L1 Entity Monitoring

This package identifies anomalies in entity authentication and entity (user account) management.

Authors:

- Mary Cordova SNEI

- Donald Chapell

- Oswaldo Dimas

- Prentice Hayes

- Rhydham Joshi

- Nellie Wang

Introduction

Initial idea generation for L2 package use cases leveraging the Linux Product Package led to the decomposition of the four "core" product use case categories into two new L1 packages: L1 Entity Monitoring and L1 Host Monitoring.

Early in the Activate framework development, product packages contained a standard set of four high-level use case categories and possibly a fifth (or more) product-specific category. The standard use case categories were Entity Management, Entity Authentication, System and Service Changes, and System and Service Errors.

These four use case categories formed the initial basis for the L1 Entity Monitoring and L1 Host Monitoring Packages as follows:
  • L1-Entity Monitoring
    • Entity Management (formerly User Administration)
    • Entity Authentication
  • L1-Host Monitoring
    • Host Activity (formerly System and Service Errors)
    • Host Administration (formerly System and Service Changes)
The justification for this design decision was that developing these rule sets in every product package (and the resources consumed by the duplicated rule sets) was redundant. Fundamentally, a user account creation is a user account creation regardless of the system on which the activity is performed. The same justification extends to the L1 Host package: a system boot is a system boot.

Work has been performed to create the initial L1 Entity and Host packages containing the directory structure necessary to facilitate migration to the new framework. The new L1 packages will work in the same manner as the Perimeter and Network Monitoring packages.

Rules reside in the L1 package and reference filters in the same L1 package that are initially null (they match nothing). Wherever possible, only filters reside in the product packages; those product filters are then linked, via an OR statement, into the previously null L1 filter where appropriate. For example:
  • L1-Entity Monitoring (package)
    • (resource) Rules
      • Arcsight Activate
        • Solutions
          • Entity Monitoring
            • Indicators and Warnings
              • Entity Management
                • User Account Created --->> reference to L1 Package filter User Account Created <<--- reference from (multiple) Product filter(s) User Account Created (Linux filter) OR User Account Created (ASA filter) OR product filter OR etc
                • User Account Deleted
                • etc
              • Entity Authentication
L1EntityMonitoring.PNG
The implication is that each existing product package will need to be reviewed and optimized so that, wherever possible, only filters remain in the product package when the activity monitored is fundamentally either user or host monitoring. Care must be taken that the current use cases are comprehensively covered in the new L1 Entity and Host packages. The product packages will continue to provide L1 use case rule sets that are unique to the defined function of the product.

For instance, the Websense Web Security (web proxy/gateway) product package will have all rules relating to the previously defined L1 User and Host use cases removed, but the Web Security (proxy/gateway) specific components, such as Proxy Suspicious Events, will remain intact. Those filters and rules will continue to provide L1 alerts such as Websense Proxy Avoidance to the ESM SOC stage as configured in the product package.

Main Use Cases

L1-Entity Monitoring - Indicators and Warnings package includes the following user stories:

Use Case 1 - Account Anomalies

User Account Created and Deleted within 24 Hours

User Account Enabled and Disabled within 24 Hours

Impossible Travel Activity Detected

Use Case 2 - Entity Authentication

User Account Brute Force Attempt

User Account Brute Force Attempt from Multiple Sources

User Account Brute Force Attempt Reported by Device

User Account Harvesting Attempt

User Account Logoff

User Account Logon

User Account Logon Failure

Use Case 3 - Entity Management

User Account Created

User Account Deleted

User Account Disabled

User Account Enabled

User Account Locked

User Account Locked Multiple Times

User Account Modification

User Account Unlocked

Future Use Cases: Entity Monitoring

Replay Attack

Pass the Hash

Supported Log Sources

Supported log sources include any device product package (Microsoft Windows Product Package, Linux Product Package, application product packages, etc.) that logs user account management or authentication events.

Package Download Instructions

The latest package can be downloaded from the ArcSight Marketplace.

Prerequisites

Ensure the following is complete:
  • Activate Base Package (v2.5.1.0) has been installed

Package Installation Procedure

After the Activate Base is installed, follow the steps below to install the L1 Entity Monitoring package.
1. Copy the L1-Entity_Monitoring_-_Indicators_and_Warnings_1.3.0.0.bat file and the L1-Entity_Monitoring_-_Indicators_and_Warnings_1.3.0.0.arb file to the "current" directory under the path where the ArcSight Console is installed, i.e. c:\arcsight\console\current
InstallL1Package_2.PNG

2. Execute the L1-Entity_Monitoring_-_Indicators_and_Warnings_1.3.0.0.bat file and provide the ESM username and password when prompted. The installation script imports and installs the contained packages.

Imported and Installed package:

L1-Entity Monitoring - Indicators and Warnings

L1-Entity Monitoring - Indicators and Warnings - Customizations

InstallL1Package_3.PNG

Entity_3.PNG

Content Hooks for Product Packages

1. The filters below ship as null filters and must be populated with (linked to) the corresponding filters from the product packages before the L1-Entity Monitoring - Indicators and Warnings rules can trigger. Each entry gives the filter name, its URI in the L1 Entity Monitoring package, and a description.
User Account Brute Force Attempt Reported by Device
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Brute Force Attempt Reported by Device
This filter identifies brute force attack events reported by other devices like IDS/IPS etc.
User Account Logoff
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logoff
This filter tracks the user account logoff events.
User Account Logon
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon
This filter tracks the user account successful login events.
User Account Logon Failure
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure
This filter identifies the user account failed login events.
User Account Created
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Created
This filter identifies the user account created events.
User Account Deleted
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Deleted
This filter identifies the user account deleted events.
User Account Disabled
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Disabled
This filter identifies the user account disabled events.
User Account Enabled
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Enabled
This filter identifies the user account enabled events.
User Account Locked
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Locked
This filter identifies the user account locked events.
User Account Modification
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Modification
This filter identifies the modification in user account attributes.
User Account Unlocked
  • /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Unlocked
This filter identifies the user account unlocked events.
The P-Linux and P-Windows packages were used to conduct an end-to-end test with the above filters in the L1-Entity Monitoring package.

The lab environment consisted of Linux RHEL 7.1 and Windows Server 2012 providing Active Directory, Domain Name Services and Dynamic Host Configuration Protocol services to Windows 7 machines.
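The example below is added here and is not ArcSight content or part of this package. It models, in plain Python, the design described in the Introduction and in the content hook table: per-product filters (here one for Windows and one for Linux) normalize vendor-specific events into the common L1 filter categories (User Account Created, User Account Deleted, User Account Logon Failure, and so on), the L1 filter is simply the OR of those product filters, and the L1 rules for Use Case 1 (account created and deleted within 24 hours) and Use Case 2 (brute force from one source, and from multiple sources) correlate only on the normalized categories, never on vendor fields. The log lines are constructed for illustration (fictitious hosts and users in a simplified layout); the Windows Security event IDs 4720, 4726, 4624, 4625, 4740 and the Linux useradd/userdel/sshd message formats are real, but the thresholds and windows are assumptions chosen for the sample data rather than the package's actual rule settings.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (fictitious hosts/users) in a simplified syslog-like layout.
SAMPLE_LOGS = [
    "2017-02-28T21:00:00 WIN  EventID=4720 TargetUser=jdoe Src=10.0.0.5",
    "2017-02-28T22:30:00 WIN  EventID=4726 TargetUser=jdoe Src=10.0.0.5",
    "2017-02-28T21:05:00 LNX  useradd[2210]: new user: name=svc_backup, UID=1005",
    "2017-03-02T09:00:00 LNX  userdel[2310]: delete user 'svc_backup'",
    "2017-02-28T23:00:00 LNX  sshd[4411]: Failed password for root from 10.0.0.9 port 5000 ssh2",
    "2017-02-28T23:00:10 LNX  sshd[4412]: Failed password for root from 10.0.0.9 port 5001 ssh2",
    "2017-02-28T23:00:20 LNX  sshd[4413]: Failed password for root from 10.0.0.9 port 5002 ssh2",
    "2017-02-28T23:00:30 LNX  sshd[4414]: Failed password for root from 10.0.0.9 port 5003 ssh2",
    "2017-02-28T23:00:40 LNX  sshd[4415]: Failed password for root from 10.0.0.9 port 5004 ssh2",
    "2017-02-28T23:01:00 WIN  EventID=4625 TargetUser=admin Src=10.0.0.7",
    "2017-02-28T23:01:05 WIN  EventID=4625 TargetUser=admin Src=10.0.0.8",
    "2017-02-28T23:01:10 WIN  EventID=4625 TargetUser=admin Src=10.0.0.11",
    "2017-02-28T23:05:00 WIN  EventID=4624 TargetUser=admin Src=10.0.0.7",
    "2017-02-28T23:10:00 WIN  EventID=1234 TargetUser=noop Src=10.0.0.7",  # not an L1 category
]


@dataclass(frozen=True)
class L1Event:
    """A vendor event normalized to one of the L1 Entity Monitoring filter categories."""
    ts: datetime
    category: str   # name of the L1 filter this event maps to
    user: str
    src: str
    product: str


# Product filter 1: Windows. Real Security log event IDs mapped to L1 categories.
WINDOWS_EVENT_MAP = {
    "4720": "User Account Created",
    "4726": "User Account Deleted",
    "4624": "User Account Logon",
    "4625": "User Account Logon Failure",
    "4740": "User Account Locked",
}
WIN_RE = re.compile(r"^(\S+) WIN\s+EventID=(\d+) TargetUser=(\S+) Src=(\S+)$")


def windows_filter(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, eid, user, src = m.groups()
    cat = WINDOWS_EVENT_MAP.get(eid)
    return L1Event(datetime.fromisoformat(ts), cat, user, src, "Windows") if cat else None


# Product filter 2: Linux. useradd/userdel/sshd message formats mapped to L1 categories.
LINUX_PATTERNS = [
    (re.compile(r"useradd\[\d+\]: new user: name=(\w+)"), "User Account Created"),
    (re.compile(r"userdel\[\d+\]: delete user '(\w+)'"), "User Account Deleted"),
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\w+) from (\S+)"),
     "User Account Logon Failure"),
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (\w+) from (\S+)"), "User Account Logon"),
]
LNX_RE = re.compile(r"^(\S+) LNX\s+(.*)$")


def linux_filter(line):
    m = LNX_RE.match(line)
    if not m:
        return None
    ts, msg = m.groups()
    for pat, cat in LINUX_PATTERNS:
        pm = pat.search(msg)
        if pm:
            g = pm.groups()
            src = g[1] if len(g) > 1 else "localhost"  # local account changes carry no source IP
            return L1Event(datetime.fromisoformat(ts), cat, g[0], src, "Linux")
    return None


# The L1 filter: an OR over the product-package filters (the "content hooks").
PRODUCT_FILTERS = [windows_filter, linux_filter]


def l1_filter(lines):
    events = []
    for line in lines:
        for product_filter in PRODUCT_FILTERS:
            ev = product_filter(line)
            if ev:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e.ts)


def rule_created_and_deleted(events, window=timedelta(hours=24)):
    """Use Case 1: the same account is created and then deleted within the window."""
    created, hits = {}, []
    for ev in events:
        key = (ev.product, ev.user)
        if ev.category == "User Account Created":
            created[key] = ev.ts
        elif ev.category == "User Account Deleted":
            t0 = created.get(key)
            if t0 is not None and ev.ts - t0 <= window:
                hits.append(ev.user)
    return hits


def rule_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Use Case 2: >= threshold logon failures for one user from one source inside the window."""
    failures, hits = defaultdict(list), set()
    for ev in events:
        if ev.category != "User Account Logon Failure":
            continue
        q = failures[(ev.user, ev.src)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # slide the window
            q.pop(0)
        if len(q) >= threshold:
            hits.add((ev.user, ev.src))
    return sorted(hits)


def rule_brute_force_multi_source(events, min_sources=3, window=timedelta(minutes=5)):
    """Use Case 2: logon failures for one user from >= min_sources distinct sources in the window."""
    per_user, hits = defaultdict(list), set()
    for ev in events:
        if ev.category != "User Account Logon Failure":
            continue
        q = per_user[ev.user]
        q.append((ev.ts, ev.src))
        while q and ev.ts - q[0][0] > window:
            q.pop(0)
        if len({src for _, src in q}) >= min_sources:
            hits.add(ev.user)
    return sorted(hits)


if __name__ == "__main__":
    evs = l1_filter(SAMPLE_LOGS)
    print("Created and deleted within 24h:", rule_created_and_deleted(evs))
    print("Brute force (single source):", rule_brute_force(evs))
    print("Brute force (multiple sources):", rule_brute_force_multi_source(evs))
```

On the constructed data the rules flag jdoe (created and deleted 90 minutes apart; svc_backup is excluded because its deletion falls outside 24 hours), root from 10.0.0.9 for the single-source brute force, and admin for the multi-source case, while the Windows event with an unmapped ID is dropped at the product filter. The point to carry over to the real package is that adding a new log source means writing one product filter and OR-ing it into the L1 filter; none of the rules change.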

Uninstallation Procedure

To uninstall L1-Entity Monitoring - Indicators and Warnings, perform the steps below. Please note that uninstalling L1-Entity Monitoring - Indicators and Warnings also uninstalls L2-Entity Monitoring - Situational Awareness, since the Situational Awareness package depends on it.

1) Navigate to the Package section and locate the L1-Entity Monitoring package.

EntityUninstall_1.PNG

2) Right click on the package and select "Uninstall the Package" to uninstall.

EntityUninstall_2.PNG

3) To delete the package perform the following operation. Navigate to Package -> Right Click on the Package -> Select "Delete Package".

EntityUninstall_3.PNG

4) Because of the package dependency, uninstalling L1-Entity Monitoring - Indicators and Warnings automatically uninstalls L2-Entity Monitoring - Situational Awareness and L2-Entity Monitoring - Situational Awareness - Active List. Please note that uninstalling a package does not delete it, whereas deleting a package uninstalls and deletes that package and, automatically, all packages that depend on it.

5) Deleting L1-Entity Monitoring - Indicators and Warnings therefore also deletes L2-Entity Monitoring - Situational Awareness and L2-Entity Monitoring - Situational Awareness - Active List.

6) The Customizations package must be deleted manually using the same procedure, since it depends on Activate Base and is not affected by deletion of the L1 and L2 Entity Monitoring packages.

Test Plan

L1EntityMonitoringTestPlan provides the methodology for testing this package.

Resources

The link below contains a table of all resources included in this package:

Topic revision: r35 - 24 Oct 2018, OswaldoDimas