john.petropoulo1 Absent Member.

L1-Malware Monitoring - Indicators and Warnings

This package is the initial content release for AV solution integration.  It provides some basic use cases for detecting malware within an environment.

 

See the latest Activate Wiki Content for details (1.0.10 or later).

 

To install or upgrade:

1 - Download L1-Malware Monitoring - Indicators and Warnings 1.0.0.5.zip

2 - Extract it to your Microsoft Windows console installation's current directory (e.g., c:\arcsight\console\current)

3 - Execute L1MalwareUpdate.bat and follow the instructions

 

DO NOT INSTALL THIS PACKAGE USING THE CONSOLE!!!

 

 

Also, a big thanks to and his team for helping pull this together!

20 Replies
MaryCordova Frequent Contributor.

Re: L1-Malware Monitoring - Indicators and Warnings

Error while installing Malware dependency package :

Could Not Find C:\arcsight\Console\current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

Any help?

0 Likes
chrispols Absent Member.

Re: L1-Malware Monitoring - Indicators and Warnings

Hi Mary,

You need to copy the installation files into \current\. If you extract the .zip, it extracts the files to \current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\, which will give you that error.

Chris

0 Likes
john.moore Absent Member.

Re: L1-Malware Monitoring - Indicators and Warnings

After installation I noticed the filters associated with the rule pointed to a filter which was called no events. Is this normal?

0 Likes
john.robinson21 Honored Contributor..

Re: L1-Malware Monitoring - Indicators and Warnings

I noticed the same thing.  I went to other filters and there are no conditions for any.  I am guessing we have to build our own content????!!!!

0 Likes
j__ Absent Member.

Re: L1-Malware Monitoring - Indicators and Warnings

You are going to have to install the McAfee packs and hook them into the filters. I haven’t seen anything for Symantec or other products.

Similar process to the perimeter packs.

/J

0 Likes
john.robinson21 Honored Contributor..

Re: L1-Malware Monitoring - Indicators and Warnings

Ok, thanks!

Also, any idea where the Downloads_Groups_1.0.arb can be located?  This is needed for the Suspicious Outbound Traffic Monitoring use case from marketplace.

0 Likes
j__ Absent Member.

Re: L1-Malware Monitoring - Indicators and Warnings

I don't know, need HP guidance on this.


0 Likes
yunp@hpe.com Absent Member.

Re: L1-Malware Monitoring - Indicators and Warnings

When you download the zip file for Suspicious Outbound Traffic Monitoring, you will find Downloads_Groups_1.0.arb file within the zip file.

0 Likes
brent Frequent Contributor.

Re: L1-Malware Monitoring - Indicators and Warnings

John (and John 😉 ),

You can find the Downloads_Groups_1.0.arb file in the Brute Force Attack package zip file on the Marketplace.

Brute Force Attack | HPE Marketplace

0 Likes
MaryCordova Frequent Contributor.

Re: L1-Malware Monitoring - Indicators and Warnings

Yay...more websites to scour...

0 Likes
john.robinson21 Honored Contributor..

Re: L1-Malware Monitoring - Indicators and Warnings

Thanks Brent and Mary,

Yea I noticed the file after opening up one of the packages from Marketplace.  Duh, John........

0 Likes
john.robinson21 Honored Contributor..

Re: L1-Malware Monitoring - Indicators and Warnings

Circling back to this topic.  I downloaded and installed the package with no problems.  However, when reading the wiki and viewing the Filters associated to the rules in the package....it seems that all rules are based from one filter called "No Events"?  How can multiple rules be based on one filter?  Especially a filter that only has "false" in the common conditions?

0 Likes
MaryCordova Frequent Contributor.

Re: L1-Malware Monitoring - Indicators and Warnings

Ok, so I haven't looked at this package, but based on my knowledge of the Activate framework, you need to install the product package pertinent to your environment, for example McAfee ePO, then replace the filter/false with the appropriate filter from McAfee.

So a rule might be "Unquarantined" in the malware package and the filter might be "Unquarantined" in the McAfee package, and you just link those 2 up. This makes it easy to link products and rules no matter if you are using McAfee or Symantec or fill_in_the_blank_malware_service.

This is where it becomes important for customers to develop the specific product packages, like if you are using MalwareBytes in your environment, while ArcSight maintains the abstract "Malware" solution packages.

- does that sound correct?

0 Likes
mike_of_many Trusted Contributor.

Re: L1-Malware Monitoring - Indicators and Warnings

That's correct. The malware package used the higher-level language choices:

  • Quarantined
  • Resolved
  • Unresolved
  • Unscanned

These in McAfee are pretty straightforward, as ePO AV and AM events use the same language; TrendMicro events are (if I recall) going to read:

  • Isolated
  • Removed
  • Marked
  • Untouched or unable to scan ..

This also extends to IOCs and sandboxing, aka Detonation Engines...

0 Likes
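The abstraction Mary and Mike describe, as an added example (not code from the Activate package or from ArcSight): the abstract malware rules ship bound to a placeholder filter whose only condition is false, and a product pack links in filters that translate the vendor's own wording into the package's outcome categories. The event field names, vendor vocabularies and sample events are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Filter = Callable[[Event], bool]

# The abstract package's outcome categories, as listed in the thread.
OUTCOMES = ("Quarantined", "Resolved", "Unresolved", "Unscanned")

# Product packs express the same outcomes in their own vocabulary. Constructed
# values, loosely following the wording quoted in the thread.
VENDOR_VOCAB: Dict[str, Dict[str, str]] = {
    "McAfee ePO": {"Quarantined": "quarantined", "Resolved": "resolved",
                   "Unresolved": "unresolved", "Unscanned": "unscanned"},
    "TrendMicro": {"Quarantined": "isolated", "Resolved": "removed",
                   "Unresolved": "marked", "Unscanned": "untouched"},
}

class MalwareRules:
    def __init__(self) -> None:
        # No product filters linked yet: equivalent to the shipped "No Events"
        # placeholder, so every rule evaluates to false until a pack is linked.
        self.linked: Dict[str, List[Filter]] = {o: [] for o in OUTCOMES}

    def link_product_pack(self, vendor: str) -> None:
        """The manual step from the thread: hook a product pack's filters into the rules."""
        for outcome, word in VENDOR_VOCAB[vendor].items():
            # Constructed field names (deviceVendor/deviceAction) stand in for the pack's conditions.
            self.linked[outcome].append(
                lambda e, v=vendor, w=word: e.get("deviceVendor") == v and e.get("deviceAction") == w)

    def outcome_filter(self, outcome: str, event: Event) -> bool:
        """Bound filter: OR of the linked product filters; with none linked it is simply false."""
        return any(f(event) for f in self.linked[outcome])

    def evaluate(self, event: Event) -> List[str]:
        """Run every abstract rule and return the names of those that fire."""
        return [f"Malware {o}" for o in OUTCOMES if self.outcome_filter(o, event)]

# Constructed sample events: one per linked vendor, plus one from a product with no pack.
SAMPLE_EVENTS: List[Event] = [
    {"deviceVendor": "McAfee ePO", "deviceAction": "unresolved", "fileName": "a.exe"},
    {"deviceVendor": "TrendMicro", "deviceAction": "isolated", "fileName": "b.dll"},
    {"deviceVendor": "OtherAV", "deviceAction": "unresolved", "fileName": "c.exe"},
]

def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Rule hits per file before any pack is linked, and after linking ePO and TrendMicro."""
    rules = MalwareRules()
    before = {e["fileName"]: rules.evaluate(e) for e in SAMPLE_EVENTS}
    rules.link_product_pack("McAfee ePO")
    rules.link_product_pack("TrendMicro")
    after = {e["fileName"]: rules.evaluate(e) for e in SAMPLE_EVENTS}
    return before, after
```

The unlinked OtherAV event never fires, which is the same symptom the thread reports (rules pointing at "No Events") until a matching product pack is linked.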