L1 Physical Security Monitoring

This package so far focuses on swipe card activity, motion, alarm, and camera systems.

Team members:
  • Doug Henk
  • Chris Kaija
  • Ian Fitzgerald
  • Jan Stodola
  • Ray Cotten
  • Maulin Dalal

Use Case Summary

The Physical Security module provides the following Use Cases:
  • Track Access Activity
  • Badge Use at Unexpected Time or Place
  • Credential Compromised
  • Unauthorized Access
  • System Changes
  • Authorization Changes
  • System Monitoring

User Story Summary

  • Track Access Activity
    • Track User Activity at Locations within the Enterprise
    • Track User Activity at Locations by User Type
    • Track User Movement into/out of Critical Areas
    • Track All Events in Selected Areas
  • Badge Use at Unexpected Time or Place
    • Track User Activity to Critical Areas out of Hours
    • Badge Access Denied on Multiple Doors - Completed
    • Badge Access Denied on Same Door - Completed
    • All Badge Access Events Monitoring - Completed
    • All the Access Granted and Denied Events - Completed
    • Track Repeated Access Failures by User to single door
    • Track Successful Swipes with into multiple areas with no entry
    • Track Repeated Failed Swipe Attempts by User to different doors
    • Detect Anti Passback Activity
    • Unrecognized Badge
  • Credential Compromised
    • Badge Used at multiple locations in improbable time
    • Cardholder Swipe and Camera Image do not match
    • Card does not match Bio Data
    • Key Missing for Extended Period
    • Duplicate Badge Issued to cardholder
    • Track Badge Use when User is terminated, deactivated, reactivated, on vacation, expired, or has reported their badge lost or stolen
  • Unauthorized Access
    • Compromised Badge Used
    • Escorted Visitor Unescorted or Left Alone
    • Unescorted Visitor Failed Swipe
    • Use of Compromised Key
    • Key Used without Accessing an Electronic Key Safe
    • Unexpected Movement in a Critical Area with Camera Down
    • Unexpected Movement in a Critical Area with No Swipe
    • Violation of Two Person Integrity
    • Detect Tailgating
  • System Changes
    • Badge in + Device Added/Removed to Critical Host + Malicious software/process detected (CROSS LAYER USE CASE)
    • Badge in + Service stopped on Critical Host (CROSS LAYER USE CASE)
  • Authorization Changes
    • Track all System Admin/System Activity
    • Badge Added to User
    • Badge Removed from User
    • Privilege Added to Badge
    • Privilege Removed from Badge
    • Administrator User Created
    • Administrator User Deleted
    • Administrator User Rights Added
    • Administrator User Rights Removed
    • Detect Administrator assigning privileges to their own card
    • Use of Unapproved Admin Interface
  • System Monitoring
    • System Damaged (door forced, or equivalent)
    • System Failed (camera, motion, badge, alarm, door held open etc)
    • System Degraded (camera, motion, badge, alarm, etc)
    • Video Recorder not Recording
    • Management System Up/Down

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor Product Version(s) Comments
  CCecure   Requires FlexConnector - see attached
  Lenel   Requires FlexConnector - see attached

Download Instructions

The latest version of this package can be downloaded from the Marketplace.


Ensure the following is complete:
  • Activate Base Package (v2.5.0.0) has been installed


1. Copy L1-PhysicalSecurityv1002.bat file as well as the L1-Physical_Security - Indicators_and_Warnings.arbfile to the current directory on the path where the Console is installed i.e. c:\arcsight\console\current

2. Open a command prompt and navigate to the "current" directory of your respective console

3. Execute the L1-PhysicalSecurityv1002.batfile to install the package

4. You will be prompted to enter the manager hostname, username and password.The Password will be displayed in clear text

5. Once the package installation is complete, there will be "Install complete" message on your command prompt for L1-Physical Security Indicators and Warning and L1-Physical Security Indicators and Warnings customization

6. After the update, your packages in ArcSightESM will look like the screenshot to the right. If you run into any issues, the errors will be displayed in the command prompt window.

7. To the right is the screen shot for the customization package being installed successfully.

8. After the installation is complete you can delete the below files from ARCSIGHT HOME

L1-Physical_Security_-_Indicators_and_Warnings.arb and L1-PhysicalSecurityv1002.bat

Content Hooks for Product Packages

Below filters have to be configured with filters from product packages for triggering L1-User Monitoring - Indicators and Warnings rules.
Filters URI in L1 Physical Security Description
All Badge Events /All Filters/ArcSight Activate/Solutions/Physical Security/All Badge Events The Filters identifies all badge access events reported by the badge reader
Badge Access Denied Events /All Filters/ArcSight Activate/Solutions/Physical Security/Badge Access Denied Events The filter identifies all the Badge Access Denied Events
Badge Access Granted but No Entry Taken Events /All Filters/ArcSight Activate/Solutions/Physical Security/Badge Access Granted but Entry Not Taken Events The filter identifies the events for which the Badge Access was granted but the entry was not taken.
Badge Access Granted Events /All Filters/ArcSight Activate/Solutions/Physical Security/Badge Access Granted Events The filter identifies all the successful Badge Access Granted events
Badge Access Denied at the Same Door /All Filters/ArcSight Activate/Solutions/Physical Security/Badge Rejected at Same Door This filter identifies the events for which the badge access was denied at the same door.
Invalid Card Format Events /All Filters/ArcSight Activate/Solutions/Physical Security/Invalid Card Format Events This filter identifies events related to invalid card format

The P-Lenel Onguard package have been used to conduct end to end test with above filters of L1-Physical Security package.

Uninstalation Procedure

To uninstall the L1-Physical Security - Indicators and Warnings, perform the below mentioned steps. Please note, installation of L1-Physical Security - Indicators and Warnings would also led to the uninstallation of L2-Physical Security - Situational Awareness since the Situational Awareness package is depended on that.

1. In the ArcSight ESM Console, navigate to "Packages" tab and right click on L1-Physical Security-Indicators and Warning package.

2. Click on "Delete Package".
3. Since the L2 package is linked to L1 package, we get an option to remove the Link as well. Click "Delete".
4. Select "Delete All Resources and Packages" or select any appropriate option as per the requirement and Click OK.
  • Due to the package dependency, uninstallation of L1-Physical Security - Indicators and Warnings will led to automatic uninstallation of L2-Physical Security - Situational Awareness & L2-Physical Security - Situational Awareness - Active List. Please note, uninstallation of package doesn't mean the package will get deleted but deleting a package will led to its uninstallation and deletion of coresponding package and all those packages that depends on it automatically.
  • Deletion of L1-Physical Security - Indicators and Warnings will led to the deletion of L2-Physical Security - Situational Awareness & L2-Physical Security - Situational Awareness - Active List too.
  • Customization packages has to be deleted manually following the above mentioned procedure since it depends on Activate Base and deletion of L1 & L2 Physical Security package won't affect that.

Test Plan

L1PhysicalSecurityTestPlan provides the methodology for testing this package.


The link below contains a table of all resources included in this package:
Topic revision: r4 - 16 Aug 2018, EstebanHerrera


Activate Wiki

This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback