aanwari

ArcSight Rules Suggestions?

Hello,

I am trying to generate a report with the rules I've created in ArcSight, however I want this to be as comprehensive as possible. Can anyone suggest some of the better security rules for access control that I may implement with ESM? Some of the ones I have already set up include:

Active Account Detected

Active Directory Account Deleted

Active Directory Account locked out

Activity by Dormant Account

Arcsight user Login

Critical Device Not Reporting

Domain Account Created

Domain Account Deactivated

Group Policy Created

Group Policy deleted

Guest Anonymous Account Activity

Local Account Provisioning Detected

Logins to known shared Accounts

I think I have a good start, but I know there are a ton of rules I need to add to get a more comprehensive report from a security standpoint.

Any suggestions would be great!

Thanks,

Abe Anwari

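Two of the rules in the list above, "Activity by Dormant Account" and "Logins to known shared Accounts", modelled as plain Python over a constructed sample log. This is an added example, not code from the thread or from ArcSight ESM; the 90-day dormancy threshold, the shared-account list and the sample event IDs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    time: datetime   # event time
    user: str        # normalized account name
    host: str        # host where the logon happened
    event_id: int    # Windows Security event ID (4624 = successful logon)

# Constructed threshold and list (assumptions); in ESM these would be an active list.
DORMANT_AFTER = timedelta(days=90)
SHARED_ACCOUNTS = {"svc_backup", "admin"}

def dormant_account_activity(events):
    """'Activity by Dormant Account': a successful logon by an account whose
    previous successful logon is older than DORMANT_AFTER. A first-ever logon
    is not flagged here; that belongs to the provisioning/new-account rules."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id != 4624:
            continue
        prev = last_seen.get(ev.user)
        if prev is not None and ev.time - prev > DORMANT_AFTER:
            alerts.append((ev.user, ev.host, ev.time))
        last_seen[ev.user] = ev.time
    return alerts

def shared_account_logins(events):
    """'Logins to known shared Accounts': any successful logon by an account
    on the shared/generic account list."""
    return [(ev.user, ev.host, ev.time) for ev in events
            if ev.event_id == 4624 and ev.user in SHARED_ACCOUNTS]

def sample_events():
    """Constructed sample log; not real data."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return [
        Event(t0, "alice", "WS01", 4624),
        Event(t0 + timedelta(days=1), "svc_backup", "SRV01", 4624),
        Event(t0 + timedelta(days=2), "alice", "WS01", 4625),    # failed logon, ignored
        Event(t0 + timedelta(days=120), "alice", "WS07", 4624),  # 119 days idle -> alert
        Event(t0 + timedelta(days=121), "bob", "WS02", 4624),    # first seen, no alert
    ]

if __name__ == "__main__":
    evs = sample_events()
    print("dormant:", dormant_account_activity(evs))
    print("shared:", shared_account_logins(evs))
```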
rbhuta1

Re: ArcSight Rules Suggestions?

Yes please give me a call and I will show you how to set those Reports and Rules up.

balahasan.v1

Re: ArcSight Rules Suggestions?

Hi Abe,

Check this for Windows-related stuff, for defining your content: Audit Policy

For the internal ArcSight resource-related ACLs, refer to the Audit Events on Resources section in the ESM Console user guide, pg. 757.

aanwari

Re: ArcSight Rules Suggestions?

I didn't get a number to call.

mcwieka1

Re: ArcSight Rules Suggestions?

Not sure if this will help, but the NSA released a PDF on essentially what are Windows Event Log Use Cases: http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

Ahedge

Re: ArcSight Rules Suggestions?

The ArcSight manual for is very helpful. You need to download the software and install on your Express / ESM system to get all of the content.
