prentice@hpe.co Honored Contributor.

L2-Network Monitoring - Situational Awareness

This is the official forum for the discussion of the L2-Network Monitoring - Situational Awareness package.

The installation/update package is available from the ArcSight Marketplace. All new and updated Activate Framework packages are available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight).


The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L2NetworkMonitoring.

tkachouba Trusted Contributor.

Re: L2-Network Monitoring - Situational Awareness

Hi,


I installed the L2-Network Monitoring - Situational Awareness package and noticed a broken resource.  The rule "Web Proxy Identified Exploit Traffic" is dependent on an Active List that does not exist.

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found.

On a side note, from the L2-Perimeter Monitoring - Situational Awareness package I noticed 2 broken resources: the rules "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region".

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

and

Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

I used the latest packages available from the HP Marketplace and installed them in the order below.  Older versions of the packages which require migration were never installed.

ArcSight Activate Base 2.4.0.0

L1-Perimeter Monitoring - Indicators and Warnings

L2-Perimeter Monitoring - Situational Awareness

L1-Network Monitoring - Indicators and Warnings

L2-Network Monitoring - Situational Awareness

Has anyone else experienced this? What's the best way to resolve this issue with the broken resources?

john.robinson21 Honored Contributor.
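The "depends on resource ... that cannot be found" lines above have a fixed shape, and the thread's eventual answer is that the referenced active list exists under a different folder. The following is an added example, not code from the thread or from the ArcSight Activate package, that parses such messages and checks each missing resource URI against an inventory of installed resources for an entry with the same resource type and name in another folder. The inventory and the "Filter" decoy entry are constructed for the example; the messages are the ones quoted in this post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "cannot be found" messages quoted in this thread.
BROKEN_DEPENDENCY_MESSAGES = [
    "Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/"
    "Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource "
    "/All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/"
    "Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found.",
    "Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/"
    "Situational Awareness/Egress Communications to Suspicious Region depends on resource "
    "/All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/"
    "Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found",
    "Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/"
    "Situational Awareness/Ingress Communications from Suspicious Region depends on resource "
    "/All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/"
    "Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found",
]

# Constructed inventory (assumption): resource URIs that exist after the install.
# The first entry is the location a later reply in this thread gives for the list;
# the second has the same name but is a Filter, so it must not count as a match.
INSTALLED_RESOURCES = [
    "/All Active Lists/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/"
    "Proxy Identified Exploit Kit Queries",
    "/All Filters/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/"
    "Proxy Identified Exploit Kit Queries",
]

# Rule URI, then the missing dependency URI; trailing period is optional.
MESSAGE_RE = re.compile(
    r"^Rule (?P<rule>/.+?) depends on resource (?P<dep>/.+?) that cannot be found\.?$"
)


@dataclass
class BrokenDependency:
    rule: str
    missing: str
    candidates: list = field(default_factory=list)


def parse_message(message):
    """Return (rule_uri, missing_uri) or None if the line is not a dependency error."""
    m = MESSAGE_RE.match(message.strip())
    if not m:
        return None
    return m.group("rule"), m.group("dep")


def resource_type(uri):
    # "/All Active Lists/ArcSight Activate/..." -> "All Active Lists"
    return uri.split("/")[1]


def leaf_name(uri):
    return uri.rsplit("/", 1)[-1]


def find_candidates(missing, inventory):
    """Installed resources with the same type and name as the missing one, in another folder."""
    want_type, want_name = resource_type(missing), leaf_name(missing)
    return sorted(
        uri for uri in inventory
        if uri != missing
        and resource_type(uri) == want_type
        and leaf_name(uri) == want_name
    )


def triage(messages, inventory):
    """Parse every error line and attach relocation candidates to each broken dependency."""
    report = []
    for message in messages:
        parsed = parse_message(message)
        if parsed is None:
            continue  # not a dependency error, skip silently
        rule, missing = parsed
        report.append(BrokenDependency(rule, missing, find_candidates(missing, inventory)))
    return report


def format_report(report):
    lines = []
    for item in report:
        lines.append(f"{leaf_name(item.rule)} -> missing {item.missing}")
        if item.candidates:
            lines.extend(f"    same name and type found at: {c}" for c in item.candidates)
        else:
            lines.append("    no candidate in inventory: resource is absent, not just moved")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(BROKEN_DEPENDENCY_MESSAGES, INSTALLED_RESOURCES)))
```

Run against a real environment, the inventory would come from an export of the installed resource tree; an entry with candidates points at a reference that only needs repointing, while an entry without any means the resource really is not shipped in the package.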

Re: L2-Network Monitoring - Situational Awareness

Check this link: .  There is a resolution to the broken resource.  The active list is in a different location.  However, I just did a search in ESM for Proxy Identified Exploit Kit Queries, but could not find it. Leave it to HP to put out a product that is not ready or useful.......I really hope they put out some use cases and direction for the L2 packages.

pushpendra.rath Outstanding Contributor.

Re: L2-Network Monitoring - Situational Awareness

Isn't this problem fixed in the package mentioned above? I see that it was posted after the package was published on marketplace.

Thanks 🙂

pushpendra.rath Outstanding Contributor.

Re: L2-Network Monitoring - Situational Awareness

Same here, I could not find Proxy Identified Exploit Kit Queries.

prentice@hpe.co Honored Contributor.

Re: L2-Network Monitoring - Situational Awareness

Hey,

Apologies for the delayed response. I just installed the L1-Network Monitoring and L2-Network Monitoring packages, as well as the L1-Perimeter Monitoring and L2-Perimeter Monitoring packages. For /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic, the conditions should look like this: [screenshot: WebProxyIdentifiedExploitTrafficConditions.png]

I know this sounds lame, but I cannot reproduce the problem you've stated. The list is at /All Active Lists/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries.

Hope this helps,

--

Prentice

Micro Focus Contributor

Re: L2-Network Monitoring - Situational Awareness

Hi Prentice

I just did a clean install of the L2-Network_Monitoring_-_Situational_Awareness_0.1.0.0 package; this was not an upgrade. I got the same problem where there's a reference to the Proxy Identified Exploit Kit Queries Active List under /Perimeter and Network Monitoring/Situational Awareness which doesn't exist in my environment.

[screenshot: error.JPG]

It doesn't look like the Active List is included in the package either.

Cheers

Mark

Micro Focus Expert

Re: L2-Network Monitoring - Situational Awareness

Same issue here as mark.lowings@hp, no Active List or Filter. [screenshots: Rule Error 2.png, Rule Error1.png]

Micro Focus Expert

Re: L2-Network Monitoring - Situational Awareness

Also, don't know if this is related but I noticed two issues with the install. With the second screenshot, I don't see that Package in the Console. Unfortunately, no time to research right now.

[screenshots: L2 Install Error 1.png, L2 Install Error 2.png]
