ArcSight Rules Suggestions?
I am trying to generate a report with the rules I've created in ArcSight; however, I want this to be as comprehensive as possible. Can anyone suggest some of the better security rules for access control that I may implement with ESM? Some of the ones I have already set up include:
Active Account Detected
Active Directory Account Deleted
Active Directory Account locked out
Activity by Dormant Account
Arcsight user Login
Critical Device Not Reporting
Domain Account Created
Domain Account Deactivated
Group Policy Created
Group Policy deleted
Guest Anonymous Account Activity
Local Account Provisioning Detected
Logins to known shared Accounts
I think I have a good start, but I know there are a ton of rules I need to add to get a more comprehensive report from a security standpoint.
Any suggestions would be great!
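To show what a few of the access-control rules in the list above look like as concrete detection logic, here is an added example in Python that is not part of the original post and not ArcSight content. It implements "Activity by Dormant Account", "Logins to known shared Accounts", and the account created / deleted / locked-out rules over a handful of constructed Windows Security events (the event IDs 4624, 4720, 4726 and 4740 are the standard Windows ones; the sample records, the shared-account list and the 60-day dormancy threshold are assumptions made for the example).

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields (not real data).
# EventID 4624 = successful logon, 4720 = account created,
# 4726 = account deleted, 4740 = account locked out.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "event_id": 4624, "user": "alice",       "host": "WS01"},
    {"ts": "2024-03-02T09:00:00", "event_id": 4720, "user": "contractor7", "host": "DC01"},
    {"ts": "2024-04-20T08:05:00", "event_id": 4624, "user": "svc_backup",  "host": "SRV01"},
    {"ts": "2024-05-15T22:10:00", "event_id": 4624, "user": "alice",       "host": "WS01"},
    {"ts": "2024-05-16T03:00:00", "event_id": 4624, "user": "svc_backup",  "host": "SRV02"},
    {"ts": "2024-05-16T03:01:00", "event_id": 4740, "user": "bob",         "host": "DC01"},
    {"ts": "2024-05-16T03:02:00", "event_id": 4726, "user": "contractor7", "host": "DC01"},
]

# Assumed tuning values: which accounts are known to be shared, and how long an
# account must be idle before a new logon counts as "dormant account activity".
SHARED_ACCOUNTS = {"svc_backup", "helpdesk"}
DORMANT_DAYS = 60


def event_time(event):
    """Parse the ISO-8601 timestamp carried by a sample event."""
    return datetime.fromisoformat(event["ts"])


def dormant_account_activity(events, dormant_days=DORMANT_DAYS):
    """Rule: a logon (4624) by an account whose previous logon was more than
    dormant_days ago. State (last logon per user) is kept across events, the
    way an ESM rule would keep it in an active list."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=event_time):
        if ev["event_id"] != 4624:
            continue
        ts = event_time(ev)
        prev = last_seen.get(ev["user"])
        if prev is not None and ts - prev > timedelta(days=dormant_days):
            alerts.append({
                "rule": "Activity by Dormant Account",
                "user": ev["user"],
                "host": ev["host"],
                "idle_days": (ts - prev).days,
                "ts": ev["ts"],
            })
        last_seen[ev["user"]] = ts
    return alerts


def shared_account_logins(events, shared=SHARED_ACCOUNTS):
    """Rule: any successful logon whose target user is a known shared account."""
    return [
        {"rule": "Logins to known shared Accounts", "user": ev["user"],
         "host": ev["host"], "ts": ev["ts"]}
        for ev in sorted(events, key=event_time)
        if ev["event_id"] == 4624 and ev["user"] in shared
    ]


def account_lifecycle(events):
    """Rules that fire on a single event: account created, locked out, deleted."""
    rule_for_id = {
        4720: "Domain Account Created",
        4740: "Active Directory Account locked out",
        4726: "Active Directory Account Deleted",
    }
    return [
        {"rule": rule_for_id[ev["event_id"]], "user": ev["user"],
         "host": ev["host"], "ts": ev["ts"]}
        for ev in sorted(events, key=event_time)
        if ev["event_id"] in rule_for_id
    ]


def run_rules(events):
    """Evaluate every rule and return the combined alert list, oldest first."""
    alerts = dormant_account_activity(events) + shared_account_logins(events) + account_lifecycle(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f'{alert["ts"]}  {alert["rule"]:40}  {alert["user"]}@{alert["host"]}')
```

Running it on the sample set produces one dormant-account alert (alice, idle 75 days), two shared-account logon alerts for svc_backup, and one alert each for the created, locked-out and deleted accounts. The dormant rule is the one worth tuning: the threshold and the per-user state are what decide whether the rule is noisy or useful, which is the same trade-off you face when setting the active-list TTL in ESM.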
Check this for Windows-related stuff for defining your content: Audit Policy
For the internal ArcSight resource-related ACLs, refer to the Audit Events on Resources section in the ESM Console User Guide, pg. 757.
Not sure if this will help, but the NSA released a PDF on essentially what are Windows Event Log Use Cases: http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf