, setting passwords for user accounts, configuring network settings including IP addresses, and disabling the firewall. It also explains installing the ArcSight Console, applying the license file, and configuring the ArcSight ESM database.

ArcSight Express Installation

Installing Operating Systems

• ArcSight Express All-in-One has the Oracle Enterprise Linux operating system
installed. Set up the preferences for Oracle Enterprise Linux when you boot the
system for the first time only or when you boot the system after a factory restore.
• The following wizard will help you set the preferences for Oracle Enterprise Linux:
• Click Next on the Welcome screen

• Read the license agreement. This license agreement is for Oracle Linux. Select Yes, I agree to the License Agreement if you agree with it:

• Most components, including ESM Manager and ArcSight Web, run using an "arcsight" user account for security reasons.

• Oracle runs as the user "oracle". Set up a password for the Oracle user "oracle" in the following screen:

• The appliance is set up with the following pre-defined IP addresses:
  • 192.168.35.35 for eth0
  • 192.168.36.35 for eth1

• Click File->Save to save the changes.

• Click the Devices tab. Deselect eth1, eth2, and eth3. Select eth0 and click the Edit button.

• Set the IP address, subnet mask, and default gateway in the Ethernet Device dialog:

• The network will automatically be restarted and you will see the message "Restarting network. Please wait...".

• Choose Disable firewall in the Security Level dropdown menu and then make sure the ports listed in the note below are open:

• Important! Log in as user root when you are prompted with the screen below.

Configuring the ESM

• The database user account has already been created for you with username "arcsight". Enter a password for this account:

• Enter passwords for the SYS and SYSTEM accounts.
  • Oracle SYS Password: password for the Oracle superuser, SYS.
  • Oracle SYSTEM Password: password for the Oracle admin account.

• Apply the ArcSight license file.
ArcSight Console Installation

To install ArcSight Console, run the self-extracting archive file and click Next in the following screens.
ArcSight Console

• Provides a graphical user interface for easy monitoring, analyzing and reporting.
• Used to set up filters and create customized rules to display and process events, define notification and escalation procedures and actions, manage users and set permissions, etc.

ArcSight Console Elements:

• Navigator Panel
• Viewer Panel
• Inspect/Edit Panel
• Message bar
Navigator Panel

• To access ArcSight resources
• Resources include Active Channels, Reports, Rules, Agents, Active Lists, Customers, Notifications, etc.

Viewer Panel

• To view Dashboards, Active Channels, agent and manager status, Notifications, etc.

Inspect/Edit Panel

• To examine the details of events that appear in an Active Channel
• To modify resources like Reports, Active Channels, Filters, Rules, Dashboards, etc.

Message Bar

• Displays error messages and notifications from the system


User Preferences

• The Console provides the capability to modify its default behavior and look and feel at run time.

Console Actions

Actions taken within the Console can also change default behavior. Examples:
• Showing column headers: text only, icon and text, or icon only
• Set slide show interval

Property Groups

• Look and Feel
• Date and time format
• Browser settings
Network & Asset Modeling
What is Asset? Zone? Network? Customer?
• Assets represent individual nodes on the network, such as servers,
routers, and laptops
• Asset ranges represent a set of network nodes addressable as a
contiguous block of IP addresses
• Zones represent portions of the network itself and are also
characterized by a contiguous block of addresses
• Networks are helpful when disambiguating two private address
spaces
• Customers describe the internal or external cost centers or separate
business units associated with networks, if applicable to your
business environment
Event in ArcSight ESM Without Asset Modeling

• No Customer
• No Model Confidence
• No Asset Criticality
• Priority 4
• Attacker Zone default
• Target Zone default
• No Geo Information at all
How ArcSight ESM Enriches Events

Step 1: Add Customer

• Customers describe the internal or external cost centers or separate business units associated with networks, if applicable to your business environment
• This means a customer needs to be created in ArcSight ESM
• Go in the Navigator to Customers and add a customer
• You may add additional information like Address, but that won't be used during the event enrichment process

Step 2: Add Network

• Networks are helpful when disambiguating two private address spaces
• This means a network needs to be created in ArcSight ESM
• One customer can have several networks
• Network information won't be shown in the event
• It's the glue between Customer and Zones
• Go in the Navigator to Assets and click on the Network tab
• Add a network
• Choose a Customer (the one you've created)

Step 3: Add Zone

• Zones represent portions of the network itself and are also characterized by a contiguous block of addresses
• The Zone information will be shown in the event
• One network can have many Zones
• Go in the Navigator to Assets and click on the Zone tab
• Add a Zone
• Choose a Network

Step 4: Create Asset and Assign it to Zone

• In the Navigator go to Assets and create a new Asset
• Assets represent individual nodes on the network, such as servers, routers and laptops
• Asset ranges represent a set of network nodes addressable as a contiguous block of IP addresses
• Choose a name, IP address and zone
• Click on Categories
• Add Criticality

Step 5: Add Network and Customer to the Connector

Event in ArcSight ESM after asset modeling (Steps 1 to 5):

• Customer ArcSight UC
• Model Confidence 4
• Asset Criticality 10
• Priority 5
• Attacker Zone populated
• Target Zone populated

Step 6: Add More Asset Information

• In order to populate the Threat section in an event, Vulnerabilities and Open Ports are required
• A Vulnerability Assessment solution should be used for that

Asset information after the scan: the quality of the information in the Threat section is much higher

• Model Confidence 10
• Relevance 10
• Asset Criticality 10
• Priority 5

Step 7: Create Location

• ArcSight ESM will automatically populate Geo Information for public networks
• For private networks you need to configure the Location
• Create a location and provide the necessary parameters
• Assign it to the Network Zone
How does it help you?

• Priority better shows what an event really means
• With Zone and Customer information, filters can be created more easily
• Links in the Event Inspector go down to e.g. Asset Information
• Geo View also includes your private networks
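The seven steps above build a lookup chain: an address is matched to a Zone by its CIDR block, the Zone points at a Network, the Network is owned by a Customer, and an exact Asset (or Asset Range) supplies the criticality. The following Python is an added example written for this page, not code from the training deck or from ArcSight; the model contents (customer "ArcSight UC", zone names, addresses, criticalities) are constructed, and Priority and Model Confidence are deliberately not computed because the slides do not give their formula.

```python
import ipaddress

# Constructed asset model; every name and value here is hypothetical.
ASSET_MODEL = {
    # Step 1 + Step 2: networks, each owned by a customer (the "glue" between customer and zones)
    "networks": {"corp-net": "ArcSight UC"},
    # Step 3 + Step 7: zones carry a CIDR block, a parent network and, for private
    # address space, the configured location (None = no location configured yet)
    "zones": [
        {"name": "corp-servers", "cidr": "10.10.0.0/16", "network": "corp-net", "location": "Bangalore DC"},
        {"name": "corp-dmz", "cidr": "10.10.250.0/24", "network": "corp-net", "location": "Bangalore DMZ"},
        {"name": "corp-clients", "cidr": "10.20.0.0/16", "network": "corp-net", "location": None},
    ],
    # Step 4: individual assets with the criticality set on the Categories tab
    "assets": {"10.10.1.25": {"name": "hr-db01", "criticality": 10}},
    # Step 4: asset ranges cover a contiguous block with one criticality
    "asset_ranges": [{"name": "vpn-pool", "cidr": "10.20.5.0/24", "criticality": 3}],
}


def lookup_zone(model, ip):
    """Longest-prefix match of an address against the configured zones (None = default zone)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for zone in model["zones"]:
        net = ipaddress.ip_network(zone["cidr"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = zone, net.prefixlen
    return best


def lookup_asset(model, ip):
    """An exact asset entry wins; otherwise the first asset range containing the address."""
    asset = model["assets"].get(ip)
    if asset:
        return asset
    addr = ipaddress.ip_address(ip)
    for rng in model["asset_ranges"]:
        if addr in ipaddress.ip_network(rng["cidr"]):
            return rng
    return None


def enrich(event, model):
    """Fill the attacker*/target* fields the slides show being populated.
    Priority and Model Confidence are ArcSight's own computations and are not reproduced."""
    out = dict(event)
    for side in ("attacker", "target"):
        ip = event.get(f"{side}Address")
        if not ip:
            continue
        zone = lookup_zone(model, ip)
        asset = lookup_asset(model, ip)
        out[f"{side}Zone"] = zone["name"] if zone else "default"
        out[f"{side}Customer"] = model["networks"].get(zone["network"]) if zone else None
        # Public addresses get geo data from ArcSight's built-in database (not modelled here);
        # a private zone only has a location if Step 7 configured one.
        out[f"{side}Location"] = zone["location"] if zone else None
        out[f"{side}AssetName"] = asset["name"] if asset else None
        out[f"{side}AssetCriticality"] = asset["criticality"] if asset else None
    return out


# Constructed sample event; 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_EVENT = {"name": "Suspicious login", "attackerAddress": "203.0.113.7",
                "targetAddress": "10.10.1.25"}

if __name__ == "__main__":
    for key, value in enrich(SAMPLE_EVENT, ASSET_MODEL).items():
        print(f"{key}: {value}")
```

The unmodelled attacker lands in the "default" zone with no customer, exactly the "before" picture on the earlier slide, while the target picks up zone, customer, location and criticality 10. The longest-prefix rule matters when zones nest: the DMZ /24 inside the servers /16 must win for its own addresses.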
Filters & Active Channels
Filters

• Filters are conditions that reduce the volume of events.
• Can be applied at the Connectors to reduce the volume of events sent to the Manager.
• Can be applied in Reports, Active Channels, Rules etc. to retrieve the exact events.
Filters

Filter statements are constructed using Boolean logic operators and comparison operators.

Logic operators: AND, OR, NOT

Comparison operators: =, !=, Contains, In, StartsWith, EndsWith, Like, Is, InSubnet, Between, <, <=, >, >=, On, InGroup, BitAnd

Data Type: Number or Integer
  Operators Used: =, !=, <, <=, >, >=, and In
  Examples: CustomNumber1 = 50
            Aggregated Event Count >= 10

Data Type: String
  Operators Used: =, !=, In, Contains, Matches, Starts With, Ends With, and Like
  Examples: ArcSightCategory StartsWith /Attack
            ArcSightCategory = /AttackSuccess

Data Type: Date Time
  Operators Used: =, !=, Between, In, and On
  Example:  End Time Between 03/06/2009 15:00:00, 03/06/2009 16:00:00

Data Type: IP Address
  Operators Used: =, !=, In, InSubnet, and Between
  Examples: Target Address = 178.168.11.211
            Target Address In 178.168.11.211, 178.168.11.212, 178.168.11.213
            Target Address InSubnet 172.168.11.0/24

• In the Case Sensitive column, select the check box if the data field value must be case sensitive.
• In the Negate Condition column, select the check box to change the condition statement to an "all except this condition statement".
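To make the operator table concrete, here is an added example (written for this page, not code from the deck or from ArcSight) that evaluates condition rows of the kind shown above, with the Case Sensitive and Negate flags, combined with AND/OR/NOT, over a few constructed events. The event field names, the `Like` wildcard semantics (`%` and `_`, SQL-style) and the rule that a missing field never matches are assumptions.

```python
import ipaddress
import re
from datetime import datetime

TS_FORMAT = "%m/%d/%Y %H:%M:%S"   # timestamp layout used by the slide's Date Time example


def _typed(value):
    """Promote strings that look like IP addresses or timestamps to comparable objects."""
    if isinstance(value, str):
        try:
            return ipaddress.ip_address(value)
        except ValueError:
            pass
        try:
            return datetime.strptime(value, TS_FORMAT)
        except ValueError:
            pass
    return value


def _fold(value, case_sensitive):
    """Lower-case string values unless the Case Sensitive box is ticked."""
    if case_sensitive or not isinstance(value, str):
        return value
    return value.lower()


def _like_to_regex(pattern):
    """Like: '%' matches any run of characters, '_' a single one (SQL-style, an assumption)."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return "^" + "".join(parts) + "$"


def evaluate_condition(event, cond):
    """Evaluate one condition row: field, op, value, plus case_sensitive and negate flags."""
    raw = event.get(cond["field"])
    if raw is None:
        return False                        # absent field never matches (assumption)
    cs = cond.get("case_sensitive", False)
    lhs = _typed(_fold(raw, cs))
    operand = cond["value"]
    if isinstance(operand, (list, tuple)):  # In and Between take several values
        rhs = [_typed(_fold(v, cs)) for v in operand]
    else:
        rhs = _typed(_fold(operand, cs))
    ops = {
        "=": lambda: lhs == rhs,
        "!=": lambda: lhs != rhs,
        "<": lambda: lhs < rhs,
        "<=": lambda: lhs <= rhs,
        ">": lambda: lhs > rhs,
        ">=": lambda: lhs >= rhs,
        "In": lambda: lhs in rhs,
        "Between": lambda: rhs[0] <= lhs <= rhs[1],
        "Contains": lambda: rhs in lhs,
        "StartsWith": lambda: lhs.startswith(rhs),
        "EndsWith": lambda: lhs.endswith(rhs),
        "Like": lambda: re.match(_like_to_regex(rhs), lhs) is not None,
        "Matches": lambda: re.search(rhs, lhs) is not None,
        "InSubnet": lambda: lhs in ipaddress.ip_network(rhs, strict=False),
        "On": lambda: lhs.date() == datetime.strptime(rhs, "%m/%d/%Y").date(),
    }
    result = ops[cond["op"]]()
    return (not result) if cond.get("negate", False) else result


def evaluate_filter(event, node):
    """node is a condition dict or a tuple ('AND' | 'OR' | 'NOT', [child nodes])."""
    if isinstance(node, dict):
        return evaluate_condition(event, node)
    logic, children = node
    if logic == "AND":
        return all(evaluate_filter(event, c) for c in children)
    if logic == "OR":
        return any(evaluate_filter(event, c) for c in children)
    if logic == "NOT":
        return not evaluate_filter(event, children[0])
    raise ValueError(f"unknown logic operator: {logic}")


def apply_filter(node, events):
    """Return the names of the events that pass the filter, in input order."""
    return [e["name"] for e in events if evaluate_filter(e, node)]


# Constructed sample events; field names follow ArcSight's camel-case convention.
SAMPLE_EVENTS = [
    {"name": "probe", "targetAddress": "172.168.11.42", "arcSightCategory": "/Attack/Probe",
     "aggregatedEventCount": 12, "endTime": "03/06/2009 15:30:00"},
    {"name": "scan", "targetAddress": "178.168.11.212", "arcSightCategory": "/attack/scan",
     "aggregatedEventCount": 3, "endTime": "03/06/2009 17:10:00"},
    {"name": "login", "targetAddress": "10.0.0.5", "arcSightCategory": "/Authentication/Success",
     "aggregatedEventCount": 1, "endTime": "03/06/2009 15:45:00"},
]

# Attack-category events aimed at the monitored subnet or the listed hosts,
# excluding the 15:00-16:00 window (Negate ticked on the Between condition).
ATTACK_TRAFFIC = ("AND", [
    {"field": "arcSightCategory", "op": "StartsWith", "value": "/Attack"},
    ("OR", [
        {"field": "targetAddress", "op": "InSubnet", "value": "172.168.11.0/24"},
        {"field": "targetAddress", "op": "In",
         "value": ["178.168.11.211", "178.168.11.212", "178.168.11.213"]},
    ]),
    {"field": "endTime", "op": "Between",
     "value": ["03/06/2009 15:00:00", "03/06/2009 16:00:00"], "negate": True},
])

if __name__ == "__main__":
    print(apply_filter(ATTACK_TRAFFIC, SAMPLE_EVENTS))   # ['scan']
```

Note what the flags do to the result: with Case Sensitive off, "/attack/scan" satisfies `StartsWith /Attack`; with it on, only "/Attack/Probe" does. The negated Between drops the probe that fell inside the excluded hour, which is the "all except this condition" behaviour described above.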
Field Sets

Field Sets are groups of fields

• Show the exact contents/information in an event
• Used in Active Channels (in grid view) to limit the columns that are displayed, in reports, etc.

Active Channel

Displays events that match an existing filter over a fixed or rolling time frame.

Active Channel Elements
• Header
  • Provides an overview of the Active Channel.
  • It includes the time frame, filter, event criticality etc.
• Radar
  • Bar chart overview of Active Channel events
  • It represents the group of events (in segments) with the same time
• Channel Viewer
  • Grid
  • Graph
  • Image
Active Channel views: Image View, Graph View, Grid View
Rules

• ArcSight rules are similar to an Intrusion Detection System.
• Rules act on live data.
• A rule is triggered when the specified matching events (conditions) occur within the specified time limit.
• Investigates live data and generates correlation events / sends notifications if the specified conditions match.
• Constructed using aggregation and Boolean patterns.
• Must be activated and saved in the Real Time Rules folder.
Simple Rule

Basic conditions using a single event type or category.
e.g. Device shutdown

Join Rule

Connects events from different devices in order to analyze the trend.
e.g. If there is an event from an IDS and a corresponding permit event from a firewall (occurring in a single session, i.e. both target the same port from the attacker).

Chained Join Rule

Uses Active Lists.
Good for long and slow elapsed-time attack sequences across multiple rules.
e.g. One rule finds an asset showing abnormal activity and adds the asset's details / activity information to an Active List. Another rule can read from the Active List and take additional action, such as aggregating additional activity from that asset.
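The three rule types above, replayed over a constructed event stream, as an added example written for this page (not code from the deck or from ArcSight's rule engine). The simple rule fires on a single "Device shutdown" event; the join rule pairs an IDS alert with a firewall permit for the same attacker, target and port inside a join window; the chained join rule puts the joined attacker on an Active List with a TTL and counts that attacker's later events until a threshold fires. Event fields, device names, the permit-before-alert ordering, the 60-second window, the one-hour TTL and the threshold of 2 are all assumptions; addresses come from the RFC 5737 documentation ranges.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _t(stamp):
    return datetime.strptime(stamp, TS_FORMAT)


def run_rules(events, join_window_s=60, active_ttl_s=3600, chain_threshold=2):
    """Replay events in time order through a simple rule, a join rule and a chained join
    rule; return the correlation events produced and the final Active List state."""
    join_window = timedelta(seconds=join_window_s)
    active_ttl = timedelta(seconds=active_ttl_s)
    correlations = []
    permits = {}       # (attacker, target, port) -> time of the latest firewall permit
    active_list = {}   # attacker -> {"expires": datetime, "count": follow-up events seen}

    for e in sorted(events, key=lambda ev: _t(ev["time"])):
        now = _t(e["time"])
        attacker = e.get("attackerAddress")
        key = (attacker, e.get("targetAddress"), e.get("targetPort"))

        # Simple rule: one event type is enough.
        if e["name"] == "Device shutdown":
            correlations.append(f"Simple: device shutdown on {e['targetAddress']}")

        # Chained join rule, second half: aggregate later activity from a listed attacker.
        # Runs before the join rule so the event that lists an attacker is not itself counted.
        entry = active_list.get(attacker)
        if entry is not None:
            if now > entry["expires"]:
                del active_list[attacker]          # TTL elapsed: entry drops off the list
            else:
                entry["count"] += 1
                if entry["count"] == chain_threshold:
                    correlations.append(
                        f"Chained: {attacker} produced {chain_threshold} further events while listed")

        # Join rule: IDS alert preceded by a firewall permit for the same attacker,
        # target and port inside the join window (permit-first ordering is assumed).
        if e["device"] == "firewall" and e["name"] == "Permit":
            permits[key] = now
        elif e["device"] == "ids":
            permitted_at = permits.get(key)
            if permitted_at is not None and now - permitted_at <= join_window:
                correlations.append(
                    f"Join: {e['name']} from {attacker} permitted to {key[1]}:{key[2]}")
                # Chained join rule, first half: record the attacker in the Active List
                listed = active_list.setdefault(attacker, {"count": 0})
                listed["expires"] = now + active_ttl
    return {"correlations": correlations, "active_list": active_list}


# Constructed sample stream (not real logs); deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    {"time": "2024-01-15 10:00:20", "device": "ids", "name": "SMB exploit attempt",
     "attackerAddress": "198.51.100.9", "targetAddress": "10.10.1.25", "targetPort": 445},
    {"time": "2024-01-15 10:00:00", "device": "firewall", "name": "Permit",
     "attackerAddress": "198.51.100.9", "targetAddress": "10.10.1.25", "targetPort": 445},
    {"time": "2024-01-15 10:05:00", "device": "firewall", "name": "Permit",
     "attackerAddress": "198.51.100.9", "targetAddress": "10.10.1.30", "targetPort": 22},
    {"time": "2024-01-15 10:06:00", "device": "ids", "name": "SSH brute force",
     "attackerAddress": "198.51.100.9", "targetAddress": "10.10.1.30", "targetPort": 22},
    {"time": "2024-01-15 10:30:00", "device": "ids", "name": "HTTP probe",
     "attackerAddress": "192.0.2.4", "targetAddress": "10.10.1.40", "targetPort": 80},
    {"time": "2024-01-15 10:31:00", "device": "server", "name": "Device shutdown",
     "attackerAddress": None, "targetAddress": "10.10.1.25", "targetPort": None},
    {"time": "2024-01-15 12:30:00", "device": "firewall", "name": "Permit",
     "attackerAddress": "198.51.100.9", "targetAddress": "10.10.1.50", "targetPort": 3389},
]

if __name__ == "__main__":
    for line in run_rules(SAMPLE_EVENTS)["correlations"]:
        print(line)
```

The HTTP probe never correlates because no permit for that attacker/target/port exists, and the 12:30 permit arrives after the Active List entry has expired, so the attacker is silently dropped rather than counted: the two failure modes a chained rule has to handle.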
Notifications

• To alert a group of users about an event's occurrence.
• When we create a rule and add a Send To Notifier action, we will be able to select the notification group that will receive the message.

When a rule that has a notification action triggers, the ArcSight notification engine does the following:

• Notifies all active destinations in the first escalation level within that group. The notification engine then waits for a certain time period to receive an acknowledgment to that notification.
• The length of time that the notification engine waits for acknowledgement depends on the event severity, and can be set.
• If no acknowledgment is received within the specified time interval, the same notification is escalated to the next level within the group.
Notifications

Notification Icon / Notification Window

• Indicates new notifications have arrived. Click the notification icon to open the Notifications tab in the Viewer panel.

Notification Category: Explanation
  Pending: These are notifications that you have not yet handled.
  Acknowledged: These are notifications to which you have replied.
  Not Acknowledged: Pending notifications older than 24 hours are automatically re-filed as Not Acknowledged.
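The escalation behaviour described on the previous slides and the three categories in this table, simulated as an added example written for this page (not ArcSight's notification engine). The group layout (three escalation levels, one inactive analyst), the per-severity wait times and the 24-hour re-filing cut-off are constructed; only the mechanics come from the slides: notify the active destinations of the first level, wait a severity-dependent period for an acknowledgement, escalate to the next level if none arrives, and re-file anything still Pending after 24 hours as Not Acknowledged.

```python
from datetime import datetime, timedelta

# Assumed acknowledgement wait per severity; in ESM the wait is configurable per severity.
WAIT_BY_SEVERITY = {"high": timedelta(minutes=5), "medium": timedelta(minutes=15),
                    "low": timedelta(hours=1)}
NOT_ACK_AFTER = timedelta(hours=24)   # Pending notifications older than this are re-filed

# Constructed notification group: escalation levels in order, destinations with active flags.
SOC_GROUP = [
    [{"name": "analyst-1", "active": True}, {"name": "analyst-2", "active": False}],
    [{"name": "shift-lead", "active": True}],
    [{"name": "soc-manager", "active": True}],
]


def at(stamp):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for the scenario below)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


class NotificationEngine:
    def __init__(self, groups, wait_by_severity=WAIT_BY_SEVERITY):
        self.groups = groups
        self.wait = wait_by_severity
        self.notifications = {}
        self.next_id = 1

    def _deliver(self, n, when):
        """Send to every active destination of the notification's current level."""
        for dest in self.groups[n["group"]][n["level"]]:
            if dest["active"]:
                n["sent_to"].append(dest["name"])
        n["deadline"] = when + self.wait[n["severity"]]

    def trigger(self, group, severity, message, now):
        """A rule's Send To Notifier action fires: notify the first escalation level."""
        n = {"id": self.next_id, "group": group, "severity": severity, "message": message,
             "created": now, "level": 0, "status": "Pending", "sent_to": []}
        self.next_id += 1
        self.notifications[n["id"]] = n
        self._deliver(n, now)
        return n["id"]

    def acknowledge(self, nid, now):
        n = self.notifications[nid]
        if n["status"] == "Pending":
            n["status"] = "Acknowledged"
            n["acknowledged_at"] = now
        return n["status"]

    def advance(self, now):
        """Clock tick: escalate overdue notifications, re-file those older than 24 hours."""
        for n in self.notifications.values():
            if n["status"] != "Pending":
                continue
            if now - n["created"] >= NOT_ACK_AFTER:
                n["status"] = "Not Acknowledged"
                continue
            levels = len(self.groups[n["group"]])
            # A long gap may cross several deadlines; escalate one level per elapsed wait.
            while now >= n["deadline"] and n["level"] + 1 < levels:
                n["level"] += 1
                self._deliver(n, n["deadline"])
            # At the top level the notification simply stays Pending until acknowledged.

    def recipients(self, nid):
        return list(self.notifications[nid]["sent_to"])

    def status(self, nid):
        return self.notifications[nid]["status"]

    def categories(self):
        """Group notification ids the way the Console's Notifications tab does."""
        out = {"Pending": [], "Acknowledged": [], "Not Acknowledged": []}
        for n in self.notifications.values():
            out[n["status"]].append(n["id"])
        return out


if __name__ == "__main__":
    engine = NotificationEngine({"SOC": SOC_GROUP})
    nid = engine.trigger("SOC", "high", "Rule fired", at("2024-01-15 09:00"))
    engine.advance(at("2024-01-15 09:06"))       # 5-minute wait exceeded: escalates
    print(engine.recipients(nid), engine.status(nid))
```

Two details worth noticing when reading the escalation rules: an inactive destination is skipped, not queued, and once an acknowledgement arrives no further levels are contacted, so the shift lead only ever hears about the high-severity item if the analyst fails to respond within the configured wait.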
