Arcsight ESM 4.5 New Feature Description: Use-Cases

Steps to Success with ArcSight ESM 4.5 Use-Cases

Recently, ArcSight announced ArcSight ESM 4.5, which introduces a new feature called Use-Cases. This functionality goes a long way toward helping ArcSight users understand how ArcSight content packages apply to their environment as Use-Cases. This is functionality I've been a proponent of since about 2003. It is a walk-through of all the steps necessary to build a Use-Case for your environment, as well as a mechanism for explaining existing Use-Cases. Bundling Network Modeling and Use-Cases into a single wizard is a large step forward in ArcSight's effort to make SIEM easier for users.

This post describes ArcSight's new Use-Case and Network Modeling functionality, and also briefly describes how Decurity provides ArcSight use-case content through our Decurity D3 Service, which will leverage this ESM 4.5 functionality extensively. Don't worry: the content is focused on ArcSight ESM, not a sales pitch.

This post is organized in the following manner:
1. Prerequisites: Network Modeling, Use-Case Installation, Decurity D3 View
2. Use-Case Wizard Walk Through
3. Best Practices: Lab Environment Testing

Use-Case Prerequisites: Network Modeling
Use-Cases require you to specify which systems the content in the Use-Case applies to; for example, defining which hosts hold PCI data and therefore fall under the "PCI" monitoring Use-Cases. Content whose conditions are driven by asset categories or zones will not act on hosts that have not been modeled and categorized, so this step is not optional.
As part of ESM 4.5, ArcSight has improved a previous "professional services" tool called "asset import" and integrated it into ESM as a default tool.

To launch this tool, log into the ArcSight ESM Console and select Tools > Network Model. This launches a GUI that walks you through importing Zones, Assets and Asset Ranges.

Note: You will have to have your CSV files created ahead of time. The format of the file and available customizations are defined further in the ArcSight Documentation.
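Because the use-case content keys off zones and asset categories, a pre-flight check of the CSV files before you feed them to the Network Model wizard saves a round of re-imports. The script below is an added example, not ArcSight code or part of the wizard, and its column layout (zones: name,start,end; assets: name,ip,zone,categories with categories separated by ";") and the PCI category URI are assumptions for illustration; take the real file formats and category names from the ArcSight ESM documentation. The sample rows are constructed and deliberately contain the mistakes the check is meant to catch: an asset outside its zone, a duplicate IP, a reference to a zone that does not exist, and a host in the cardholder zone with no PCI category.

```python
"""Pre-flight validation of Network Model import CSVs (added example, not ArcSight code).

ASSUMED column layout for illustration only:
  zones.csv : name,start,end
  assets.csv: name,ip,zone,categories   (categories separated by ';')
Use the layouts from the ArcSight ESM documentation for a real import.
"""
import csv
import io
import ipaddress

# Constructed sample data, not taken from any real environment.
ZONES_CSV = """name,start,end
Corp-LAN,10.10.0.0,10.10.255.255
PCI-Cardholder,10.20.1.0,10.20.1.255
DMZ,192.0.2.0,192.0.2.255
"""

ASSETS_CSV = """name,ip,zone,categories
web01,192.0.2.10,DMZ,/Site Asset Categories/Business Role/Web Server
db-card01,10.20.1.15,PCI-Cardholder,/Site Asset Categories/Compliance/PCI
db-card02,10.20.1.16,PCI-Cardholder,
fileshare,10.30.0.5,Corp-LAN,/Site Asset Categories/Business Role/File Server
fileshare-dup,10.30.0.5,Corp-LAN,
app01,10.10.5.5,No-Such-Zone,
"""

# Assumed category URI; the real one depends on how your ESM categories are laid out.
PCI_CATEGORY = "/Site Asset Categories/Compliance/PCI"


def load_zones(text):
    """Parse the zone CSV into {name: (start_ip, end_ip)}, rejecting inverted ranges."""
    zones = {}
    for row in csv.DictReader(io.StringIO(text)):
        start = ipaddress.ip_address(row["start"].strip())
        end = ipaddress.ip_address(row["end"].strip())
        if end < start:
            raise ValueError(f"zone {row['name']}: end address before start address")
        zones[row["name"].strip()] = (start, end)
    return zones


def validate_assets(zones_text, assets_text, pci_zone, pci_category):
    """Return a list of (asset_name, problem) tuples; an empty list means the files are consistent.

    Checks: parseable IP, zone exists, IP inside the zone's range, no duplicate IPs,
    and every asset in the cardholder zone carries the PCI category so PCI content
    actually applies to it.
    """
    zones = load_zones(zones_text)
    seen_ips = {}
    problems = []
    for row in csv.DictReader(io.StringIO(assets_text)):
        name = row["name"].strip()
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            problems.append((name, "invalid-ip"))
            continue
        zone = row["zone"].strip()
        cats = [c.strip() for c in row["categories"].split(";") if c.strip()]

        if zone not in zones:
            problems.append((name, "unknown-zone"))
        else:
            start, end = zones[zone]
            if not (start <= ip <= end):
                problems.append((name, "ip-outside-zone"))

        if ip in seen_ips:
            problems.append((name, f"duplicate-ip:{seen_ips[ip]}"))
        else:
            seen_ips[ip] = name

        if zone == pci_zone and pci_category not in cats:
            problems.append((name, "missing-pci-category"))
    return problems


if __name__ == "__main__":
    for asset, issue in validate_assets(ZONES_CSV, ASSETS_CSV, "PCI-Cardholder", PCI_CATEGORY):
        print(f"{asset}: {issue}")
```

Run it against the real export before opening Tools > Network Model; any "missing-pci-category" or "ip-outside-zone" finding is a host the PCI use-case would quietly skip after import.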

Use-Case Prerequisites: Install Use-Case Bundle
ArcSight provides several example Use-Case packages (.arb) on the console system so you can test the feature and gain a better understanding of it.
These default use-case packages are in the ARCSIGHT_HOME/current/jumpstart directory.


The following Use-Case Packages are available by default:
• ArcSight-JumpStart-for-PCI.1.0.5787.arb
• ArcSight-JumpStart-for-Perimeter-Monitoring.1.0.5788.arb
• ArcSight-JumpStart-for-SOX.1.0.5789.arb
• ArcSight-JumpStart-for-User-Monitoring.1.0.5790.arb

Note: Use-Case packages should be installed only by Administrator users.
Installing these use-case packages is exactly the same as installing any other Package: navigate to Packages, click Import, select the package (.arb) file you wish to load and follow the prompts.
The system then verifies and imports the resources into your Manager. The use-case packages also load a GUI walk-through.


Use-Case Prerequisites: Decurity D3 Content Subscription
If you are a Decurity D3 Customer you may also download new/updated content from our Decurity support portal.

(Screenshots: the Decurity D3 Workspace and the Decurity D3 Content Download page.)

Decurity's content is organized by Event Source(s), Problem Set and Solution (Use Case), so it is easy to search for, identify and download the appropriate content. Content is provided by Decurity periodically, or on demand per Decurity D3 customer requests.

Use Case Wizard Overview: Introduction Panel
The Introduction panel describes the purpose of the use case.

Use Case Wizard Overview: Prerequisites Panel
The Prerequisites panel describes required actions or information needed before continuing with the Use Case wizard.
NOTE: Your network should be “modeled” before using the Use Case wizard to configure the use case.
Please carefully review ArcSight Documentation and Help functions in this wizard to better understand file formats for Zones, Assets and Asset Ranges.
There are some additional configuration options in the Wizard once the data is available. The documentation does a great job of explaining these features.

Use Case Wizard Overview: Confirm Event Sources Panel
The Confirm Event Sources panel lists the event sources that must send events to ESM via a SmartConnector for the specified use case. ArcSight SmartConnectors collect log data from existing event sources and generate events that are sent to ArcSight Logger or ESM.

Action: As appropriate for your environment, confirm the event sources that are configured with an ArcSight SmartConnector and supplying events to the ArcSight ESM for this use case.
Note: The Confirm Event Sources panel in this wizard is informational only.

IMPORTANT NOTE: The resources in the use case are driven by these events and without the event sources, the use case does not generate output.


Use Case Wizard Overview: Configuration Panels
The configuration depends on the ArcSight use-case you are setting up.
In the configuration phase you are asked to enter the values that apply to your environment. The values you provide are used to populate the settings in the resources that make up the use case.

The Use Case wizard displays the following types of configuration panels:
• Categorize Assets, Zones
• Active Lists
• Notification configuration (expiration time, notification rate)
• Report periodicity configuration (Daily, Weekly, Monthly, Quarterly, Yearly)

Use Case Wizard Overview: Summary of Settings
After clicking Next, the settings are applied to applicable Data Monitors and Rules for the use-case.

It’s Alive:
The configuration of the use case is complete. If the event sources for this use case are configured with an ArcSight SmartConnector and are sending events to ArcSight ESM, the output should be obvious:
• Content in the use case such as rules, data monitors, and queries start processing events
• If the conditions in the use case are met, data is provided to the output resources of the use case such as reports, active channels, dashboards, and cases.

Best Practices: Testing it - Lab Environment
If you do not have production event sources, or similar event sources, in your lab environment, you can at least duplicate the event data by copying some production data and bringing it into the lab. ArcSight provides tools to assist with this.

Step 1: Create Replay Files
Log in to the ArcSight ESM Manager host and run 'arcsight replayfilegen' from the manager/bin directory. You will be prompted to log in as Administrator or a similar user, then to select the time range you wish to export, any filtering options, obfuscation options and an output replay file name. Use the obfuscation options if the lab is not trusted to the same level as production: a replay file carries the real usernames, addresses and message content of the production events it was built from, and it is easy to forget it is sitting on a lab box.
Note: The replay file size depends on your timeframe and filters, but is usually several GB.

Step 2: ArcSight “Test” SmartConnector
You can install and configure a "Test" ArcSight SmartConnector to read, process and forward the events in the replay (.events) file created in Step 1.
Note: For easiest usage, copy the replay (.events) file into the "current" directory of the ArcSight SmartConnector.

From the ArcSight Connector Home/bin directory, launch "arcsight agents". This opens a GUI that lets you select your replay file and begins streaming those "production-like" events, at the rate you specify, into your lab ArcSight ESM Manager.

Review, measure and tune the content to your environment and needs. Remember to watch CPU and memory utilization as well as "Rules Partial Matches" and, of course, the actual number of correlation triggers; a rule that accumulates partial matches without ever firing is usually mis-scoped to your zones or asset categories rather than broken. Every environment is different and will require some tuning to work optimally for your needs. If you need help – just reach out, we're here for you!
Posted by Rocky on 05/11 at 08:57 AM
