Description

The "ArcSight ESM Default Content 4.0" release is a milestone release for the entire ArcSight portfolio.
In this release, the primary focus has been to support "CyberRes Galaxy Threat Acceleration Program (GTAP)" version 2.0. This is done through the "Threat Intelligence Platform" sub-package of the ESM Default Content package.

As described in more detail in the GTAP 2.0 Release Notes, the Threat Intelligence support built into ESM and the Default Content has been significantly improved. The most significant change is the introduction of many additional fields, giving a richer feed with more SOC-ready context.

Accordingly, the Active Lists that hold the real-time IoC information received from the threat intelligence feed, as well as the rules, filters and other resources that use those active lists, have been considerably updated.

Because this is a significant change in how the ESM resources work, deploying ESM Default Content 4.0 requires a couple of extra steps that are specific to this release (see "To upgrade this package from version 3.x" below).

Please read this document in full, and preferably watch the accompanying video, to become acquainted with the process.

Release 3.7 contains 9 new rules in the Security Threat Monitoring package to help protect Windows, AWS Security Hub, and Microsoft Office 365 environments and applications. It also contains 3 new rules and a new dashboard to help you monitor the health of the CyberRes Galaxy Threat Acceleration Program (GTAP) 1.0 Basic and Plus Model Import Connector. This release also contains 14 updated rules with more fields in the aggregation tab.

In release 3.6, 22 new rules were added and 2 rules were updated to support MITRE ATT&CK Cloud Techniques for the AWS Security Hub log source and Microsoft Office/Defender 365.

In release version 3.5, 15 new rules were added to support MITRE ATT&CK Cloud Techniques for Microsoft Azure Services.

In release version 3.4, 11 new rules were added to detect possible APT malware and 0-day attacks. These rules trigger when the base event matches an entry in the Threat Intelligence active lists and that entry's threat level is Medium or High. A new active channel was added for monitoring those rules.

In the release version 3.3, we added 7 rules to cover MITRE Techniques under two new MITRE Tactics - TA0042 Resource Development and TA0043 Reconnaissance.

In the release version 3.2, we added 3 rules to cover more MITRE ATT&CK Techniques/sub-Techniques.

In the release version 3.1, we added 77 rules to cover more MITRE ATT&CK Techniques/sub-Techniques.

In the release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques.

As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed below.

For a more user-friendly way of browsing this list, we recommend visiting https://mitre.microfocus.com/.

We also provide a downloadable JSON formatted file of all Default and Non-Default Content on the above-mentioned webpage.

Threat Intelligence Platform

This package is designed to detect security threats based on a threat intelligence data feed. Its rules are also mapped to the MITRE ATT&CK framework.

This package requires the installation of the Model Import Connector (MIC) for GTAP. For more information on the MIC, please refer to the documentation at https://www.microfocus.com/documentation/arcsight/galaxy-gtap-2.0/gtap-2-0-admin-guide/

The following use cases are covered in this package:

  • An alert triggers if the data feed from the GTAP Connector has not been updated within a specified time frame. The default time frame is two hours.
  • A new dashboard shows the health status of the GTAP Connector.
  • Error messages from the GTAP Connector trigger alerts.
  • APT and 0-day Activity
  • Botnet Activity 
  • Dangerous Browsing 
  • Internal Asset Found in Reputation List 
  • Phishing 
  • Ransomware 
  • Suspicious Activity 
  • Suspicious DNS Query 
  • Suspicious Email 
  • Suspicious File Hash
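The matching these use cases rely on, as an added example that is not part of the package or of ArcSight's code: indicators from the feed are kept in one lookup table per type (standing in for the Suspicious Addresses/Domain/Email/Hash/URL Lists), each base event is matched against them, and an alert fires only when the matched entry's threat level is Medium or High, as the release 3.4 description above states. It also models the two-hour "no update from the connector" health check. The event field names, the threat-level values, the confidence and malware-family fields and all sample data are assumptions constructed for the example.

```python
"""Added example, not ArcSight code: a small model of how the Threat Intelligence
Platform rules work. Indicators live in per-type lookup tables, base events are
matched against them, and an alert is raised only when the matched entry's
threat level is Medium or High. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

THREAT_LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3}
FEED_MAX_AGE = timedelta(hours=2)  # the package's default for the "no update" alert

# Assumed mapping of event fields to indicator types; the real rules use their
# own field sets, this only shows the shape of the lookup.
EVENT_FIELD_TO_TYPE = {
    "sourceAddress": "address",
    "destinationAddress": "address",
    "destinationHostName": "domain",
    "requestUrl": "url",
    "fileHash": "hash",
    "senderAddress": "email",
}


@dataclass(frozen=True)
class TIEntry:
    indicator: str       # IP, domain, email address, file hash or URL
    indicator_type: str  # "address", "domain", "email", "hash" or "url"
    threat_level: str    # "Low", "Medium" or "High"
    confidence: int      # assumed 0-100 feed score, carried as alert context
    malware_family: str  # assumed context field


def normalize(indicator_type: str, value: str) -> str:
    """Canonicalise before comparing, so case or a trailing dot cannot dodge a match."""
    v = value.strip()
    if indicator_type == "domain":
        return v.lower().rstrip(".")
    if indicator_type in ("email", "hash"):
        return v.lower()
    if indicator_type == "url":
        return v.split("#", 1)[0]  # the fragment never reaches the server
    return v


class ThreatIntelLists:
    """One dict per indicator type, keyed by the normalised indicator."""

    def __init__(self, entries: List[TIEntry]):
        self.lists: Dict[str, Dict[str, TIEntry]] = {}
        for e in entries:
            self.lists.setdefault(e.indicator_type, {})[normalize(e.indicator_type, e.indicator)] = e

    def lookup(self, indicator_type: str, value: str) -> Optional[TIEntry]:
        return self.lists.get(indicator_type, {}).get(normalize(indicator_type, value))


def evaluate(event: Dict[str, str], ti: ThreatIntelLists, min_level: str = "Medium") -> List[dict]:
    """Return one alert per event field that hits an entry at or above min_level."""
    alerts = []
    for field, itype in EVENT_FIELD_TO_TYPE.items():
        value = event.get(field)
        if not value:
            continue
        hit = ti.lookup(itype, value)
        if hit is None or THREAT_LEVEL_RANK[hit.threat_level] < THREAT_LEVEL_RANK[min_level]:
            continue  # no match, or a Low entry kept for context only
        alerts.append({"event_id": event["eventId"], "field": field, "indicator": hit.indicator,
                       "threat_level": hit.threat_level, "confidence": hit.confidence,
                       "malware_family": hit.malware_family})
    return alerts


def feed_is_stale(last_update: Optional[datetime], now: datetime,
                  max_age: timedelta = FEED_MAX_AGE) -> bool:
    """Connector-health check: no update ever, or none within max_age."""
    return last_update is None or now - last_update > max_age


# Constructed sample feed and events (documentation IP ranges, .example names).
SAMPLE_TI = [
    TIEntry("203.0.113.45", "address", "High", 90, "family-a"),
    TIEntry("Bad-Domain.example", "domain", "Medium", 70, "family-b"),
    TIEntry("lowrisk.example", "domain", "Low", 20, "unknown"),
    TIEntry("44D88612FEA8A8F36DE82E1278ABB02F", "hash", "High", 95, "test-file"),
]
SAMPLE_EVENTS = [
    {"eventId": "1", "destinationAddress": "203.0.113.45", "destinationHostName": "cdn.example"},
    {"eventId": "2", "destinationHostName": "bad-domain.example."},    # trailing dot, other case
    {"eventId": "3", "destinationHostName": "lowrisk.example"},        # Low: no alert
    {"eventId": "4", "fileHash": "44d88612fea8a8f36de82e1278abb02f"},  # lower-case hash
    {"eventId": "5", "destinationAddress": "198.51.100.7"},            # not in any list
]


def run_sample() -> List[dict]:
    ti = ThreatIntelLists(SAMPLE_TI)
    return [a for ev in SAMPLE_EVENTS for a in evaluate(ev, ti)]


def sample_health() -> Dict[str, bool]:
    now = datetime(2023, 3, 15, 12, 0, tzinfo=timezone.utc)
    return {"fresh": feed_is_stale(now - timedelta(minutes=30), now),
            "stale": feed_is_stale(now - timedelta(hours=3), now),
            "never": feed_is_stale(None, now)}


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print(sample_health())
```

Events 1, 2 and 4 produce alerts; event 3 matches a Low entry and is suppressed, which is the Medium/High gate at work, and event 5 matches nothing. Normalising before the lookup is what makes the trailing-dot domain and the lower-case hash still hit their entries.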

System Requirements

========================

Micro Focus ArcSight ESM 7.2 or above.

-------------------------------------------------------------------------------

To install this package:

===========================

The zip file contains three files: the package .arb file, a signature of the .arb file, and the release notes.

Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:

https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do

You must log in with a Micro Focus Software Passport account (the site gives you the option to create one).
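A pre-import check of the download, as an added example that is not Micro Focus code: it confirms the zip holds the three expected files, records the SHA-256 of the .arb, and verifies the detached signature with GnuPG while pinning the signing key's fingerprint. The detached-GnuPG format, the gpg command line and the placeholder fingerprint are assumptions; take the real key and the exact procedure from the Micro Focus page linked above.

```python
"""Added example, not Micro Focus code: check a Default Content zip and verify the
.arb signature before importing it. Assumes the .sig is a detached GnuPG signature
and that the Micro Focus public key has already been imported into the keyring."""
import hashlib
import io
import re
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Placeholder: replace with the fingerprint of the Micro Focus signing key you imported.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"


def layout_errors(names: List[str]) -> List[str]:
    """The zip must hold exactly one .arb, its .sig, and a release note, flat."""
    errors = []
    arbs = [n for n in names if n.lower().endswith(".arb")]
    sigs = [n for n in names if n.lower().endswith(".sig")]
    if len(arbs) != 1:
        errors.append(f"expected exactly one .arb, found {len(arbs)}")
    if len(sigs) != 1:
        errors.append(f"expected exactly one .sig, found {len(sigs)}")
    if arbs and sigs and not sigs[0].lower().startswith(arbs[0].lower()):
        errors.append(f"signature {sigs[0]} does not name the package {arbs[0]}")
    if len(names) != 3:
        errors.append(f"expected 3 members (arb, sig, release note), found {len(names)}")
    if any("/" in n or "\\" in n or n.startswith("..") for n in names):
        errors.append("nested or traversal paths are not expected in this package")
    return errors


def inspect_package(zip_bytes: bytes) -> Dict[str, str]:
    """Return the member names and the SHA-256 of the .arb, or raise on a bad layout."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        problems = layout_errors(names)
        if problems:
            raise ValueError("; ".join(problems))
        arb = next(n for n in names if n.lower().endswith(".arb"))
        sig = next(n for n in names if n.lower().endswith(".sig"))
        digest = hashlib.sha256(zf.read(arb)).hexdigest()
    return {"arb": arb, "sig": sig, "sha256": digest}


def verify_signature(arb_path: Path, sig_path: Path,
                     expected_fpr: str = EXPECTED_FINGERPRINT) -> bool:
    """gpg exits 0 for a good signature by *any* key in the keyring, so also pin the
    signing key's fingerprint from the VALIDSIG status line."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(arb_path)],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40}) ", proc.stdout, re.M)
    return bool(m) and m.group(1).upper() == expected_fpr.upper()


def build_sample_package(with_sig: bool = True) -> bytes:
    """Constructed stand-in for the downloaded zip; the contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Threat_Intelligence_Platform_4.0.0.0.arb", b"<arb contents>")
        if with_sig:
            zf.writestr("Threat_Intelligence_Platform_4.0.0.0.arb.sig", b"<detached signature>")
        zf.writestr("Release_Notes.txt", b"release notes")
    return buf.getvalue()


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_package()
    info = inspect_package(data)
    print("package:", info)
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.extractall(tmp)  # safe: layout_errors rejected nested/traversal names
        ok = verify_signature(Path(tmp, info["arb"]), Path(tmp, info["sig"]))
        print("signature ok and from the pinned key:", ok)
```

Run it with the downloaded zip as the first argument. The fingerprint pin is the part that matters for supply-chain safety: a good signature from some other key in your keyring (one an attacker persuaded you to import) still makes gpg exit 0, and only the fingerprint comparison rejects it.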

Perform the following steps in the ArcSight Console.

1. Go to the ArcSight Console.

2. Click on Packages

3. Click Import

4. Select package arb file from the zip file

5. Follow the prompts to import and install this package

To upgrade this package from version 3.x

1. Delete /ArcSight Foundation/Threat Intelligence Platform.
Make sure the active list group has also been deleted from /All Active Lists/ArcSight Foundation/Threat Intelligence Platform.
2. Restart the ESM manager (/opt/arcsight/services/init.d/arcsight_services stop manager, then /opt/arcsight/services/init.d/arcsight_services start manager).
Note: If you do not restart the manager, the installation fails with the error: Install Failed: "Invalid field name: creatorOrg"
3. Go to the ArcSight Console.
4. Click Packages.
5. Click Import.
6. Select the package .arb from the .zip file.
7. Follow the prompts to import and install this package.
8. After the initial install finishes, right-click Threat Intelligence Platform and click Install Package.

To uninstall:

Right-click the package in the ArcSight Console, then select "Uninstall Package".

Details in the recent releases

In release version 4.0, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1552.006 T1553.005

The following new rules were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Credentials in Group Policy Preferences
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Mark-of-the-Web Bypass Using PowerShell
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP Connector Health/Track GTAP Connector Update Count

The following rules were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Malware Monitoring/Possible Ransomware Detected
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Large amount of file modifications in users directories

Fields were expanded from 15 to 37 in the following active lists:

/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Addresses List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Domain List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Hash List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious URL List

The following dashboards were added:

  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Data Feed Overview
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/TI Confidence Comparison - Open Source vs Galaxy-curated
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Top Malware and CVE

The following dashboards were updated:

  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/GTAP Health Status
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Threat Intelligence Security Incidents Overview
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/TI Confidence Details
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Top Malware Types

In release version 3.7, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1003.006 T1213.002 T1218 T1218.008 T1530 T1546.001 T1560 T1574.012

The following new rules were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/AWS S3 Policy Misconfiguration
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/AWS S3 Unauthorized Access
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/SharePoint Activity by Privileged User
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/COR_PROFILER to Hijack Program Execution Flow
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Odbcconf to Proxy Execution of Malicious Payloads
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Possible Archive of Collected Data Using PowerShell
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Possible Change of Default File Association
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Possible DCSync OS Credential Dumping
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Signed Binary Proxy Execution
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP SmartConnector Health/No Update from GTAP SmartConnector
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP SmartConnector Health/Error in GTAP SmartConnector Service Message
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP SmartConnector Health/Track GTAP SmartConnector Service Message

The following rules were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/Malicious PowerShell Commandlets
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/MetaSploit Detected
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Script Executed On Critical Host
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/Suspicious Powershell Command Line Argument Detected
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/Shell Command Execution
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/API Hooking Detected
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/System Network Configuration Discovery
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/Remote System Discovery
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/Suspicious Network Sniffing
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/Remote PowerShell Session Activity On Host
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Windows Hooking API Used by PowerShell
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Suspicious Remote System Discovery Commands Entered On Linux
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Suspicious Remote System Discovery Commands Entered On Windows
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/Suspicious SharePoint Activity


Sample replay events

This zip file contains four files: two replay event files, one .arb package, and a readme.

To trigger/test rules in the Default Content, you need to:

1) Install the 4.0 package before installing the package in this zip file when testing rules in the Threat Intelligence Platform package.

2) Enable the rules you want to test.


Minimum Requirements

ESM 7.2 and above

The Threat Intelligence Platform package requires the Model Import Connector (MIC) for GTAP.


Releases

Threat Intelligence Platform 4.0.0.0
Size: 435.6 KB | Date: Mar 15, 2023
Product compatibility: ESM 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: Expanded the suspicious active lists from 15 to 37 fields, and added more rules and dashboards.
Languages: English

Security Threat Monitoring 4.0.0.0
Size: 572.3 KB | Date: Mar 15, 2023
Product compatibility: ESM 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: Added 2 new rules and updated 2 rules.
Languages: English

Sample Replay Events 4.0.0.0
Size: 159.0 KB | Date: Mar 15, 2023
Product compatibility: ESM 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: Replay events for Default Content 4.0 or above.
Languages: English

Sample Replay Events 3.7.0.0
Size: 151.6 KB | Date: May 16, 2022
Product compatibility: ESM 6.8, 6.9.1, 6.11.0, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: Added more replay events to support the rules added in release 3.7.
Languages: English

Threat Intelligence Platform 3.7.0.0
Size: 404.8 KB | Date: May 16, 2022
Product compatibility: ESM 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: This release contains new rules and a new dashboard to help you monitor the health of the CyberRes Galaxy Threat Acceleration Program (GTAP) 1.0 Basic and Plus Model Import Connector.
Languages: English

Security Threat Monitoring 3.7.0.0
Size: 569.5 KB | Date: May 16, 2022
Product compatibility: ESM 7.2, 7.3, 7.4, 7.5, 7.6
Release notes: This release contains new resources in the Security Threat Monitoring package to help protect Windows, AWS Security Hub, and Microsoft Office 365 environments and applications.
Languages: English
