Revenue Recognition Approval (Do NOT remove this slide)

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1

Products mentioned in presentation: ESM
Version #: 6.5
Date first shipped: Last year
Discussing future? NO
Pre-announcement? (If yes, who is approver?)

In order for your presentation to be shown at Protect, this form must be filled out and each deck must be approved by the Rev Rec Team. Presentation will be given by _X_HP speaker __HP customer __HP partner Other_____________ (check all that apply)



Use cases to content

Ray Cotten, Principal Consultant APJ


The two use cases

• Internet banking use case
• Report has data use case


Foundation


Requirements

Turn requirements gathering into use case building
• Who
• What
• When
• Where
• Why
• How


Threshold exceeded – UC1


The problem?

The client would like to know if anyone is transferring large amounts of money over multiple days. They have an internal internet banking system that limits transactions to $1000 per day. A man-in-the-middle attack or malware on the customer's PC can drain an account a day at a time and go unnoticed if the user does not report a problem. How can we help detect that an account has reached its daily limit 3 days in a row?


WTH?

Flex

If the application logs in CEF, no FlexConnector is needed. This customer was able to change their application's logging to emit CEF directly.

CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=192.168.1.1 suser=fflinstone deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5568 act=Fail end=MAR 14 2014 11:40:22.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia dproc=Ray Cotton cn1=2500000 cn1Label=Amount in AUD

CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=brubble deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5569 act=Success end=MAR 14 2014 11:41:00.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Tokyo, Japan dproc=Ray Cotton cn1=2500000 cn1Label=Amount in YEN

CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=218.77.79.34 suser=trex deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5569 act=Fail end=MAR 14 2014 11:42:22.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Mumbai, India dproc=Ray Cotton cn1=2500000 cn1Label=Amount in INR
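The deck shows the two ESM rules and the active list only as screenshots. As an added example (not content from the original deck or from ArcSight), the following Python reproduces the same detection logic outside ESM: parse CEF lines, roll successful transfers up per account and day (what the lightweight rule feeds into the active list), and flag any account that reached the daily cap three days running (what the verification rule checks). The sample events are constructed, modelled on the slide's lines, and the field choices (suid as the source account, cn1 as the amount, all amounts in one currency, Transfer Failed events ignored) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 1000       # the bank's per-account daily transfer cap from the use case
CONSECUTIVE_DAYS = 3     # alert when the cap is reached this many days in a row

# Constructed sample events modelled on the slide's CEF lines (not real customer data).
# Assumption: suid is the source account and cn1 is the amount, all in one currency.
SAMPLE_CEF = [
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=192.168.1.1 suser=fflinstone act=Success end=MAR 12 2014 09:10:00.000 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia cn1=600 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=192.168.1.1 suser=fflinstone act=Success end=MAR 12 2014 17:45:10.000 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia cn1=400 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=brubble act=Success end=MAR 12 2014 10:00:00.000 deviceProcessName=XFerAddRq2 suid=123457899 duid=251103142 sproc=Tokyo, Japan cn1=1000 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=192.168.1.1 suser=fflinstone act=Success end=MAR 13 2014 08:05:00.000 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia cn1=1000 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=brubble act=Success end=MAR 13 2014 10:00:00.000 deviceProcessName=XFerAddRq2 suid=123457899 duid=251103142 sproc=Tokyo, Japan cn1=900 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=218.77.79.34 suser=trex act=Fail end=MAR 13 2014 11:42:22.111 deviceProcessName=XFerAddRq2 suid=300000001 duid=123457899 sproc=Mumbai, India cn1=1000 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=192.168.1.1 suser=fflinstone act=Success end=MAR 14 2014 11:41:00.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia cn1=1000 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=192.168.1.1 suser=fflinstone act=Fail end=MAR 14 2014 11:40:22.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia cn1=2500 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=brubble act=Success end=MAR 14 2014 10:00:00.000 deviceProcessName=XFerAddRq2 suid=123457899 duid=251103142 sproc=Tokyo, Japan cn1=1000 cn1Label=Amount in AUD",
    "CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=trex act=Success end=MAR 14 2014 12:00:00.000 deviceProcessName=XFerAddRq2 suid=300000001 duid=123457899 sproc=Mumbai, India cn1=200 cn1Label=Amount in AUD",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(line):
    """Split one CEF record into its 7 header fields plus the key=value extension."""
    # A pipe escaped as \| inside a header field is not a separator.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    ev = dict(zip(HEADER_FIELDS, parts[:7]))
    ev["cef_version"] = ev["cef_version"][len("CEF:"):]
    # Extension values may contain spaces ("sproc=Melbourne, Australia"), so a value
    # runs until the next " key=" token or the end of the line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ev[m.group(1)] = m.group(2).strip()
    return ev


def daily_totals(events):
    """Rule #1 analogue: roll successful transfers up to (account, day) totals,
    the entry the lightweight rule would keep in the active list."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("act") != "Success":      # a failed transfer moved no money
            continue
        day = datetime.strptime(ev["end"], "%b %d %Y %H:%M:%S.%f").date()
        totals[(ev["suid"], day)] += int(ev["cn1"])
    return totals


def limit_days(totals, limit=DAILY_LIMIT):
    """The (account, day) pairs on which the daily cap was reached."""
    return {key for key, amount in totals.items() if amount >= limit}


def consecutive_limit_accounts(hit_days, days=CONSECUTIVE_DAYS):
    """Rule #2 analogue: accounts that reached the cap on `days` consecutive days.
    Returns {account: ISO date of the day that completed the run}."""
    by_account = defaultdict(set)
    for account, day in hit_days:
        by_account[account].add(day)
    flagged = {}
    for account, hit in by_account.items():
        for day in sorted(hit):
            # Every one of the preceding `days` calendar days must also be a hit day;
            # a gap (as for brubble on Mar 13 in the sample) resets the run.
            if all(day - timedelta(days=n) in hit for n in range(days)):
                flagged[account] = day.isoformat()
                break
    return flagged


def detect(lines):
    """Run the whole pipeline over raw CEF lines."""
    events = [parse_cef(line) for line in lines]
    return consecutive_limit_accounts(limit_days(daily_totals(events)))


if __name__ == "__main__":
    for account, day in sorted(detect(SAMPLE_CEF).items()):
        print("account %s reached the daily limit %d days running, ending %s"
              % (account, CONSECUTIVE_DAYS, day))
```

On the sample data only account 251103142 is flagged (cap reached on Mar 12 by two smaller transfers, then Mar 13 and Mar 14); account 123457899 reaches the cap on Mar 12 and Mar 14 but not Mar 13, so its run is broken, and the failed transfers never count. In ESM the same split applies: the lightweight rule should do nothing more than aggregate into the active list, and the heavier consecutive-day check runs only when an entry reaches the cap.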


Definitions

Flex


Add to List

Rule #1 – Lightweight


Conditions

Rule #2 – Verification


Actions

Rule #2 – Verification


Active List – The data


Query – Queryviewer


Query – Report


Queryviewer


Report


Report


Active Channel


Dashboard


Report has data – UC2


Got data?

The client would like a .csv or .pdf report sent to a specific email group or list of addresses. The report should only be sent if it contains data. It will be scheduled hourly for any EMC Audit events found, as these require investigation.


Woof

Install the "mutt" package from the Red Hat DVD. It is needed for its ability to encode a binary attachment and send it through email.
• yum install mutt
• Accept the defaults for all dependencies ("y")

Configure Mutt
• vi /home/arcsight/.muttrc
– Add the following:
• set smtp_url="smtp://192.168.1.113:25"
• set from="arcsight@bedrock.com"
• set realname="ArcSight ESM"


Symbolic

(Complete "The archives" slide before performing this step.) Create a "shortcut" to the ArcSight reports directory. This has the advantage of removing the spaces from the path the script has to handle. The source path contains a space, so it must be quoted:

ln -s "/opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/Bedrock/EMC" /opt/arcsight/externalcommands/EMC_REPORTS


Unix and config

Do not use spaces in your path, directory or filename choices. Create a directory for external commands:
• mkdir /opt/arcsight/externalcommands
• Copy reporthasdata.sh to the directory

Modify the following parameters in the script:
• LOG_FILE=/opt/arcsight/externalcommands/reporthasdata.log
• EMAIL="fred.flinstone@bedrock.com barney.rubble@bedrock.com"
• MESSAGE="This is a Test Message, anything you want."
• SUBJECT="This is Events from Last Hour"
• FILEPATH=/opt/arcsight/externalcommands/EMC_REPORTS/
• MINSIZE=94 (the size, in kB, of a blank PDF file; it depends on the report template)
• MAXLINES=2 (the number of lines a CSV must have to count as containing data; line 1 is the header)

Uncomment the appropriate 'if' statement for either .CSV or .PDF; see the comments in the .sh script:
• if [ "$FILELINES" -ge "$MAXLINES" ]; then ##For CSV
• #if [ "$FILESIZEKB" -gt "$MINSIZE" ]; then ##For PDF

Save the file and make it executable:
• chmod a+x reporthasdata.sh

Make sure the file is owned by the arcsight user and group (chown/chgrp), since the Manager runs the rule's external command as that user.


The archives

Create a path in ArcSight for your files to be saved in:
• Archived Reports -> Shared -> All Archived Reports -> Bedrock -> EMC
• Run a test report and have it written to this directory. This creates the structure on the Unix filesystem.


The report

Create your report as normal. The report name must not include any spaces; use underscores, dashes, etc. You can change the title of the report in the template if you wish. Schedule the report, making sure to set the following job parameters:
• Archive Report Folder
• Archive Report Name


The rule

When your report runs, it creates an internal ArcSight audit event. A rule can be written to match that event and run reporthasdata.sh as an external command, passing the report name. This rule looks for the report being written to the archive directory created above.


Aggregation


Be careful of quotes and case sensitivity

Action


The script

#!/bin/bash
#---------------------------------
# reporthasdata.sh
#
# Description: Report not empty, so send email with attachment.
# This script looks at a CSV or PDF file and determines whether
# the report has more than just the header line in it.
# If it does, it emails the report to the specified users.
#
# Requires: RPM package "mutt".
# Mutt is on the Red Hat DVD or in the Red Hat repository: 'yum install mutt'
#
# Configure Mutt to use the SMTP server:
# vi /home/arcsight/.muttrc and add the following lines:
#   set smtp_url="smtp://192.168.1.113:25"
#   set from="arcsight@bedrock.com"
#   set realname="ArcSight ESM"
#
# Ray Cotten - ArcSight/HP PS
# Date - July 23 2014
#---------------------------------

#LOGGING
# Make a directory on the manager to place your script in. Change the path below to match.
# These two lines can be commented out. They are for troubleshooting.
#LOG_FILE=/opt/arcsight/externalcommands/reporthasdata.log
#exec >> "$LOG_FILE" 2>&1

#Email addresses: multiple addresses separated with " " (space) between them.
EMAIL="fred.flinstone@bedrock.com barney.rubble@bedrock.com"

#Message body. This is the text of the message.
MESSAGE="This is a Test Message."

#Subject line of the email message.
SUBJECT="EMC Audit Events from Last Hour"

#Full file path to the report.
# Create "Bedrock/EMC" in ESM Archives via the Console.
#
#Create a symbolic link to the reports directory.
# This gets rid of the spaces in the path that cause issues in scripts:
# ln -s "/opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/Bedrock/EMC" /opt/arcsight/externalcommands/EMC_REPORTS
FILEPATH=/opt/arcsight/externalcommands/EMC_REPORTS/

#Customer blank PDF file is 94 kB. This can differ between reports based on the template used.
# stat reports bytes, so the size is converted to kB before comparing.
MINSIZE=94
#Number of lines a CSV report must have to match, usually 2. Line 1 is the header.
MAXLINES=2
#Seconds to wait for the archived file before giving up, so a mismatched name
# does not leave a script looping forever every time the rule fires.
TIMEOUT=300
##
##
### No modification of variables should be needed below this line ###
## Unless you change from CSV to PDF; then edit the if statement ##

#Command line input from the ArcSight rule is the "Report Name".
# The argument passed by ArcSight is $fileName.
# Make report names in ESM one word: don't use spaces, use underscores, dashes, etc.
# ${1//:/-} replaces all ":" with "-" for the filename.
# The above is important if time is part of the report name.
FILENAME=${1//:/-}

# The name comes from a rule action, so refuse anything that could point outside
# the archive directory ("/" or "..") rather than attach an arbitrary file.
case "$FILENAME" in
  ""|*/*|*..*)
    echo "Refusing report name: '$FILENAME'"
    exit 1
    ;;
esac

#Full file path and filename in one variable.
FILELOCATION=$FILEPATH$FILENAME

#Wait for the file to appear on disk. It should be there already.
# If this loops, then the filename is not matching, etc.
WAITED=0
while [ ! -f "$FILELOCATION" ]
do
  if [ "$WAITED" -ge "$TIMEOUT" ]; then
    echo "Gave up after ${TIMEOUT}s: $FILELOCATION never appeared"
    exit 1
  fi
  sleep 2
  WAITED=$((WAITED + 2))
  echo "Waiting...Looking for $FILELOCATION"
done

#Gets the file size in bytes from the PDF file on disk, then converts to kB.
FILESIZE=$(/usr/bin/stat -c%s "$FILELOCATION")
FILESIZEKB=$((FILESIZE / 1024))

#Gets the number of lines from a CSV file on disk.
FILELINES=$(/usr/bin/wc -l < "$FILELOCATION")

##These echo's are for troubleshooting and logging.
##Can be commented out if not troubleshooting.
echo "Date = $(date)"
echo "Actual Size = $FILESIZE bytes ($FILESIZEKB kB)"
echo "Actual Lines = $FILELINES"
echo "File Location = $FILELOCATION"
echo "File Name = $FILENAME"
echo "File Path = $FILEPATH"
echo "Min Size in kB = $MINSIZE"
echo "Max Lines = $MAXLINES"

#CSV: FILELINES greater than or equal to MAXLINES. PDF: FILESIZEKB greater than MINSIZE,
# since a blank PDF is exactly MINSIZE and must not match.
#Change this based on whether you are measuring a .csv or .pdf
if [ "$FILELINES" -ge "$MAXLINES" ]; then   ##For CSV
#if [ "$FILESIZEKB" -gt "$MINSIZE" ]; then  ##For PDF
  #This sends the message. You could print both a CSV and PDF,
  # evaluate the .csv for lines >= 2 and then email the PDF,
  # or attach both the CSV and PDF to the email. 'man mutt' for details.
  # EMAIL is deliberately left unquoted so each address becomes a separate recipient.
  echo "$MESSAGE" | /usr/bin/mutt -s "$SUBJECT" -a "$FILELOCATION" -- $EMAIL
  echo "Status = Email sent"
  echo " "
else
  echo "Status = No Email sent"
  echo " "
fi

Please give me your feedback

Session TB3009, Speaker Ray Cotten

Use the mobile app:
1. Click on Sessions
2. Click on this session
3. Click on Rate Session

Or use the hard copy surveys.

Thank you for providing your feedback, which helps us enhance content for future events.


Thank you
