L1 Host Monitoring - Indicators and Warnings


Authors

- Nellie Wang (HPE)
- Dat Nguyen (HPE)
- Phil Jorgensen (MNIT)
- Henk-Jan van Esterik (Micro Focus Professional Services)

Introduction

The host layer covers the device itself, its operations, and the security analysis of both. It is the home for events about a device's operation and configuration, and for the changes that affect those attributes, so that any given device can be handled collectively and generically.

The L1 Host Monitoring - Indicators and Warnings package monitors and tracks the availability of system hosts and of the services on them that have security or operational significance. It has to be integrated with the Product packages that collect and filter the device events for hosts and host components. It can also be integrated with, but does not require, the L2 Host Monitoring - Situational Awareness package for further detections and investigations.

The purpose of the L1 package is to hold common functionality (such as Rules) that multiple Product packages can share. The L1 Rules reference L1 filters whose shipped condition is null (False), so they match nothing until they are configured. Wherever possible, the device-specific filters live only in the Product packages; each Product filter is then linked into the corresponding null (False) L1 filter by an OR statement where appropriate. For example:

Graphic_View.PNG

merge_multipleProductFilters.PNG

The following describes all resources included for this package. If you modify a resource, we suggest adding a comment in the Description field. If you create a new resource, please add it to the appropriate table below.

Main Use Cases

Below are the main use cases and user stories for this package.

Use Cases

  • Availability for Hosts
  • Availability for Essential Services on normal hosts
  • Monitor System Host Configuration Changes

User Stories

  • Use Case 1 - User Story 1: Detect Downtime for Hosts
  • Use Case 1 - User Story 2: Detect Host Start
  • Use Case 2 - User Story 1: Detect Downtime for System Services
  • Use Case 2 - User Story 2: Detect Service Start
  • Use Case 3 - User Story 1: Detect Configuration Changes in the System/Services

Future Use Cases:

  • Monitor host hardware warning and failures
  • Detect extended downtime for essential Services during business hours
  • Monitor host resource utilization
  • Monitor system driver operation
  • Monitor system service configuration
  • Monitor log service operation
  • Monitor log service configuration
  • Monitor unknown process or service
  • Process or Service activated from suspicious path

Package Download Instructions

The latest package can be downloaded from the ArcSight Marketplace, or internally from GitHub (https://github.com/ArcSightActivate/Host).

Prerequisites

Ensure the following is complete:
  • Activate Base Package 2.5.1 or higher has been installed
  • ESM version is 6.8c or higher
  • ESM is set up to sort packages by their IDs: open server.properties (<ARCSIGHT_HOME>/manager/config) and add the following line:

export.archive.reference.sort.order=id

  • For ESM in Compact Mode: restart the ESM Manager
  • For ESM in Distributed Mode: restart the ESM Manager, Aggregator(s), and Correlator(s)

Package Installation Procedure

Follow the steps below to install the L1 Host Monitoring - Indicators and Warnings package:
1. Copy the L1-HostMonitoringInstallAndUpdate1210.bat file (or L1HostIndicatorsAndWarningsInstallAndUpdate1210.sh on Linux) and the L1-Host Monitoring_-_Indicators_and_Warnings_1.2.1.0.arb file into the "current" directory of the ArcSight Console installation, e.g. c:\arcsight\console68\current\ (see L1-Host-pkg-list.png).
2. Execute L1-HostMonitoringInstallAndUpdate1210.bat on Windows or L1HostIndicatorsAndWarningsInstallAndUpdate1210.sh on Linux.

L1-Host-pkg-batchinstall.png

3. You will be prompted for the Manager hostname, port, username and password. The password is echoed in cleartext, so run the installer from a terminal that is not shared, recorded or visible to others, and use an account with no more rights than package import requires. L1-Host-pkg-Install-Sh.png

4. After the update, the packages in ArcSight ESM look like the screenshot L1-Host-pkg-console.png.

If you run into any issues, the errors are displayed in the command prompt window.

5. You can now delete the installer files from ARCSIGHT_HOME:

  • L1-<Package_Name>_<version>.arb
  • L1-<Package_Name_Updated>_<version>.arb
  • L1<PackageName>InstallAndUpdate<version>.bat
L1-Host-pkg-console.png

Package Uninstallation Procedure

Follow the steps below to uninstall the L1 Host Monitoring - Indicators and Warnings package:
1. Select the packages you wish to uninstall. L1-Host-pkg-Delete.png
2. Select "Delete" in the dialog box. L1-Host-pkg-Delete-1.png
3. If the L2 Host Monitoring package is also installed, it depends on this package and is removed with it. Select "OK" to confirm the deletion of the respective L2 package as well. L1-Host-pkg-Delete-2.png

4. Select "Delete All Resources and Packages" and select "Ok", then confirm the deletion on the next screen.

This removes the package contents from ESM.

Note: The Customization and Active List packages are not uninstalled automatically, so that the customer can preserve their data. Delete them the same way as above if they are no longer needed.

L1-Host-pkg-Delete-3.png


Package Configuration

1. Create the Essential Service List

The 'Essential Service List' active list is pre-populated with some default essential service names. For the essential-service related L1 and L2 Rules to work as expected, populate it with the services that matter to your business requirements and security concerns; the list is owned, maintained and updated by the user. Before adding an entry, check a sample event for the service name exactly as the device reports it, since a list entry only matches an identical name.
In the Navigator panel select "Lists" from the drop-down list and go to /All Active Lists/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/Essential Services List. EssentialServiceList.PNG
  • Right-click the list, select 'Show Entries', then click the '+' icon to add a new entry,

or

  • Right-click the list, select 'Edit Active List', then click the 'Add Entry' icon to add a new entry.
AddNewEntry.PNG
2. Filter Configuration

At the L1 Host Monitoring - Indicators and Warnings level, the minimum configuration is to link your Product filters into the 'Host Shutdown', 'Host Started', 'Service Stopped', and 'Service Started' filters. Until this is done these four filters are 'False', so the L1 Rules that reference them never fire.

Follow the procedure below for each of the four filters. The example shows how to link multiple Product filters into the 'Host Shutdown' filter.
  • Edit the filter "/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Shutdown".
  • The default condition of the L1 'Host Shutdown' filter is 'False'.
defaultFilter.PNG
  • Replace that condition: keep the 'AND (&)' operator if you add a single Product filter, or use the 'OR (||)' operator if you add filters from more than one Product package, so that an event matching any of them passes.
  • Click the 'Filters' icon and select the filter from the P-Linux Product package.
Note: in this case two filters are selected, one from the P-Linux package and one from the P-Microsoft Windows package.
Product-L1_FilterConfig.PNG
  • The 'Host Down' Rule in the L1 package references this filter, so it picks up the customized condition without any further configuration change.
  • Follow the same procedure for the 'Host Started', 'Service Stopped', and 'Service Started' filters.
merge_multipleProductFilters.PNG

Content Hooks for Product Packages

List of L1 Host Monitoring - Indicators and Warnings filters that must be configured with Product filters. For each hook, the first URI is the L1 filter and the following URIs are the P-Linux, P-Windows (and, for device configuration changes, Cisco ASA) filters to link into it:

Host Shutdown
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Shutdown
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Linux Auditd System Shutdown
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Changes/Windows is Shutting Down
Host Started
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Started
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Linux Auditd System Boot
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Changes/Windows is Starting Up
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows pre-2003/System Changes/Windows is Starting Up
Service Stopped
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Stopped
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Linux Auditd Service Stopped
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Changes/Service was Sent a Stop Control
Service Failed
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Errors/Service Failed
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Service Activities RHEL 7x/Linux Auditd Service Failed
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Errors/Windows Service Failure
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Errors/Windows Service Crash
Service Started
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Started
  • P-Linux: /All Filters/ArcSight Activate/Core/Product Filters/Linux/System Changes/Service Activities RHEL 7x/Linux Auditd Service Started
  • P-Windows: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Windows/Microsoft Windows 2008 - Vista/System Changes/Service was Sent a Start Control
All Device Config Configuration Change Events
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/All Device Config Configuration Change Events
  • Cisco ASA: /All Filters/ArcSight Activate/Core/Product Filters/Cisco ASA/System Changes/Cisco ASA Write Config
All Essential Configuration Change Events
  • L1: /All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/All Essential Configuration Change Events
Both the P-Linux and P-Windows packages have been end-to-end tested with the above filters in the L1 Host Monitoring package (RHEL 7.1, RHEL 6.7 and Windows 2008). However, service start/stop events are not consistently collected through syslog on RHEL releases prior to 7.1, so customers must define the event filter conditions according to their own OS version.
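The hook pattern described under Filter Configuration and in the Content Hooks list above, modelled as an added Python example. This is illustration code written for this page; it is not ArcSight content and does not use the ArcSight API. It shows the three pieces working together: L1 hook filters that ship as False, Product-package filters OR'd into them, L1 rules that reference only the hook filter, and the Service Stopped rule consulting the Essential Service List. The event dictionaries, their field names (product, event_id, host, service, state) and the sample events are constructed for the example; the auditd record types and Windows event IDs are stand-ins chosen for the example, not a statement of what the real P-Linux and P-Windows filters match.

```python
"""Added model of the L1 hook pattern (illustration only, not ArcSight code).

An L1 hook filter ships as 'False' and matches nothing.  Product-package
filters are OR'd into it, and the L1 rules reference only the hook filter,
so they begin firing as soon as the hook is populated.  The Service Stopped
rule additionally consults the Essential Service List active list.

Events are plain dicts with constructed field names (product, event_id, host,
service, state); they are not real connector output.
"""
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]
Filter = Callable[[Event], bool]


def false_filter(_: Event) -> bool:
    """Shipped condition of every L1 hook filter: matches nothing."""
    return False


def any_of(*filters: Filter) -> Filter:
    """The OR (||) node built when filters from several Product packages are hooked in."""
    return lambda event: any(f(event) for f in filters)


# Stand-ins for the Product-package filters.  Each keys on a device-specific
# identifier; the auditd record types and Windows event IDs used here are
# assumptions for the example, not the real P-Linux / P-Windows conditions.
def linux_auditd_system_shutdown(e: Event) -> bool:
    return e["product"] == "auditd" and e["event_id"] == "SYSTEM_SHUTDOWN"


def windows_is_shutting_down(e: Event) -> bool:
    return e["product"] == "Microsoft Windows" and e["event_id"] == "6006"


def linux_auditd_service_stopped(e: Event) -> bool:
    return e["product"] == "auditd" and e["event_id"] == "SERVICE_STOP"


def windows_service_stopped(e: Event) -> bool:
    return (e["product"] == "Microsoft Windows" and e["event_id"] == "7036"
            and e.get("state") == "stopped")


# L1 rules: they reference the hook filter, never a Product filter directly.
def host_down_rule(host_shutdown: Filter, events: List[Event]) -> List[str]:
    """'Host Down': one alert per host with an event matching the Host Shutdown hook."""
    return sorted({e["host"] for e in events if host_shutdown(e)})


def essential_service_stopped_rule(service_stopped: Filter,
                                   essential_services: Set[str],
                                   events: List[Event]) -> List[Tuple[str, str]]:
    """'Service Stopped' joined with the Essential Service List: a stopped
    service is reported only when its name is an exact entry on the list."""
    return sorted({(e["host"], e["service"]) for e in events
                   if service_stopped(e) and e.get("service") in essential_services})


# Constructed sample events (not real connector output).
SAMPLE_EVENTS: List[Event] = [
    {"product": "auditd", "event_id": "SYSTEM_SHUTDOWN", "host": "web01"},
    {"product": "Microsoft Windows", "event_id": "6006", "host": "dc01"},
    {"product": "Microsoft Windows", "event_id": "6005", "host": "dc01"},  # startup, not shutdown
    {"product": "auditd", "event_id": "SERVICE_STOP", "host": "web01", "service": "sshd"},
    {"product": "auditd", "event_id": "SERVICE_STOP", "host": "web01", "service": "cups"},
    {"product": "Microsoft Windows", "event_id": "7036", "state": "stopped",
     "host": "dc01", "service": "Netlogon"},
    {"product": "Microsoft Windows", "event_id": "7036", "state": "running",
     "host": "dc01", "service": "Netlogon"},
]

# Essential Service List: shipped with defaults, maintained by the customer.
ESSENTIAL_SERVICES: Set[str] = {"sshd", "Netlogon", "DNS"}

# As shipped: both hooks are False, so the rules are silent.
HOST_SHUTDOWN_DEFAULT: Filter = false_filter
SERVICE_STOPPED_DEFAULT: Filter = false_filter

# After Filter Configuration: Product filters OR'd into each hook.
HOST_SHUTDOWN_CONFIGURED: Filter = any_of(linux_auditd_system_shutdown, windows_is_shutting_down)
SERVICE_STOPPED_CONFIGURED: Filter = any_of(linux_auditd_service_stopped, windows_service_stopped)

if __name__ == "__main__":
    print("Host Down, default hooks  :", host_down_rule(HOST_SHUTDOWN_DEFAULT, SAMPLE_EVENTS))
    print("Host Down, configured     :", host_down_rule(HOST_SHUTDOWN_CONFIGURED, SAMPLE_EVENTS))
    print("Essential service stopped :", essential_service_stopped_rule(
        SERVICE_STOPPED_CONFIGURED, ESSENTIAL_SERVICES, SAMPLE_EVENTS))
```

With the default (False) hooks the rules report nothing at all, and only after the Product filters are OR'd in do web01 and dc01 appear as down and sshd and Netlogon as stopped essential services (cups is stopped too but is not on the list). A rule that stays silent after installation is therefore a sign that the Filter Configuration step was skipped, not evidence that the hosts are healthy.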

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor      Product             Version(s)   Comments
Microsoft   Windows             2008
Redhat      Linux               7.1, 6.7
Cisco       ASA
Atalla      HSM
Symantec    Endpoint Protect

Test Plan

The L1HostMonitoringTestPlan page provides the methodology for testing this package.

Extensibility

Ideas on how to extend the package to new log sources and new use cases.

Resources

The link below contains a table of all resources included in this package:

Best Practices to Build Contents

https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/HowActivateBestPractices#Events

Attribution:

Date          Description
March 2016    Activate Developers Working Group: Donald Chapell (HPE), Mary Cordova (Sony), Phil Jorgensen (State of Minnesota), Nellie Wang (HPE)
Dec 2017      Henk-Jan van Esterik (Micro Focus Professional Services)
Dec 2017      Seema Khan (Micro Focus)
Topic revision: r35 - 06 Nov 2018, YunPeng


 

