ArcSight participated in the MITRE ATT&CK Carbanak+FIN7 emulation enterprise evaluation in October 2020. More details about the evaluation can be found on

The file contains two packages that were used during the evaluation:

Package One – ATTACK_EvalsR3_Carbanak_and_FIN7_v1_no-optimization.arb, used during the first and second day.

Package Two – ATTACK_EvalsR3_Carbanak_and_FIN7_v2_optimized_and_recommended.arb, used during the third day, with minor configuration changes that capture many more use cases originally missed by Package One. Caution: this package also generates more false positives.

Data Sources and Configuration

ESM: Suppression List set to 1 minute during evaluation (by default 24 hours)

1. Windows logs: Enable command line process creation auditing

  • Microsoft-Windows-Security-Auditing: 4688, 5145, 4624, 4683, 4728, 4732, 4756, 4740, 6416, 4729, 4733, 4757, 4656, 5156, 4799, 4798, 5140, 5158, 4689, 4697, 4625, 4950

2. PowerShell logs: Turn on PowerShell Script Block Logging - 8003

3. Sysmon: Enable the following event IDs:

  • 1: Process creation
  • 3: Network connection
  • 7: Image loaded
  • 8: CreateRemoteThread
  • 10: ProcessAccess
  • 11: FileCreate
  • 12: RegistryEvent (Object create and delete)
  • 13: RegistryEvent (Value Set)
  • 15: FileCreateStreamHash
  • 17: PipeEvent (Pipe Created)
  • 18: PipeEvent (Pipe Connected)
  • 22: DNSEvent (DNS query)

4. Firewall logs

5. Proxy logs

6. IDS/IPS logs

7. Anti-virus logs

8. Linux auditd logs: Modify /usr/lib/systemd/system/auditd.service to get these logs

9. Snoopy logs

10. Flex connector for Hollows Hunter
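The two Windows-side prerequisites above (command line in process creation auditing, and PowerShell Script Block Logging) and the Sysmon event ID list are the settings the package's rules depend on. The script below is an added example, not part of the ArcSight package or this listing: it sets the two documented Windows policy registry values, enables the Process Creation audit subcategory with auditpol, verifies the result, and then reports which of the expected Sysmon event IDs have not been seen in the Sysmon operational log. It assumes an elevated PowerShell session on the monitored host with Sysmon already installed; the function names and the 24-hour look-back are the author's choices for this example.

```powershell
# Added example: verify the Windows log sources the ArcSight package expects.
# Not from the package itself. Run elevated on the monitored host (or push the
# same registry values through Group Policy). Registry paths are the documented
# Windows policy locations for these two settings.

$auditSettings = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name  = 'ProcessCreationIncludeCmdLine_Enabled'   # command line in event 4688
       Value = 1 },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name  = 'EnableScriptBlockLogging'                # PowerShell Script Block Logging
       Value = 1 }
)

# Sysmon event IDs listed in the data-source section above.
$sysmonIds = 1, 3, 7, 8, 10, 11, 12, 13, 15, 17, 18, 22

function Set-AuditRegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-AuditRegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq $Expected)
}

# Returns the expected Sysmon IDs that have not appeared in the operational log
# since $Since. An ID that never shows up usually means the Sysmon configuration
# file has no rule for that event type, so the package content cannot fire on it.
function Get-MissingSysmonEventIds {
    param([int[]]$ExpectedIds, [datetime]$Since = (Get-Date).AddHours(-24))
    $seen = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { $seen[$_.Id] = $true }
    return $ExpectedIds | Where-Object { -not $seen.ContainsKey($_) }
}

# 1. Process creation auditing is an audit policy subcategory, not a registry value;
#    the registry value only adds the command line to the 4688 events it produces.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Apply the two policy values.
foreach ($s in $auditSettings) {
    Set-AuditRegistryValue -Path $s.Path -Name $s.Name -Value $s.Value
}

# 3. Verification pass. A MISSING line means the collector will receive 4688
#    events without command lines, or no script block events at all.
foreach ($s in $auditSettings) {
    $ok = Test-AuditRegistryValue -Path $s.Path -Name $s.Name -Expected $s.Value
    '{0}\{1} = {2} : {3}' -f $s.Path, $s.Name, $s.Value, $(if ($ok) { 'OK' } else { 'MISSING' })
}
auditpol.exe /get /subcategory:"Process Creation"

# 4. Sysmon coverage check against the package's event ID list.
$missing = Get-MissingSysmonEventIds -ExpectedIds $sysmonIds
if ($missing) {
    'Sysmon event IDs not seen in the last 24 hours: {0}' -f ($missing -join ', ')
} else {
    'All expected Sysmon event IDs observed.'
}
```

The Sysmon check is deliberately observational rather than parsing the Sysmon configuration file: a quiet host may legitimately not have produced, say, event 8 (CreateRemoteThread) in the window, so treat a reported ID as a prompt to review the Sysmon config rather than as proof it is missing.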

To install this package:

The zip file contains three files: the package arb file, the signature of the arb file, and a Readme. Micro Focus provides a digital public key so you can verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:


You must log in with a Micro Focus / Software Passport account (the site offers the option to create one).

Perform the following steps in the ArcSight Console.

1. Go to the ArcSight Console.

2. Click Packages.

3. Click Import.

4. Select the arb file from the zip file.

5. Follow the prompts to import and install the package.

Minimum Requirements

ESM 6.11 and above.


Downloads

Replay Events During Evaluations (42.3 MB, Apr 20, 2021)
Product compatibility: Version 6.11.0; Version 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8
Release notes: Replay events for the first and second day evaluation.

ATTACK EvalsR3 Carbanak and FIN7 (1.6 MB, Apr 20, 2021)
Product compatibility: Version 6.11.0; Version 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8
Release notes: This package was used during the MITRE ATT&CK Carbanak+FIN7 emulation enterprise evaluation in October 2020.

