Kerry_Matre

L2-Perimeter and Network Monitoring - Situational Awareness

L2-Perimeter and Network Monitoring - Situational Awareness Version 1.1.0.0

Removed the following rules:

Successful Egress RDP Communications

Successful Egress SMB Communications

Successful Egress SSH Communications

Successful Ingress RDP Communications

Successful Ingress SMB Communications

Successful Ingress SSH Communications

Successful Ingress Telnet Communications

Replaced the previous rules with:

Successful Egress Restricted Services Communications

Successful Ingress Restricted Services Communications

Active list added:

Interzone Communications to Restricted Services

Renamed rules:

25 or More Deny Events from Same Critical Host => Multiple Deny Events from Same Critical Host

25 or More Deny Events to Same Critical Host => Multiple Deny Events to Same Critical Host

4 Unique Events to a Protected Asset => Multiple Unique Events to a Protected Asset

Rules added:

ICMP Sweep from Internal Source

Multiple Deny Events from Same Critical Host

Multiple Deny Events to Same Critical Host

Multiple Drop Events from Same Internal Source

Multiple Unique Events to a Protected Asset

Successful Egress DNS Communications

Successful Egress NTP Communications

Successful Egress Restricted Services Communications

Successful Ingress Restricted Services Communications

Created new installation and update procedures

- Created a customizations package to prevent overwriting filters that have been configured for specific product packages

See the latest Activate Wiki Content for details.

To upgrade:

1 - Download L2-Perimeter and Network Monitoring - Situational Awareness 1.1.0.0.zip

2 - Extract it to your Microsoft Windows console installation's current directory (e.g., c:\arcsight\console\current)

3 - Execute L2PerimeterUpdate.bat and follow the instructions

DO NOT INSTALL THIS PACKAGE USING THE CONSOLE!!!

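The change above replaces seven per-service rules (RDP, SMB, SSH, Telnet, egress and ingress) with a single rule pair that reads the "Interzone Communications to Restricted Services" active list, and drops the hard-coded counts ("25 or More", "4 Unique") from the threshold rule names. The following is an added Python sketch of that design, not code from the package or from ArcSight: a key=value firewall log format, the internal address ranges, the port-to-service table and the threshold values are all assumptions constructed for the example. The point it shows is that adding a service to the list (or changing a threshold) needs no rule edit.

```python
"""Added example, not part of the L2-Perimeter package.

Illustrates (1) one egress/ingress rule pair driven by an active list of
restricted services instead of one rule per service, and (2) a deny-event
threshold rule whose count is a parameter rather than part of the rule name.
Log lines, field names, zones, ports and thresholds are constructed here.
"""
from collections import Counter
import ipaddress

# Assumed "internal" zone; the real package uses ArcSight's zone model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Stand-in for the active list: (transport, destination port) -> service.
# Editing this table changes what the rule matches; the rule itself is unchanged.
RESTRICTED_SERVICES = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 445): "SMB",
    ("tcp", 3389): "RDP",
}

# Constructed firewall events (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_LOG = """\
ts=1 src=10.1.1.5 dst=203.0.113.7 proto=tcp dport=3389 action=allow
ts=2 src=198.51.100.9 dst=10.1.1.20 proto=tcp dport=22 action=allow
ts=3 src=10.1.1.5 dst=10.1.1.20 proto=tcp dport=445 action=allow
ts=4 src=10.1.1.5 dst=203.0.113.7 proto=tcp dport=443 action=allow
ts=5 src=198.51.100.9 dst=10.1.1.20 proto=tcp dport=23 action=deny
ts=6 src=198.51.100.9 dst=10.1.1.20 proto=tcp dport=3389 action=deny
ts=7 src=198.51.100.9 dst=10.1.1.20 proto=tcp dport=445 action=deny
ts=8 src=10.1.1.9 dst=203.0.113.8 proto=tcp dport=22 action=allow
ts=9 src=10.1.1.5 dst=203.0.113.53 proto=udp dport=53 action=allow
"""


def parse(log):
    """Parse key=value lines into dicts; dport becomes an int."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(ev):
    """Classify a flow by the zones of its endpoints."""
    s, d = is_internal(ev["src"]), is_internal(ev["dst"])
    if s and not d:
        return "egress"
    if d and not s:
        return "ingress"
    return "internal" if s else "external"


def restricted_service_hits(events, active_list=RESTRICTED_SERVICES):
    """Successful Egress/Ingress Restricted Services Communications.

    Returns (direction, service, src, dst) for every allowed cross-zone
    connection whose transport/port pair is on the active list.
    Intra-zone traffic (e.g. internal SMB) is deliberately not matched.
    """
    hits = []
    for ev in events:
        if ev["action"] != "allow":
            continue
        service = active_list.get((ev["proto"], ev["dport"]))
        if service is None:
            continue
        d = direction(ev)
        if d in ("egress", "ingress"):
            hits.append((d, service, ev["src"], ev["dst"]))
    return hits


def multiple_deny_events(events, threshold=3, key="dst"):
    """Multiple Deny Events to (key='dst') / from (key='src') Same Host.

    The threshold is a parameter, mirroring the renaming of
    '25 or More Deny Events ...' to 'Multiple Deny Events ...'.
    """
    counts = Counter(ev[key] for ev in events if ev["action"] == "deny")
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in restricted_service_hits(evs):
        print("restricted service:", hit)
    # Extending the list is the only change needed to also flag egress DNS.
    extended = {**RESTRICTED_SERVICES, ("udp", 53): "DNS"}
    print("with DNS listed:", len(restricted_service_hits(evs, extended)), "hits")
    print("deny threshold (to):", multiple_deny_events(evs, threshold=3))
    print("deny threshold (from):", multiple_deny_events(evs, threshold=3, key="src"))
```

Note that the lookup key is transport plus destination port only; a real deployment would also filter on the device or zone pair the active list entry was written for, and port-only matching will miss restricted services moved to non-standard ports.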
prentice@hpe.co

Re: L2-Perimeter and Network Monitoring - Situational Awareness

Hey all,

If you contributed to this package, please PM me. I know and others helped in general. Let me know if you're not already mentioned in this comment (see below), please!

If you contributed to any of the Proxy content, please e-mail me!

I think it was , , or ... I'm particularly interested in the development decision for /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries.

Thanks!

mike_of_many

Re: L2-Perimeter and Network Monitoring - Situational Awareness

I'm probably best for answering that one, it was part of my originals. Feel free to IM or ask here.

Mike

mendoncanuno

Re: L2-Perimeter and Network Monitoring - Situational Awareness

Hello guys,

Do you know if there's documentation for this package?

Best regards,

Miguel Mendonça

mike_of_many

Re: L2-Perimeter and Network Monitoring - Situational Awareness

The earlier versions of the package had documentation included in the activate wiki. See versions 1.09 and such.

prentice@hpe.co

Re: L2-Perimeter and Network Monitoring - Situational Awareness

Actually, the documentation is at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L1PerimeterAndNetworkMonitoring. There's not much for L2. Also, we are splitting this package into two new package sets, one for Network Monitoring and another for Perimeter Monitoring. The Activate Wiki has, or will have, more details.

prentice@hpe.co

Re: L2-Perimeter and Network Monitoring - Situational Awareness

Hey Mike, just making sure that everyone who participated got the appropriate credit!

I do have some questions, but I'll ping you later, when I've caught up with myself (sometime after Protect 2016).

--

Prentice
