Absent Member.

L1-Malware Monitoring - Indicators and Warnings

This package is the initial content release for AV solution integration. It provides some basic use cases for detecting malware within an environment.

 

See the latest Activate Wiki Content for details (1.0.10 or later).

 

To install or upgrade:

1 - Download L1-Malware Monitoring - Indicators and Warnings 1.0.0.5.zip

2 - Extract it to your Microsoft Windows console installation's current directory (e.g., c:\arcsight\console\current)

3 - Execute L1MalwareUpdate.bat and follow the instructions

 

DO NOT INSTALL THIS PACKAGE USING THE CONSOLE!!!

 

 

Also, a big thanks to and his team for helping pull this together!

Ensign

Error while installing Malware dependency package:

Could Not Find C:\arcsight\Console\current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

Any help?

Absent Member.

Hi Mary,

You need to copy the installation files into \current\. If you extract the .zip as-is, it extracts the files to \current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\, which will give you that error.

Chris

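The three install steps in the original post and Chris's fix above (the files must sit directly in \current\, not in the sub-folder the zip creates) as an added example; this is not the package's own installer, not code from the thread, and not an ArcSight API. It is a small Python pre-flight helper that extracts the release zip with its single top-level folder stripped, refuses archive entries that would land outside the target directory, checks that the dependency .arb named in the error message and L1MalwareUpdate.bat are present directly in the Console's current directory, and only then runs the batch file from the command line (never from the Console). The .arb glob and the batch-file name are taken from this page; that the batch file looks for them directly under current\ is an assumption based on Chris's reply, and the sample zips the demo builds are constructed stand-ins, not the real release.

```python
import fnmatch
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Glob from the error message quoted in the thread. Assumption: the batch
# file looks for it directly under the Console 'current' directory.
DEPENDENCY_GLOB = ("L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings"
                   "_-_Customizations_*.arb")
INSTALLER_BAT = "L1MalwareUpdate.bat"


def extract_flat(zip_path: Path, current_dir: Path) -> list[str]:
    """Extract into current_dir with the zip's single top-level folder stripped.

    Raises ValueError for entries that would land outside current_dir (zip-slip).
    """
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for m in members:
            if m.filename.startswith("/") or ".." in PurePosixPath(m.filename).parts:
                raise ValueError(f"refusing unsafe archive entry: {m.filename}")
        tops = {PurePosixPath(m.filename).parts[0] for m in members}
        strip = ""
        if len(tops) == 1 and all("/" in m.filename for m in members):
            strip = tops.pop() + "/"  # e.g. "L1-Malware Monitoring - ... 1.0.0.5/"
        written = []
        for m in members:
            rel = m.filename[len(strip):]
            target = current_dir / rel
            # Belt and braces: the resolved target must stay inside current_dir.
            if not target.resolve().is_relative_to(current_dir.resolve()):
                raise ValueError(f"refusing unsafe archive entry: {m.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(m) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(rel)
    return written


def missing_dependencies(current_dir: Path) -> list[str]:
    """Required files not found directly in current_dir (sub-folders do not count)."""
    names = [p.name for p in current_dir.iterdir() if p.is_file()]
    missing = [] if fnmatch.filter(names, DEPENDENCY_GLOB) else [DEPENDENCY_GLOB]
    if INSTALLER_BAT not in names:
        missing.append(INSTALLER_BAT)
    return missing


def install(zip_path: Path, current_dir: Path, run: bool = True) -> list[str]:
    """Extract, verify, then run the batch file (step 3 of the post). Returns what is missing."""
    extract_flat(zip_path, current_dir)
    missing = missing_dependencies(current_dir)
    if not missing and run:
        subprocess.run(["cmd", "/c", INSTALLER_BAT], cwd=current_dir, check=True)
    return missing


def build_sample_zip(dest: Path, nested: bool = True, include_arb: bool = True) -> Path:
    """Constructed stand-in for the release zip (sample data, not the real package)."""
    prefix = "L1-Malware Monitoring - Indicators and Warnings 1.0.0.5/" if nested else ""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(prefix + INSTALLER_BAT, "@echo off\r\necho installer stub\r\n")
        zf.writestr(prefix + "README.txt", "constructed sample")
        if include_arb:
            zf.writestr(prefix + DEPENDENCY_GLOB.replace("*", "1.0"), "<archive/>")
    return dest


def demo() -> dict:
    """Run the helper on constructed zips in a scratch directory; returns outcomes by case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        cases = {"nested": {}, "flat": {"nested": False}, "no_arb": {"include_arb": False}}
        for name, kwargs in cases.items():
            (tmp / name).mkdir()
            results[name] = install(build_sample_zip(tmp / f"{name}.zip", **kwargs),
                                    tmp / name, run=False)
        hostile = tmp / "hostile.zip"
        with zipfile.ZipFile(hostile, "w") as zf:
            zf.writestr("../evil.bat", "")  # constructed zip-slip entry
        try:
            extract_flat(hostile, tmp / "flat")
            results["zip_slip"] = "extracted"
        except ValueError:
            results["zip_slip"] = "refused"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome or 'ok'}")
```

Against a real download you would call install(Path("L1-Malware Monitoring - Indicators and Warnings 1.0.0.5.zip"), Path(r"C:\arcsight\console\current")) from a command prompt; the check reports the missing .arb by name instead of letting the batch file fail with the "Could Not Find" message, and a zip that tries to write outside current\ is refused rather than extracted.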
Absent Member.

After installation, I noticed the filters associated with the rule pointed to a filter called "no events". Is this normal?

Vice Admiral

I noticed the same thing.  I went to other filters and there are no conditions for any.  I am guessing we have to build our own content????!!!!

Absent Member.

You are going to have to install the McAfee packs and hook them into the filters. I haven’t seen anything for Symantec or other products.

Similar process to the perimeter packs.

/J

Vice Admiral

Ok, thanks!

Also, any idea where the Downloads_Groups_1.0.arb can be located?  This is needed for the Suspicious Outbound Traffic Monitoring use case from marketplace.

Absent Member.

I don't know, need HP guidance on this.


Absent Member.

When you download the zip file for Suspicious Outbound Traffic Monitoring, you will find Downloads_Groups_1.0.arb file within the zip file.

Ensign

John (and John 😉 ),

You can find the Downloads_Groups_1.0.arb file in the Brute Force Attack package zip file on the Marketplace.

Brute Force Attack | HPE Marketplace

Ensign

Yay...more websites to scour...

Vice Admiral

Thanks Brent and Mary,

Yea I noticed the file after opening up one of the packages from Marketplace.  Duh, John........
