
L2-Network Monitoring - Situational Awareness

This is the official forum for the discussion of the L2-Network Monitoring - Situational Awareness package.

The installation/update package is available from the ArcSight Marketplace. All new and updated Activate Framework packages are available on the ArcSight Marketplace (https://marketplace.microfocus.com/arcsight).


The documentation is available at https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/L2NetworkMonitoring.

--
Prentice S. Hayes
Principal Product Manager | Cybersecurity Enterprise, Security Analytics
OpenText Cybersecurity

LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

Website: https://www.opentext.com/

  • 0

    Hi,


    I installed the L2-Network Monitoring - Situational Awareness package and noticed a broken resource.  The rule "Web Proxy Identified Exploit Traffic" is dependent on an Active List that does not exist.

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries that cannot be found.

    On a side note, from the L2-Perimeter Monitoring - Situational Awareness package I noticed 2 broken resources.  The rule "Egress Communications to Suspicious Region" and "Ingress Communications from Suspicious Region".

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

    and

    Rule /All Rules/Real-time Rules/ArcSight Activate/Solutions/Perimeter Monitoring/Situational Awareness/Ingress Communications from Suspicious Region depends on resource /All Active Lists/ArcSight Activate/Solutions/Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries that cannot be found

    I used the latest packages available from the HP Marketplace and installed them in the order below.  Older versions of the packages which require migration were never installed.

    ArcSight Activate Base 2.4.0.0

    L1-Perimeter Monitoring - Indicators and Warnings

    L2-Perimeter Monitoring - Situational Awareness

    L1-Network Monitoring - Indicators and Warnings

    L2-Network Monitoring - Situational Awareness

    Has anyone else experienced this?  What's the best way to resolve this issue with the broken resources?


  • 0

    Check this link: .  There is a resolution to the broken resource.  The active list is in a different location.  However, I just did a search in ESM for Proxy Identified Exploit Kit Queries, but could not find it. Leave it to HP to put out a product that is not ready or useful.......I really hope they put out some use cases and direction for the L2 packages.

  • 0

    Isn't this problem fixed in the package mentioned above? I see that it was posted after the package was published on marketplace.

    Thanks :-)

  • 0

    Same here, I could not find Proxy Identified Exploit Kit Queries

  • 0   in reply to 

    Hey,

    Apologies for the delayed response. I just installed the L1-Network Monitoring and L2-Network Monitoring packages, as well as the L1-Perimeter Monitoring and L2-Perimeter Monitoring packages. For /All Rules/Real-time Rules/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic, the conditions should look like this:

    WebProxyIdentifiedExploitTrafficConditions.png

     I know this sounds lame, but I cannot reproduce the problem you've stated. The list is at /All Active Lists/ArcSight Activate/Solutions/Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries.

    Hope this helps,

    --

    Prentice

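The thread's error messages name a list under /Perimeter and Network Monitoring/... while Prentice reports it at /Network Monitoring/.... A pre-install dependency check of that kind, written here as an added example (not code from this thread or from the Activate packages): it assumes the rule-to-active-list references and the active lists present in ESM have already been extracted, and the sample paths are constructed from the ones quoted above.

```python
"""Flag ArcSight Activate rules whose active-list references cannot be resolved.

Added example, not part of this thread or of the Activate packages. It assumes
the rule -> active-list references and the set of active lists installed in
ESM have already been extracted (e.g. from the package resource listing); the
sample data below is constructed from the paths quoted in this thread.
"""
import posixpath
from difflib import SequenceMatcher

ACT = "/All Active Lists/ArcSight Activate/Solutions/"
RULES = "/All Rules/Real-time Rules/ArcSight Activate/Solutions/"

# Constructed sample: rule URI -> active lists referenced in its conditions
RULE_DEPS = {
    RULES + "Network Monitoring/Situational Awareness/Web Proxy Identified Exploit Traffic": [
        ACT + "Perimeter and Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries",
    ],
    RULES + "Perimeter Monitoring/Situational Awareness/Egress Communications to Suspicious Region": [
        ACT + "Perimeter and Network Monitoring/Situational Awareness/Suspicious Region - ITAR_OFAC Countries",
    ],
}
# Constructed sample: active lists actually present in the ESM instance
INSTALLED_LISTS = {
    ACT + "Network Monitoring/Situational Awareness/Proxy Identified Exploit Kit Queries",
    ACT + "Network Monitoring/Situational Awareness/Some Other List",
}


def find_broken(rule_deps, installed):
    """Return {rule_uri: [(missing_uri, same_named_list_or_None), ...]}.

    A reference is broken when its exact URI is not installed. If a list with
    the same name exists under a different folder, report it as the likely
    target so an analyst can repoint the rule instead of rebuilding the list.
    """
    broken = {}
    for rule, deps in rule_deps.items():
        for dep in deps:
            if dep in installed:
                continue
            name = posixpath.basename(dep)
            same_name = [u for u in installed if posixpath.basename(u) == name]
            # Prefer the candidate whose full path is closest to the reference
            best = max(same_name, default=None,
                       key=lambda u: SequenceMatcher(None, u, dep).ratio())
            broken.setdefault(rule, []).append((dep, best))
    return broken


if __name__ == "__main__":
    for rule, problems in find_broken(RULE_DEPS, INSTALLED_LISTS).items():
        print(posixpath.basename(rule))
        for dep, best in problems:
            print("  missing:  ", dep)
            print("  candidate:", best or "(no installed list with that name)")
```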

  • 0   in reply to   

    Hi Prentice

    I just did a clean install of the L2-Network_Monitoring_-_Situational_Awareness_0.1.0.0 package, this was not an upgrade. I got the same problem where there's a reference to the Proxy Identified Exploit Kit Queries Active List under /Perimeter and Network Monitoring/Situational Awareness which doesn't exist in my environment.

    error.JPG

    It doesn't look like the Active List is included in the package either.

    Cheers

    Mark

  • 0 in reply to   

    Same issue here as , no Active List or Filter.

    Rule Error 2.png

    Rule Error1.png

  • 0 in reply to 

    Also, don't know if this is related but I noticed two issues with the install. With the second screenshot, I don't see that Package in the Console. Unfortunately, no time to research right now.

    L2 Install Error 1.png

    L2 Install Error 2.png