
ArcSight Rules Suggestions?

Hello,

I am trying to generate a report with the rules I've created in ArcSight, however I want this to be as comprehensive as possible. Can anyone suggest some of the better security rules for access control that I may implement with ESM? Some of the ones I have already set up include:

Active Account Detected

Active Directory Account Deleted

Active Directory Account locked out

Activity by Dormant Account

Arcsight user Login

Critical Device Not Reporting

Domain Account Created

Domain Account Deactivated

Group Policy Created

Group Policy deleted

Guest Anonymous Account Activity

Local Account Provisioning Detected

Logins to known shared Accounts

I think I have a good start, but I know there are a ton of rules I need to add to get a more comprehensive report from a security standpoint.

Any suggestions would be great!

Thanks,

Abe Anwari
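The rule names in the question say what to alert on but not the logic behind each one. As an added example, not code from this thread or from ArcSight, here is a small Python evaluator that implements four of the listed rules over a constructed stream of Windows Security events; the event IDs (4624, 4720, 4726) are the real Windows IDs, while the sample accounts, the shared-account list and the 30-day dormancy threshold are assumptions.

```python
# Added example (not from the thread or from ArcSight): a minimal evaluator
# for four of the access-control rules listed in the question, run over a
# constructed stream of Windows Security events. Account names, the shared
# account list and the dormancy threshold are assumptions for illustration.
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=30)            # assumed "dormant" threshold
SHARED_ACCOUNTS = {"svc_backup", "helpdesk"}  # assumed known shared accounts
ANON_ACCOUNTS = {"guest", "anonymous logon"}

# Constructed sample events: (timestamp, Windows event ID, account).
# 4624 = successful logon, 4720 = account created, 4726 = account deleted.
SAMPLE_EVENTS = [
    ("2017-01-02T08:00:00", 4624, "alice"),
    ("2017-01-03T09:15:00", 4624, "bob"),
    ("2017-01-03T09:20:00", 4624, "helpdesk"),
    ("2017-02-20T23:40:00", 4624, "alice"),   # alice silent for 49 days
    ("2017-02-21T01:05:00", 4624, "GUEST"),
    ("2017-02-21T02:00:00", 4720, "carol"),
    ("2017-02-21T02:30:00", 4726, "bob"),
]

def evaluate(events, dormant_after=DORMANT_AFTER):
    """Return a list of (rule name, account, timestamp) alerts.

    Events must be in chronological order. The last logon time of each
    account is tracked so that a logon after a gap longer than
    dormant_after fires "Activity by Dormant Account"; a first-ever logon
    cannot be judged dormant and only seeds the tracking table."""
    last_logon = {}
    alerts = []
    for ts_text, event_id, account in events:
        ts = datetime.fromisoformat(ts_text)
        acct = account.lower()               # Windows account names are case-insensitive
        if event_id == 4624:
            if acct in ANON_ACCOUNTS:
                alerts.append(("Guest Anonymous Account Activity", acct, ts_text))
            if acct in SHARED_ACCOUNTS:
                alerts.append(("Logins to known shared Accounts", acct, ts_text))
            prev = last_logon.get(acct)
            if prev is not None and ts - prev > dormant_after:
                alerts.append(("Activity by Dormant Account", acct, ts_text))
            last_logon[acct] = ts
        elif event_id == 4720:
            alerts.append(("Domain Account Created", acct, ts_text))
        elif event_id == 4726:
            alerts.append(("Active Directory Account Deleted", acct, ts_text))
    return alerts

if __name__ == "__main__":
    for rule, acct, when in evaluate(SAMPLE_EVENTS):
        print(f"{when}  {rule}: {acct}")
```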

5 Replies
Absent Member.

Yes please give me a call and I will show you how to set those Reports and Rules up.

Acclaimed Contributor.

Hi Abe,

Check this for Windows-related stuff here for defining your content: Audit Policy

For the internal ArcSight resource-related ACLs: refer to the Audit Events on Resources section in the ESM Console User Guide, pg. 757

Absent Member.

I didn't get a number to call.

Absent Member.

Not sure if this will help, but the NSA released a PDF on essentially what are Windows Event Log Use Cases: http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

Established Member.

The ArcSight manual is very helpful. You need to download the software and install it on your Express / ESM system to get all of the content.
