The "ArcSight ESM Default Content 4.0" release is a milestone for the entire ArcSight portfolio.
In this release, the primary focus has been to support "CyberRes Galaxy Threat Acceleration Program (GTAP)" version 2.0. This is done through the "Threat Intelligence Platform" sub-package of the ESM Default Content package.
As described in more detail in the GTAP 2.0 Release Notes, the Threat Intelligence support built into ESM and the Default Content has been significantly improved. The most significant change is the introduction of many additional fields, giving a richer feed with more SOC-ready context.
Accordingly, the Active Lists that hold the real-time IoC information received from the real-time threat intel feed, as well as the rules, filters and other resources that use these active lists, have been considerably updated.
Because this significantly changes how the ESM resources work, deployment of ESM Default Content 4.0 now requires a couple of extra steps specific to this release.
Please read this document in full, and preferably watch the following video, to get acquainted with the process.
Release 3.7 contains 9 new rules in the Security Threat Monitoring package to help protect Windows, AWS Security Hub, and Microsoft Office 365 environments or applications. It also contains 3 new rules and a new dashboard to help you monitor the health of the CyberRes Galaxy Threat Acceleration Program (GTAP) 1.0 Basic and Plus Model Import Connector. This release also contains 14 updated rules with more fields in the aggregation tab.
In release 3.6, 22 new rules were added and 2 rules were updated to support MITRE ATT&CK Cloud Techniques for the AWS Security Hub log source and Microsoft Office/Defender 365.
In release version 3.5, 15 new rules were added to support MITRE ATT&CK Cloud Techniques for Microsoft Azure Services.
In release version 3.4, 11 new rules were added to detect possible APT malware and 0-day attacks. These rules trigger when the base event matches an entry in the Threat Intelligence active lists and the threat level of that entry is Medium or High. A new active channel has been added for monitoring those rules.
In the release version 3.3, we added 7 rules to cover MITRE Techniques under two new MITRE Tactics - TA0042 Resource Development and TA0043 Reconnaissance.
In the release version 3.2, we added 3 rules to cover more MITRE ATT&CK Techniques/sub-Techniques.
In the release version 3.1, we added 77 rules to cover more MITRE ATT&CK Techniques/sub-Techniques.
In the release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques.
As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed below.
For a more user-friendly way of browsing this list, we recommend visiting https://mitre.microfocus.com/.
We also provide a downloadable JSON formatted file of all Default and Non-Default Content on the above-mentioned webpage.
Threat Intelligence Platform
This package is designed to detect security threats based on a threat intelligence data feed. It also follows the MITRE ATT&CK framework.
This package requires the installation of the Model Import Connector (MIC) for GTAP. For more information on the MIC, please refer to the documentation at https://www.microfocus.com/documentation/arcsight/galaxy-gtap-2.0/gtap-2-0-admin-guide/
Following use cases are covered in this package:
System Requirements
========================
Micro Focus ArcSight ESM 7.2 or above.
-------------------------------------------------------------------------------
To install this package:
===========================
The zip file contains three files: the package .arb file, a signature for the .arb file, and the release notes.
Micro Focus provides a digital public key so that you can verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:
https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do
You must log in with a Micro Focus Software Passport account (the site offers the option to create one).
Perform the following steps in the ArcSight Console.
1. Go to the ArcSight Console.
2. Click Packages.
3. Click Import.
4. Select the package .arb file from the zip file.
5. Follow the prompts to import and install this package.
To upgrade this package from version 3.x
1. Delete /ArcSight Foundation/Threat Intelligence Platform.
Make sure the active list group has also been deleted from /All Active Lists/ArcSight Foundation/Threat Intelligence Platform.
2. Restart the ESM manager (/opt/arcsight/services/init.d/arcsight_services stop manager, then start manager).
Note: If you do not restart the manager, you will receive an error: Install Failed: "Invalid field name: creatorOrg"
3. Go to the ArcSight Console.
4. Click Packages.
5. Click Import.
6. Select the package .arb from the .zip file.
7. Follow the prompts to import and install this package.
8. After the initial install finishes, right-click Threat Intelligence Platform and click Install Package.
To uninstall:
Right-click the package in the ArcSight Console, then select "Uninstall Package".
Details in the recent releases
In release version 4.0, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1552.006 T1553.005
Following new rules are added:
Following rules were updated:
Fields were expanded from 15 to 37 in the following active lists:
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Addresses List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Domain List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Hash List
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious URL List
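The following is an added example, not ArcSight's own rule logic or active-list schema: it models the lookup described for the release 3.4 APT/0-day rules (base event matches an entry in one of the five Threat Intelligence active lists above, and the entry's threat level is Medium or High). The five active list URIs are taken from this page; the mapping of IoC type to event field, the threat-level vocabulary and ordering, the entry columns and the sample feed rows and events are assumptions constructed for the example.

```python
"""Constructed model of the lookup a Threat Intelligence Platform rule performs.

Added illustration, not ArcSight's own rule logic or schema. The five active
list URIs come from the release notes; the event-field mapping, threat-level
vocabulary, entry columns and sample rows are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Release notes: the rules fire when the base event matches an active-list entry
# AND the threat level is Medium or High. Label strings/ordering are assumed.
THREAT_LEVEL_RANK: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
MIN_FIRING_LEVEL = "Medium"

# Active list URIs from the release notes, keyed by the IoC type each holds.
ACTIVE_LISTS: Dict[str, str] = {
    "address": "/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Addresses List",
    "domain": "/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Domain List",
    "email": "/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email List",
    "hash": "/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Hash List",
    "url": "/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious URL List",
}

# Assumed mapping from IoC type to the base-event field compared against the
# list (a real rule would typically check several fields per list).
EVENT_FIELD_FOR_TYPE: Dict[str, str] = {
    "address": "destinationAddress",
    "domain": "destinationHostName",
    "email": "sourceUserName",
    "hash": "fileHash",
    "url": "requestUrl",
}


@dataclass(frozen=True)
class IocEntry:
    """One active-list row; only a handful of the feed's 37 fields are modelled."""
    ioc_type: str
    indicator: str
    threat_level: str
    source: str  # feed/provider name (constructed)


@dataclass(frozen=True)
class Match:
    active_list: str
    event_field: str
    entry: IocEntry
    fires: bool  # True when the Medium/High threshold is met


def normalize(value: str) -> str:
    """Case-fold and trim so 'Evil.EXAMPLE' and 'evil.example' hit the same row."""
    return value.strip().lower()


def build_index(entries: List[IocEntry]) -> Dict[str, Dict[str, IocEntry]]:
    """Index feed rows by active-list URI, then by normalised indicator."""
    index: Dict[str, Dict[str, IocEntry]] = {uri: {} for uri in ACTIVE_LISTS.values()}
    for entry in entries:
        index[ACTIVE_LISTS[entry.ioc_type]][normalize(entry.indicator)] = entry
    return index


def match_event(event: Dict[str, str], index: Dict[str, Dict[str, IocEntry]]) -> List[Match]:
    """Return every active-list hit for the event, flagging which ones would fire."""
    matches: List[Match] = []
    for ioc_type, uri in ACTIVE_LISTS.items():
        field = EVENT_FIELD_FOR_TYPE[ioc_type]
        value = event.get(field)
        if not value:
            continue
        entry = index[uri].get(normalize(value))
        if entry is None:
            continue
        fires = THREAT_LEVEL_RANK[entry.threat_level] >= THREAT_LEVEL_RANK[MIN_FIRING_LEVEL]
        matches.append(Match(uri, field, entry, fires))
    return matches


# Constructed sample feed rows (documentation-range address, example domain,
# SHA-256 of the empty string as a stand-in hash).
SAMPLE_FEED: List[IocEntry] = [
    IocEntry("address", "198.51.100.23", "High", "constructed-feed"),
    IocEntry("domain", "evil.example", "Medium", "constructed-feed"),
    IocEntry("hash", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Low", "constructed-feed"),
    IocEntry("url", "http://evil.example/payload", "High", "constructed-feed"),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_FEED)
    # Constructed base events: two firing hits, one Low hit that must not fire, one clean.
    for event in (
        {"destinationAddress": "198.51.100.23", "destinationHostName": "Evil.EXAMPLE"},
        {"fileHash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
        {"destinationAddress": "203.0.113.9"},
    ):
        for m in match_event(event, index):
            verdict = "FIRE" if m.fires else "match below threshold"
            print(f"{m.event_field}={event[m.event_field]} -> {m.entry.threat_level}: {verdict}")
```

The point of separating the match from the firing decision is that a Low-level hit is still worth recording (for enrichment or a lower-priority channel) even though the APT/0-day rules only correlate on Medium or High; the normalisation step is where case differences in hashes and hostnames would otherwise silently cause missed matches.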
Following dashboards were added:
Following dashboards were updated:
In release version 3.7, the following MITRE IDs were added, or rules were added to existing MITRE IDs:
T1003.006 T1213.002 T1218 T1218.008 T1530 T1546.001 T1560 T1574.012
Following new rules were added:
Following rules were updated:
Sample replay events
This zip file contains four files: two replay event files, one .arb package, and a readme.
In order to trigger/test rules in the default content, you need to:
1) Install the Default Content 4.0 package before installing the package in this zip file when testing rules in the Threat Intelligence Platform package.
2) Enable the rules you want to test.
ESM 7.2 and above
The Threat Intelligence Platform package requires the MIC for GTAP.
Expanded the suspicious active lists from 15 to 37 fields, and added more rules and dashboards.
Added 2 new rules and updated 2 rules.
Replay events for default content 4.0 or above.
Added more replay events to support the rules added in release 3.7.
This release contains new rules and a new dashboard to help you monitor the health of the CyberRes Galaxy Threat Acceleration Program (GTAP) 1.0 Basic and Plus Model Import Connector.
This release contains new resources in the Security Threat Monitoring package to help protect Windows, AWS Security Hub, and Microsoft Office 365 environments or applications.