Resources Needed: Active Channel, Active List, Rule, Notification.

There used to be an example of this in the default content of ESM. Hopefully, it is still there.

Example Use Case (from reader): Observe an external computer scanning and set its priority to 1. Observe a priority 1 computer attempt an exploit and set its priority to 2. Observe a successful exploit or C2 traffic from the target, ring a siren and blink a red light.

Basic solution:

1. Create an Active List (AL) called "Suspicious External Hosts" that keeps track of at least Source IP and Source Zone URI. Set the TTL on the AL to something reasonable for your organization. Could be one hour; could be 30 days.
2. Create a rule with your definition of "scanning" with an Action of "Add to Active List". Put the source IP in the "Suspicious External Hosts" AL. Make part of the rule condition NOT in AL to prevent repeat firing of the rule.
3. Create an Active List called "Malicious External Hosts" just like Suspicious External Hosts in Step 1.
4. Create an Active List called "Targeted Internal Hosts" just like Suspicious External Hosts in Step 1.
5. Create a Rule looking for attempted exploit or attempted unauthorized access. Include a condition that the Source IP of this event be in the Suspicious AL. Add an Action of "Add to Active List". Put the source IP in the "Malicious External Hosts" AL.
6. Put a second Action of "Add to Active List". Add the Destination IP into the "Targeted Internal Hosts" AL.
7. Create a rule looking for C2 traffic with a condition that the source IP be in the "Targeted Internal Hosts" AL. Add an Action of Notification which will send you an email when the rule fires.
8. Same as Step 7 except looking for successful exploit instead of C2 traffic for the condition.
9. Create one or more active channels that use the Name field and look for the names of the Rules created above. Your analysts can either watch this channel to be proactive or wait for the notifications to come in.
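As an added illustration (not code from the original post or from ArcSight), here is a small Python model of the steps above: constructed sample events are replayed through the three Active Lists with a TTL, the NOT-in-AL guard of Step 2, and an extra "throttle" Active List for Steps 7 and 8 of the kind the Closing Tips describe. Event names, IP addresses and TTL values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ActiveList:
    """Models an ESM Active List: an entry lives for ttl seconds after insertion."""
    ttl: float
    entries: dict = field(default_factory=dict)  # key -> expiry timestamp

    def add(self, key, now):
        self.entries[key] = now + self.ttl

    def has(self, key, now):
        exp = self.entries.get(key)
        return exp is not None and now < exp

def run_correlation(events, ttl=3600, throttle_ttl=900):
    """Replays the use case over event dicts (time, name, src, dst).
    Returns a list of (time, rule_name, host) for every rule firing."""
    suspicious = ActiveList(ttl)          # Step 1
    malicious = ActiveList(ttl)           # Step 3 (populated, not read further)
    targeted = ActiveList(ttl)            # Step 4
    notified = ActiveList(throttle_ttl)   # throttling AL (assumed TTL)
    fired = []
    for ev in events:
        t, name, src, dst = ev["time"], ev["name"], ev["src"], ev["dst"]
        # Step 2: scanning -> Suspicious AL; the NOT-in-AL check stops repeat firing
        if name == "Port Scan" and not suspicious.has(src, t):
            suspicious.add(src, t)
            fired.append((t, "Scan Detected", src))
        # Steps 5-6: attempted exploit from a host already in the Suspicious AL
        elif name == "Attempted Exploit" and suspicious.has(src, t):
            malicious.add(src, t)
            targeted.add(dst, t)
            fired.append((t, "Exploit Attempt from Suspicious Host", src))
        # Steps 7-8: C2 or successful exploit from a Targeted host, throttled
        elif name in ("C2 Beacon", "Successful Exploit") and targeted.has(src, t):
            if not notified.has(src, t):
                notified.add(src, t)
                fired.append((t, "Compromised Internal Host", src))
    return fired

EVENTS = [  # constructed sample events; time in seconds
    {"time": 0, "name": "Port Scan", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"time": 60, "name": "Port Scan", "src": "203.0.113.7", "dst": "10.0.0.6"},      # no re-fire
    {"time": 120, "name": "Attempted Exploit", "src": "198.51.100.9", "dst": "10.0.0.5"},  # never scanned
    {"time": 300, "name": "Attempted Exploit", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"time": 400, "name": "C2 Beacon", "src": "10.0.0.5", "dst": "203.0.113.7"},
    {"time": 500, "name": "C2 Beacon", "src": "10.0.0.5", "dst": "203.0.113.7"},   # throttled
    {"time": 4000, "name": "Port Scan", "src": "203.0.113.7", "dst": "10.0.0.8"},  # TTL expired
]
```

Running `run_correlation(EVENTS)` fires four times: the scan, the attempt, one throttled compromise alert, and the scan again once the one-hour TTL has expired.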
Really depends on their workload.

Closing Tips

I would personally add another Active List and AL condition for Steps 7 and 8 to do what I call "throttling" to prevent the rule from firing excessively. I'll write about throttling rules later if anyone is interested. Essentially, it uses the SIEM's intelligence to prevent the "Boy Cried Wolf" syndrome, which is the reason for so many ignored email alerts in IT.

Make sure every field you use in the Condition tab is added to the Aggregation tab in the Rule. Otherwise, the Rule will never fire.
Wish I had a dollar for every time I made that mistake.

Using the default 'Backup Files' repository to back up my container only contains the agent.properties file and the agent.wrapper.conf file.

Connector Appliance in a nutshell is a self-contained, hardened appliance with:

1. Connector Software: SmartConnectors are pre-installed and are constantly running in their own 'Container'. Even without any configured connectors, they continue to run in their own Java memory space.
2. Connector Management functionality (web process): A GUI that allows SmartConnectors to be locally and remotely managed, including configuration and monitoring of the processes.

Capabilities:
- Centralized management and full control of local, remote and software connectors.
- Wizard-based interface designed to automate common management tasks.

There are three main types of appliance models: C1x00, C3x00, and C5x00. For more information, refer to the Connector Appliance Release Notes (for platform changes and updates) and the.

Sometimes you need to completely reconfigure a Connector Appliance using an Appliance Backup.
This can occur if you had to RMA your Connector Appliance and want to restore the entire configuration from your backup to this new Connector Appliance.

Important Notes: For a successful restore, the following conditions must be met:

1. The backup file must be taken from a Connector Appliance which has the same number of onboard containers as the Connector Appliance to which you are restoring. Examples: A C1000 has only 1 container, while a C5200 has 8 containers, thus a backup from a C1000 to a C5200 will fail. However, a C5000 appliance and a C5200 both have 8 containers, thus the backup will succeed.
2. The Connector Appliance versions must be the same on both source and destination Connector Appliances.
3. The hostname must be the same on both source and destination Connector Appliances.

Resolution:

1. Create an Appliance Backup, as follows:
   a. Go to Setup > Backup/Restore in the UI.
   b. Click on Appliance Backup.
   c. Enter the parameters and click Save.
   d. The backup file created is named configs.tar.gz.
2. Ensure that the hostname on the Connector Appliance you are restoring to is the same as the hostname from the Connector Appliance where the backup was created.
   Note: If you still have access to the Connector Appliance where the backup was created, check the file /etc/sysconfig/network and compare the value for hostname (see example below) to that found in the same file on the Connector Appliance you are restoring to.
   Example: HOSTNAME=
3. Restore the Appliance Backup, as follows:
   a. Go to Setup > Backup/Restore in the UI.
   b. Click on Appliance Restore.
   c. Click Browse and navigate to the location where you have stored the configs.tar.gz file.
   d. Click Upload.
4. If, after restoring from the backup, the Web GUI is not available, modify /etc/sysconfig/network to reflect the correct HOSTNAME value.

This issue can often be caused by a mismatch between the hostname recorded in the 'hosts' file on the appliance and the actual hostname set via the UI. If there is a mismatch, it can cause local hostname lookup errors, which can cause severe delays when accessing certain features of the UI. This mismatch can also cause issues such as failure to generate and upload the Container SSL certificate to the UI after restoring a Container, making it unreachable or un-configurable.

Resolution:

1. View the Setup > System Admin > Network tab. Note the System Hostname string configured.
2. View the Setup > System Admin > Network > Hosts tab. Confirm that the hostname listed in System Hostname, as you observed in Step 1, is listed.
3. If the System Hostname is not listed in the Hosts tab, add an entry for it and click Update File.

When entering suffixes on the Setup > Network > DNS Search Domains page on a Connector Appliance running v6.1, only the first 6 search domains listed are used by the SmartConnectors for DNS resolution. Any additional search domains added beyond the first 6 are not used for resolution by the DNS server.

Workarounds: Depending on how many entries you have, there are a few options to work around this limitation:

1. Place the short names into /etc/hosts on the appliance.
2. Use fully-qualified names.
3. Create a 'virtual' domain to hold all the short names and re-configure DNS servers for that virtual domain to forward accordingly.

Note: For more information on virtual domains and forwarding, refer to the following site.
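A small added pre-flight check (not from the original article or from ArcSight) for the hostname and search-domain conditions above: it reads the HOSTNAME line from /etc/sysconfig/network text, confirms that name appears in /etc/hosts text, and lists any search domains beyond the first 6. The sample file contents are constructed, and the resolv.conf-style `search` line is an assumption about where the UI writes the domains.

```python
import re

def check_hostname(network_cfg, hosts_file):
    """Reads HOSTNAME from /etc/sysconfig/network text and checks that it
    appears as a name in /etc/hosts text. Returns (hostname, listed)."""
    m = re.search(r"^HOSTNAME=(\S+)", network_cfg, re.M)
    hostname = m.group(1) if m else None
    names = set()
    for line in hosts_file.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2:
            names.update(fields[1:])             # every name after the address
    return hostname, hostname in names

def unused_search_domains(resolv_conf, limit=6):
    """Returns the search domains past the first `limit`, i.e. the ones the
    article says SmartConnectors on v6.1 will not use. Assumes a
    resolv.conf-style 'search' line (assumption, not verified on an appliance)."""
    for line in resolv_conf.splitlines():
        fields = line.split()
        if fields and fields[0] == "search":
            return fields[1 + limit:]
    return []

# Constructed sample files (not taken from a real appliance)
NETWORK_CFG = "NETWORKING=yes\nHOSTNAME=conapp01.example.com\n"
HOSTS_OK = "127.0.0.1 localhost\n192.0.2.10 conapp01.example.com conapp01\n"
HOSTS_BAD = "127.0.0.1 localhost\n192.0.2.10 conapp-old.example.com  # stale entry\n"
RESOLV = ("search a.example b.example c.example d.example e.example f.example "
          "g.example h.example\nnameserver 192.0.2.53\n")

if __name__ == "__main__":
    print(check_hostname(NETWORK_CFG, HOSTS_OK), check_hostname(NETWORK_CFG, HOSTS_BAD))
    print("ignored search domains:", unused_search_domains(RESOLV))
```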