Highlighted
Established Member.. fausto.filho1
Established Member..
1259 views

[ESM 6.9.1c] Hands on Network Modeling in four steps

Folks,

After several days struggling with some minor issues, I came up with my lab network modeling.

This is just a demo of how useful network modeling is, using some possible features as Customers, Networks, Zones, Assets, Categories and Locations.

1st. Step: Create a Customer and a Network - and also a location - and configure it all to be assigned to each other, including some related connectors.

Customer

Network & Location

2nd Step: After that, provide a Zone using your network (mine is a /24 network, through 192.168.21.1 until 192.168.21.254), as follows:

Zone and Categories

3rd. Step: Include and configure your assets (mine, at this time was only two assets, for testing purposes. One is gonna be my own machine, running a syslog daemon connector and other will be our VMware ESXi Server, where HPE ArcSight ESM virtual machine, among others, is located) The configuration were made as follows:​

Asset 1 - My Own Machine (where a syslog daemon connector is installed)

Asset 2 - ESXi Server

4th. Step: Having all these settings done, set your connectors to operate using this modeling, not forgetting to send the network model via context menu short after the following configurations were applied - notice that this configuration must be replied in every connector that you want to acquire modeling from the above structure:

Connector

*Default Tab: make sure to have selected the corrects Zones from Source Zone URI to Device Translated Zone URI - It also applies to customer, at Customer URI field.

*Alternate #1: no need to use this one. Simply leave it blank.

And, finally, send the network modeling using Right Click, plus option "Send Model mappings now", as follows:​

Context Menu (Right Click)

After a while, create a new active channel using previously configured connector as source and include this columns at its fieldset: Agent Asset Name, Device Asset Name, Source Asset Name, Destination Asset Name, Attacker Asset Name, Target Asset Name, Original Asset Name, Final Asset Name. Your events might look like this:​

Test Active Channel

That's it. That's your first step towards network modeling. You may now search for events, create rules and use this resource to create nice and useful resources.

Further possibilities regarding this matter will be described as soon as I deploy they.

Cheers!

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.