L1-Perimeter Monitoring - Indicators and Warnings


This package provides a view of IDS and connection-attempt events on the network perimeter.

Main Use Cases

Below are the main use cases for this package.

Use Case 1: Clear Text Protocol Usage

Cleartext Protocol Crossing a Perimeter

Use Case 2: Events to Same Destination

High Volume of Denies to Same Destination
Multiple Denies to Same Destination

Use Case 3: Events from Same Source

Multiple Denies and an Allow from Same Source
Multiple Denies from Same Source
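The three use cases above are implemented in ArcSight as rules over the package's filters. As an added illustration that is not part of the Activate package, the Python below models the same logic over a handful of constructed CEF-style firewall events: cleartext protocol accepted across the perimeter, deny counts per destination or per source, and a source that is accepted after repeated denies. The perimeter definition (RFC 1918 10.0.0.0/8 as internal), the cleartext port list, the thresholds, and the minimal CEF parser are all assumptions made for this example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample events in CEF form (not real device output).
# List order is taken as time order.
SAMPLE_EVENTS = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=203.0.113.7 dst=10.1.1.20 dpt=445 act=deny",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=203.0.113.7 dst=10.1.1.20 dpt=139 act=deny",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=203.0.113.7 dst=10.1.1.20 dpt=3389 act=deny",
    "CEF:0|Cisco|ASA|9.1|302013|Built connection|2|src=203.0.113.7 dst=10.1.1.20 dpt=22 act=accept",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=198.51.100.4 dst=10.1.1.20 dpt=445 act=deny",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|4|src=198.51.100.5 dst=10.1.1.20 dpt=445 act=deny",
    "CEF:0|Cisco|ASA|9.1|302013|Built connection|2|src=10.2.2.15 dst=198.51.100.80 dpt=23 act=accept",
    "CEF:0|Cisco|ASA|9.1|302013|Built connection|2|src=10.2.2.15 dst=10.3.3.9 dpt=23 act=accept",
]

# Assumption: the internal side of the perimeter is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: destination ports treated as cleartext protocols.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def parse_cef(line):
    """Minimal CEF parser: 7 pipe-separated header fields, then key=value extensions.
    Assumes extension values contain no spaces (enough for these sample lines)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    event = {"vendor": parts[1], "product": parts[2], "name": parts[5]}
    for kv in parts[7].split():
        key, _, value = kv.partition("=")
        event[key] = value
    event["dpt"] = int(event["dpt"])
    return event


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def crosses_perimeter(event):
    """True when exactly one endpoint is inside the internal address space."""
    return is_internal(event["src"]) != is_internal(event["dst"])


def cleartext_crossing_perimeter(events):
    """Use case 1: accepted traffic on a cleartext port that crosses the perimeter."""
    return [
        (e["src"], e["dst"], CLEARTEXT_PORTS[e["dpt"]])
        for e in events
        if e["act"] == "accept" and e["dpt"] in CLEARTEXT_PORTS and crosses_perimeter(e)
    ]


def count_denies(events, field, threshold):
    """Use cases 2 and 3 (deny counting): denies grouped by `field` ("dst" or "src")
    that reach `threshold`. A higher threshold models the 'high volume' variant."""
    counts = Counter(e[field] for e in events if e["act"] == "deny")
    return {key: n for key, n in counts.items() if n >= threshold}


def denies_then_accept_same_source(events, threshold):
    """Use case 3: a source denied at least `threshold` times and then accepted.
    Returns (src, denies_before_accept, dst, dpt) for each accept that follows the denies."""
    denies_seen = defaultdict(int)
    hits = []
    for e in events:
        if e["act"] == "deny":
            denies_seen[e["src"]] += 1
        elif e["act"] == "accept" and denies_seen[e["src"]] >= threshold:
            hits.append((e["src"], denies_seen[e["src"]], e["dst"], e["dpt"]))
    return hits


def run_use_cases(lines=SAMPLE_EVENTS):
    events = [parse_cef(line) for line in lines]
    return {
        "cleartext_crossing": cleartext_crossing_perimeter(events),
        "multiple_denies_same_dst": count_denies(events, "dst", 5),
        "high_volume_denies_same_dst": count_denies(events, "dst", 20),
        "multiple_denies_same_src": count_denies(events, "src", 3),
        "denies_then_accept_same_src": denies_then_accept_same_source(events, 3),
    }


if __name__ == "__main__":
    for name, result in run_use_cases().items():
        print(name, "->", result)
```

The port-based cleartext check is deliberately simple; in production the package relies on the normalized protocol fields that the connectors populate, and thresholds are tuned per environment rather than fixed in code.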

Supported Log Sources

Here are the log source types supported by this package as delivered:
Vendor        Product                Version(s)   Comments
Check Point   VPN-1 and FW-1
Cisco         ASA
Cisco         Sourcefire
Cisco         Sourcefire FireSight
TippingPoint  Unity One IPS
Blue Coat     Proxy SG
AWS           VPC Flow

Package Download Instructions

The latest package can be downloaded from the ArcSight Marketplace.

Package Installation

Prerequisites

Ensure that the following steps are completed:
  • The Activate Base package version 2.5.2.0 or newer is installed (required package).
  • The ESM is set up to sort packages by their IDs.

Package Install

Follow the installation guide to install the package.

Package Configuration

Product packages are expected to hook into these filters:
1. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Firewall Accept Traffic
2. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Firewall Deny Traffic
3. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Proxy Accept Traffic
4. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Proxy Deny Traffic
5. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Flow Accept Traffic
6. /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Flow Deny Traffic

Test Plan

L1PerimeterMonitoringTestPlan provides methodology for testing this package.

Extensibility

Ideas on how to extend the package to new log sources and new use cases.

Resources

The link below contains a table of all resources included in this package:

L1PerimeterMonitoringResources

-- AlexandraLomotan - 19 Jul 2016
Topic revision: r10 - 20 May 2019, EstebanHerrera
