
REQUIRED IMMEDIATE HELP -- FILTERS FOR USE CASES, ARCSIGHT ESM

Hi All,

As I am working in a production environment and am new to this product, I am stuck creating some filters and rules for the cases mentioned below. If anybody has an idea, please share it or guide me on how to get this done.

1. Firewall - High utilization warning on network bandwidth
2. Windows - AD changes happening across business domains
3. Unix - Account disabled followed by re-enabled
4. Unix - Track sudo access to Unix
5. Unix - Brute force attempts on key accounts
6. AV - Possible virus outbreak (5+) - same file name
7. AV - Possible virus outbreak (5+) - same file name - malware resolved
8. Windows - Remote access logon failure more than 5 times, and activity trace
9. Windows - Application - shared account activity
10. Firewall - Repeated firewall blocks to critical systems
11. Huge EPS from a single device
12. Same virus found on multiple machines - enterprise-wide threat
13. Threshold definition for account lockout
14. Unix - User account added to root or sudo group
15. Unix - Failed su followed by successful su to root
16. SQL - Transaction log deleted
17. SQL - Modification of restricted tables
18. Admin privilege activity - read of restricted tables
19. AD - Terminated employee user account activity

Kindly help me.

Thanks in advance.

Hamendra Yadav

Re: REQUIRED IMMEDIATE HELP -- FILTERS FOR USE CASES, ARCSIGHT ESM

Hi Hemendra Yadav,

I think the rule below works for you for question 5, when you have an active list of key accounts:

(Name = Brute force logins AND Type = Correlation AND Device Product = UNIX AND Target User Name is not NULL AND Target User Name != system)

Hope this helps you a bit.

Thanks,

NSN
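As an added example that is not part of this thread and is not ArcSight rule syntax, the correlation logic behind three of the use cases listed above (5, 12 and 15) is written out below in Python. NSN's filter for question 5 becomes a rule that only counts failed logins against accounts held in a stand-in for an ESM Active List of key accounts and ignores the system account; the same sliding-window pattern handles "failed su followed by successful su to root" and "same virus found on multiple machines". The event field names, thresholds, time windows and the sample events are all constructed assumptions for this example; in ESM the key-account set would be an Active List and the counting an aggregation threshold on the rule.

```python
"""Toy correlation logic for three use cases from the thread (constructed
example, not ArcSight rule syntax): #5 brute force on key accounts,
#15 failed su followed by successful su to root, #12 same virus on 5+ hosts.
Events are plain dicts; the field names are assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for an ESM Active List of key accounts (assumed contents).
KEY_ACCOUNTS = {"oracle", "svc_backup", "root"}


def brute_force_on_key_accounts(events, threshold=5, window=timedelta(minutes=5)):
    """Fire once when one source IP reaches `threshold` failed logins against
    a key account inside `window` (NSN's filter plus the active-list check)."""
    alerts = []
    failures = defaultdict(deque)  # (src_ip, user) -> failure timestamps in window
    for e in events:
        if e["product"] != "UNIX" or e["name"] != "auth_failure":
            continue
        user = e.get("target_user")
        if not user or user == "system" or user not in KEY_ACCOUNTS:
            continue
        q = failures[(e["src"], user)]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) == threshold:  # exactly at the threshold: fire once
            alerts.append({"rule": "Brute force on key account",
                           "src": e["src"], "user": user, "count": len(q)})
    return alerts


def failed_then_successful_su_root(events, window=timedelta(minutes=10)):
    """Fire when a failed su to root is followed within `window` by a
    successful su to root by the same user on the same host."""
    alerts = []
    last_failure = {}  # (host, user) -> timestamp of last failed su to root
    for e in events:
        if e["product"] != "UNIX" or e.get("target_user") != "root":
            continue
        key = (e["host"], e["src_user"])
        if e["name"] == "su_failure":
            last_failure[key] = e["ts"]
        elif (e["name"] == "su_success" and key in last_failure
              and e["ts"] - last_failure[key] <= window):
            alerts.append({"rule": "Failed su followed by successful su to root",
                           "host": e["host"], "user": e["src_user"]})
            del last_failure[key]
    return alerts


def virus_outbreak(events, min_hosts=5, window=timedelta(hours=1)):
    """Fire once per file name when AV reports it on `min_hosts` distinct
    machines inside `window` (enterprise-wide threat)."""
    alerts = []
    sightings = defaultdict(dict)  # file_name -> {host: last seen timestamp}
    fired = set()
    for e in events:
        if e["product"] != "AV" or e["name"] != "virus_found":
            continue
        hosts = sightings[e["file_name"]]
        hosts[e["host"]] = e["ts"]
        recent = sorted(h for h, t in hosts.items() if e["ts"] - t <= window)
        if len(recent) >= min_hosts and e["file_name"] not in fired:
            fired.add(e["file_name"])
            alerts.append({"rule": "Possible virus outbreak",
                           "file_name": e["file_name"], "hosts": recent})
    return alerts


def run_all(events):
    """Run every rule over the events in timestamp order; returns rule -> alerts."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return {"brute_force": brute_force_on_key_accounts(ordered),
            "su_root": failed_then_successful_su_root(ordered),
            "outbreak": virus_outbreak(ordered)}


# Constructed sample events (not real logs); offsets are seconds after T0.
T0 = datetime(2017, 3, 1, 9, 0, 0)


def make_event(offset_s, **fields):
    return {"ts": T0 + timedelta(seconds=offset_s), **fields}


SAMPLE_EVENTS = (
    # six failed logins from one IP against the key account "oracle" in one minute
    [make_event(i * 10, product="UNIX", name="auth_failure", src="10.0.0.7",
                host="db01", target_user="oracle") for i in range(6)]
    # the same pattern against a non-key account must not fire
    + [make_event(i * 10, product="UNIX", name="auth_failure", src="10.0.0.8",
                  host="web01", target_user="alice") for i in range(6)]
    # failed su to root by bob, then success 30 seconds later on the same host
    + [make_event(300, product="UNIX", name="su_failure", src_user="bob",
                  host="web01", target_user="root"),
       make_event(330, product="UNIX", name="su_success", src_user="bob",
                  host="web01", target_user="root")]
    # the same file name reported by AV on five different machines
    + [make_event(400 + i, product="AV", name="virus_found", host=f"pc{i:02d}",
                  file_name="invoice.exe") for i in range(5)]
)

if __name__ == "__main__":
    for rule, alerts in run_all(SAMPLE_EVENTS).items():
        print(rule, alerts)
```

Each rule keeps only the state it needs (a per-key deque of timestamps, the last failure per host/user, the hosts per file name) and evicts anything outside the window, which is the same trade-off an ESM rule makes with its time frame and aggregation settings: a window that is too short misses slow attacks, one that is too long grows memory and raises false positives from unrelated events.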

Re: REQUIRED IMMEDIATE HELP -- FILTERS FOR USE CASES, ARCSIGHT ESM

Dear Hamendra,

There should be some default use cases. You can expand all the folders in the rule navigation tab; you should be able to find some useful ones. Otherwise you can download them from HPE Marketplace - Classic Packages. Download them and test them in a UAT environment first before setting them up in a production environment.

Regards,

Julian


Re: REQUIRED IMMEDIATE HELP -- FILTERS FOR USE CASES, ARCSIGHT ESM

Hey,

I would recommend that you attend at least the ArcSight training course H7G90S:

Security Training: Education Services - US and Canada | Hewlett Packard Enterprise

Regards


Re: REQUIRED IMMEDIATE HELP -- FILTERS FOR USE CASES, ARCSIGHT ESM

Hi Nick,

Thanks a lot for this. Please also guide me on the other rules.
