The SolarWinds IOC Activity is a content package that leverages ArcSight Logger to detect any communication between your organization and SolarWinds SUNBURST IOC.
SolarWinds SUNBURST Monitoring package detects security threats that are related to SolarWinds SUNBURST hacks.
Following use cases are included in this package:
SolarWinds SUNBURST related suspicious traffic, based on intelligence Datafeed from MISP CIRCL
• Dangerous Browsing to a Suspicious SolarWinds URL
• Inbound Traffic from a SolarWinds Suspicious Address
• Inbound Traffic from a SolarWinds Suspicious Domain
• Outbound Traffic to a SolarWinds Suspicious Address
• Outbound Traffic to a SolarWinds Suspicious Domain
• SolarWinds Detected by Vendor
Following MITRE ATT&CK Techniques are covered as well:
• T1190-Exploit Public-Facing Application
• T1566.002-Spearphishing Link
---------------------------------------------------
System Requirements
========================
Micro Focus ArcSight ESM 6.11 or above.
---------------------------------------------------
Pre-requisite
==============
This package is dependent on the ESM Default Content - Threat Intelligence Platform package, which can be downloaded from https://marketplace.microfocus.com/arcsight/content/esm-default-content
---------------------------------------------------
To install this package:
===========================
The zip file contains four files: package arb file, the signature of arb file, test replay events, and Readme.
Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:
https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do
It is required to log in using a Microfocus/Software passport (It gives the option to create an account if you do not have one)
Perform the following steps in the ArcSight Console.
1. Go to the ArcSight Console.
2. Click on Packages
3. Click Import
4. Select arb from the zip file
5. Follow the prompts to import and install this package
To uninstall:
=============================
Right-click package from ArcSight Console, then selects "Uninstall Package".
ESM 6.11 and above
This package is dependent on ESM Default Content - Threat Intelligence Platform package, which can be downloaded from https://marketplace.microfocus.com/arcsight/content/esm-default-content
Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.
Add a new package for Logger, the SolarWinds IOC Activity is a content package which leverages ArcSight Logger to detect any communication between your organization and SolarWinds SUNBURST IOC.
Following use cases are included in this package:
• SolarWinds SUNBURST related suspicious traffic, based on intelligence Datafeed from MISP CIRCL
• Dangerous Browsing to a Suspicious SolarWinds URL
• Inbound Traffic from a SolarWinds Suspicious Address
• Inbound Traffic from a SolarWinds Suspicious Domain
• Outbound Traffic to a SolarWinds Suspicious Address
• Outbound Traffic to a SolarWinds Suspicious Domain
• SolarWinds Detected by Vendor
Following MITRE ATT&CK Techniques are covered as well:
• T1190-Exploit Public-Facing Application
• T1566.002-Spearphishing Link
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox