HPE ArcSight Logger Brute Force Attack Detection
Software Version: 1.0
Security Use Case Guide
January 20, 2016
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HPE ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality
of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.
This document is confidential.
Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2016 Hewlett Packard Enterprise Development, LP
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.hpenterprisesecurity.com/copyright
Support
Contact Information
Phone: A list of phone numbers is available on the HPE ArcSight Technical Support Page:
https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list
Support Web Site: https://softwaresupport.hp.com
Protect 724 Community: https://protect724.hp.com
Security Use Case Guide
HPE Logger Brute Force Attack Detection (1.0) Page 2 of 13
Contents
Overview 4
Installation 6
Brute Force Attack Detection Dashboards 7
Modifying the Default Dashboard Settings 8
Brute Force Attack Detection Reports 9
Brute Force Attack Reports 9
Source Reports 9
Failed Login Counts Reports 10
Failed Login Statistics Reports 10
Additional Information 11
Queries 11
Filters 11
Fieldset 11
Send Documentation Feedback 13
Overview
Brute force attacks use trial and error to gain access to a system by guessing credentials such as
passwords and personal identification numbers (PINs). A brute force tool generates a large number of
automated, consecutive login attempts, and the resulting burst of failed logins against one destination or
one account is the signal this use case looks for.
The HPE ArcSight Logger Brute Force Attack Detection Security Use Case helps you identify potential
brute force attempts using HPE ArcSight Logger. After identification of a threat, you can take action to
investigate the activity and protect your assets.
Parameters
The Brute Force Attack Detection Security Use Case tracks the following parameters related to brute
force attack detection.
- Count: The number of login attempts made during a given interval. A count can include both
  successful and unsuccessful logins; the dashboard and the counts reports count failed logins. A high
  count of failed logins may indicate a possible brute force attack.
- Source: The system from which a possible brute force attack originated.
- Destination: The target system subject to a possible brute force attack.
- User Account: The user account used by the source to log in to the destination, and therefore the
  account whose password a possible brute force attack is trying to guess.
These parameters are tracked in two ways: through dashboards and through reports.
Dashboards
The Brute Force Attack Detection dashboard displays a count of failed logins for each of the following
for the past 6 hours:
- Top sources of failed logins
- Top destinations of failed logins
- Top source and destination pairs
- Top user account and destination pairs
For more information, see "Brute Force Attack Detection Dashboards" on page 7.
Reports
The Logger Brute Force Attack Detection Security Use Case also adds a set of reports to Logger. Reports
let you track failed login trends over any period and can be customized to meet your needs. The
included reports cover attack detection, sources, failed login counts, and failed login statistics. For
more information, see "Brute Force Attack Detection Reports" on page 9.
Installation
The Logger Brute Force Detection Security Use Case is installed from the report bundle (a *.cab file)
downloaded from the HPE ArcSight Marketplace. You must separately import the use case content (the
fieldset, dashboard, and filters), which is delivered as *.gz files.
The Logger Brute Force Detection Security Use Case is supported on Logger v6.0 and later versions.
To install the Logger Brute Force Detection Security Use Case package:
1. In Logger, on the main menu, click Reports.
2. Click Deploy Report Bundle.
3. Under Step 1: Upload and View Cab Information, browse to the *.cab file containing the
Logger Brute Force package, then click Upload.
4. Under Step 2: Deploy Objects on Report Server, review the objects that will be deployed to your
report server. Then click Deploy. The objects are added to your server.
To install the Logger Brute Force Detection Security Use Case content:
1. In Logger, on the main menu, click Configuration.
2. Under Advanced, click Import Content.
3. Click Choose File. Select the *.gz file containing the fieldset content. Click Import.
4. Repeat Step 3 for the file containing the dashboard content.
5. Repeat Step 3 for the file containing the filter content.
Brute Force Attack Detection Dashboards
The Logger Brute Force Attack Detection Security Use Case adds one dashboard, Brute Force Attack
Detection, with four panels. The dashboard gives a snapshot of current activity for the defined interval
(by default, the past 6 hours).
To view the Brute Force Attack Detection dashboard:
1. In the Logger main menu, click Dashboards.
2. In the dashboard drop-down list, select Brute Force Attack Detection.
3. The dashboard displays four panels of failed login data:
- Failed Logins - Top Sources: a bar graph of the 10 sources with the highest count of failed login
  attempts in the last 6 hours.
- Failed Logins - Top Destinations: a bar graph of the 10 destinations with the highest count of failed
  login attempts in the last 6 hours.
- Failed Logins - Top Source & Destination Pairs: a table of the 10 source-destination pairs with the
  highest count of failed login attempts in the last 6 hours.
- Failed Logins - Top User Account and Destination Pairs: a table of the 10 user account-destination
  pairs with the highest count of failed login attempts in the last 6 hours.
Hover your pointer over any colored portion of a graph to display its details, including the count of
failed login attempts.
Click View on Search Page to display the panel on its own page, including the Saved Search details.
Because the panels only cover the trailing interval, an attack paced slowly enough to stay out of the top
10 in any 6-hour window does not appear here; the reports, which run over any period, are where to
look for that kind of activity.
Drilling Down
To drill down on the data in a dashboard graph and review the underlying events, click the colored
portion of any graph. While a graph displays the 10 items with the highest count, the drill-down page
shows the 100 items with the highest count.
At the top of the page is a graph with local time as the x-axis, showing groups of events across time as
bars. Click any bar shown on the graph to view the details of all events that took place at the indicated
time.
The Saved Search used to filter data for the dashboard is displayed at the top of the page. The search
can be used as-is, or customized with the search tools. For details on how to modify a Saved Search,
consult the Logger Administrator's Guide.
To export the dashboard data, click Export. Then, on the Export Options page, select the details of the
export.
Modifying the Default Dashboard Settings
You can modify the default dashboard settings by editing the panel display or by editing the Saved
Search used to compile the dashboard. For more information on modifying a dashboard layout, panels,
or a Saved Search, see the Logger Administrator's Guide.
Brute Force Attack Detection Reports
By running and reviewing the reports included in the Brute Force Attack Detection Security Use Case,
you can determine trends over time and spot activity that could be a brute force attack.
Before running a report, verify that the report's period (start and end date) covers the desired time
frame; the period may be carried over from a previously run report.
To access a Brute Force Attack Detection report:
1. On the Logger main menu, click Reports.
2. In the navigation menu, click Report Explorer.
3. Select Brute Force Attack.
4. Select a report to run.
5. Under Actions, select an action to take with the report, such as Run with Default Options.
You can run reports, customize, copy or take other actions with any of these reports as you would with
other Logger reports. For detailed instructions on how to run, edit, and manage Logger reports, see the
Logger Administrator's Guide.
Brute Force Attack Reports
The brute force attack reports show possible brute force attacks by source, user account, and
destination. Run these reports as often as possible (preferably daily) to spot possible brute force
attacks early. Alternatively, you can schedule them to run automatically in Logger under Scheduled
Reports in the navigation menu.
Report: Attempted Brute Force Attack
Description: Shows the source, user account, and destination involved in an attempted brute force
attack. An attempted brute force attack is one in which the number of failed login attempts exceeds
the report query's threshold (by default, 50 failed attempts per day).
Report: Successful Brute Force Attack
Description: Shows the source, user account, and destination involved in an attempted brute force
attack that resulted in one or more successful logins.
Treat every row of the Successful Brute Force Attack report as a probable account compromise to
investigate immediately, not as a trend. The default threshold is only a starting point: tune it for your
environment by editing the report query (see "Queries" on page 11), and keep in mind that a slow attack
spread over several days stays below any per-day count.
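The detection logic that the dashboard panels and the two reports above rely on, as an added example in Python. It is not part of the HPE guide and it is not the saved search or report query that ships with the use case. It assumes (the guide does not say this) that authentication events reach Logger as CEF lines carrying src, dst, duser, outcome and rt (epoch milliseconds); the sample lines, hosts and accounts are constructed for illustration, and the cutoffs mirror the guide's defaults: a trailing 6-hour window for the four panels and 50 failed attempts per day for the Attempted and Successful Brute Force Attack reports.

```python
"""Brute-force detection over CEF-style authentication events (added example).

Not part of the HPE guide and not the saved search or report query that ships
with the use case. Assumed (not stated by the guide): each event is a CEF line
with src, dst, duser, outcome (Success/Failure) and rt (epoch milliseconds).
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# key=value pairs in the CEF extension; a value runs up to the next " key=".
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    dst: str
    user: str
    success: bool


def parse_cef(line: str) -> AuthEvent:
    """Pull the fields the use case tracks (time, source, destination, user, outcome)."""
    parts = line.split("|", 7)          # 7 header fields, then the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    ext = dict(_EXT_RE.findall(parts[7]))
    return AuthEvent(
        ts=datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc),
        src=ext["src"], dst=ext["dst"], user=ext["duser"],
        success=ext["outcome"] == "Success",
    )


def failed_login_panels(events, now, window=timedelta(hours=6), n=10):
    """The four dashboard panels: failed-login counts in the trailing window."""
    cutoff = now - window
    failed = [e for e in events if not e.success and cutoff <= e.ts <= now]
    return {
        "top_sources": Counter(e.src for e in failed).most_common(n),
        "top_destinations": Counter(e.dst for e in failed).most_common(n),
        "top_src_dst_pairs": Counter((e.src, e.dst) for e in failed).most_common(n),
        "top_user_dst_pairs": Counter((e.user, e.dst) for e in failed).most_common(n),
    }


def brute_force_reports(events, threshold=50):
    """Attempted: a (day, src, user, dst) tuple with more than `threshold`
    failures in one UTC day. Successful: an attempted tuple that also has a
    success logged after its failure count crossed the threshold."""
    fails, wins = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e.ts.date(), e.src, e.user, e.dst)
        (wins if e.success else fails)[key].append(e.ts)
    attempted, successful = [], []
    for key, stamps in fails.items():
        if len(stamps) <= threshold:
            continue
        attempted.append(key)
        crossed_at = sorted(stamps)[threshold]          # the (threshold+1)-th failure
        if any(t >= crossed_at for t in wins.get(key, [])):
            successful.append(key)
    return sorted(attempted), sorted(successful)


# --- constructed sample data (illustration only; not real hosts or accounts) ---
NOW = datetime(2016, 1, 20, 12, 0, tzinfo=timezone.utc)


def _cef(ts, src, dst, user, outcome):
    ms = int(ts.timestamp() * 1000)
    return (f"CEF:0|Example|SSH|1.0|100|Login|5|"
            f"src={src} dst={dst} duser={user} outcome={outcome} rt={ms}")


def sample_events():
    lines = []
    t0 = NOW - timedelta(hours=4)       # 08:00 UTC: 60 failures, then a success at 10:05
    for i in range(60):
        lines.append(_cef(t0 + timedelta(minutes=2 * i), "203.0.113.7", "10.0.0.5", "admin", "Failure"))
    lines.append(_cef(t0 + timedelta(minutes=125), "203.0.113.7", "10.0.0.5", "admin", "Success"))
    t1 = NOW - timedelta(hours=5)       # 07:00 UTC: 30 failures, noisy but under the default threshold
    for i in range(30):
        lines.append(_cef(t1 + timedelta(minutes=5 * i), "198.51.100.20", "10.0.0.9", "svc_backup", "Failure"))
    lines.append(_cef(NOW - timedelta(minutes=60), "10.0.0.42", "10.0.0.5", "alice", "Failure"))  # one typo
    lines.append(_cef(NOW - timedelta(minutes=59), "10.0.0.42", "10.0.0.5", "alice", "Success"))
    lines.append(_cef(NOW - timedelta(days=1), "10.0.0.42", "10.0.0.5", "bob", "Failure"))        # outside the window
    return [parse_cef(ln) for ln in lines]


if __name__ == "__main__":
    evs = sample_events()
    for panel, rows in failed_login_panels(evs, NOW).items():
        print(panel, rows)
    attempted, successful = brute_force_reports(evs)
    print("attempted:", attempted)
    print("successful:", successful)
```

Run it as a script to print the four panels and the two report lists. The successful check keys on the (day, source, user, destination) tuple and only counts a success logged after the failure count has crossed the threshold, so a legitimate user who mistypes a password once and then logs in is never reported; a slow attack whose failures straddle midnight is split across two daily counts, which is the same blind spot the per-day report threshold has.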
Source Reports
Source reports display information on the sources of possible brute force attacks.
Report: A Source Targeting Destinations
Description: Shows a list, sorted by count, of the top 100 sources targeting multiple destinations with
failed logins. You can customize the report to isolate one or more sources or destinations.
Report: Exploit Attempts of User Accounts by Sources
Description: Shows a list, sorted by count, of the top 100 user accounts that failed to log in to any
destination. You can customize the report to isolate one or more user accounts, sources, or destinations.
Failed Login Counts Reports
Failed login counts reports show the trend of the count of failed logins, grouped by different
parameters. Use them to spot possible trends and other issues.
Report: Failed Login Counts by Days
Description: Groups failed login events by the day on which they occurred.
Report: Failed Login Counts by Destinations
Description: Shows the top 100 destinations (by count) for failed login events.
Report: Failed Login Counts by Sources
Description: Shows the top 100 sources (by count) for failed login events.
Report: Failed Login Counts by User Accounts
Description: Shows the top 100 user accounts (by count) for failed login events.
Report: Failed Login Counts by Weeks
Description: Groups failed login events by the week in which they occurred.
Failed Login Statistics Reports
Failed login statistics reports show statistics for all failed logins, each grouped by a different parameter.
Report: Failed Login Statistics by a Destination
Description: Shows statistics of all failed login events associated with a destination.
Report: Failed Login Statistics by a Source
Description: Shows statistics of all failed login events associated with a source.
Report: Failed Login Statistics by a User Account
Description: Shows statistics of all failed login events associated with a user account.
Additional Information
The dashboard and reports included in the Brute Force Security Use Case make use of the following
queries, filters, and fieldset.
Queries
The Logger Brute Force Attack Detection Security Use Case includes a query for each report discussed
under "Brute Force Attack Detection Reports" on page 9. You can view or edit the query details as
needed; the failed login threshold used by the Attempted Brute Force Attack report is set in its query.
To view or edit query details:
1. In the main menu, click Reports.
2. In the left navigation menu, click Query Explorer.
3. Select Brute Force Attack in the first column.
4. In the second column, double-click the query you wish to view or edit.
For complete details on editing or managing queries, see the Logger Administrator's Guide.
Filters
These filters are part of the Logger Brute Force Attack Detection Security Use Case.
- Brute Force Attack - Failed Login Events
- Brute Force Attack - Successful Login Events
To view or edit filter details:
1. On the main menu, click Configuration.
2. Under Search, click Filters.
3. The Brute Force filters are displayed in the list. Click any filter to display its details.
For complete details on editing or managing filters, see the Logger Administrator's Guide.
Fieldset
A single fieldset, Brute Force Attack Detection, is part of the Security Use Case.
To view or edit fieldset details:
1. On the main menu, click Configuration.
2. Under Search, click Fieldsets.
3. The Brute Force fieldset is displayed in the list, with details.
For complete details on editing or managing fieldsets, see the Logger Administrator's Guide.
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on Security Use Case Guide (Logger Brute Force Attack Detection 1.0)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to arc-doc@hpe.com.
We appreciate your feedback!
HPE Logger Brute Force Attack Detection (1.0) Page 13 of 13

More Related Content

PPTX
Getting started with Splunk
PDF
Brute Force Attack Security Use Case Guide
PDF
Antivirus Monitoring Security Use Case Guide
PDF
Reconnaissance Security Use Case
PPTX
First Responders Course - Session 4 - Forensic Readiness [2004]
PDF
Anomalous Traffic Detection Security Use Case Guide
DOCX
Security Hands-On - Splunklive! Houston
PDF
Carbanak apt eng
Getting started with Splunk
Brute Force Attack Security Use Case Guide
Antivirus Monitoring Security Use Case Guide
Reconnaissance Security Use Case
First Responders Course - Session 4 - Forensic Readiness [2004]
Anomalous Traffic Detection Security Use Case Guide
Security Hands-On - Splunklive! Houston
Carbanak apt eng

Similar to Logger Brute Force Attack Detection Security Use Case User's Guide (20)

PPTX
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
PPTX
Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.
PDF
Logger HIPAA CIP 1.0 Solutions Guide
PPTX
DR FAT
PPTX
Big data security
PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
PPTX
Ensuring Security and Compliance in a Data Deluge
PPT
RSA 2006 - Visual Security Event Analysis
PPTX
My Keynote from BSidesTampa 2015 (video in description)
PDF
PHDays 2018 Threat Hunting Hands-On Lab
PDF
Logging for hackers SAINTCON
PDF
The Heatmap
 - Why is Security Visualization so Hard?
PPTX
Operationalizing Security Intelligence [ InfoSec World 2014 ]
PDF
SplunkLive! Amsterdam 2015 - Analytics based security breakout
PPTX
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
PDF
Testing the OWASP Top 10
PDF
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
PPTX
Indianapolis Splunk User Group Dec 22
PDF
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
PPT
BSidesDC 2016 Beyond Automated Testing
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
Cyber Threat Jujitsu 101: Acknowledge. Assess. Avoid. Address.
Logger HIPAA CIP 1.0 Solutions Guide
DR FAT
Big data security
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Ensuring Security and Compliance in a Data Deluge
RSA 2006 - Visual Security Event Analysis
My Keynote from BSidesTampa 2015 (video in description)
PHDays 2018 Threat Hunting Hands-On Lab
Logging for hackers SAINTCON
The Heatmap
 - Why is Security Visualization so Hard?
Operationalizing Security Intelligence [ InfoSec World 2014 ]
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
Testing the OWASP Top 10
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Indianapolis Splunk User Group Dec 22
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
BSidesDC 2016 Beyond Automated Testing
Ad

More from protect724rkeer (20)

PDF
Model Import Connector for RepSM Release Notes
PDF
Actor Model Import Connector for Microsoft Active Directory
PDF
Actor Model Import Connector for Microsoft Active Directory Release Notes
PDF
Actor Model Import FlexConnector for Database
PDF
Actor Model Import FlexConnector for Database Release Notes
PDF
CIP for PCI 4.0 Solution Guide for ArcSight Logger
PDF
CIP for PCI 4.0 Release Notes for ArcSight Logger
PDF
CIP IT Governance 5.0 Solution Guide for ArcSight Logger
PDF
CIP IT Governance 5.0 Release Notes for ArcSight Logger
PDF
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
PDF
ArcSight ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Release Notes
PDF
Logger NERC CIP 1.0 Solutions Guide
PDF
Logger NERC CIP 1.0 Release Notes
PDF
Logger HIPAA CIP 1.0 Release Notes
PDF
HPE ArcSight RepSM Plus 1.6 Solution Guide
PDF
HPE ArcSight RepSM Plus 1.6 Release Notes
PDF
HPE ArcSight RepSM Plus Model Import Connector Config Guide
PDF
HPE ArcSight RepSM Plus Model Import Connector Release Notes
PDF
NERC v6.0 for ESM Release Notes
PDF
NERC v6.0 for ESM Solution Guide
Model Import Connector for RepSM Release Notes
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory Release Notes
Actor Model Import FlexConnector for Database
Actor Model Import FlexConnector for Database Release Notes
CIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Release Notes for ArcSight Logger
CIP IT Governance 5.0 Solution Guide for ArcSight Logger
CIP IT Governance 5.0 Release Notes for ArcSight Logger
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
ArcSight ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Release Notes
Logger NERC CIP 1.0 Solutions Guide
Logger NERC CIP 1.0 Release Notes
Logger HIPAA CIP 1.0 Release Notes
HPE ArcSight RepSM Plus 1.6 Solution Guide
HPE ArcSight RepSM Plus 1.6 Release Notes
HPE ArcSight RepSM Plus Model Import Connector Config Guide
HPE ArcSight RepSM Plus Model Import Connector Release Notes
NERC v6.0 for ESM Release Notes
NERC v6.0 for ESM Solution Guide
Ad

Recently uploaded (20)

PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PDF
Understanding Forklifts - TECH EHS Solution
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Operating system designcfffgfgggggggvggggggggg
PPTX
L1 - Introduction to python Backend.pptx
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
PPTX
history of c programming in notes for students .pptx
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
PDF
Nekopoi APK 2025 free lastest update
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PDF
Softaken Excel to vCard Converter Software.pdf
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PDF
Odoo Companies in India – Driving Business Transformation.pdf
wealthsignaloriginal-com-DS-text-... (1).pdf
Understanding Forklifts - TECH EHS Solution
2025 Textile ERP Trends: SAP, Odoo & Oracle
Design an Analysis of Algorithms II-SECS-1021-03
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Operating system designcfffgfgggggggvggggggggg
L1 - Introduction to python Backend.pptx
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
history of c programming in notes for students .pptx
How to Choose the Right IT Partner for Your Business in Malaysia
Nekopoi APK 2025 free lastest update
Navsoft: AI-Powered Business Solutions & Custom Software Development
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Softaken Excel to vCard Converter Software.pdf
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
Odoo Companies in India – Driving Business Transformation.pdf

Logger Brute Force Attack Detection Security Use Case User's Guide

  • 1. HPE ArcSight Logger Brute Force Attack Detection Software Version: 1.0 Security Use Case Guide January 20, 2016
  • 2. Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HPE ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2016 Hewlett Packard Enterprise Development, LP Follow this link to see a complete statement of copyrights and acknowledgements: http://www.hpenterprisesecurity.com/copyright Support Phone A list of phone numbers is available on the HPE ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-support- contact-list Support Web Site https://softwaresupport.hp.com Protect 724 Community https://protect724.hp.com Contact Information Security Use Case Guide HPE Logger Brute Force Attack Detection (1.0) Page 2 of 13
  • 3. Contents Overview 4 Installation 6 Brute Force Attack Detection Dashboards 7 Modifying the Default Dashboard Settings 8 Brute Force Attack Detection Reports 9 Brute Force Attack Reports 9 Source Reports 9 Failed Login Counts Reports 10 Failed Login Statistics Reports 10 Additional Information 11 Queries 11 Filters 11 Fieldset 11 Send Documentation Feedback 13 HPE Logger Brute Force Attack Detection (1.0) Page 3 of 13
  • 4. Overview Brute force attacks apply trial-and-error methods to hack into a system and obtain encrypted information such as passwords and personal identification numbers (PINs). A brute force program generates a massive number of automated consecutive login attempts. The HPE ArcSight Logger Brute Force Attack Detection Security Use Case helps you identify potential brute force attempts using HPE ArcSight Logger. After identification of a threat, you can take action to investigate the activity and protect your assets. Parameters The Brute Force Attack Detection Security Use Case tracks the following parameters related to brute force attack detection. l Count: The number of login attempts made during a given interval. A count includes both successful and unsuccessful logins. A high count may indicate a possible brute force attack. l Source: The system from which a possible brute force attack originated. l Destination: The target system subject to a possible brute force attack. l User Account: User account associated with the possible brute force attack, used by the source to log in to the destination. These parameters are tracked in two ways: through dashboards and reports. Security Use Case Guide Overview HPE Logger Brute Force Attack Detection (1.0) Page 4 of 13
  • 5. Dashboards The Brute Force Attack Detection dashboards display a count of failed logins for each of the following for the past 6 hours: l Top sources of failed logins l Top destinations of failed logins l Top source destination pairs l Top user account and destination pairs For more information, see "Brute Force Attack Detection Dashboards" on page 7. Reports As part of the Logger Brute Force Attack Detection Security Use Case, these reports are available in Logger. Reports enable you to track failed login trends over any period and are highly customizable to meet your needs. The included reports track information on counts, sources, and trends. For more information, see "Brute Force Attack Detection Reports" on page 9. Security Use Case Guide Overview HPE Logger Brute Force Attack Detection (1.0) Page 5 of 13
  • 6. Installation Installation of the Logger Brute Force Detection Security Use Case is accomplished with the installer file downloaded from the HPE ArcSight Marketplace. You must separately install the use case content (the fieldset, dashboard, and filters). The Logger Brute Force Detection Security Use Case is supported on Logger v6.0 and later versions. To install the Logger Brute Force Detection Security Use Case package: 1. In Logger, on the main menu, click Reports. 2. Click Deploy Report Bundle. 3. Under Step 1: Upload and View Cab Information, browse to the *.cab file containing the Logger Brute Force package, then click Upload. 4. Under Step 2: Deploy Objects on Report Server, review the objects that will be deployed to your report server. Then click Deploy. The objects are added to your server. To install the Logger Brute Force Detection Security Use Case content: 1. In Logger, on the main menu, click Configuration. 2. Under Advanced, click Import Content. 3. Click Choose File. Select the *.gz file containing the fieldset content. Click Import. 4. Repeat Step 3 for the file containing the dashboard content. 5. Repeat Step 3 for the file containing the filter content. Security Use Case Guide Installation HPE Logger Brute Force Attack Detection (1.0) Page 6 of 13
  • 7. Brute Force Attack Detection Dashboards Four dashboards are available as part of the Logger Brute Force Attack Security Use Case. Dashboards give a snapshot of current activity for the defined interval (by default, the interval is 6 hours). To view the Brute Force Attack Detection dashboard: 1. In the Logger main menu, click Dashboards. 2. In the dashboard drop-down list, select Brute Force Attack Detection. 3. The dashboard displays with four panels displaying data on failed logins: l Failed Logins - Top Sources: displays a bar graph of the 10 sources with the highest count of login attempts for the last 6 hours. l Failed Logins - Top Destinations: displays a bar graph of the 10 destinations with the highest count of login attempts for the last 6 hours. l Failed Logins - Top Source & Destination Pairs: displays a table of the 10 source-destination pairs with the highest count of login attempts from the last 6 hours. l Failed Logins - Top User Account and Destination Pairs: displays a table of the 10 user account- destination pairs with the highest count of login attempts from the last 6 hours. Hover your pointer over any colored portion of a graph to display the overall details, including the count of login attempts. Click View on Search Page to display the panel in its own page, including the Saved Search details. Security Use Case Guide Brute Force Attack Detection Dashboards HPE Logger Brute Force Attack Detection (1.0) Page 7 of 13
  • 8. Drilling Down To drill down on the data in a dashboard graph and review details of the data displayed, click the colored portion of any graph. While the graphs displays the 10 items with the highest count, the drill- down page shows the 100 items with the highest count. At the top of the page is a graph with local time as the x-axis, showing groups of events across time as bars. Click any bar shown on the graph to view the details of all events that took place at the indicated time. The Saved Search used to filter data for the dashboard is displayed at the top of the page. The filter can be used as-is, or may be customized by the filter tools. For details on how to modify a filter, consult the Logger Administrator's Guide. To export the dashboard data, click Export. Then, on the Export Options page, select the details of the export. Modifying the Default Dashboard Settings You can modify the default dashboard settings by editing the panel display or by editing the Saved Search used to compile the dashboard. For more information on modifying a dashboard layout, panels, or a Saved Search, see the Logger Administrator's Guide. Security Use Case Guide Brute Force Attack Detection Dashboards HPE Logger Brute Force Attack Detection (1.0) Page 8 of 13
  • 9. Brute Force Attack Detection Reports By running and reviewing the reports included in the Brute Force Attack Detection Security Use Case, you can easily determine trends over time and that could be brute force attacks. Before running a report, verify that the report's period (start and end date) is for the desired time frame. Period can be retained from previously run reports. To access a Brute Force Attack Detection report: 1. On the Logger main menu, click Reports. 2. In the navigation menu, click Report Explorer. 3. Select Brute Force Attack. 4. Select a report to run. 5. Under Actions, select an action to take with the report, such as Run with Default Options. You can run reports, customize, copy or take other actions with any of these reports as you would with other Logger reports. For detailed instructions on how to run, edit, and manage Logger reports, see the Logger Administrator's Guide. Brute Force Attack Reports Brute force attacks show possible brute force attacks by source, user account, and destination. You should run these reports as often as possible (preferably daily) to spot possible brute force attacks early. Alternatively, you can schedule these reports to run automatically in Logger under Scheduled Reports in the navigation menu. Report Description Attempted Brute Force Attack Shows source, user account, and destination involved in an attempted brute force attack. An attempted brute force attack is defined as one where the number of failed login attempts exceeds the report query's threshold (by default, 50 failed attempts per day). Successful Brute Force Attack Shows source, user account, and destination involved in an attempted brute force attack, which resulted in one or more successful logins. Source Reports Source reports display information on the sources of possible brute force attacks. Security Use Case Guide Brute Force Attack Detection Reports HPE Logger Brute Force Attack Detection (1.0) Page 9 of 13
Report: A Source Targeting Destinations
Description: Shows a list, sorted by count, of the top 100 sources targeting multiple destinations with failed logins. You can customize the report to isolate one or more sources or destinations.

Report: Exploit Attempts of User Accounts by Sources
Description: Shows a list, sorted by count, of the top 100 user accounts that failed to log in to any destination. You can customize the report to isolate one or more user accounts, sources, or destinations.

Failed Login Counts Reports

Failed login counts reports show trends in the count of failed logins, grouped by different parameters. Using failed login counts reports lets you spot possible trends and other issues.

Report: Failed Login Counts by Days
Description: Groups failed login events by day of occurrence.

Report: Failed Login Counts by Destinations
Description: Groups the top 100 (by count) destinations for failed login events.

Report: Failed Login Counts by Sources
Description: Groups the top 100 (by count) sources for failed login events.

Report: Failed Login Counts by User Accounts
Description: Groups the top 100 (by count) user accounts for failed login events.

Report: Failed Login Counts by Weeks
Description: Groups failed login events by the week in which they occurred.

Failed Login Statistics Reports

Failed login statistics reports show the statistics of all failed logins, each grouped by a different parameter.

Report: Failed Login Statistics by a Destination
Description: Shows statistics of all failed login events associated with a destination.

Report: Failed Login Statistics by a Source
Description: Shows statistics of all failed login events associated with a source.

Report: Failed Login Statistics by a User Account
Description: Shows statistics of all failed login events associated with a user account.
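The report definitions above (the Attempted and Successful Brute Force Attack reports, and the Failed Login Counts reports grouped by day, week, source, user account, and destination) can be expressed as a small piece of grouping logic. The following Python is an added example written for this guide; it is not HPE's code and not the Logger report queries themselves. The event field names (src, suser, dst, outcome), the sample addresses and accounts, and the join rule used for the "successful" report are assumptions chosen for the illustration.

```python
"""Constructed reimplementation of the Brute Force Attack Detection report
logic over a small set of constructed login events.  Added example; not
Logger code and not the use case's own queries."""
from collections import Counter
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample login events.  Field names (src, suser, dst,
    outcome) are assumptions loosely modelled on CEF-style fields."""
    events = []
    base = datetime(2016, 1, 20, 8, 0, 0)
    # 60 failed logins from one source against one account, then a success
    for i in range(60):
        events.append({"time": base + timedelta(seconds=10 * i),
                       "src": "203.0.113.5", "suser": "alice",
                       "dst": "10.0.0.10", "outcome": "failure"})
    events.append({"time": base + timedelta(minutes=11),
                   "src": "203.0.113.5", "suser": "alice",
                   "dst": "10.0.0.10", "outcome": "success"})
    # 55 failed logins against another account, never successful
    for i in range(55):
        events.append({"time": base + timedelta(minutes=30, seconds=5 * i),
                       "src": "203.0.113.9", "suser": "bob",
                       "dst": "10.0.0.11", "outcome": "failure"})
    # a handful of ordinary failures, well below the threshold, next day
    for i in range(3):
        events.append({"time": base + timedelta(days=1, minutes=i),
                       "src": "198.51.100.7", "suser": "carol",
                       "dst": "10.0.0.10", "outcome": "failure"})
    return events


def _day(event):
    return event["time"].date().isoformat()


def _key(event):
    """Grouping key used by the Brute Force Attack reports: one row per
    (day, source, user account, destination)."""
    return (_day(event), event["src"], event["suser"], event["dst"])


def attempted_brute_force(events, threshold=50):
    """Attempted Brute Force Attack: groups whose failed-login count exceeds
    the threshold (default 50 per day, as the guide states)."""
    failures = Counter(_key(e) for e in events if e["outcome"] == "failure")
    return {k: n for k, n in failures.items() if n > threshold}


def successful_brute_force(events, threshold=50):
    """Successful Brute Force Attack: attempted groups that also have at
    least one successful login for the same source/user/destination on the
    same day.  Assumption: the join is on those fields only; ordering of
    the success relative to the failures is not checked here."""
    attempted = attempted_brute_force(events, threshold)
    successes = Counter(_key(e) for e in events if e["outcome"] == "success")
    return {k: (n, successes[k]) for k, n in attempted.items()
            if successes[k] > 0}


def failed_login_counts(events, field, top_n=100):
    """Failed Login Counts by <field>: the top_n groups of failed logins,
    sorted by count.  field is 'day', 'week', 'src', 'suser' or 'dst'."""
    def group(e):
        if field == "day":
            return _day(e)
        if field == "week":
            year, week, _ = e["time"].isocalendar()
            return f"{year}-W{week:02d}"
        return e[field]
    counts = Counter(group(e) for e in events if e["outcome"] == "failure")
    return counts.most_common(top_n)


if __name__ == "__main__":
    evs = build_sample_events()
    for k, n in attempted_brute_force(evs).items():
        print("attempted:", k, n)
    for k, v in successful_brute_force(evs).items():
        print("successful (failures, successes):", k, v)
    print("failed logins by source:", failed_login_counts(evs, "src"))
    print("failed logins by week:", failed_login_counts(evs, "week"))
```

Run as a script, it lists the two groups that exceed the default threshold, the one of them that also produced a successful login, and the by-source and by-week counts. Changing the threshold argument mirrors editing the report query's threshold in Query Explorer.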
Additional Information

The dashboard and reports included in the Brute Force Attack Detection Security Use Case make use of the following queries, filters, and fieldset.

Queries

The Brute Force Attack Detection Security Use Case includes queries for each report discussed under "Brute Force Attack Detection Reports" on page 9. You can view or edit the query details as needed.

To view or edit query details:

1. In the main menu, click Reports.
2. In the left navigation menu, click Query Explorer.
3. Select Brute Force Attack in the first column.
4. In the second column, double-click the query you wish to view or edit.

For complete details on editing or managing queries, see the Logger Administrator's Guide.

Filters

These filters are part of the Brute Force Attack Detection Security Use Case.

• Brute Force Attack - Failed Login Events
• Brute Force Attack - Successful Login Events

To view or edit filter details:

1. On the main menu, click Configuration.
2. Under Search, click Filters.
3. The Brute Force filters are displayed in the list. Click any filter to display its details.

For complete details on editing or managing filters, see the Logger Administrator's Guide.

Fieldset

A single fieldset is part of the Security Use Case.
• Brute Force Attack Detection

To view or edit fieldset details:

1. On the main menu, click Configuration.
2. Under Search, click Fieldsets.
3. The Brute Force fieldset is displayed in the list, with details.

For complete details on editing or managing fieldsets, see the Logger Administrator's Guide.
Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line:

Feedback on Security Use Case Guide (Logger Brute Force Attack Detection 1.0)

Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to arc-doc@hpe.com.

We appreciate your feedback!