Do NOT remove Revenue Recognition Approval

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1

Products mentioned in presentation

Version #

Date first shipped

Discussing future?

Pre-announcement?

ESM 6.5 Last year NO If yes, who is approver?

In order for your presentation to be shown at Protect, this form must be filled out and each deck must be approved by the Rev Rec Team. Presentation will be given by _X_HP speaker __HP customer __HP partner Other_____________ (check all that apply)

Revenue Recognition Approval Do NOT remove this slide

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Use cases to content Ray Cotten, Principal Consultant APJ


The two use cases

Internet banking use case Report has data use case


Foundation


Requirements

Turn requirements gathering into use case building • Who • What • When • Where • Why • How


Threshold exceeded – UC1


The problem?

Client would like to know if anyone is transferring large amounts of $$$$ over multiple days. They have a internal internet banking system that limits transactions to $1000 daily. Many MITM or malware on the customers PC can go unnoticed if the user doesn’t report a problem. How can we help detect if an account has reached its daily $$ limit 3 days in a row?


WTH?

Flex

Use CEF, then no flexes are needed. Customer was able to change their logging.

CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=192.168.1.1 suser=fflinstone deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5568 act=Fail end=MAR 14 2014 11:40:22.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Melbourne, Australia dproc=Ray Cotton cn1=2500000 cn1Label=Amount in AUD CEF:0|CustomerName|IBank|1.0|200|Transfer Success|Low|src=218.77.79.34 suser=brubble deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5569 act=Success end=MAR 14 2014 11:41:00.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Tokyo, Japan dproc=Ray Cotton cn1=2500000 cn1Label=Amount in YEN CEF:0|CustomerName|IBank|1.0|201|Transfer Failed|Medium|src=218.77.79.34 suser=trex deviceExternalId=F21CE0E1-82AC-5D77-E044-0021281A5569 act=Fail end=MAR 14 2014 11:42:22.111 deviceProcessName=XFerAddRq2 suid=251103142 duid=123457899 sproc=Mumbai, India dproc=Ray Cotton cn1=2500000 cn1Label=Amount in INR


Definitions

Flex


Add to List

Rule #1 – Lightweight


Conditions

Rule #2 – Verification


Actions

Rule #2 – Verification


Active List – The data


Query – Queryviewer


Query – Report


Queryviewer


Report


Report


Active Channel


Dashboard


Report has data – UC2


Got data?

Client would like a .csv or .pdf report that is sent to a specific email group or list of emails. This report should only be sent if there is data in the report. The report will be scheduled hourly for any EMC Audit events that are found, as these require investigation.


Woof

Install the “Mutt” package from RedHat DVD. This is necessary for its ability to encode binary files to send through email. • “yum install Mutt” • Accept the defaults for all dependencies “y”

Configure Mutt • vi “/home/arcsight/.muttrc”

– Add the following: • set smtp_url="smtp://192.168.1.113:25" • set from="[email protected]" • set realname="ArcSight ESM"


Symbolic

(Complete “The Archives” slide, before performing this step) Create a “shortcut” to the ArcSight reports directory. This has the advantage of removing “ ” (spaces) from the path. ln -s /opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/Bedrock/EMC/opt/arcsight/externalcommands/EMC_REPORTS


Unix and config Do not use spaces in your path, directory or filename choices. Create directory for external commands • mkdir /opt/arcsight/externalcommands • Copy reporthasdata.sh to directory

Modify the following parameters in the script • LOG_FILE=/opt/arcsight/externalcommands/reporthasdata.log • EMAIL=“[email protected] [email protected]” • MESSAGE="This is a Test Message, anything you want." • SUBJECT="This is Events from Last Hour" • FILEPATH=/opt/arcsight/externalcommands/EMC_REPORTS/ • MINSIZE=94 (This is the value, in kb, of a blank PDF file) • MAXLINES=2 (This how many line should be in a CSV file)

Uncomment appropriate ‘if’ statement for either .CSV or .PDF see comments in the .sh script • if [ $FILELINES -ge $MAXLINES ]; then ##For CSV • #if [ $FILESIZE -ge $MINSIZE ]; then ##For PDF

Save the file • chmod a+x reporthasnodata.sh

Make sure the file is chown and chgrp to arcsight


The archives

Create a path in ArcSight for your files to be saved in: • Archived Reports->Shared->All Archived Reports-

>Bedrock->EMC

• Run a test report and have it written to this directory. This creates the structure in Unix


The report

Create your report as normal. Your report name should not include any spaces. Use underscore, dashes, etc.… You can change the title of your report in the template if you wish. Schedule your report making sure to modify the following in the job parameters: • Archive Report Folder • Archive Report Name


The rule

When your report runs, it creates an internal ArcSight event. A rule can be written to look for this event and then run the reporthasdata.sh script. This rule looks for the report being written to the Archive directory that was created above.


Aggregation


Be careful of quotes and case sensitivity

Action


The script #!/bin/bash

#--------------------------------- # reporthasdata.sh #

# Description: Report not Empty so send Email with attachment # This script looks at CSV or PDF files and determines if # the report has more then just the header line in it.

# If it does it emails the report to the specified users. # # Requires: RPM pacakge "Mutt".

# Mutt is on Redhat DVD or through redhat repository # 'yum install mutt' #

# Configure Mutt to use SMTP server # vi /home/arcsight/.muttrc add the following lines: # set smtp_url="smtp://192.168.1.113:25"

# set from="[email protected]." # set realname="ArcSight ESM"


# # Ray Cotten - Arcsight/HP PS

# Date - July 23 2014 # #---------------------------------

#LOGGING # Make directory on manager to place your script in. Change the path below to match

# These two lines can be commented out. They are for troubleshooting #LOG_FILE=/opt/arcsight/externalcommands/reporthasdata.log #exec >> $LOG_FILE 2>&1

#Email address: Multiple addresses seperated with " " (space) between them. EMAIL=”[email protected] [email protected]"

#Message body. This is the text of the message MESSAGE="This is a Test Message."

#Subject line of email message SUBJECT="EMC Audit Events from Last Hour"


#Full file path to report # Create ”Bedrock/EMC" in ESM Archives via Console

# #Create symbolic link to reports directory # This gets rid of spaces that cause issues in scripts

# ln -s /opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/Bedrock/EMC /opt/arcsight/externalcommands/EMC_REPORTS FILEPATH=/opt/arcsight/externalcommands/EMC_REPORTS/

#Customer blank PDF file is 94kb. This can be different between reports based on template used. MINSIZE=94 #Max number of lines in CSV report to match on, usually 2. Line 1 is Header.

MAXLINES=2 ## ##

###No Modification of variables should be needed below this line ### ## Unless you change from CSV to PDF then is if statement ##


#Command line input from ArcSight rules is the "Report Name" # The argument passed by ArcSight is $fileName

# Make report names in ESM one word # Don't use spaces, use underscore, dashes etc.. # ${1//:/-}Replaces all ":" with "-" for filename.

# The above is important if time is part of reportname FILENAME=${1//:/-}

#Full File path and Filename in one variable FILELOCATION=$FILEPATH$FILENAME

#Wait for file to appear on disk. It should be there already # If loops, then filename not matching etc.. while [ ! -f $FILELOCATION ]

do sleep 2 echo "Waiting...Looking for $FILELOCATION"

done


#Gets the filesize from the PDF file on disk FILESIZE=$(/usr/bin/stat -c%s $FILELOCATION)

#Gets the number of lines from a CSV file on disk FILELINES=$(/usr/bin/wc -l < $FILELOCATION)

##These echo's are for troubleshooting and logging ##Can be commented out if not troubleshooting echo "Date = $(date)"

echo "Actual Size = $FILESIZE" echo "Actual Lines = $FILELINES" echo "File Location = $FILELOCATION"

echo "File Name = $FILENAME" echo "File Path = $FILEPATH" echo "Min Size in Kb = $MINSIZE"

echo "Max Lines = $MAXLINES" #FILESIZE or FILELINES greater or equal to MAX/MIN values

#Change this based on if you are measuring a .csv or .pdf if [ $FILELINES -ge $MAXLINES ]; then ##For CSV #if [ $FILESIZE -ge $MINSIZE ]; then ##For PDF


#This sends the message. You could print both a CSV and PDF, # Evaluate the .csv for size >=2 and then email the PDF

# or attach both copies of CSV and PDF to email. 'man mutt' for details echo $MESSAGE|/usr/bin/mutt -s "$SUBJECT" -a $FILELOCATION -- $EMAIL echo "Status = Email sent"

echo " " else echo "Status = No Email sent"

echo " " fi


Use the mobile app 1. Click on Sessions 2. Click on this session 3. Click on Rate Session

Or use the hard copy surveys

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3009 Speaker Ray Cotten

Please give me your feedback


Thank you

Documents

Do NOT remove Revenue Recognition Approval