
Threat Mapping/Geolocation

Hi All,

Pardon me for bothering you. I am looking at using our current ArcSight ESM Express set-up without having to procure an additional application to achieve the set-up attached above, but it looks like steps are missing from some of the ArcSight documentation I have researched, or the one suggested by the HP ArcSight support team (ESM Console User's Guide, ArcSight Express v3.0 Featuring ESM with CORR Engine Storage).

The plan is to achieve these:

  • Attack pattern/Geo-location – similar to attached above

        - Allowing access to Google Maps for interpreting the attacker IP address, malware location, etc.

  • Asset view/Network discovery – similar to above

I would be glad if someone could help from their wealth of experiences or point me to appropriate documentation(s) or videos.

Many thanks

Matt


Re: Threat Mapping/Geolocation

ESM ArcSight has built-in geo-location. Whenever it receives an event with populated IP address fields (like sourceAddress, deviceAddress, destinationAddress), it generates geo information and fills appropriate fields like sourceCountryName, etc.

For network mapping, the ESM has pretty complex network asset modeling. It is explained in the ArcSight Administration course. Asset network modeling includes:

  • assets (hosts)
  • network zones
  • networks
  • categories
  • locations
  • vulnerabilities

Also, it is able to take into account multiple private network zones within a large organization, for example if you have two identical networks 10.0.0.0/8 in different countries.

But if you are looking for network map visualization... well, it is very limited, though ESM allows you to put some background images on dashboards.

Regards,
Alex.


Re: Threat Mapping/Geolocation

Hi Alex,

Thanks for your reply. It is quite educative.

Do you mind pointing me to the ESM Admin or User Guide that explains, most importantly, how to generate the threat geolocation map I attached above, or pointing me to a resource where I could find what I need to do to achieve it?

Many thanks

Matt


Re: Threat Mapping/Geolocation

Hi Matt,

I hope you have a threat feed from external sources. Since your threat feeds are populating an active list and your incoming events have geolocation info based on the IP addresses, all you need is to create content to get the matching incoming events communicating to the threat IPs existing in the active list and plot it in the dashboard (Google Earth).

Please refer to the content below on how to set it up.

https://protect724.hp.com/message/41980#41980

https://protect724.hp.com/message/9454#9454

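The matching Balahasan describes (incoming events checked against the threat-feed active list, geo fields derived from the address, hits plotted on the map) as an added Python sketch; this is illustrative code written for this thread, not ArcSight's own content, and the active list, the geo table, the sample events and the KML output are constructed assumptions.

```python
import ipaddress

# Constructed threat-feed active list (indicator IP -> feed name); sample values only.
THREAT_ACTIVE_LIST = {"203.0.113.7": "sample-feed-A", "198.51.100.23": "sample-feed-B"}
# RFC 1918 space: no public geo; ESM's network-zone model is what disambiguates it.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for the GeoIP data ESM uses to fill sourceCountryName etc.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("Exampleland", 10.0, 20.0)),
    (ipaddress.ip_network("198.51.100.0/24"), ("Sampleria", -5.0, 30.0)),
]

def geo_lookup(ip):
    """Return (country, lat, lon) for a public IP, or None for private/unknown space."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return None
    for net, info in GEO_TABLE:
        if addr in net:
            return info
    return None

def match_threat_events(events):
    """Plot points for events whose source or destination IP is on the active list."""
    points = []
    for ev in events:
        for field in ("sourceAddress", "destinationAddress"):
            ip = ev.get(field)
            feed = THREAT_ACTIVE_LIST.get(ip)
            geo = geo_lookup(ip) if feed else None
            if geo is None:
                continue  # not a threat hit, or no plottable location
            country, lat, lon = geo
            points.append({"event": ev["name"], "field": field, "ip": ip, "feed": feed,
                           "country": country, "lat": lat, "lon": lon})
    return points

def to_kml(points):
    """Render plot points as a minimal KML document (the format Google Earth loads)."""
    marks = "".join(
        f"<Placemark><name>{p['event']} {p['ip']} ({p['feed']})</name>"
        f"<Point><coordinates>{p['lon']},{p['lat']},0</coordinates></Point></Placemark>"
        for p in points)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>' + marks + "</Document></kml>")

SAMPLE_EVENTS = [  # constructed events using ESM-style address field names
    {"name": "Firewall deny", "sourceAddress": "203.0.113.7", "destinationAddress": "10.1.2.3"},
    {"name": "Proxy allow", "sourceAddress": "10.4.5.6", "destinationAddress": "198.51.100.23"},
    {"name": "Proxy allow", "sourceAddress": "10.4.5.6", "destinationAddress": "192.0.2.9"},
]
```

Only the two events that touch an active-list indicator produce placemarks; the private-side addresses never get a location, which is why Alex's zone model matters for internal views.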

Re: Threat Mapping/Geolocation

Hi Balahasan,

I am implementing the steps explained by Steven on a locked-down ArcSight appliance. Do I need to open it for an internet connection, most especially to the Google site?

And if it is required, should it be limited to GET requests?

I would also need additional information about creating the web server. ArcSight appliances are locked down to some services. Do you advise I should install the Apache web server?

I would appreciate it if you could get back to me ASAP.

Thanks

Matt


Re: Threat Mapping/Geolocation

Hi Matt,

I haven't worked on it either, since I was trying the same in my lab setup. But you need to connect to Google Maps, I guess, to plot the real-time graph. And what do you mean by "locked down some services"? You won't need any additional web servers to be configured for this requirement as long as the existing servers are running. And so it will be better if you ping the people like Steven and jbur who deployed and worked on this.


Re: Threat Mapping/Geolocation

Thanks Balahasan. I will get I am already in contact with Steven.


Re: Threat Mapping/Geolocation

Hi Alex

I have a similar question about how we can check whether I am getting the updated geo-location and public address spaces from HP ArcSight.

Can you explain how I can check whether my ArcSight is getting the updates from HP with the updated geo-locations and IPs?

Thanks in Advance

NSN