Cfir Homeri, Security Presales - Central Eastern Europe, [email protected]

The New ArcSight Architecture
User | Cloud | App Servers & Workloads | Network | Endpoints | IoT | Physical
ARCSIGHT ENTERPRISE SECURITY MANAGER - 24x7 Real-time Monitoring & Correlation
UEBA - User Entity Behavior Analytics
ARCSIGHT LOGGER - Compliance | Search | Retention
ARCSIGHT INVESTIGATE - Hunt | Investigation
SECURITY OPEN DATA PLATFORM
MANAGEMENT CENTER - Suite Management & Administration
TRANSFORMATION HUB - Information delivery
SMART/FLEX CONNECTORS - Data Collection, Enrichment, and Normalization
CONTENT - Unified | Actionable | Insight
WEB CONSOLE - Accessible Monitoring & Platform Management
ArcSight ESM 7.2
Release Summary
Release Name: ArcSight ESM 7.2.0
GA Date: December 4, 2019
Gen10 Appliance GA Date: January 10, 2020
Key Themes: [Simple, Intelligent, Open, Converged (Sentinel, Interset, ArcSight), etc]
Release Highlights / What’s New?
1. Global Event ID
2. Rules Action
3. AutoPass licensing support and Event Ingestion Metrics
4. MITRE ATT&CK Dashboard
5. Default content available on installation
Global Event ID
ESM 7.2 includes the new Global Event ID feature. SODP assigns a unique event ID to each security event being ingested and distributed. That ID will stick with the event as it moves to and through ArcSight Logger, ESM, and Investigate.
Benefits to the customer: Global Event ID helps customers track unique security events across their entire ArcSight ecosystem. They can quickly search for a specific event and verify that it is the one they are looking for. This facilitates threat investigation and cross-portfolio event analysis.

Global Event IDs
Global Event IDs (GEID) uniquely identify an event in the ArcSight product suite. The ESM event schema now includes a Global Event Id field in addition to the Event Id field.
GEIDs are generated using a GEID generator id. The generator id is specified during a fresh install/upgrade and should ideally stay the same for the lifetime of the product.
The generator id must be unique for each ArcSight product (e.g. connectors/ESM/Logger etc.) in an ArcSight deployment.
Events received by ESM from external sources (connectors/TH) should have their GEIDs set by the external source. Only connector versions 7.12 and later support GEIDs in events.
Events generated internally by ESM (correlation events, audit events, monitor events etc.) have their GEIDs set by ESM.

Global Event ID - Where GEIDs can be viewed
GEIDs can be viewed in Active Channels, Filters, Query Viewers etc., i.e. everywhere Security Event fields can be viewed.
Note that if the event source (connectors/TH) does not send events with the GEID set, ESM will not set it.
Events archived in previous versions of ESM, prior to upgrade, will not have GEIDs set upon reactivation.

Rules Action Improvement
Improve concurrency of deferred rules action execution
Capture the result of external scripts

Rules Action -- Improve the Concurrency
Multiple threads handle rules deferred actions.
Actions within one rule are executed in sequence.
The number of threads that process rules deferred actions is configurable: in server.properties, set rules.action.threads.

Rules Action -- Capture the result of external scripts
The result of executing a rules action is saved in the action event, e.g. ExecuteCommand:Success.
The following fields are used to save the result in the action event:
Device Custom Number 1: Return value
Device Custom Number 2: Execution time
Device Custom String 5: Console output – only when there is an error in execution. Limited to 200 characters.

Rules Action -- Capture the result of external scripts
Return value error codes:
0: Success
1000: Invalid platform
1001: Exception in executing the script
Other value: Returned by the script
If a script returns a non-zero value (error), its console output is stored in Device Custom String 5.
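As an added illustration (not code from the deck or from ArcSight), the following Python sketch mirrors the result capture the two slides describe: it runs an external action script, records the return value and execution time, and keeps at most 200 characters of console output only when the script failed. The JSON-style field names, the "ExecuteCommand:Failure" event name and the run_python_snippet helper are assumptions made for the demo.

```python
"""Added example: capture an external rule-action script's result the way the slides describe.

The action event carries the return value, the execution time and, only when the script
failed, up to 200 characters of console output. Field names follow the slides; the
"ExecuteCommand:Failure" event name is an assumption for this demo.
"""
import subprocess
import sys
import time

# Return values reserved by ESM according to the slides; anything else comes from the script.
RC_SUCCESS = 0
RC_INVALID_PLATFORM = 1000
RC_SCRIPT_EXCEPTION = 1001
CONSOLE_OUTPUT_LIMIT = 200  # Device Custom String 5 is limited to 200 characters


def run_action_script(argv, timeout_s=30):
    """Run the script and return a dict shaped like the action event fields.

    deviceCustomNumber1: return value
    deviceCustomNumber2: execution time in milliseconds
    deviceCustomString5: console output, populated only for a non-zero return value
    """
    started = time.monotonic()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s)
        rc = proc.returncode
        console = proc.stdout + proc.stderr
    except (OSError, subprocess.SubprocessError) as exc:
        # A script that cannot be started (or, in this demo, times out) maps to 1001.
        rc = RC_SCRIPT_EXCEPTION
        console = repr(exc)
    elapsed_ms = int((time.monotonic() - started) * 1000)

    event = {
        "name": "ExecuteCommand:Success" if rc == RC_SUCCESS else "ExecuteCommand:Failure",
        "deviceCustomNumber1": rc,
        "deviceCustomNumber2": elapsed_ms,
        "deviceCustomString5": None,
    }
    if rc != RC_SUCCESS:
        # Console output is only kept on error, truncated to the 200-character limit.
        event["deviceCustomString5"] = console.strip()[:CONSOLE_OUTPUT_LIMIT]
    return event


def run_python_snippet(code, timeout_s=30):
    """Run an inline Python snippet as the action script (handy for demos and tests)."""
    return run_action_script([sys.executable, "-c", code], timeout_s)


def failed_actions(action_events):
    """Select action events whose script did not succeed, e.g. to feed a query viewer or a rule."""
    return [e for e in action_events if e["deviceCustomNumber1"] != RC_SUCCESS]


if __name__ == "__main__":
    # Constructed demo: a script that fails with return value 3 and writes to the console.
    for ev in failed_actions([run_python_snippet("import sys; print('disk full'); sys.exit(3)")]):
        print(ev)
```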

Scheduled Rules
What are scheduled rules?
Query historical events
Run at a specified time interval (hourly, daily, weekly)
The scheduled rules engine is a batch rules engine that filters historical events, generates correlation events and executes rule actions, like the real-time rules engine.

45-day EPS median report
With the new licensing model, ESM generates a 45-day median report every day at 23:59:59 UTC.
ESM maintains a history of average EPS, SEPS, MMEPS and license capacity.
The history of license usage is maintained in the MySQL database table arc_epd_stats.

Calculations
EPD – Events Per Day is the total number of events generated in a twenty-four hour clock period.
SEPS – Sustained EPS is the “constant” Events Per Second that the system sustained within the twenty-four hour clock period. The formula used for this calculation is (EPD/((60*60)*24)).
MMEPS – Utilizing the SEPS information recorded per day, the Moving Median value is calculated using a 45-day data set, shifting the calculation window one day every twenty-four hours after the first 45 days.
The median is calculated by sorting SEPS over the 45-day range and taking the middle value, or the average of the two middle values when an even number of SEPS values is available.

MMEPS Calculation
For days 1..45 there isn't enough SEPS collected yet to compute the MMEPS, so an "approximate" MMEPS is displayed:
on day 2, this is the SEPS for day 1
on day 3, this is the average of the SEPS for days 1 and 2
on day 4, this is the median SEPS for days 1..3
and so on until day 46, when there are 45 days of SEPS and a real MMEPS can be computed.
To distinguish the "approx." MMEPS from the real MMEPS, the former is shown in gray, while the latter is shown in green/yellow/red.
Reference: https://wiki.arst.hpeswlab.net:8443/display/DEV/45-day+Moving+Median+EPS+Report+on+ACC
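An added worked example (not from the deck, and not ESM's own implementation) that recomputes SEPS and the approximate/real MMEPS series from a constructed EPD history, following the SEPS formula and the day 2..46 schedule on the last two slides. days_over_capacity is an assumed helper that compares the real MMEPS against a licensed EPS value.

```python
"""Added example: recompute the 45-day EPS report figures from a per-day event count history."""
from statistics import median

WINDOW_DAYS = 45
SECONDS_PER_DAY = 60 * 60 * 24


def seps(epd):
    """Sustained EPS for one day, per the slides: EPD / ((60*60)*24)."""
    return epd / SECONDS_PER_DAY


def mmeps_history(epd_by_day):
    """Return one record per day with that day's SEPS and the MMEPS as the report would show it.

    Day 1 has no prior SEPS, so its MMEPS is None. Days 2..45 get an "approximate" MMEPS,
    the median of the SEPS collected so far (day 2: day 1's SEPS; day 3: average of days 1-2;
    day 4: median of days 1..3). From day 46 on, the real MMEPS is the median of the previous
    45 days, and the window shifts forward one day at a time.
    """
    seps_values = [seps(e) for e in epd_by_day]
    history = []
    for day_index, today_seps in enumerate(seps_values):
        prior = seps_values[:day_index]  # SEPS for days 1 .. day-1
        if not prior:
            value, approximate = None, True
        elif len(prior) < WINDOW_DAYS:
            value, approximate = median(prior), True  # shown in gray
        else:
            value, approximate = median(prior[-WINDOW_DAYS:]), False  # shown in green/yellow/red
        history.append({"day": day_index + 1, "seps": today_seps,
                        "mmeps": value, "approximate": approximate})
    return history


def days_over_capacity(history, licensed_eps):
    """Days on which the real (non-approximate) MMEPS exceeded the licensed EPS (assumed helper)."""
    return [h["day"] for h in history if not h["approximate"] and h["mmeps"] > licensed_eps]


if __name__ == "__main__":
    # Constructed history: day n generated n * 86400 events, i.e. SEPS == n.
    demo = mmeps_history([n * SECONDS_PER_DAY for n in range(1, 51)])
    for record in demo[:4] + demo[44:47]:
        print(record)
    print("days over 25 EPS:", days_over_capacity(demo, 25))
```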

Accessing the report
Stats page - https://<esm_host>:8443/www/ui-phoenix/com.arcsight.phoenix.PhoenixLauncher/#eventStatistics
CLI tool – exports to a CSV file - bin/arcsight licenseusageexporter
License Metrics
ESM New Content for 7.2

Agenda
Overview
New Default Content
MISP Model Import Connector
Threat Intelligence Platform
Security Threat Monitoring
MITRE Tagging
Integration Command
Updates to Existing Content

What is MITRE ATT&CK?
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK™ includes 3 major components: Matrices, Tactics and Techniques.

MITRE ATT&CK Dashboard
What:
Dashboard showing events that match the MITRE ATT&CK matrix.
Why:
Having content that tags MITRE ATT&CK use cases enables the SOC to identify the threats the enterprise is facing.
The dashboard provides an intuitive visualization of the threats identified.
The Basics – The Pyramid of Pain
MITRE ATT&CK – Blueprint for Attack Tactic & Techniques

Visualization
Datasource: /All Active Lists/ArcSightFoundation/MITRE ATT&CK/Rules Triggered with Mitre ID
Details

MITRE ATT&CK Activity Dashboard
A special visualization, showing a tree-view structure: MITRE ATT&CK tactics in the middle + techniques as the branches.
MITRE ATT&CK Activity Dashboard with Drilldown
1) User selects “MITRE Activity” from the main dashboards.
2) Within the tree visualization, user selects a specific technique.
3) All real-time correlation rules related to that alert are shown on the right, along with more MITRE-related information.
4) When clicked, a special channel opens up with *ONLY* those events related to the selected technique.

MITRE ATT&CK Activity Dashboard
Drilldown Steps
1) User selects “MITRE Technique” from the main dashboard. E.g. “Brute Force”
2) All real-time correlation *rules* related to that alert are shown on the right, along with more MITRE-related information.
3) When a specific ‘rule’ is clicked (e.g. “Brute Force OS and Application Attempts”), a special channel opens up with *ONLY* those events related to that rule.

MITRE ATT&CK Activity Dashboard
With Drilldown
1) The special active channel opens up *ONLY* those special events related to the rule, associated with the chosen MITRE Technique: “Brute Force”
2) All other MITRE ATT&CK artifacts are displayed in the channel.
MITRE ATT&CK Overview Dashboard
MITRE ATT&CK Matrix Overview Dashboard
MITRE ATT&CK-tagged correlated alerts/events and specific dashboards per MITRE Tactic and MITRE Technique ID are provided OOTB and as a downloadable MITRE ATT&CK Content Pack.
Content: MISP as a Threat Intelligence Feed

What is MISP?
MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing, a community-driven platform
It has become an invaluable platform for NATO, European governments and CERTs.
It is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

MISP as a Threat Intelligence Feed for ArcSight
A new Model Import Connector (MIC) for MISP has been developed.
The Threat Intelligence Feed from MISP can be imported directly into ESM using this new MIC.
The new Threat Intelligence Platform content utilizes this MISP data.

5 x ESM Active Lists - Always up-to-date through the MISP CRCL Model Import Connector.
Suspicious Email List @ ArcSight ESM
Suspicious Domain List @ ArcSight ESM
Suspicious Filehashes @ ArcSight ESM
Suspicious Full URL List @ ArcSight ESM

Design Overview
2 new packages – Security Threat Monitoring and Threat Intelligence Platform

Content: Threat Intelligence Platform

Intelligence feed from MISP
The Threat Intelligence Platform (TIP) package detects security threats based on the data feed from MISP, which is collected by the MIC.
Customers can also import a feed from another source into ESM, using the same active list format.

Use cases for Threat Intelligence Platform
Global Variables
Rules
Reputation Data Overview

Content: Security Threat Monitoring

Use Cases for Security Threat Monitoring
The Security Threat Monitoring package detects attacks based on security logs from firewalls, IDS/IPS, OS, proxies, scanners etc.
Use Cases
Rules

Example - Entity Monitoring
Resources:
2 Active Channels
2 Dashboards
13 Rules
7 Data Monitors
13 Filters
3 Fieldsets

MITRE ATT&CK Framework for ArcSight ESM
The MITRE Framework for ArcSight ESM is a set of ArcSight resources that monitor MITRE ATT&CK rules and includes the following end-user resources:
2 Dashboards
1 Active Channel
1 Integration Command
1 Report

MITRE ATT&CK Framework for ArcSight ESM
The MITRE Technique is mapped to ArcSight Rules

Examples: MITRE ATT&CK Overview Dashboard

Examples: MITRE ATT&CK Targets Overview Dashboard
Brute force
Exploit of remote service

Integration Commands
2 Integration Commands
Logger 7.0

What’s New
24 TB of event storage per Logger
New Search UI
Search based on event occurred time
EPS Licensing
Reporting:
Data Science – Ability to use Python’s Data Science/Predictive analytics capabilities with Reporting
Reporting on ArcSight Investigate – Investigate’s Vertica database can be added as a data source in Logger Reporting, allowing reports to be created on Investigate data.
IP to GeoMapping – Ability to convert IP addresses to Geo Locations and create maps within Reports.
Out of the Box Content updates
Bonding/Trunking of NICs for Appliances
Gen 10
Peer search and reporting perf improvements (Internal Test Metrics Available!!!)

24 TB of Storage
Why?
Need to collect more data, from more sources, and retain it for longer.
Adding more Loggers is one solution.
Adding more storage to a Logger is another solution.

24 TB of Storage - Storage Group, Storage Volume
24 TB in Storage Volume.
12 TB for Default Storage Group and 5GB for Internal

UI Improvements – Search
Event Grid
Drag and Drop Columns
Resizable columns
Three types of Events results Grid: Grid View, Raw Event View, Column View
Event Details
Hide/show null field values
Expand/collapse field categories
Event Comparison
Query Syntax Highlight
Open Filter and Saved Search
Field set selector
New Search UI - Query with Syntax Highlight
New Search UI - Grid View
New Search UI - Grid + Raw Event View
New Search UI - Raw Event View
New Search UI - Event Details
New Search UI - Compare Events
Logger Gen 10 (Tentative GA – Jan 4th 2020)
DL 360 Gen 10 L7700 Spec
2 x Xeon-G 5118
2 x 12 core = 24 cores
12 x 16 GB = 192 GB RAM
10 GB NIC
2 port Ethernet
2 port SFP
4 x 10TB SAS 7.2K LFF = 40TB HDD
30 TB with RAID 5
24 TB of live Event Data

Reporting – Data Science
In Logger reporting, Python data science can be used to extract knowledge and gain insights from the security data collected in Logger.
The Python installed on the OS (Redhat/CentOS) is used.
Data Science libraries are included in the Logger bits: scikit_learn, numpy, pandas, etc.
Turned off by default; see the Admin Guide note on turning on Data Science.
Python can be used for non-data-science aspects as well.

Data Science / Predictive Analytics
Create Query object (MySQL / Logger search Query)
Data Science Step (Python Script: learning and predicting)
Format/Other steps
Create Report (Grid, Chart)
Data Science Engine component – while creating a reporting Query Object
Python Script of Data Science Engine component
66
Sample Data Science Usecase
Analyze firewall traffic by port and determine the probability of success for traffic to each port.
Compare future events to see whether they conform to the model (i.e. if 90% of the traffic on port 1234 fails, every successful access attempt on that port needs attention).
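The "learning and predicting" step of the reporting pipeline above and the per-port firewall use case, as an added example in plain Python. This is not Logger's own Data Science step code and not the author's script; it uses only the standard library so it runs stand-alone, although the same logic would fit inside a Logger Python step using the pandas/scikit-learn libraries the slides mention. The firewall events are constructed sample data, and the port numbers, the `min_events` guard and the 10% success threshold are assumptions.

```python
from collections import defaultdict

# Constructed firewall events in the shape a Logger search or MySQL
# query step might hand to the Python step: (destination port, outcome).
# Not real customer data.
TRAINING_EVENTS = (
    [(1234, "fail")] * 9 + [(1234, "success")]          # 90% fail on 1234
    + [(443, "success")] * 48 + [(443, "fail")] * 2     # 96% success on 443
    + [(3389, "fail")] * 3                              # too few samples
)


def learn_port_model(events, min_events=5):
    """Learning step: per-port success probability.

    Returns {port: P(success)} for ports with at least min_events
    observations (assumed guard); rarer ports are left out so that a
    handful of packets cannot define a baseline.
    """
    success = defaultdict(int)
    total = defaultdict(int)
    for port, outcome in events:
        total[port] += 1
        if outcome == "success":
            success[port] += 1
    return {
        port: success[port] / total[port]
        for port in total
        if total[port] >= min_events
    }


def score_event(model, port, outcome, max_success_rate=0.10):
    """Predicting step: classify one new event against the model.

    'alert'    : a success on a port where successes are rare
                 (P(success) <= max_success_rate), the case the slide
                 says needs attention
    'expected' : the event conforms to the learned behaviour of the port
    'unknown'  : the port has no baseline yet (too few training events)
    """
    if port not in model:
        return "unknown"
    if outcome == "success" and model[port] <= max_success_rate:
        return "alert"
    return "expected"


def flag_events(model, events, **kwargs):
    """Return only the (port, outcome) pairs that deviate from the model,
    i.e. what a report grid would list for the analyst."""
    return [
        (port, outcome)
        for port, outcome in events
        if score_event(model, port, outcome, **kwargs) == "alert"
    ]


if __name__ == "__main__":
    model = learn_port_model(TRAINING_EVENTS)
    new_events = [(1234, "fail"), (1234, "success"),
                  (443, "success"), (3389, "success")]
    for port, outcome in new_events:
        print(port, outcome, score_event(model, port, outcome))
```

The model is deliberately a plain frequency table: for a report that runs on a schedule, a baseline that the analyst can read off a grid is easier to trust than an opaque classifier, and ports without enough history are reported as "unknown" rather than silently treated as normal.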
67
Reporting on ArcSight Investigate
Configure Vertica
Create Query Object
Create Reports
Schedule
Publish
Export
Charts / Maps
Data Science
68
Reporting – IP to Geo
The MaxMind library is used for converting IP addresses to geolocation.
The latest MaxMind data is available with Logger 7.0
The context updates used by ESM will be used by Logger as well
  Download the context update file from the Entitlements portal
  Logger Configuration -> Import Content
69
Report with IP to Geo – Recon Activity
70
Logger Out of the Box Content
Major rework of content after 4 years
100+ New Reports
  Device Monitoring – OS, Anti-Virus, Networking, IDS-IPS, DGA, etc.
  Foundation – Intrusion, MITRE, Networking, Vulnerability, etc.
  OWASP
  Cloud – CSA Treacherous 12
8 New Dashboards
  Malware Overview
  DGA
  MITRE
  Attack and Suspicious Activity, etc.
71
OWASP\A 7 - Cross-Site Scripting\XSS Vulnerabilities (Top Events)
72
OWASP\A 2 - Broken Authentication\Broken Authentication Events (Signatures)
73
MITRE Events
74
MITRE - Radar Overview
75
DGA – Clients by Outgoing Bytes to DGA Domains
76
DGA Domains by Client IP Overview
Good for spotting DNS tunnelling from the graph alone
77
DGA – Radar Overview
78
DGA Dashboard