P-WebSense Web Security

This package provides content for WebSense Web Security that blocks web threats.

Main Use Cases

Below are the main use cases for this package:
  • All Permitted Traffic
  • All Blocked Traffic
  • All Exploit Traffic

Secondary Use Cases

  • Websense Dynamic Engine Engaged
  • Websense High Count of Uncategorized Traffic
  • Websense Malicious Embeds and Frames
  • Websense Proxy Avoidance
  • Websense Single Source of High Count of Uncategorized Events
  • Websense Suspect Category Traffic
  • Websense Threat Engine
  • Websense Web Service on Non-Typical Port

Additional Use Cases for User Authentication

  • Websense Authentication Anomalies
  • Websense User Location Anomalies

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor      Product     Version(s)   Comments
Websense    Security                 Notes

Device Configuration Procedure

PWebSenseWebSecurityDeviceConfiguration provides instructions on how to configure WebSense Security for this package.

Connector Installation

PWebSenseWebSecurityConnectorInstallation describes how to install and configure SmartConnector for this package.

Package Download Instructions

The latest package can be downloaded from the ArcSight Marketplace.

Package Installation

Introduction

*NOTE:* The latest WebSense Security package (1.3.0.0) installs as a fresh install or as an upgrade from version 1.1.0.1. If you have release 1.2.0.1 or 1.2.0.2, uninstall the previous package and then perform a fresh install of 1.3.0.0.

The installer script automatically manipulates files so that you keep your customizations while updates are pushed to the standard resources. If the packages in the bundle are instead installed via the console, your configuration will be overwritten and you will have to uninstall and reinstall this particular package.

Prerequisites

Ensure the following is complete:
  • Devices are configured as per the device configuration above
  • Connectors are configured as per the connector configuration above
  • Minimum Activate Base Package 2.5.0.0 has been installed (from P-Websense Security 1.3.0.0)
  • Ensure that the ESM is set up to sort packages by their IDs:
    - Open the ESM server.properties file (<ARCSIGHT_HOME>/manager/config)
    - Add the following line: export.archive.reference.sort.order=id
    - For ESM in Compact Mode: restart the ESM Manager
    - For ESM in Distributed Mode: restart the ESM Manager, Aggregator(s), and Correlator(s)
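The server.properties prerequisite above is the kind of edit that is easy to get wrong on a long-lived ESM host (key already present with another value, or present twice). The helper below is an added example, not part of this package or the Activate documentation: it adds export.archive.reference.sort.order=id when missing, corrects a wrong value, collapses duplicates, and reports whether anything changed (and therefore whether the Manager restart is still required). The file path is an assumed argument.

```python
from __future__ import annotations

import re
from pathlib import Path

# Property the package prerequisite requires in <ARCSIGHT_HOME>/manager/config/server.properties
SORT_KEY = "export.archive.reference.sort.order"
SORT_VALUE = "id"


def ensure_property(text: str, key: str = SORT_KEY, value: str = SORT_VALUE) -> tuple[str, bool]:
    """Return (updated_text, changed) for the contents of a Java-style properties file.

    - an active 'key=...' line with the wrong value is rewritten to 'key=value'
    - later duplicate 'key=...' lines are dropped (Java Properties is last-wins,
      so a stray duplicate could silently override the corrected value)
    - a missing key is appended; a commented-out '#key=...' line does not count
    - a file that already has exactly 'key=value' once is returned unchanged
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    out, found, changed = [], False, False
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            out.append(line)
            continue
        if found:  # duplicate occurrence: drop it
            changed = True
            continue
        found = True
        if m.group(1) != value:
            out.append(f"{key}={value}")
            changed = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
        changed = True
    result = "\n".join(out)
    if text.endswith("\n") or not text:
        result += "\n"
    return result, changed


def ensure_property_file(path: str | Path, key: str = SORT_KEY, value: str = SORT_VALUE) -> bool:
    """Apply ensure_property() to a file; True means it was modified and the ESM Manager
    (plus Aggregators/Correlators in Distributed Mode) must be restarted."""
    p = Path(path)
    original = p.read_text(encoding="utf-8") if p.exists() else ""
    updated, changed = ensure_property(original, key, value)
    if changed:
        p.write_text(updated, encoding="utf-8")
    return changed
```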

Package Installation Procedure

1. Download and extract the P-Websense_Security package into your ArcSight console's home directory.
2. Open a command prompt and navigate to ARCSIGHT_HOME.
3. Execute the P-Websense_Security_1.3.0.0.bat file to install the update.
4. You will be prompted to enter the manager hostname, username and password. The password is displayed in cleartext, so be aware of your surroundings when entering it.
5. After the installation, the package is listed among your packages in ArcSight ESM. If you run into any issues, the errors are displayed in the command prompt window.
6. You can now delete the following files from ARCSIGHT_HOME:

  • P-Websense_Security_Updated_<version>.arb
  • P-Websense_Security_1.3.0.0.bat


Content Hooks for Product Packages

As a guideline, follow the procedure below to configure your Product filters. The example demonstrates how to configure multiple Product filters with the "" filter:

1. In the Navigator panel select Filters, expand the tree to /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/ and double-click the All Proxy Accept Traffic filter.
2. In the Inspect/Edit panel select the Filter tab, select the event1 node and click Filters.
3. In the window that opens, select the /All Filters/ArcSight Activate/Core/Product Filters/Websense Security/Proxy Suspicious Events/All WebSense Permitted Taffic filter and click OK to close the window.
4. The filter /All Filters/ArcSight Activate/Core/Product Filters/Websense Security/Proxy Suspicious Events/All WebSense Permitted Taffic now appears selected in the Filter tab. If there are multiple Proxy products in the environment, add them joined within an OR statement.

Use the steps above to configure the following corresponding filters of the L1-Malware Monitoring - Indicators and Warnings package:

L1-Perimeter Monitoring

All Proxy Accept Traffic
  • L1-Perimeter Monitoring URI: /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Proxy Accept Traffic
  • P-Websense Security URI: /All Filters/ArcSight Activate/Core/Product Filters/Websense Security/Proxy Suspicious Events/All WebSense Permitted Taffic
All Proxy Deny Traffic
  • L1-Perimeter Monitoring URI: /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Proxy Deny Traffic
  • P-Websense Security URI: /All Filters/ArcSight Activate/Core/Product Filters/Websense Security/Proxy Suspicious Events/All WebSense Blocked Traffic

L1-Network Monitoring

All Proxy Exploitation Activity Events
  • L1-Network Monitoring URI: /All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All Proxy Exploitation Activity Events
  • P-Websense Security URI: /All Filters/ArcSight Activate/Core/Product Filters/Websense Security/Proxy Suspicious Events/All WebSense Exploit Traffic

If User Authentication is enabled and the corresponding use cases are desired, enable the following rules in /All Rules/Real-time Rules/ArcSight Activate/Solutions/Product Rules/Websense Security/Proxy Suspicious Events:
  • Websense Authentication Anomalies
  • Websense User Location Anomalies

Test Plan

PWebSenseWebSecurityTestPlan provides methodology for testing this package.

Extensibility

Ideas on how to extend the package for new log sources and new use cases.

Resources

The link below contains a table of all resources included in this package:
Topic revision: r6 - 18 May 2018, EstebanHerrera