[ESM 6.9.1c] Hands on Network Modeling in four steps
After several days struggling with some minor issues, I came up with my lab network modeling.
This is just a demo of how useful network modeling is, using some of the available features such as Customers, Networks, Zones, Assets, Categories and Locations.
1st Step: Create a Customer and a Network - and also a Location - and configure them all to be assigned to each other, including the related connectors.
|Network & Location|
2nd Step: After that, create a Zone using your network (mine is a /24 network, from 192.168.21.1 to 192.168.21.254), as follows:
|Zone and Categories|
3rd Step: Include and configure your assets (mine, at this time, were only two assets, for testing purposes. One is my own machine, running a syslog daemon connector, and the other is our VMware ESXi server, where the HPE ArcSight ESM virtual machine, among others, is located). The configuration was made as follows:
|Asset 1 - My Own Machine (where a syslog daemon connector is installed)|
|Asset 2 - ESXi Server|
4th Step: Having all these settings done, set your connectors to operate using this model, not forgetting to send the network model via the context menu shortly after the following configuration is applied - note that this configuration must be repeated in every connector that you want to acquire modeling from the above structure:
*Default Tab: make sure you have selected the correct Zones from Source Zone URI through Device Translated Zone URI - the same applies to the Customer, in the Customer URI field.
*Alternate #1: no need to use this one. Simply leave it blank.
And, finally, send the network model using Right Click, then the option "Send Model mappings now", as follows:
|Context Menu (Right Click)|
After a while, create a new active channel using the previously configured connector as its source and include these columns in its fieldset: Agent Asset Name, Device Asset Name, Source Asset Name, Destination Asset Name, Attacker Asset Name, Target Asset Name, Original Asset Name, Final Asset Name. Your events should look like this:
|Test Active Channel|
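To show what the channel columns above are doing, here is an added stand-in (not ESM's own code and not part of the original post) that models the same structure: one zone defined by a start and end address like the /24 above, two assets in it, and an enrichment step that fills the Source/Destination Asset Name columns for sample events. The zone URI, asset names and IP addresses are constructed; an address outside the zone shows the case of an asset that is not modeled.

```python
import ipaddress
from typing import Optional

# Constructed lab model mirroring the post: one zone (start/end addresses, as ESM
# zones are defined) and two assets. URI and addresses are assumptions, not from ESM.
ZONES = {
    "/All Zones/LabCustomer/Lab LAN": ("192.168.21.1", "192.168.21.254"),
}
ASSETS = {
    "192.168.21.10": "syslog-workstation",  # host running the syslog daemon connector
    "192.168.21.20": "esxi-server",         # VMware ESXi server hosting the ESM VM
}

def zone_for(ip: str) -> Optional[str]:
    """Return the URI of the zone whose address range contains ip, else None."""
    addr = int(ipaddress.ip_address(ip))
    for uri, (start, end) in ZONES.items():
        if int(ipaddress.ip_address(start)) <= addr <= int(ipaddress.ip_address(end)):
            return uri
    return None

def asset_name_for(ip: str) -> Optional[str]:
    """Resolve an address to an asset name; only addresses inside a modeled zone resolve.
    This is why the connector's zone URIs must be set before 'Send Model mappings now'."""
    if zone_for(ip) is None:
        return None
    return ASSETS.get(ip)

def enrich_event(event: dict) -> dict:
    """Fill the asset/zone columns the post adds to the active channel's fieldset."""
    out = dict(event)
    out["Source Zone URI"] = zone_for(event["sourceAddress"])
    out["Destination Zone URI"] = zone_for(event["destinationAddress"])
    out["Source Asset Name"] = asset_name_for(event["sourceAddress"])
    out["Destination Asset Name"] = asset_name_for(event["destinationAddress"])
    return out

# Constructed sample events: one fully modeled, one from an unmodeled address.
SAMPLE_EVENTS = [
    {"name": "ssh login", "sourceAddress": "192.168.21.10", "destinationAddress": "192.168.21.20"},
    {"name": "scan", "sourceAddress": "10.0.0.5", "destinationAddress": "192.168.21.20"},
]

def enrich_all(events=SAMPLE_EVENTS) -> list:
    return [enrich_event(e) for e in events]

if __name__ == "__main__":
    for e in enrich_all():
        print(e)
```

The second event keeps a Destination Asset Name but no Source Asset Name, which is what you will see in the channel for traffic from hosts you have not yet added to the model.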
That's it. That's your first step towards network modeling. You may now search for events, create rules and use this resource to build other useful content.
Further possibilities regarding this matter will be described as soon as I deploy them.