L1 Physical Security Monitoring

Introduction

The "L1-Physical Security - Indicators and Warnings" package currently focuses on swipe-card activity, motion, alarm and camera systems. Defenders often install badging, cameras, security guards or other detection techniques for physical security and monitoring, and the use cases in this package cover all of these physical-security activities.

The L1-Physical Security - Indicators and Warnings package is designed to monitor physical access control in an organization and to track badge access activity. This package has to be integrated with a Product Package that tracks physical access control activities. It can also be integrated with, but does not require, the L2-Physical Security - Situational Awareness package for further detection and investigation.

Current version: 1.0.0.2 (L1-Physical_Security_-_Indicators_and_Warnings_1.0.0.2.arb)

What's new in the updated version?
  • The package has been linked to MITRE ID T1360

Use Case Summary

The L1 Physical Security package provides the following Use Cases:
  • Badge Access Denied on Multiple Doors
  • Badge Access Denied on Same Door
  • Badge Access Event Details

Supported Log Sources

The log source types supported by this package as delivered are:

| Vendor | Product | Version(s) | Comments |
| Lenel | OnGuard | | Requires FlexConnector - see attached |

Download Instructions

The latest version of this package can be downloaded from the Marketplace.

Prerequisites

Ensure the following prerequisite is met:
  • Version 2.5.0.0 and later

Installation

1. Copy the L1PhysicalSecurityIndicatorsandWarningsInstallAndUpdate_1.0.0.1.bat file and the L1-Physical_Security_-_Indicators_and_Warnings_1.0.0.1.arb file to the "current" directory of the Console installation, e.g. c:\arcsight\console\current

2. Open a command prompt and navigate to the "current" directory of your console.
(Screenshot: 1.PNG)

3. Execute the L1PhysicalSecurityIndicatorsandWarningsInstallAndUpdate_1.0.0.1.bat file to install the package.

4. You will be prompted to enter the manager hostname, username and password. Note that the password is displayed in clear text.
(Screenshot: 2.PNG)

5. Once the package installation is complete, an "Install complete" message is shown on the command prompt for both L1-Physical Security Indicators and Warnings and the L1-Physical Security Indicators and Warnings customization package.

6. After the update, your packages in ArcSight ESM will look like the screenshot to the right. If you run into any issues, the errors are displayed in the command prompt window.

7. To the right is the screenshot of the customization package being installed successfully.

8. After the installation is complete you can delete the following files from ARCSIGHT HOME:
L1-Physical_Security_-_Indicators_and_Warnings.arb and L1PhysicalSecurityIndicatorsandWarningsInstallAndUpdate_1.0.0.1.bat

Content Hooks for Product Packages

The following filters have to be configured with the corresponding filters from the product packages.

| Filter | URI in L1 Physical Security | Description |
| All Badge Events | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/All Badge Events | Identifies all Badge Access events. |
| Badge Access Denied at the Same Door | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/Badge Access Denied at the Same Door | Identifies events where Badge Access was denied at the same door. |
| Badge Access Denied Events | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/Badge Access Denied Events | Identifies all Badge Access Denied events. |
| Badge Access Granted But No Entry Taken Events | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/Badge Access Granted But No Entry Taken Events | Identifies events where Badge Access was granted but no entry was taken. |
| Badge Access Granted Events | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/Badge Access Granted Events | Identifies all successful Badge Access Granted events. |
| Invalid Card Format Events | /All Filters/ArcSight Activate/Solutions/Physical Security/Indicators and Warnings/Invalid Card Format Events | Identifies events with an invalid card format. |

The P-Lenel OnGuard package has been used to conduct end-to-end tests of the above filters of the L1-Physical Security package.
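As an added example (not part of this package or of the ArcSight product), the following Python script applies the use cases listed under "Use Case Summary" and the filter semantics from the content-hook table above to a handful of constructed badge-access events. The event layout (timestamp, badge, door, outcome), the outcome strings, the threshold of three denials, and the five-minute and thirty-second windows are all assumptions made for illustration; the package's real rules and filters run inside ESM and are not reproduced here.

```python
"""Toy correlation of badge-access events for the L1 Physical Security use cases.

Added example, not the package's own rules. Field names, outcome strings,
thresholds and windows are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, badge id, door id, outcome).
# The outcome strings mirror the filter names in the content-hook table.
SAMPLE_EVENTS = [
    ("2020-02-13 07:10:00", "BADGE-1001", "DOOR-LOBBY",  "Access Denied"),
    ("2020-02-13 07:10:30", "BADGE-1001", "DOOR-LOBBY",  "Access Denied"),
    ("2020-02-13 07:11:00", "BADGE-1001", "DOOR-LOBBY",  "Access Denied"),
    ("2020-02-13 07:12:00", "BADGE-2002", "DOOR-LOBBY",  "Access Denied"),
    ("2020-02-13 07:13:00", "BADGE-2002", "DOOR-SERVER", "Access Denied"),
    ("2020-02-13 07:14:00", "BADGE-2002", "DOOR-LAB",    "Access Denied"),
    ("2020-02-13 07:20:00", "BADGE-3003", "DOOR-SERVER", "Access Granted"),
    ("2020-02-13 07:20:05", "BADGE-3003", "DOOR-SERVER", "Door Not Opened"),
    ("2020-02-13 07:25:00", "BADGE-4004", "DOOR-LOBBY",  "Access Granted"),
    ("2020-02-13 07:25:03", "BADGE-4004", "DOOR-LOBBY",  "Door Opened"),
    ("2020-02-13 07:30:00", "BAD-FORMAT", "DOOR-LOBBY",  "Invalid Card Format"),
]


def parse(events):
    """Turn raw tuples into dicts with real datetime objects, sorted by time."""
    parsed = [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "badge": badge, "door": door, "outcome": outcome}
        for ts, badge, door, outcome in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def denied_same_door(events, threshold=3, window=timedelta(minutes=5)):
    """Use case 'Badge Access Denied on Same Door': the same badge is denied
    at the same door `threshold` or more times inside any `window`."""
    by_key = defaultdict(list)
    for e in parse(events):
        if e["outcome"] == "Access Denied":
            by_key[(e["badge"], e["door"])].append(e["ts"])
    alerts = set()
    for key, times in by_key.items():
        for i, t0 in enumerate(times):
            # Count denials in the window that starts at this denial.
            in_window = sum(1 for t in times[i:] if t - t0 <= window)
            if in_window >= threshold:
                alerts.add(key)
                break
    return sorted(alerts)


def denied_multiple_doors(events, min_doors=3, window=timedelta(minutes=5)):
    """Use case 'Badge Access Denied on Multiple Doors': the same badge is
    denied at `min_doors` or more distinct doors inside any `window`."""
    by_badge = defaultdict(list)
    for e in parse(events):
        if e["outcome"] == "Access Denied":
            by_badge[e["badge"]].append((e["ts"], e["door"]))
    alerts = set()
    for badge, hits in by_badge.items():
        for i, (t0, _) in enumerate(hits):
            doors = {door for t, door in hits[i:] if t - t0 <= window}
            if len(doors) >= min_doors:
                alerts.add(badge)
                break
    return sorted(alerts)


def granted_no_entry(events, grace=timedelta(seconds=30)):
    """Filter 'Badge Access Granted But No Entry Taken': a grant at a door that
    is not followed by a 'Door Opened' event at that door within `grace`."""
    parsed = parse(events)
    flagged = []
    for g in parsed:
        if g["outcome"] != "Access Granted":
            continue
        opened = any(
            e["door"] == g["door"] and e["outcome"] == "Door Opened"
            and g["ts"] <= e["ts"] <= g["ts"] + grace
            for e in parsed
        )
        if not opened:
            flagged.append((g["badge"], g["door"]))
    return flagged


def invalid_card_format(events):
    """Filter 'Invalid Card Format Events': plain selection on the outcome."""
    return [(e["badge"], e["door"]) for e in parse(events)
            if e["outcome"] == "Invalid Card Format"]


if __name__ == "__main__":
    print("Denied, same door     :", denied_same_door(SAMPLE_EVENTS))
    print("Denied, multiple doors:", denied_multiple_doors(SAMPLE_EVENTS))
    print("Granted, no entry     :", granted_no_entry(SAMPLE_EVENTS))
    print("Invalid card format   :", invalid_card_format(SAMPLE_EVENTS))
```

On the constructed data, BADGE-1001 trips the same-door rule (three denials at DOOR-LOBBY within a minute), BADGE-2002 trips the multiple-doors rule (three distinct doors in two minutes), and BADGE-3003's grant at DOOR-SERVER is flagged because no "Door Opened" event follows it, while BADGE-4004's grant is not. The windows are evaluated from each denial forward, which is the simplest way to approximate a sliding time window without a real correlation engine.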

Uninstallation Procedure

To uninstall L1-Physical Security - Indicators and Warnings, perform the steps below. Note that uninstalling L1-Physical Security - Indicators and Warnings also uninstalls L2-Physical Security - Situational Awareness, since the Situational Awareness package depends on it.

1. In the ArcSight ESM Console, navigate to the "Packages" tab and right-click the L1-Physical Security - Indicators and Warnings package.

2. Click "Delete Package".
3. Since the L2 package is linked to the L1 package, you are offered the option to remove the link as well. Click "Delete".
4. Select "Delete All Resources and Packages", or whichever option fits your requirement, and click OK.
  • Due to the package dependency, uninstalling L1-Physical Security - Indicators and Warnings automatically uninstalls L2-Physical Security - Situational Awareness and L2-Physical Security - Situational Awareness - Active List. Note that uninstalling a package does not delete it, but deleting a package uninstalls and deletes that package and, automatically, all packages that depend on it.
  • Deleting L1-Physical Security - Indicators and Warnings therefore also deletes L2-Physical Security - Situational Awareness and L2-Physical Security - Situational Awareness - Active List.
  • Customization packages have to be deleted manually by following the procedure above, since they depend on Activate Base and deleting the L1 and L2 Physical Security packages does not affect them.

Test Plan

L1PhysicalSecurityTestPlan provides the methodology for testing this package.

Resources

The link below contains a table of all resources included in this package:
Topic attachments

| Attachment | Size | Date | Who | Comment |
| 1.PNG | 7.6 K | 13 Feb 2020 - 07:13 | DatNguyen | Physical Security |
| 2.PNG | 11.2 K | 13 Feb 2020 - 07:18 | DatNguyen | |
Topic revision: r7 - 13 Feb 2020, DatNguyen
