Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express v4.0

Solution Guide
HP Reputation Security Monitor 1.01
ArcSight ESM and ArcSight Express
March 6, 2013

Copyright © 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.hpenterprisesecurity.com/copyright
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is confidential.
Contact Information
Revision History
Phone A list of phone numbers is available on the HP ArcSight Technical
Support page: http://www8.hp.com/us/en/software-
solutions/software.html?compURI=1345981#.URitMaVwpWI.
Support Web Site http://support.openview.hp.com
Protect 724 Community https://protect724.arcsight.com
Date Product Version Description
3/6/2013 Reputation Security
Monitor Solution 1.01
Final revision for release.

Confidential HP Reputation Security Monitor Solution Guide 3
Contents
Chapter 1: Overview and Architecture ................................................................................ 7
How RepSM Works .......................................................................................................... 7
Reputation Data .............................................................................................................. 8
Reputation Scores ..................................................................................................... 8
Exploit Types ............................................................................................................ 8
What RepSM Can Do for You ............................................................................................. 9
Protect from Advanced Persistent Threats (APTs) .......................................................... 9
Detect and Analyze Zero Day Attacks .......................................................................... 9
Ensure the Reputation of Your Organization’s Assets ...................................................... 9
Identify Suspicious Browsing ...................................................................................... 9
Optimize the Security Operations Center .................................................................... 10
RepSM Detection Use Cases at a Glance ........................................................................... 10
Supported Devices ........................................................................................................ 11
Chapter 2: Installing and Configuring RepSM .................................................................... 13
Installation Overview ..................................................................................................... 13
Verifying Your Environment ............................................................................................ 14
Configuring the ESM Active List Capacity (Required) ......................................................... 14
Installing the RepSM Content ......................................................................................... 15
Troubleshooting Your Installation .............................................................................. 17
Installing the Model Import Connector for RepSM .............................................................. 18
Configuring the RepSM Content ....................................................................................... 18
Assigning User Permissions ...................................................................................... 19
Configuring Active Lists ............................................................................................ 19
Categorizing Assets ................................................................................................. 20
How to Assign Asset Categories .......................................................................... 21
Deploying Rules (Required) ...................................................................................... 21
Setting Thresholds for the Reputation Score ............................................................... 22
Configuring Cases ................................................................................................... 23
Verifying RepSM Content Configuration ...................................................................... 24
Chapter 3: Using RepSM Content ....................................................................................... 25
Best Practices ............................................................................................................... 27
Manage Cases to Ensure Continued Detection ............................................................. 27

Contents
4 HP Reputation Security Monitor Solution Guide Confidential
Get Email About RepSM Service Outages .................................................................... 27
Start With a Host Name or Domain Name ................................................................... 27
Use the Integrated Web Search for Malicious Hosts ...................................................... 27
Sort Displays to Prioritize Your Investigation ............................................................... 28
RepSM Overview ........................................................................................................... 29
Configuration ......................................................................................................... 29
Usage .................................................................................................................... 29
Internal Infected Assets ................................................................................................. 32
Configuration ......................................................................................................... 32
Usage .................................................................................................................... 32
Key Resources ........................................................................................................ 34
Zero Day Attacks .......................................................................................................... 37
Configuration ......................................................................................................... 37
Usage .................................................................................................................... 37
Key Resources ........................................................................................................ 39
Dangerous Browsing ...................................................................................................... 41
Configuration ......................................................................................................... 41
Usage .................................................................................................................... 41
Key Resources ........................................................................................................ 43
Internal Assets Found in Reputation Data ......................................................................... 45
Configuration ......................................................................................................... 45
Usage .................................................................................................................... 46
Key Resources ........................................................................................................ 47
Event Enrichment with Reputation Data ........................................................................... 49
Configuration ......................................................................................................... 49
Usage .................................................................................................................... 49
Key Resources ........................................................................................................ 49
Access from Dangerous Sources ...................................................................................... 52
Configuration ......................................................................................................... 52
Usage .................................................................................................................... 52
Key Resources ........................................................................................................ 54
Access to Dangerous Destinations ................................................................................... 56
Configuration ......................................................................................................... 56
Usage .................................................................................................................... 56
Key Resources ........................................................................................................ 57
RepSM Package Health Status ......................................................................................... 60
Configuration ......................................................................................................... 60
Usage .................................................................................................................... 60
Key Resources ........................................................................................................ 61
Reputation Data Analysis ............................................................................................... 63
Configuration ......................................................................................................... 63
Usage .................................................................................................................... 63
Key Resources ........................................................................................................ 64

Contents
Appendix A: Troubleshooting ............................................................................................ 67
Appendix B: Uninstalling RepSM ....................................................................................... 71
Preparing to Uninstall .................................................................................................... 71
Generating a List of Resource Changes ............................................................................. 71
Backing Up a Solution Package ........................................................................................ 72
Uninstalling the Content Package ..................................................................................... 72
Appendix C: RepSM Service Messages ............................................................................... 75
Service Activation Messages ........................................................................................... 75
Data Retrieval Messages ................................................................................................ 76
Appendix D: RepSM Resource Reference ........................................................................... 77
Access from Dangerous Sources ...................................................................................... 77
Access to Dangerous Destinations ................................................................................... 86
Dangerous Browsing ...................................................................................................... 97
Event Enrichment with Reputation Data ...........................................................................108
Internal Assets Found in Reputation Data ........................................................................113
Internal Infected Assets ................................................................................................115
RepSM Overview ..........................................................................................................123
RepSM Package Health Status ........................................................................................136
Reputation Data Analysis ...............................................................................................151
Zero Day Attacks .........................................................................................................156

Contents

Chapter 1
Overview and Architecture
This chapter discusses the following topics:
How RepSM Works
The HP Reputation Security Monitor (RepSM) solution uses internet threat intelligence to
detect malware infection, zero day attacks, and dangerous browsing on your network.
RepSM consists of the following components:
 The HP RepSM service, powered by HP TippingPoint Reputation Digital Vaccine
(RepDV), provides reputation data from the comprehensive RepDV database of
malicious IP addresses, host names, and domain names. RepDV uses IPv4 and
Domain Name System (DNS) security intelligence feeds from multiple sources to
provide a broad set of reputation data.
 The HP Model Import Connector for RepSM imports the reputation data at regular
intervals from the RepSM service to ArcSight ESM or ArcSight Express.
 The HP RepSM content running on ArcSight ESM or ArcSight Express, correlates the
reputation data and security events to detect and remediate security incidents and
issues that would otherwise be undetectable. RepSM content is organized into several
use cases, which address specific objectives.
The following figure shows how the RepSM components work together.
“How RepSM Works” on page 7
“Reputation Data” on page 8
“What RepSM Can Do for You” on page 9
“RepSM Detection Use Cases at a Glance” on page 10
“Supported Devices” on page 11

1 Overview and Architecture
Reputation Data
RepSM stores the reputation data from the RepSM service in active lists; one list for IP
addresses and another list for host names and domain names. Those active lists are
collectively referred to as the reputation database. Each IP address, host name, or domain
name in the reputation database has a reputation score and exploit type, as described in
the following sections.The RepSM use cases detect various kinds of malicious activity based
on the reputation scores and exploit types.
Reputation Scores
The reputation score is a number from 0 to 100 that indicates the potential security risk of
the IP address, host name, or domain name, based on current threat intelligence from
RepDV. The higher the score, the greater the potential for risk. Scores below 40 represent
undesirable but not malicious activity. Scores below 20 are unlikely to pose any threat.
Exploit Types
The exploit type indicates the threat attributed to the malicious host, as described below:
Entities with a score of 0 pose no threat at all, but are maintained in the
reputation database because they are considered candidates for malicious
activity. By default, the RepSM use cases ignore entities that have a score of
0.
Blended
Threat
The malicious host is classified as having multiple exploit types.
Botnet The malicious host is either a member of a botnet or a command
and control center for a botnet.
Malware The malicious host is one of the following:
• A web server that distributes malware to users who browse
sites located on the server.
• A command and control center for computers infected with
malware.
Miscellaneous The host is considered malicious, but there is insufficient
information to classify it as another, more specific exploit type.
Misuse and
Abuse
The malicious host scans the internet for vulnerable systems, or
serves adult content.
P2P The malicious host is part of a peer-to-peer (P2P) network, such as
eMule or BitTorrent. The malicious host might be the central node
for the network or a member of the network.
Phishing The malicious host sends phishing emails, or the malicious host’s
URL appears in the text of phishing emails.
Spam The malicious host sends spam emails.
Spyware The malicious host distributes spyware or other suspicious
software.
Web
Application
Attacker
The malicious host initiates application layer attacks, such as SQL
injection and Cross Site Scripting, against web servers.
Worm The malicious host is infected by a worm.

What RepSM Can Do for You
By analyzing communications with known disreputable internet hosts, RepSM can help you
achieve the following objectives:
 “Protect from Advanced Persistent Threats (APTs)” on page 9
 “Detect and Analyze Zero Day Attacks” on page 9
 “Ensure the Reputation of Your Organization’s Assets” on page 9
 “Identify Suspicious Browsing” on page 9
 “Optimize the Security Operations Center” on page 10
Protect from Advanced Persistent Threats (APTs)
APTs are sophisticated cyber attacks in which an adversarial group targets previously
identified computers and installs malware on those computers. The malware then
establishes communications with an external command and control center, and extracts
information from your network. APTs typically operate undetected for an extended period
of time, however, RepSM enables you to:
 Detect APTs early by correlating events regarding communication from internal
computers to external command and control centers.
 Analyze the past activity of infected computers for forensic investigation.
The Internal Infected Assets use case provides resources to perform these activities.
For more information, see “Internal Infected Assets” on page 32.
Detect and Analyze Zero Day Attacks
Zero day attacks exploit newly found software vulnerabilities before vendors have the
opportunity to correct the vulnerability. By detecting successful communications to internal
assets from disreputable sources, RepSM provides early detection of attacks that would not
be detected by standard, signature based security controls. The Zero Day Attacks use
case provides a dashboard of this inbound traffic. For more information about the use case,
see “Zero Day Attacks” on page 37.
Ensure the Reputation of Your Organization’s Assets
RepSM can provide an early warning that your organization's assets have been included in
the reputation database, indicating a potential security breach. Conversely, assets might be
falsely included in the database, but still require investigation to avoid negative operational
effects, such as e-mail from your organization being marked as spam.
The Internal Assets Found in Reputation Data use case focuses on assets that have
been listed in the reputation database and require attention. For more information about
the use case, see “Internal Assets Found in Reputation Data” on page 45.
Identify Suspicious Browsing
The Access to Dangerous Destinations use case detects users browsing to dangerous
web sites and provides tools for investigating their activity. Operators can then take
remedial action, such as using Threat Response Manager (TRM) to quarantine the user’s
computer. For more information about the use case, see “Access to Dangerous
Destinations” on page 56.

Optimize the Security Operations Center
RepSM enables security analysts to analyze events within the context of global threat
intelligence to avoid false positives and focus on key events. By correlating events with
reputation data, RepSM can depict risk more accurately in reports and dashboards.
The Event Enrichment with Reputation Data use case provides global variables that
you can use to add reputation intelligence to non-RepSM resources. For more information,
see “Event Enrichment with Reputation Data” on page 49.
RepSM Detection Use Cases at a Glance
The following table summarizes some key points about the RepSM use cases that use
threat intelligence to detect problems. This summary can help you understand the
distinction between the use cases.
For detailed information about these and other RepSM use cases, see Chapter 3‚ Using
RepSM Content‚ on page 25.
Use Case
Name
Direction of
Communication
Outcome of
Communication
Malicious Host
Exploit Type
The Use Case
Detects Assets
that are:
Internal
Infected Assets
Outbound to
malicious host
Success and
failure
Botnet, P2P not categorized as
Public-Facinga
a.If you classify assets in this category, the use case produces better results and fewer false positives.
If you do not classify assets in this category, the use case applies to all assets.
All exploit typesb
b.For a complete list of exploit types, see “Exploit Types” on page 8.
categorized as
Public-Facing
Zero Day
Attacks
Inbound from
malicious host
Success Botnet,
Miscellaneous,
Misuse and Abuse,
P2P, Web
Application Attacker,
Worm
categorized as
Internal Non
Public-Facing
Dangerous
Browsing
Outbound to
malicious host
Success and
failure
Phishing, Malware not categorized as
Public-Facinga
Access to
Dangerous
Destinations
Outbound to
malicious host
Success and
failure
Blended Threat,
Miscellaneous,
Misuse and Abuse,
Spam, Spyware,
Web Application
Attacker, Worm
not categorized as
Public-Facinga
Access from
Dangerous
Sources
Inbound from
malicious host
Success Blended Threat,
Malware, Phishing,
Spam, Spyware
categorized as
Internal Non
Public-Facing
All exploit typesb not categorized as
Internal Non
Public-Facinga

Supported Devices
Any event that identifies a source or destination host (through its host name or IP address)
or a request URL that contains similar information, applies to the RepSM use cases. The
following device types typically produce those events:
 Firewalls
 Intrusion Prevention Systems (IPSs)
 Network equipment, such as routers, switches, and wireless access points
 Network monitors, managers, and traffic analyzers
 Virtual Private Networks (VPNs)
 Web proxy servers

Chapter 2
Installing and Configuring RepSM
This chapter describes how to install and configure the RepSM solution and discusses the
following topics.
Installation Overview
Perform the installation tasks in the following order:
1 Verify your ArcSight ESM or ArcSight Express environment. See “Verifying Your
Environment” on page 14.
2 For ArcSight ESM, increase the maximum capacity for active lists. See “Configuring the
ESM Active List Capacity (Required)” on page 14.
For ArcSight Express, this step is not required; the default active list capacity supports
RepSM.
3 For ArcSight ESM, install the content package (.arb file). See “Installing the RepSM
Content” on page 15.
For ArcSight Express, this step is not required; the RepSM content package is
pre-installed.
4 Install the Model Import Connector for RepSM. See “Installing the Model Import
Connector for RepSM” on page 18.
5 Configure the RepSM content. Minimally, you must deploy the RepSM rules to ensure
that the use cases produce results. See “Configuring the RepSM Content” on page 18.
Installation Overview, described below
“Verifying Your Environment” on page 14
“Configuring the ESM Active List Capacity (Required)” on page 14
“Installing the RepSM Content” on page 15
“Installing the Model Import Connector for RepSM” on page 18
“Configuring the RepSM Content” on page 18

2 Installing and Configuring RepSM
Verifying Your Environment
Before you install RepSM, make sure that you are running a supported version of ArcSight
ESM or ArcSight Express. The Reputation Security Monitor 1.01 Release Notes indicate the
supported versions.
Configuring the ESM Active List Capacity (Required)
By default, the maximum capacity for ArcSight ESM active lists is 500,000 entries. Before
you install the RepSM content, this capacity must be increased to 1,000,000 to enable
RepSM to monitor up to one million entries of reputation data. Otherwise, the installation
of the RepSM content package will fail with the following error:
Install Failed: ActiveList capacity cannot be greater than 500000
To increase the active list maximum capacity:
1 Add the following line to the server.properties file located in
<ARCSIGHT_HOME>config:
activelist.max_capacity=1000000
2 Restart the ArcSight Manager for the new setting to take effect.
For more information about the server.properties file, see the Configuration chapter
of the ESM Administrator’s Guide.
The ArcSight ESM Manager Java heap memory size must be set to at least
4 GB to support RepSM. For information about setting the heap size, see the
ArcSight ESM Installation and Configuration Guide.
For ArcSight Express, the Java heap memory size is set to support RepSM.
For ArcSight Express, the RepSM content package is pre-installed and the
default active list capacity is one million; skip this section and go to
“Installing the Model Import Connector for RepSM” on page 18 and then
“Configuring the RepSM Content” on page 18. Some basic configuration is
required or recommended to tailor the content for your operating
environment.

Installing the RepSM Content
Follow the procedure below to install the RepSM content package on ArcSight ESM.
To install the RepSM content package:
1 Make sure the maximum capacity for active lists is set to 1,000,000, as described in
“Configuring the ESM Active List Capacity (Required)” on page 14.
2 Download the following RepSM content package bundle to the machine where you
plan to run the ArcSight Console:
ArcSight-SolutionPackage-RepSM.1.0.0<nnnn>.0.arb
Where <nnnn> is the 4 character build number specified in the Reputation Security
Monitor 1.01 Release Notes.
Internet Explorer sometimes converts the ARB file to a ZIP file during
download. If this occurs, rename the ZIP file back to an ARB file before
importing.
3 Log into the ArcSight Console with an account that has administrative privileges.
4 In the Navigator panel, click the Packages tab.
5 Click Import ( ).
6 In the Open dialog, browse and select the package bundle file, and then select Open.
The Progress tab of the Importing Packages dialog shows how the package bundle
import is progressing.
When the import is complete, the Results tab of the Importing Packages dialog is
displayed together with the Packages for Installation dialog, as shown in the following
For ArcSight Express, the RepSM content package is pre-installed; skip this
section and go to “Installing the Model Import Connector for RepSM” on
page 18 and then “Configuring the RepSM Content” on page 18. Some basic
configuration is required or recommended to tailor the content for your
operating environment.
The RepSM content is a self-contained solution that does not rely on any
other ArcSight solution. You can install the RepSM content package alongside
other solutions on the same ArcSight Manager. Before installing a new
solution, HP recommends that you back up any existing solutions installed on
the ArcSight Manager. For detailed instructions, see Appendix B‚ Uninstalling
RepSM‚ on page 71.

figure.
7 In the Packages for Installation dialog, leave the Reputation Security Monitor
1.0 checkbox selected and click Next.
The Installing Packages dialog opens. The Progress tab shows how the installation is
progressing. When the installation is complete, the Results tab displays the Summary
Report.
8 In the Installing Packages dialog, click OK.
9 In the Importing Packages dialog, click OK.
10 On the Packages tab of the Navigator panel, expand the Reputation Security
Monitor 1.0 group to verify that the installation is successful and that the content

is accessible in the Navigator panel.
Troubleshooting Your Installation
If the installation is not successful, refer to the contact information below.
After you install the RepSM package, perform any required configuration of
the RepSM content to ensure that the use cases produce results. For more
information, see “Configuring the RepSM Content” on page 18.
Resource Description
Support web site http://support.openview.hp.com provides access to incident
reporting, the knowledge base, software downloads, help, and
the customer forum.

For additional, post-installation troubleshooting information, see Appendix A‚
Troubleshooting‚ on page 67.
Installing the Model Import Connector for RepSM
The Model Import Connector for RepSM forwards reputation data from the RepSM service
to ArcSight ESM or ArcSight Express. An active subscription to the RepSM service is
required. (If you do not have an active RepSM service subscription and would like to
purchase one, contact your HP ArcSight sales representative.)
To install and configure the Model Import Connector for RepSM, follow the instructions in
the Model Import Connector for RepSM Configuration Guide.
For the supported versions of the Model Import Connector for RepSM, see the Reputation
Security Monitor 1.01 Release Notes.
Configuring the RepSM Content
Several of the RepSM content resources need to be configured with values specific to your
environment. Depending on the features you want to implement and how your network is
set up, some configuration is required and some is optional. The list below shows the
general configuration tasks for the RepSM resources. Specific configuration tasks for the
RepSM use cases are described in Chapter 3‚ Using RepSM Content‚ on page 25.
 “Assigning User Permissions” on page 19
 “Configuring Active Lists” on page 19
 “Categorizing Assets” on page 20
 “Deploying Rules (Required)” on page 21
 “Setting Thresholds for the Reputation Score” on page 22
 “Configuring Cases” on page 23
 “Verifying RepSM Content Configuration” on page 24
Protect 724
Community
https://protect724.arcsight.com offers a place for customers
to:
• Share content, collaborate on best practices, and get
feedback
• Ask and answer questions
• Network with each other
• Find product roadmaps
• Sign up to receive email notifications about RepSM service
outages from the RepSM group
If you need to back up or uninstall the RepSM content at a later date, see
Appendix B‚ Uninstalling RepSM‚ on page 71.
Resource Description

Assigning User Permissions
By default, users in the Default user group can view RepSM content, and users in the
ArcSight Administrators and Analyzer Administrators user groups have read
and write access to the solution content. Depending on how you set up user access
controls within your organization, you might need to adjust those controls to make sure the
new content is accessible to the right users in your organization.
The following process assumes that you have user groups set up and users assigned to
those groups.
In the following procedure, assign user permissions to all the following resource types:
 Active Channels
 Active lists
 Cases
 Dashboards
 Data monitors
 Field Sets
 Filters
 Queries
 Query Viewers
 Reports
 Rules
 Trends
To assign user permissions:
2 For all the resource types listed above, change the user permissions:
a In the Navigator panel, go to the resource type and navigate to ArcSight
Solutions/Reputation Security Monitor 1.0.
b Right-click the Reputation Security Monitor 1.0 group and select Edit Access
Control to open the ACL editor in the Inspect/Edit panel.
c In the ACL editor of the Inspect/Edit panel, select the user groups for which you
want to grant permissions to the RepSM resources and click OK.
Configuring Active Lists
The RepSM active lists retain data that is cross-referenced dynamically during run-time by
ArcSight resources that use conditions, such as filters and rules.

Required Configuration
The following active lists require configuration to ensure that the use case produces
results:
Optional Configuration
The following active lists contain default exploit types for the use cases listed below, but
you can add or remove exploit types as needed:
For specific configuration information, see the “Configuration” section in the use case
sections listed above. For a description of exploit types, see “Exploit Types” on page 8.
For detailed instructions on adding entries to active lists, see the ArcSight Console User’s
Guide.
Categorizing Assets
Categorizing assets adds valuable business context to the events evaluated by the RepSM
use cases. The RepSM content relies on the following asset categories to distinguish
between internal, public, and non-public assets:
Asset categorization is required to activate some use cases, and optional but recommended
for other use cases to ensure better results with fewer false positives. The following table
Active List Used by this Use Case
Internal Domains for Reputation Monitoring
Internal Network Addresses for Reputation Monitoring
Internal Assets for Reputation Monitoring
“Internal Assets Found in Reputation
Data” on page 45
Active List Used by this Use Case
Critical Exploit Types “Internal Infected Assets” on page 32
Dangerous Browsing Exploit Types “Dangerous Browsing” on page 41
Zero Day Attack Exploit Types “Zero Day Attacks” on page 37
Asset Category Description URI
Protected This standard asset category classifies
internal assets (those that are inside your
organization’s network).
By default, any address contained in the
Private Address Space Zones is categorized
as Protected.
Site Asset
Categories/Address Spaces
Public-Facing This RepSM asset category classifies internal
assets that are accessible from the internet.
ArcSight
Solutions/Reputation
Security Monitor
Internal Non
Public-Facing
This RepSM asset category classifies internal
assets that are not accessible from the
internet.
ArcSight
Security Monitor

lists the use cases that rely on asset categorization. For more information, see the use case
section referenced in the table below.
For more information about how categorization affects the use cases, see “RepSM
Detection Use Cases at a Glance” on page 10.
How to Assign Asset Categories
The RepSM asset categories can be assigned using one of the following methods:
One by One Using the Console
Use this method if you have only a few assets to categorize. An asset can be categorized in
more than one RepSM asset category. For more information, see the ArcSight Console
User’s Guide.
ArcSight Asset Import Connector
If you have many assets to categorize, you can use the ArcSight Asset Import Connector.
The ArcSight Asset Import Connector is available as part of the SmartConnector download.
For instructions about how to use this connector to categorize your assets for RepSM, see
the ArcSight Asset Import SmartConnector Configuration Guide.
Network Model Wizard
The Network Model wizard provides the ability to quickly populate the ArcSight network
model by batch loading asset and zone information from Comma Separated Files (CSV)
files. The wizard is available from the ArcSight Console menu option Tools > Network
Model. For more information about the wizard, see the ArcSight Console User’s Guide.
Deploying Rules (Required)
In order for the RepSM rules to process events, the rules must be deployed to the
Real-time Rules group. By default, RepSM rules are not deployed.
To deploy the RepSM rules to the Real-time Rules group:
1 From the Resources tab in the Navigator panel, go to Rules and navigate to the
ArcSight Solutions/Reputation Security Monitor 1.0 group.
2 Right-click the Reputation Security Monitor 1.0 group and select Deploy
Real-time Rule(s).
After a few seconds, the rules in the group will be listed under the Real-time
Rules/Reputation Security Monitor 1.0 group.
The rules in this group are linked to the rules in the ArcSight
Solutions/Reputation Security Monitor 1.0 group.
Use Case Asset Category Categorization is:
“Access from Dangerous Sources” on page 52 Internal Non Public-Facing Recommended
“Access to Dangerous Destinations” on page 56 Public-Facing Recommended
“Dangerous Browsing” on page 41 Public-Facing Recommended
“Internal Infected Assets” on page 32 Public-Facing Recommended
“Zero Day Attacks” on page 37 Internal Non Public-Facing Required

For more information about working with rules, see the ArcSight Console online Help.
Setting Thresholds for the Reputation Score
Several RepSM use cases provide rules that rely on a reputation score threshold. Only IP
addresses, host names, and domain names that have a score equal to or greater than the
threshold are considered malicious by the use cases.
You can set different thresholds for the domain names and IP addresses. By default, the
thresholds are set to 1, so reputation scores from 1 to 100 are considered.
The threshold is defined in several global variables provided by the use cases, as described
in Table 2-1:
Table 2-1 Reputation Score Threshold Variables
By default, these variables use the same generic variable,
solnGenericHighScoreThreshold, which defines the score threshold for both IP
addresses and domains.
To change the thresholds, you can either set the threshold in the generic variable, which
will affect all of the use cases listed in Table 2-1, or you can override the generic variable
and specify thresholds in the individual use cases, as described below.
To set the threshold in the generic variable:
1 From the Navigator panel Resources tab, select Field Sets from the drop-down list,
click the Fields & Global Variables tab, and then navigate to:
Field Sets/Shared/All Field Sets/ArcSight Solutions/Reputation
Security Monitor 1.0/Configuration
2 Double-click solnGenericHighScoreThreshold to open it in the Inspect/Edit
panel.
Variable Use Case
Access from Dangerous Sources Reputation Domain Score Threshold
Access from Dangerous Sources Reputation IP Score Threshold
“Access from Dangerous
Sources” on page 52
Access to Dangerous Destinations Reputation Domain Score Threshold
Access to Dangerous Destinations Reputation IP Score Threshold
“Access to Dangerous
Destinations” on page 56
Dangerous Browsing Reputation Domain Score Threshold
Dangerous Browsing Reputation IP Score Threshold
“Dangerous Browsing”
on page 41
Internal Infected Assets Reputation Domain Score Threshold
Internal Infected Assets Reputation IP Score Threshold
“Internal Infected
Assets” on page 32
Zero Day Attacks Reputation Domain Score Threshold
Zero Day Attacks Reputation IP Score Threshold
“Zero Day Attacks” on
page 37

3 Click the Parameters tab and change one of the Number arguments, as shown
below:
4 Click OK to save your changes.
To set the threshold in an individual use case:
1 From the Navigator panel Resources tab, select Field Sets from the drop-down list,
click the Fields & Global Variables tab, and then navigate to:
Field Sets/Shared/All Field Sets/ArcSight Solutions/Reputation
Security Monitor 1.0/Configuration
2 Double-click the variable to open it in the Inspect/Edit panel. (The variables are listed
Table 2-1 on page 22.)
3 Click the Parameters tab and do one of the following:
 Specify a value in the bottom Number field. That value will be added to the value
in the generic variable.
To see the current value of solnGenericHighScoreThreshold, click the
pull-down menu, and hover the mouse over the variable in the list.
 Remove the generic variable by changing Field to Integer, and then specify a
value in either of the Number fields.
4 Click OK to save your changes.
Configuring Cases
Cases are a trouble-ticket system that can be used as-is or in conjunction with a third-party
trouble-ticket system. Some RepSM rules create a case if certain conditions are met.
RepSM includes the ArcSight Solutions/Reputation Security Monitor 1.0
group, which holds the cases generated by some RepSM rules.
You can add more groups to the ArcSight Solutions/Reputation Security
Monitor 1.0 group or add your own group if you want to add more differentiations. If
you do add more groups, modify the rules that generate cases to use your new case
groups.

For more important information about cases, see “Manage Cases to Ensure Continued
Detection” on page 27.
Verifying RepSM Content Configuration
After you have finished configuring the RepSM content, you can use the Events Analyzed
by RepSM Use Cases dashboard to see how many events have been evaluated by each use
case, and which devices generated those events. For more information, see “RepSM
Package Health Status” on page 60.

Chapter 3
Using RepSM Content
RepSM provides the use cases listed in the following table. For a detailed comparison of
some of the use cases, see “RepSM Detection Use Cases at a Glance” on page 10.
Use Case Purpose of Use Case
“RepSM Overview”
on page 29
The RepSM Overview use case provides quick access to the overview
dashboards provided by the other RepSM use cases, and is especially helpful
if you are unfamiliar with the RepSM content.
“Internal Infected
Assets” on page 32
The Internal Infected Assets use case helps protect from Advanced Persistent
Threat (APT) attacks by identifying internal assets that attempted to
communicate with a command and control center, or a member of a botnet.
Even if the communication attempt failed, the attempt itself indicates that
malicious software might exist on the asset.
“Zero Day Attacks”
on page 37
The Zero Day Attack use case helps detect attacks that exploit previously
unknown vulnerabilities in software — before vendors of security software,
such as antivirus, IDS, and IPS, have time to address the vulnerability. This
use case attempts to detect such compromises if they originate from
malicious IP addresses or domains. The use case identifies successful
communication to internal, non-public facing assets from external malicious
entities that have an exploit type of Botnet, Misuse and Abuse, Miscellaneous,
P2P, Web Application Attacker, and Worm. The exploit types are configurable,
as described in “Configuration” on page 37.
“Dangerous
Browsing” on
page 41
The Dangerous Browsing use case focuses on users who browse dangerous
web sites. Dangerous browsing can happen intentionally when a user
browses directly to an illegitimate web site, or unintentionally when a user
follows malicious links on a legitimate web site. Dangerous browsing can also
occur when a user is fooled by a phishing scheme, in which an illegitimate
web site imitates a legitimate web site, usually with the intention of stealing
credentials.
“Internal Assets
Found in
Reputation Data”
on page 45
The Internal Assets Found in Reputation Data use case helps ensure the
reputation of your organization’s assets by detecting when those assets
appear in the reputation database. This situation can indicate that assets
have been compromised and are being used for malicious purposes. However,
even if an asset is wrongly included in the database, it should be investigated
to avoid issues such as email from your organization being marked as spam.
You can also use this use case to detect when the assets of trusted partners
and suppliers appear in the reputation database.
“Event Enrichment
with Reputation
Data” on page 49
The Event Enrichment with Reputation Data use case provides resources that
let you add reputation data to non-RepSM resources. By enriching those
resources with global threat intelligence, security analysts can focus on key
events involving known malicious entities.

3 Using RepSM Content
The following use cases provide tools for evaluating the status of the RepSM package and
reputation database.
“Access from
Dangerous
Sources” on
page 52
The Access from Dangerous Sources use case detects successful inbound
communications to non-public facing internal assets from malicious entities
that have an exploit type of Blended Threat, Malware, Phishing, Spam, or
Spyware.
“Access to
Dangerous
Destinations” on
page 56
The Access to Dangerous Destinations use case detects outbound
communication to hosts that are involved in illegitimate activity such as
sending spam or hosting spyware. Such communication can indicate either
risky behavior on the part of users, or the existence of malware in the
network. Although this type of communication is not as critical as
communication with botnets and command and control centers, it can
threaten the security of the network or harm the organization's reputation,
and should be investigated to determine the root cause.
“RepSM Package
Health Status” on
page 60
The RepSM Package Health Status use case provides information about the
operational status of important RepSM resources. Various dashboards show
the state of important rules and trends; the number of events evaluated by
each RepSM use case and the devices that generated those events; and
messages from the Model Import Connector for RepSM and the RepSM
service.
“Reputation Data
Analysis” on
page 63
The Reputation Data Analysis use case provides statistical information about
the entries in the reputation data. It also indicates when the data was last
updated.

Best Practices
The following general recommendations apply to several of the RepSM use cases.
Manage Cases to Ensure Continued Detection
Some use cases open a case (trouble-ticket) when they detect a potentially compromised
asset. The case name includes the address and host name of the asset. When you close or
delete the case, the asset is removed from the use case’s overview dashboard. If the asset
becomes compromised again, a new case is opened, using the same case name.
If you choose to close instead of delete the case, HP recommends that you move the case
to another location to ensure that RepSM detects issues with the asset in the future.
You can access the cases from the Navigator panel Resources tab, by selecting Cases from
the drop-down list and navigating to:
Cases/Shared/All Cases/ArcSight Solutions/Reputation Security
Monitor 1.0
Get Email About RepSM Service Outages
A RepSM service outage can affect the data displayed in several of the use case
dashboards. Register for a Protect 724 account so you can sign up to receive email
notifications about such outages.
To receive emails, log in to Protect 724, select Browse > Places and navigate to the
RepSM group, and then click Receive Email Notifications in the Actions panel.
Start With a Host Name or Domain Name
Many of the RepSM use case resources provide reputation data for either IP addresses or
host names and domain names. In general, IP addresses indicate clients, while host and
domain names indicate servers. Host and domain names often include the name of the
owning organization, which makes it easier to determine the source of an attack,
investigate the attack, and contact the responsible party. You can often expedite your
investigation by starting with a host or domain name.
Use the Integrated Web Search for Malicious Hosts
Throughout the RepSM use cases, you can get information about a malicious host by
right-clicking its name and selecting Integration Commands > Search Selected Item
in Google.
For the following use cases, which detect outbound communication:
 Internal Infected Assets
 Dangerous Browsing
 Access to Dangerous Destinations
if the web search results indicate that the site is dangerous, find out whether the user of
the internal asset has a valid reason to browse the site. Even if they do, you should inspect
the internal asset for malware and take it offline if necessary.

If you think the site is not dangerous, consider deleting its entry from the Malicious
Domains or Malicious IP Addresses active lists. To have the site removed more permanently
from the reputation data, contact Customer Support.
Sort Displays to Prioritize Your Investigation
Many of the use case tabular displays have column headings that indicate key information,
such as the number of malicious hosts that communicated with an internal asset, or the
number of interactions between a host and asset. Typically, the higher the number, the
greater the risk. To help you decide which host or asset to investigate first, sort the display
by clicking these column headings.

RepSM Overview
The RepSM Overview use case provides quick access to the overview dashboards provided
by the other RepSM use cases, and is especially helpful if you are unfamiliar with the
RepSM content.
Configuration
No configuration is required for this use case.
Usage
To get started:
1 Click the Use Cases tab in the Navigator panel and open the RepSM Overview use
case located in:
Use Cases/Shared/All Use Cases/ArcSight Solutions/Reputation
Security Monitor 1.0
2 Open the RepSM Overview dashboard.
The dashboard provides a high-level, consolidated view of the RepSM use cases that
detect issues based on threat intelligence:
 Internal Infected Assets
 Zero Day Attacks
 Access from Dangerous Sources
 Access to Dangerous Destinations
 Dangerous Browsing

By using drilldowns, you can move from this dashboard to other use case dashboards
for increasingly detailed information—including exploit types, reputation scores,
detection times, attack counts, and event counts—and then finally to the base events
that caused an asset to appear on the dashboard.
3 Right-click any component and select Drilldown > Overview of... to display the
overview dashboard for the use case. For more information about the overview
dashboards, see the section for that use case in the remainder of this chapter.
(To enable the drilldown in the data monitors at the top of the dashboard, you might
need to click the AssetID in a row before right-clicking.)

4 Return to the use case tab and open the Geographical View of Malicious
Communications dashboard to see a map of malicious communication. Use the tabs at
the bottom of the map to show either access to or attacks from malicious entities.
For a complete list of the resources that support this use case, see “RepSM Overview” on
page 123.

Internal Infected Assets
The Internal Infected Assets use case helps protect from Advanced Persistent Threat (APT)
attacks by identifying internal assets that attempted to communicate with a command and
control center, or a member of a botnet. Even if the communication attempt failed, the
attempt itself indicates that malicious software might exist on the asset.
For more information, see “Protect from Advanced Persistent Threats (APTs)” on page 9.
This use case provides information about internal assets that are either:
 Public-facing and communicating with a malicious entity, regardless of its exploit type.
These assets are typically servers that do not normally initiate outbound
communication, so initiating communication with a malicious entity is of particular
interest.
 Not public-facing and communicating with a malicious entity that has an exploit type
of Botnet or P2P. These assets might be participating in a botnet or peer-to-peer
network.
The exploit types are configurable, as described in “Configuration” on page 32.
Configuration
Configure the Internal Infected Assets use case as follows for your environment:
 Optional, but recommended. Categorize your organization’s public assets (those that
are accessible from the internet) as Public-Facing.
For more information, see “Categorizing Assets” on page 20.
 Optional. Add entries to the Critical Exploit Types active list.
By default, the use case identifies communications to malicious hosts that have an
exploit type of Botnet and P2P. These exploit types are the most likely to indicate an
infected asset, but you can add additional exploit types to the active list. For a list of
exploit types, see “Exploit Types” on page 8.
For details about adding entries to an active list, see “Configuring Active Lists” on
page 19.
 Optional. Set the reputation score threshold in the rules used by the use case.
You can set different thresholds for the domain names and IP addresses. By default,
the thresholds are set to 1, so reputation scores from 1 to 100 are considered. The
thresholds are set in the following global variables:
 Internal Infected Assets Reputation IP Score Threshold
 Internal Infected Assets Reputation Domain Score Threshold
For details, see “Setting Thresholds for the Reputation Score” on page 22.
Usage
This section describes a likely scenario for investigating internal infected assets and
highlights some key features of the use case.
This use case opens a case for every detected internal infected asset. For
important information about cases, see “Manage Cases to Ensure Continued
Detection” on page 27.

1 Click the Use Cases tab in the Navigator panel and open the Internal Infected
Assets use case located in:
Review the resources provided by the use case. The overview dashboard is a good
starting point for your investigation.
2 Open the Overview of Internal Infections dashboard. Each component on the
dashboard provides a different aspect of the infected assets detected by this use case.
3 Review the information in the Summary of Infected Assets component on the
dashboard. The internal assets in this list are assumed to be infected by potentially
dangerous malware and should be investigated immediately.
4 Double-click an infected asset to display additional information, including the
command and control centers or botnet servers the asset tried to contact.
From this display, several drilldown options are available to investigate the infection
further, down to the base event level.
5 Right-click an asset and select Drilldown to see the options. You can drilldown to:
 the base events that represent direct communication with a malicious entity
 other internal assets that might have been infected by the infected asset
To help prioritize your investigation, sort the display by clicking the
Contacted Malicious Entities column heading. Typically, the higher the
number, the greater the risk.

 all inbound and outbound communications with the infected asset, which might
reveal other possible malicious entities
6 Select any of the drilldowns to display the events associated with the infected asset.
7 In the resulting display, right-click a row and select Investigate > Show Event
Details to show the base event in the Event Inspector. This provides additional event
fields and values that are not shown in the query viewer.
8 Return to the overview dashboard and examine the other components.
The Summary of Contacted Malicious Entities component focuses on command and
control centers that the internal asset contacted. Double-click a malicious entity to see
which assets have communicated with it and then use the drilldowns to continue your
investigation, as described in Step 5 and Step 7.
9 A case is opened for every detected internal infected asset. The Open Case Status
Distribution component on the overview dashboard shows the status of these cases.
Click the pie chart to display detailed information about the cases.
For more information about cases, see “Manage Cases to Ensure Continued Detection”
on page 27.
10 Return to the use case tab to review the other resources in the use case.
You can run reports that provide stakeholders with information about current and long
term asset infections. You can use the active channels to see real time events to and
from infected assets.
Key Resources
The following table lists the key resources in this use case that might require configuration
or that you might use during your investigation.
For a complete list of all the resources that support this use case, including the key
resources, see “Internal Infected Assets” on page 115.
Table 3-1 Resources that Support the Internal Infected Assets Use Case
Resource Description Type URI
Monitor Resources
All
Interactions
with Malicious
Entities
Detected
During the
Last 2 Hours
This active channel shows all the
occurrences of rules that
triggered to detect internal
infections in this use case in the
last two hours.
Active
Channel
ArcSight
Security Monitor
1.0/Internal Infected
Assets/
All Events To
or From
Infected
Assets During
the Last 2
Hours
This active channel shows all
events to or from the infected
machines in the last two hours.
Active
Channel
ArcSight
Security Monitor
Assets/

Overview of
Internal
Infections
This dashboard provides an
overview of internal infected
assets, including hosts that are
communicating with external
malicious entities, and the trend
of infections over time. You can
drilldown from the summary
query viewers to specific
interactions or base events.
Dashboard ArcSight
Security Monitor
Assets/
Interactions
with Malicious
Entities During
the Last 24
Hours
This report shows all interactions
with certain malicious entities by
internal assets. These assets are
then considered infected. Note
that an internal asset might be
involved in multiple interactions,
depending on its
communications, but will be
reported under a single case.
Report ArcSight
Security Monitor
1.0/Internal Infection
Assets/
Currently
Infected
Assets and
Recorded
Interactions
with Malicious
Entities
This report shows the internal
assets that are considered to be
infected through their
communications with external
malicious hosts.
Report ArcSight
Security Monitor
Assets/
Assets
Infected for
More Than A
Week
This report shows all infected
internal machines that have
remained in the infection list for
over one week. This might mean
that the related cases have not
yet been investigated or are still
being investigated. By default,
when a case on internal infection
asset is deleted or closed, the
related asset will be removed
from the infection list.
Report ArcSight
Security Monitor
Assets/
Overview of
Infected
Assets During
the Last 30
Days
This report shows an overview of
internal infections over the last
one month (up to and including
yesterday). Its content is based
on a daily trend which stores the
daily snapshot of the Infected
Internal Assets active list.
Report ArcSight
Security Monitor
Assets/
Library Resources
Critical Exploit
Types
This active list contains all exploit
types considered as critical for
monitoring purposes.
Active List ArcSight
Security Monitor
Assets/
Public-Facing This is a solutions asset category. Asset
Category
ArcSight
Security Monitor

Internal
Infected
Assets
Reputation
Domain Score
Threshold
This variable stores the score
threshold for reputation domain
names used in the Internal
Infected Assets use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Internal
Infected
Assets
Reputation IP
Score
Threshold
threshold for reputation IP
addresses used in the Internal
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

Zero Day Attacks
The Zero Day Attack use case helps detect attacks that exploit previously unknown
vulnerabilities in software — before vendors of security software, such as antivirus, IDS,
and IPS, have time to address the vulnerability. This use case attempts to detect such
compromises if they originate from malicious IP addresses or domains. The use case
identifies successful communication to internal, non-public facing assets from external
malicious entities that have an exploit type of Botnet, Misuse and Abuse, Miscellaneous,
P2P, Web Application Attacker, and Worm. The exploit types are configurable, as described
in “Configuration” on page 37.
Configuration
Configure the Zero Day Attacks use case as follows for your environment:
 Required. Categorize the assets in your organization that are not public-facing (those
that are not accessible from the internet) as Internal Non Public-Facing.
 Optional. Add entries to the Zero Day Attack Exploit Types active list.
By default, the use case identifies communications to malicious hosts that have an
exploit type of Botnet, Misuse and Abuse, Miscellaneous, P2P, Web Application
Attacker, and Worm. You can add additional exploit types to the active list. For a list of
exploit types, see “Exploit Types” on page 8.
page 19.
 Optional. Set the reputation score threshold in the rules used by the use case. These
thresholds determine the minimum reputation score to track and report zero day
attacks.
 Zero Day Attacks Reputation Domain Score Threshold
 Zero Day Attacks Reputation IP Score Threshold
Usage
This section describes a likely scenario for investigating zero day attacks and highlights
some key features of the use case.
1 Click the Use Cases tab in the Navigator panel and open the Zero Day Attacks use
case located in:
The overview dashboard is a good starting point for your investigation.
This use case opens a case for every detected asset that is the target of a
zero day attack. For important information about cases, see “Manage Cases
to Ensure Continued Detection” on page 27.

2 Open the Overview of Zero Day Attacks dashboard. Each component on the dashboard
provides a different aspect of the infected assets detected by this use case.
3 Review the information in the Internal Assets Targeted by Zero Day Attacks
component on the dashboard. The internal assets in this list are assumed to have been
attacked by zero day exploits and should be investigated immediately.
4 Double-click an attacked asset to display additional information about the attacker.
5 In the resulting display, double-click an attacked asset to see the events involved in
the attack.
6 In the resulting display, right-click a row and select Investigate > Simple Rule
Chain to show both the correlation event and the base event in the Event Inspector.
This provides additional event fields and values that are not shown in the query
viewer.
You can use the Zero Day Attackers component to begin your investigation with the
attacker, rather than the internal asset. Double-click a malicious entity to see which
assets it has communicated with and then use the drilldowns to continue your
investigation.
8 A case is opened for every detected zero day attack. The Zero Day Attack Cases
component on the overview dashboard shows the status of these cases. Click the pie
chart to display detailed information about the cases.
on page 27.

Key Resources
For a complete list of all the resources explicitly assigned to this use case and any
dependant resources, see “Zero Day Attacks” on page 156.
Table 3-2 Resources that Support the Zero Day Attacks Use Case
Monitor Resources
Overview of
Zero Day
Attacks
This dashboard shows an
overview of all zero day attacks.
You can drilldown to more
information about the related
sources and targets and the base
events.
Dashboard ArcSight
Security Monitor 1.0/Zero
Day Attacks/
Zero Day
Attacks - One
Year Trend
This report provides information
about zero day attacks to internal
assets during the last year. Do
not change the default value for
the custom parameter
AttackType.
Report ArcSight
Day Attacks/
Zero Day
Attacks During
the Last 7
Days
about zero day attacks on
internal assets during the last
seven days. Do not change the
default value for the custom
parameter AttackType.
Report ArcSight
Day Attacks/
Zero Day
Attacks - 30
Day Trend
about zero day attacks by
malicious entities on internal
assets during the last 30 days.
Do not change the default value
for the custom parameter
AttackType.
Report ArcSight
Day Attacks/
Zero Day
Attacks During
the Last 24
Hours
assets during the last 24 hours.
Report ArcSight
Day Attacks/
Library Resources
Zero Day
Attack Exploit
Types
types considered as relevant for
zero day attacks. By default, it
contains Web Application
Attacker, P2P, Botnet, Worm,
Misuse and Abuse, Miscellaneous.
Day Attacks/

Internal Non
Public-Facing
This is a solutions asset category. Asset
Category
ArcSight
Security Monitor
Zero Day
Attacks
Reputation IP
Score
Threshold
addresses used in the Zero Day
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Zero Day
Attacks
Reputation
Domain Score
Threshold
threshold for malicious domain
names used in the Zero Day
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

Dangerous Browsing
The Dangerous Browsing use case focuses on users who browse dangerous web sites.
Dangerous browsing can happen intentionally when a user browses directly to an
illegitimate web site, or unintentionally when a user follows malicious links on a legitimate
web site. Dangerous browsing can also occur when a user is fooled by a phishing scheme,
in which an illegitimate web site imitates a legitimate web site, usually with the intention of
stealing credentials.
Although browsing dangerous web sites does not necessarily compromise your
organization, such activities should be investigated and stopped because they can put the
organization at legal risk, harm its reputation, and compromise security.
This use case detects outbound communications from internal assets, which are not
public-facing, to malicious entities that have an exploit type of Phishing or Malware. The
exploit types are configurable, as described in “Configuration” on page 41.
This use case does not open any cases.
Configuration
Configure the Dangerous Browsing use case as follows for your environment:
are accessible from the internet) as Public-Facing. This reduces the number of
unintended events detected by the use case and helps eliminate false positives.
This categorization is used by both the Dangerous Browsing use case and the Access
to Dangerous Destinations use case.
 Dangerous Browsing Reputation IP Score Threshold
 Dangerous Browsing Reputation Domain Score Threshold
 Optional. Add entries to the Dangerous Browsing Exploit Types active list.
By default, the use case detects outbound communications to malicious hosts that
have an exploit type of Phishing or Malware. You can add additional exploit types to
the active list. For a list of exploit types, see “Exploit Types” on page 8.
page 19.
Usage
This section describes a likely scenario for investigating users browsing to dangerous web
sties and highlights some key features of the use case.
1 Click the Use Cases tab in the Navigator panel and open the Dangerous Browsing
use case located in:

2 Open the Overview of Dangerous Browsing dashboard.
3 Review the information in the Internal Assets Involved in Dangerous Browsing
component on the dashboard.
4 Double-click an internal asset to display its dangerous browsing activities.
5 In the resulting display, double-click an asset to display the base events that involved
this asset during the last 24 hours.
6 In the resulting display, right-click an event and select Investigate > Show Simple
Rule Chain to show both the correlation even and the base event in the Event
Inspector. This provides additional event fields and values that are not shown in the
query viewer.
7 Return to the overview dashboard and open the Dangerous Sites Accessed by Internal
Asset component.
To get more information about a dangerous site, right-click its name and select
Integration Commands > Search Selected Item in Google. (You can use this
command in most of the RepSM use cases.)
If the search results indicate the site is dangerous, find out whether the user of the
internal asset has a valid reason to browse the site. Even if they do, you should inspect
the internal asset for malware and take it offline if necessary.
If you think the site is not dangerous, consider deleting its entry from the Malicious
Domains or Malicious IP Addresses active lists. To have the site removed more
permanently from the reputation data, contact Customer Support.

term dangerous browsing.
Key Resources
dependant resources, see “Dangerous Browsing” on page 97.
Table 3-3 Resources that Support the Dangerous Browsing Use Case
Monitor Resources
Overview of
Dangerous
Browsing
overview of all dangerous
browsing activities and access to
dangerous destinations. You can
drilldown to get to more
destinations and the base events.
Dashboard ArcSight
Security Monitor
1.0/Dangerous Browsing/
Dangerous
Browsing
Activities - 30
Day Trend
about dangerous browsing
activities by internal assets
during the last 30 days.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities -
One Year
Trend
during the last year.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 24 Hours
- Long Form
about browsing activities by
internal assets to malicious
destinations during the last 24
hours.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 24 Hours
- Short Form
hours. It shows less data than
the longer counterpart.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 7 Days
Report ArcSight
Security Monitor
Library Resources

Dangerous
Browsing
Exploit Types
types considered as dangerous
browsing. By default, it contains
Malware and Phishing.
Security Monitor
1.0/Access to Dangerous
Destinations/
Dangerous
Browsing
Reputation IP
Score
Threshold
addresses used in the Dangerous
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Dangerous
Browsing
Reputation
Domain Score
Threshold
names used in the Dangerous
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

Internal Assets Found in Reputation Data
The Internal Assets Found in Reputation Data use case helps ensure the reputation of your
organization’s assets by detecting when those assets appear in the reputation database.
This situation can indicate that assets have been compromised and are being used for
malicious purposes. However, even if an asset is wrongly included in the database, it
should be investigated to avoid issues such as email from your organization being marked
as spam. You can also use this use case to detect when the assets of trusted partners and
suppliers appear in the reputation database.
Configuration
This use case relies on queries or active lists, which must be configured with domain
names and IP addresses as described below.
 Specify the domain names to monitor.
The Internal Domain Reputation Detector hourly trend detects domain names in the
reputation database. You can specify those domain names in either a query or an
active list, depending on how many domain names you need to monitor.
 If you have only a few domains to monitor, specify the domain names directly in
the Internal Domain Reputation Detector (List Based) - Trend Base query.
Edit the query and specify each domain name by using the Domain condition. The
query contains a sample condition, which you can copy and change as needed.
For example, you might specify Domain endsWith .xyzCompany.com.
 If you have many domains to monitor, add the domain names to the Internal
Domains for Reputation Monitoring active list. Specify the second-level and
third-level domains that represent your organization, for example, hp.com or
hp.co.uk.
For details, see “Configuring Active Lists” on page 19.
 Specify the IP addresses to monitor.
If the IP addresses are already represented as assets in ArcSight ESM or ArcSight
Express, no configuration is needed. RepSM captures all the assets whose IP
addresses are found in the reputation database. For information about modeling your
network assets, see the ESM 101 guide.
If the IP addresses are not represented as assets, or if you want to monitor a range of
IP addresses, or a subnet, configure the Internal Asset Reputation Detector (List
Based) - Trend Base query.
The query contains sample conditions for several types of addresses:
 A network address in Classless Inter-Domain Routing (CIDR) format:
192.168.1.100–192.168.1.150.
 A specific network address prefix: 192.168.1.
 A class A, B, or C network address, which you specify in the Internal Network
Addresses for Reputation Monitoring active list.
 A specific IP address, which you specify in the Internal Assets for Reputation
Monitoring active list.
This use case opens a case for every detected asset found in the reputation
data. For important information about cases, see “Manage Cases to Ensure
Continued Detection” on page 27.

Determine which conditions best suit your network environment and then specify the
addresses either directly in the query or in the active lists.
To minimize the overhead associated with the query, delete the conditions
that you do not use.
Usage
This section highlights some key features of the use case.
1 Click the Use Cases tab in the Navigator panel and open the Internal Assets Found
in Reputation Data use case located in:
Review the resources provided by the use case.
2 Open the Internal Assets and Domains Found in Reputation Data dashboard.
3 Right-click a domain name, host name, or IP address and use the drilldowns to show
the events to or from the asset within the last 24 hours.
4 A case is opened for every internal asset found in the reputation database. You can
access the cases from the Navigator panel Resources tab, by selecting Cases from the
drop-down list and navigating to:
Cases/Shared/All Cases/ArcSight Solutions/RepSM/Internal Assets
Found in Reputation Data

To simplify your investigation, the case name includes the IP address or domain name
of the asset. Open a case and click the Events tab to see the events associated with
the asset.
on page 27.
You can run a report that provides stakeholders with information about the internal
assets found in the reputation database.
If you think an asset should not be included in the reputation database,
consider deleting its entry from the Malicious Domains or Malicious IP
Addresses active lists. However, the next time the data is refreshed by the
Model Import Connector for RepSM, the asset might reappear in the active
lists. To remove the asset more permanently, contact Customer Support.
Key Resources
resources, see “Internal Assets Found in Reputation Data” on page 113.
Table 3-4 Resources that Support the Internal Assets Found in Reputation Data Use Case
Monitor Resources
Internal
Assets and
Domains
Found in
Reputation
Data
This dashboard provides
information around internal
assets or domain names reported
in the reputation database.
Dashboard ArcSight
Security Monitor
1.0/Internal Assets Found
in Reputation Data/
Internal
Assets Found
in Reputation
Data
This report shows the list of
internal IP addresses and internal
domain names found in
reputation data.
Report ArcSight
Security Monitor
in Reputation Data/
Library Resources
Internal
Assets for
Reputation
Monitoring
This active list stores the
addresses of all local assets that
need to be monitored for
existence in the reputation
database.
Security Monitor
in Reputation Data/
Internal
Domains for
Reputation
Monitoring
This active list contains the
domain names to be monitored
for existence in the reputation
database. The domain names in
this list should be just the top
two or three levels, such as
hp.com or hp.co.uk.
Security Monitor
in Reputation Data/

Internal
Network
Addresses for
Reputation
Monitoring
This active list stores all local
public network addresses (only
class A, B or C) to be monitored
database. If your network does
not use these classes (for
example, it uses CIDR instead),
you can use the smallest class
that fully represents your
network. For example, a network
address of 192.168.1.1/26 can
be represented by a class C
network of 192.168.1.0, so you
can put 192.168.0. in this list.
Note that for each network
address entry, a dot (.) character
is required.
Security Monitor
in Reputation Data/
Internal Asset
Reputation
Detector (List
Based) - Trend
Base
This query returns all internal
hosts that appear in the
reputation IP database. It runs
on top of the reputation IP
database and correlates with the
assets to be monitored, as
defined in an active list.
Query ArcSight
Security Monitoring
in Reputation Data/
Internal
Domain
Reputation
Detector (List
Based) - Trend
Base
domain names that appear in the
reputation domain database. It
runs on top of the reputation
domain database and correlates
with the specified domain names.
Query ArcSight
Security Monitoring
in Reputation Data/

Event Enrichment with Reputation Data
The Event Enrichment with Reputation Data use case provides resources that let you add
reputation data to non-RepSM resources. By enriching those resources with global threat
intelligence, security analysts can focus on key events involving known malicious entities.
Configuration
No special configuration is required for this use case.
Usage
You can enrich your existing ArcSight resources with data about malicious entities to
provide better context when investigating an incident. The global variables described in
Table 3-5 provide that data and can be included in all ArcSight resources.
For example, you can enhance an existing active channel, which you already use to
monitor suspicious events from an IDS, to include information such as whether the attacker
is a known malicious host, and if so, the attacker’s reputation score and exploit type. To do
so, you could add the following global variables to the active channel's field set:
 RepSM Product
 Source Domain Reputation Score
 Source Domain Reputation Exploit Type
This is just one example; for a description and the location of these and other variables,
see Table 3-5.
For more information about global variables, see the ArcSight Console User’s Guide.
Key Resources
resources, see “Event Enrichment with Reputation Data” on page 108.
Table 3-5 Resources that Support the Event Enrichment with Reputation Data Use Case
Library Resources
Destination
Domain
Reputation
Score
This variable returns the
reputation score of a malicious
target (or a destination) address
based on the reputation domain
data.
Global
Variable
ArcSight
Security Monitor 1.0/Event
Enrichment with Reputation
Data/
Source
Address
Reputation
Exploit Type
This variable returns the exploit
type of a malicious attacker (or a
source) IP address based on the
reputation IP data.
Global
Variable
ArcSight
Data/

Source
Domain
Reputation
Score
attacker (or a source) host name
data.
Global
Variable
ArcSight
Data/
Source
Domain
Reputation
Exploit Type
source) host name based on the
reputation domain data.
Global
Variable
ArcSight
Data/
Request URL
Domain
Reputation
Score
This variable returns the score of
a domain from a URL request
data.
Global
Variable
ArcSight
Data/
Source
Address
Reputation
Score
based on the reputation IP data.
Global
Variable
ArcSight
Data/
Destination
Address
Reputation
Exploit Type
type of a malicious target (or a
destination) IP based on the
reputation IP data.
Global
Variable
ArcSight
Data/
Request URL
Reputation
Domain
reputation domain from a URL
request based on the reputation
domain data.
Global
Variable
ArcSight
Data/
Destination
Address
Reputation
Score
target (or a destination) host
name based on the reputation IP
data.
Global
Variable
ArcSight
Data/
Request URL
Domain
Reputation
Exploit Type
type of a domain from a URL
domain data.
Global
Variable
ArcSight
Data/
Destination
Domain
Reputation
Exploit Type
destination) host name based on
the reputation domain data.
Global
Variable
ArcSight
Data/
Source
Reputation
Domain
reputation domain (or host
name) related to a malicious
attacker (or source) host name
data.
Global
Variable
ArcSight
Data/

Destination
Reputation
Domain
reputation domain related to a
malicious target (or destination)
host name based on the
Global
Variable
ArcSight
Data/
RepSM
Product
This global variables returns
Reputation Security Monitor for
events with reputation
information. Otherwise, it returns
the original Device Product.
Global
Variable
ArcSight
Data/
Reputation
Domain
Enrichment
This field set contains fields with
reputation domain information
for event enrichment purposes.
Field Set ArcSight
Security Monitor 1.0/
Reputation IP
Enrichment
reputation IP information for
event enrichment purposes.
Field Set ArcSight
Request URL
Enrichment
reputation information (based on
the request URL) for event
enrichment purposes.
Field Set ArcSight
Events with
Requests to
Malicious
Hosts
This filter identifies events with
requests to hosts found in the
Filter ArcSight
Security Monitor
1.0/Events Enrichment with
Reputation Data/
Events from
Malicious
Sources
This filter identifies events whose
attackers are found in the
Filter ArcSight
Security Monitor
Reputation Data/
Events to
Malicious
Targets
targets are found in the
Filter ArcSight
Security Monitor
Reputation Data/
RepSM
Relevant
Events
This filter identifies events that
contains information related to
reputation data (for example,
host address or request URL).
Filter ArcSight
Security Monitor
Reputation Data/

Access from Dangerous Sources
The Access from Dangerous Sources use case detects successful inbound communications
to non-public facing internal assets from malicious entities that have an exploit type of
Blended Threat, Malware, Phishing, Spam, or Spyware.
Configuration
Configure the Access from Dangerous Sources use case as follows for your environment:
 Optional, but recommended. Categorize the assets in your organization that are not
public-facing (those that are not accessible from the internet) as Internal Non
Public-Facing.
 Access from Dangerous Sources Reputation Domain Score Threshold
 Access from Dangerous Sources Reputation IP Score Threshold
Usage
This section describes a likely scenario for investigating access from dangerous sources and
highlights some key features of the use case.
1 Click the Use Cases tab in the Navigator panel and open the Access from
Dangerous Sources use case located in:

2 Open the Overview of Access from Dangerous Sources dashboard. Each component on
the dashboard provides a different aspect of access from dangerous sources.
3 Review the information in the Internal Assets Accessed by Dangerous Sources on the
dashboard. The internal assets in this list are assumed to have been contacted by
dangerous sources and should be investigated immediately.
4 Double-click an asset to display additional information about the malicious entities that
have communicated with the asset.
5 In the resulting display, double-click an asset to display the events associated with the
infected asset.
6 In the resulting display, right-click a row and select Investigate > Show Simple
Rule Chain to show both the correlation event and the base event in the Event
Inspector. This provides additional event fields and values that are not shown in the
query viewer.
You can use the Dangerous Sources component to begin your investigation with the
malicious entities, instead of the internal assets. Double-click a malicious entity to see
which assets it has communicated with and then use the drilldowns to continue your
investigation.

Key Resources
dependant resources, see “Access from Dangerous Sources” on page 77.
Table 3-6 Resources that Support the Access from Dangerous Sources Use Case
Monitor Resources
Overview of
Access from
Dangerous
Sources
overview of successful access
from dangerous sources to
internal, non public-facing assets.
You can drilldown to see the base
events related to the hosts
involved.
Dashboard ArcSight
Security Monitor
1.0/Access from Dangerous
Sources/
Access from
Dangerous
Sources
During the
Last 24 Hours
This report shows data about
access from dangerous sources
to non public-facing, internal
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources - 30
Day Trend
access from dangerous malicious
entities to non public-facing,
internal assets during the last 30
days. Do not change the default
value for the custom parameter
AttackType.
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources - One
Year Trend
to internal assets during the last
year. Do not change the default
AttackType.
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources
During the
Last 7 Days
assets during the last seven
AttackType.
Report ArcSight
Security Monitor
Sources/
Library Resources
Access from
Dangerous
Sources
Reputation
Domain Score
Threshold
names used in the Access from
Dangerous Sources use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

Access from
Dangerous
Sources
Reputation IP
Score
Threshold
addresses used in the Access
from Dangerous Sources use
case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

Access to Dangerous Destinations
The Access to Dangerous Destinations use case detects outbound communication to hosts
that are involved in illegitimate activity such as sending spam or hosting spyware. Such
communication can indicate either risky behavior on the part of users, or the existence of
malware in the network. Although this type of communication is not as critical as
communication with botnets and command and control centers, it can threaten the security
of the network or harm the organization's reputation, and should be investigated to
determine the root cause.
This use case detects outbound communication from internal assets, which are not
public-facing, to malicious hosts that have an exploit type of Blended Threat,
Miscellaneous, Misuse and Abuse, Spam, Spyware, Web Application Attacker, or Worm.
Configuration
Configure the Access to Dangerous Destinations use case as follows for your environment:
are accessible from the internet) as Public-Facing. This provides a better context for
the detected events and helps reduces false positives.
This categorization is used by both the Dangerous Browsing use case and the Access
to Dangerous Destinations use case.
 Access to Dangerous Destinations Reputation Domain Score Threshold
 Access to Dangerous Destinations Reputation IP Score Threshold
Usage
This section describes a likely scenario for investigating access to dangerous destinations
and highlights some key features of the use case.
1 Click the Use Cases tab in the Navigator panel and open the Access to Dangerous
Destination use case located in:

2 Open the Overview of Access to Dangerous Destinations dashboard.
3 In the Internal Assets Communicated with Dangerous Destinations component,
double-click an internal asset to display the dangerous destinations it has contacted.
4 In the resulting display, double-click an internal asset to display the correlation events
for that asset.
5 In the resulting display, right-click an event and select Investigate > Show Simple
Rule Chain to show both the correlation event and base event in the Event Inspector.
This provides additional event fields and values that are not shown in the query
viewer.
The Dangerous Destinations Accessed by Internal Assets component enables you to
start your investigation with the malicious entity and drilldown to the assets that
contacted it, and then to the events involving them.
term access to dangerous destinations.
Key Resources
dependant resources, see “Access to Dangerous Destinations” on page 86.

Table 3-7 Resources that Support the Access to Dangerous Destinations Use Case
Monitor Resources
Overview of
Access to
Dangerous
Destinations
overview of all access to
drilldown to more information
about the related destinations
and the correlation or base
events.
Dashboard ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations -
One Year
Trend
about access to dangerous
destinations by internal assets
during the last year. It uses the
same queries as the counterpart
report for dangerous browsing
activities, but with a different
activity type. Because of this, do
not change the default value of
the custom variable ActivityType.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations
During the
Last 24 Hours
- Short Form
destinations, which have exploit
types that are not defined in the
Dangerous Browsing Exploit
Types active list, by internal
assets during the last 24 hours. It
contains less information than
the long counterpart.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations -
30 Day Trend
during the last 30 days. It uses
the same queries as the
counterpart report for dangerous
browsing activities, but with a
different activity type. Because of
this, do not change the default
value of the custom variable
ActivityType.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations
During the
Last 24 Hours
- Long Form
destinations of non-browsing
exploit types by internal assets
during the last 24 hours.
Report ArcSight
Security Monitor
Destinations/

Access to
Dangerous
Destinations
During the
Last 7 Days
during the last seven days. It
uses the same queries as the
browsing destinations, but with a
ActivityType.
Report ArcSight
Security Monitor
Destinations/
Library Resources
Access to
Dangerous
Destinations
Reputation
Domain Score
Threshold
names used in the Access to
Dangerous Destinations use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Access to
Dangerous
Destinations
Reputation IP
Score
Threshold
addresses used in the Access to
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

RepSM Package Health Status
The RepSM Package Health Status use case provides information about the operational
status of important RepSM resources. Various dashboards show the state of important
rules and trends; the number of events evaluated by each RepSM use case and the devices
that generated those events; and messages from the Model Import Connector for RepSM
and the RepSM service.
For an explanation of RepSM service messages, see Appendix C‚ RepSM Service Messages‚
on page 75.
Configuration
Usage
1 Click the Use Cases tab in the Navigator panel and open the RepSM Package
Health Status use case located in:
2 Open the Events Analyzed by RepSM Use Cases dashboard.
Each component on the dashboard shows the total number of events, per device type,
evaluated by a particular use case within the last hour.
If a component does not display any events, make sure the use case is configured
properly. For example, the empty Events Monitored by Zero Day Attack Use Case
component shown in the dashboard above might indicate that assets are not
categorized as Internal Non Public-Facing, as required by that particular use case.

For more information about why a dashboard does not display events, see Appendix A‚
Troubleshooting‚ on page 67.
3 Double-click one of the charts to see the events that originated from that device.
4 Return to the use case tab and open the RepSM Resource Health dashboard to review
diagnostic information, such as messages from the Model Import Connector for
RepSM, rule error logs, and trend query failures.
This dashboard also displays messages about RepSM service activation and data
retrieval. For an explanation of those messages, see Appendix C‚ RepSM Service
Messages‚ on page 75.
5 Return to the use case tab and open the RepSM Rules Health dashboard to make sure
there are no disabled or deleted rules.
ArcSight automatically disables rules that trigger too often. If this occurs, the cause
should be investigated, as it might indicate an incorrect entry in the reputation data, or
an incorrectly configured event source.
6 Return to the use case tab and open the RepSM Trend Health dashboard to check the
status of trend queries.
A status of Failed might indicate that the query executed for too long and was stopped
by ArcSight, or that a tablespace had insufficient free space.
Key Resources
resources, see “RepSM Package Health Status” on page 136.
Table 3-8 Resources that Support the RepSM Package Health Status Use Case
Monitor Resources
Inbound
Events
This active channel shows events
the RepSM package considers as
inbound.
Active
Channel
ArcSight
Security Monitor 1.0/RepSM
Package Health Status/
Outbound
Events
outbound.
Active
Channel
ArcSight
RepSM Rules
Health
overview of rules in the RepSM
package, including their status
and logs.
Dashboard ArcSight
RepSM Trend
Health
This dashboard displays the Last
10 Trend Query Failures, Last 10
Trend Queries Returning No
Results, and Trend Query
Duration data monitors.
Dashboard ArcSight

Events
Analyzed by
RepSM Use
Cases
overview of the traffic monitored
for reputation data.
Dashboard ArcSight
RepSM
Resource
Health
overview of the rule and trend
functionality, as well as important
connector events. For the RepSM
solution to function properly it is
important that all trends and
rules are enabled and that the
Model Import Connector regularly
updates the malicious entries
lists. You can drill down from this
dashboard to more specific rule
and trend dashboards.
Dashboard ArcSight

Reputation Data Analysis
The Reputation Data Analysis use case provides statistical information about the entries in
the reputation data. It also indicates when the data was last updated.
Configuration
Usage
1 Click the Use Cases tab in the Navigator panel and open the Reputation Data
Analysis use case located in:
2 Open the Reputation Data Overview dashboard to see when the reputation data was
last updated by the Model Import Connector for RepSM.
If the data has not been updated within the last 24 hours, there might be a problem
with the connector.
You can review messages from the connector and determine its status by opening the
RepSM Resource Health dashboard in the RepSM Package Health Status use case.

3 Return to the use case tab and open the Reputation Domain Database Overview
dashboard to see the distribution of domains by exploit type and reputation score.
4 Double-click either the pie chart or histogram to display a list of the malicious domains
by exploit type or reputation score, respectively.
The Reputation IP Database Overview dashboard provides similar information for IP
addresses.
5 Return to the use case tab to review the reports available for the use case.
Key Resources
The following table lists the key resources in this use case that you might use during your
investigation.
dependant resources, see “Reputation Data Analysis” on page 151.
Table 3-9 Resources that Support the Reputation Data Analysis Use Case
Monitor Resources
Reputation
Domain
Database
Overview
overview of the reputation
domain database (stored in an
active list) in the system.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Database
Overview
overview of the reputation IP
database (stored in an active list)
in the system.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Data Overview
This dashboard provides a single
view of the information in the
malicious IP addresses and
domain lists. You can double click
the Number of Entries line in the
middle component to drill down
to a more detailed view of the
specific list.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Entries
This query viewer shows the top
1,000,000 IP entries in the
reputation IP active list.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain
Entries
1,000,000 domain entries in the
reputation domain active list.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/

Reputation
Database
Changes
During the
Last 1 Year -
Exploit Type
Specific
This report shows the changes of
a specific reputation exploit type
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Week -
Exploit Type
Specific
during the last week.
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Year
This report shows the reputation
domain and IP database changes
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Week
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/

Appendix A
Troubleshooting
This appendix provides information to help you resolve problems that might occur while
installing and using RepSM.
Table A-1 RepSM Troubleshooting (Sheet 1 of 3)
Problem Solution
On ArcSight ESM, the installation of the
RepSM content package fails with the
following error:
Install Failed: ActiveList
capacity cannot be greater than
500000
Increase the active list maximum capacity, as described
in “Configuring the ESM Active List Capacity
(Required)” on page 14.
On ArcSight ESM, the Manager slows
down or stops responding during the
import of reputation data from the
RepSM service.
Increase the ArcSight Manager Java heap memory size
to at least 4 GB, as described in the ArcSight ESM
Installation and Configuration Guide.

A Troubleshooting
The RepSM use cases do not appear to
be working; their dashboards and
reports do not display any events or
reputation data.
In the following order:
• Make sure the Model Import Connector for RepSM is
running.
• Make sure the Model Import Connector for RepSM is
not out of memory. Look for an OutOfMemoryError
message in the
$ARCSIGHT_HOMEcurrentlogsagent.log. If
necessary, increase the Model Import Connector for
RepSM Java heap memory size to at least 2 GB, as
described in the Model Import Connector for RepSM
Configuration Guide.
• Make sure the Model Import User is configured in
the ArcSight Manager, as described in the Model
Import Connector for RepSM Configuration Guide.
Otherwise, the Manager cannot accept reputation
data from the RepSM service.
• Make sure the ArcSight Manager is collecting events
from the devices described in “Supported Devices”
on page 11.
• Make sure the RepSM rules are deployed, as
described in “Deploying Rules (Required)” on
page 21.
• Make sure the use case is configured properly.
Several use cases require asset categorization or
other configuration to capture events. For
configuration details, see “Configuring the RepSM
Content” on page 18 and Chapter 3‚ Using RepSM
Content‚ on page 25.
• Make sure inbound events are being sent to
ArcSight Manager. Check the Inbound Events active
channel.
• Make sure outbound events are being sent to
ArcSight Manager. Check the Outbound Events
active channel.
• Make sure the event source connector and ArcSight
Manager are synchronized; the Manager Receipt
Time should be no more than a few seconds later
than the event End Time. Use the Inbound Events
or Outbound Events active channel to open an event
in the Event Inspector and compare these times.
The number of reputation data entries
imported into the ArcSight Manager
seems very low.
There might also be reputation data
archive files that have a file extension of
xml.bad in
ARCSIGHT_HOMEarchivewebservices.
Make sure the following Model Import Connector for
RepSM property is set in the agent.properties file
located at ARCSIGHT_HOMEcurrentuseragent:
buildmodeldelay=60000
(one minute expressed in milliseconds)
This property controls how frequently the archives are
sent to the Manager. If it is set too low, the connector
will send archives too frequently. For more information
abou this property, see the Model Import Connector for
RepSM Configuration Guide.
Problem Solution

A Troubleshooting
The RepSM use case dashboards do not
show any recent activity; the data seems
stale.
Check the Reputation Data Overview dashboard in the
Reputation Data Analysis use case to see when the
reputation data active lists were last updated. If the
active lists have not been updated in the last 12 hours
or so, there might be a problem with either the RepSM
service or the Model Import Connector for RepSM. For
example, the service might have expired or the
connector might need to be restarted.
To check the status of either component, open the
RepSM Package Health Status use case and review the
messages in the RepSM Resource Health dashboard.
For an explanation of the service messages, see
Appendix C‚ RepSM Service Messages‚ on page 75.
If the messages do not reveal any obvious issues,
search the connector log at
$ARCSIGHT_HOMEcurrentlogsagent.log for
network error messages, such as:
• connection timeout
• host cannot be reached
and address those network issues.
If there are no obvious network issues, look for an
OutOfMemoryError message in the
$ARCSIGHT_HOMEcurrentlogsagent.log. If
necessary, increase the Model Import Connector for
RepSM Java heap memory size to at least 2 GB, as
described in the Model Import Connector for RepSM
Configuration Guide.
While less likely, the problem might be caused by a
planned outage of the RepSM service. Check the RepSM
group on Protect 724 to see if there is a planned
outage:
https://protect724.arcsight.com/groups/repsm
If you cannot determine cause of the problem, contact
Customer Support.
The reputation data includes an entry for
an IP address, host name, or domain
name that is not malicious.
Delete its entry from the Malicious Domains or
Malicious IP Addresses active lists. However, the next
time the data is refreshed by the Model Import
Connector for RepSM, the entry might reappear in the
active lists.
To remove the entry more permanently, gather the
following information and contact Customer Support.
• The IP address, host name, or domain name to be
removed.
• Any relevant event details (depending on the source
of the event), such as the request URL, source port,
destination port, and matching signature.
On ArcSight ESM, some dashboards
display numerical exploit types. (Exploit
types should be text, such as Botnet,
Spam, Spyware, or P2P.)
Increase the ArcSight Manager Java heap memory size
to at least 4 GB, as described in the ArcSight ESM
Installation and Configuration Guide, and restart the
Manager.
Problem Solution

A Troubleshooting

Appendix B
Uninstalling RepSM
This chapter provides instructions on how to uninstall RepSM and discusses the following
topics.
Preparing to Uninstall
Before you uninstall the RepSM content package, make sure you back up the content.
Performing a backup ensures that the content is preserved. See “Backing Up a Solution
Package” on page 72.
Optionally, before you back up the content, you can generate a list of the resource changes
since the last time the package was exported to a package bundle. You can then back up
only those resources that have been modified or added. See “Generating a List of Resource
Changes” on page 71.
Generating a List of Resource Changes
Before backing up and uninstalling a solution content package, you can generate a list of
the resource changes since the last time the package was exported to a package bundle.
The current resources associated with the selected package are compared against the
resources saved in the package bundle and any new, modified or deleted resources are
reported.
To generate a list of resource changes:
2 In the Packages tab of the Navigator panel, navigate to the ArcSight Solutions
group.
3 Right-click the Reputation Security Monitor 1.01 package ( ) and select
Compare Archive with Current Package Contents.
Preparing to Uninstall, described below
Generating a List of Resource Changes, described below
“Backing Up a Solution Package” on page 72
“Uninstalling the Content Package” on page 72
Every time a package is exported, the change history is reset.

B Uninstalling RepSM
In the Viewer panel, a list of resources associated with the package are displayed. In
the right column called Change Since Archive, any changes with the resource
since the last export are displayed, either Added, Modified, or Removed.
4 Optional—For future reference, you can copy and paste the cells from this table into a
spreadsheet.
Backing Up a Solution Package
HP recommends that you keep a backup of the current state before making content
changes or installing and uninstalling solution packages. Before backing up a solution, you
can obtain a list of changed resources. You can then back up only those resources that
have been modified or added. For detailed instructions, see “Generating a List of Resource
Changes” on page 71.
You can back up the solution content to a package bundle file that ends in the .arb
extension as described in the process below.
To back up a solution package:
2 In the Packages tab of the Navigator panel, navigate to the solution group.
For RepSM, navigate to ArcSight Solutions/.
3 Right-click the package ( ) (such as Reputation Security Monitor 1.01) and
select Export Package to Bundle.
The Package Bundle Export dialog displays.
4 In the Package Bundle Export dialog, browse for a directory location, specify a file
name and click Next.
The Progress tab of the Export Packages dialog displays the progress of the export.
5 When the export is complete, click OK.
The resources are saved into the package bundle file that ends with the .arb extension.
You can restore the contents of this package at a later time by importing this package
bundle file.
Uninstalling the Content Package
Before uninstalling the RepSM content package, back up all the packages ( ) for all the
solutions currently installed. For example, if the RepSM content and the CIP for SOX
solution are both installed on the same ArcSight ESM, export the package for each solution

before uninstalling either solution. Back up the CIP for SOX package into a package bundle
(.arb) file and then back up the RepSM content package into a different package bundle
(.arb) file before uninstalling either solution. For detailed instructions, see Backing Up a
Solution Package, above. To generate a list of resource changes before the uninstall, see
“Generating a List of Resource Changes” on page 71.
To uninstall the content package:
2 Click the Packages tab in the Navigator panel.
3 Navigate to ArcSight Solutions, right-click the Reputation Security
Monitor 1.0 package ( ), and select Uninstall Package.
4 In the Uninstall Packages dialog, click OK. The progress of the uninstall displays in the
Progress tab of the Uninstalling Packages dialog.
If a message displays indicating that there is a conflict, select an option in the
Resolution Options area and click OK.
5 When the uninstall is complete, review the summary and click OK.

Appendix C
RepSM Service Messages
This appendix explains some of the more important RepSM service messages that appear
in the RepSM Resource Health dashboard of the RepSM Package Health Status use case.
Service Activation Messages
The following messages are issued during the activation of the RepSM service.
Message Explanation User Action
1:Invalid key The activation of the RepSM service
failed due to an invalid activation
key.
Specify a valid activation key by
reconfiguring the Model Import
Connector for RepSM. The activation
key is provided by HP. For more
information, see the Model Import
Connector for RepSM Configuration
Guide.
If the activation continues to fail,
contact HP ArcSight Customer
Support.
3:Trial period
expired on
YYYY-MM-DDThh:
mm:ssZ
The activation of the RepSM service
failed because the trial license
expired on the date shown in the
message.
Contact your HP ArcSight sales
representative to obtain a new
license.
4:Key expired on
YYYY-MM-DDThh:
mm:ssZ
failed because the activation key
expired on the date shown in the
message.
Contact your HP ArcSight sales
representative to obtain a new
activation key.
5:Service
terminated on
YYYY-MM-DDThh:
mm:ssZ
failed because the service was
terminated on the date shown in the
message.
If your organization requested the
termination, no action is required.
If your organization did not request
the termination, contact HP ArcSight
Customer Support.

C RepSM Service Messages
Data Retrieval Messages
The following messages are issued by the Model Import Connector for RepSM when it
attempts to retrieve reputation data from the RepSM service.
Message Explanation User Action
0:OK The request to retrieve data from
the RepSM service was
successful.
No action is required.
1:Invalid service key The request to retrieve data from
the RepSM service failed because
the service key cannot be found
in the database, or the service
key is invalid.
Contact HP ArcSight Customer
Support.
3:Database not found
with requested version
An incremental update of data
from the RepSM service was not
available, so a full import will be
performed. The RepSM active lists
will be repopulated with new
entries from the full import.
4:Service terminated
on
DD-MM-YYYYThh:mm:s
s
The request to retrieve data from
the RepSM service failed because
the license was terminated on the
date shown in the message.
If your organization requested the
termination, no action is required.
If your organization did not request
the termination, contact HP ArcSight
Customer Support.
5:Service will expire in
nn days
The request to retrieve data from
the RepSM service was
successful, but the service will
expire soon. (This message will
be implemented in a future
release.

Appendix D
RepSM Resource Reference
This appendix lists all of the resources explicitly assigned to each RepSM use case, and any
dependent resources. The resources are organized by use case, as follows:
For information about the key resources for each use case, see the “Key Resources”
sections in Chapter 3‚ Using RepSM Content‚ on page 25. Key resources are those that you
use during an investigation or that might require configuration.
Access from Dangerous Sources
The following table lists all the resources explicitly assigned to this use case and any
dependant resources.
Table D-1 Resources that Support the Access from Dangerous Sources Use Case
“Access from Dangerous Sources” on page 77
“Access to Dangerous Destinations” on page 86
“Dangerous Browsing” on page 97
“Event Enrichment with Reputation Data” on page 108
“Internal Assets Found in Reputation Data” on page 113
“Internal Infected Assets” on page 115
“Reputation Data Analysis” on page 151
“RepSM Overview” on page 123
“RepSM Package Health Status” on page 136
“Zero Day Attacks” on page 156
Monitor Resources
Overview of
Access from
Dangerous
Sources
overview of successful access
from dangerous sources to
internal, non public-facing assets.
You can drilldown to see the base
events related to the hosts
involved.
Dashboard ArcSight
Security Monitor
Sources/

D RepSM Resource Reference
Dangerous
Sources
This query viewer shows the
dangerous sources accessing
internal, non public facing assets,
ordered by the highest score, the
type of the attacker, the number
of internal assets it attacked, and
the last communication time.
Query
Viewer
ArcSight
Security Monitor
Sources/
Trend of
Access from
Dangerous
Sources
This query viewer shows the daily
number of dangerous access
events during the last seven
days. It is based on a trend so it
might not show most recent data.
Query
Viewer
ArcSight
Security Monitor
Sources/
Internal
Assets
Accessed by
Dangerous
Sources
summary of internal assets
accessed by dangerous sources,
including the number of attacking
sources, the highest reputation
score of these attackers, the total
number of events detected and
the time of the latest attack.
Query
Viewer
ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources
During the
Last 24 Hours
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources - 30
Day Trend
access from dangerous malicious
entities to non public-facing,
internal assets during the last 30
AttackType.
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources - One
Year Trend
to internal assets during the last
year. Do not change the default
AttackType.
Report ArcSight
Security Monitor
Sources/
Access from
Dangerous
Sources
During the
Last 7 Days
assets during the last seven
AttackType.
Report ArcSight
Security Monitor
Sources/
Library - Correlation Resources
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain - First
Occurrence
This rule captures the first event
of all successful inbound
communications to assets
categorized as internal, non
public-facing from reputation
domain names with zero day
attack exploit types. It will open
a case for each internal target.
Rule ArcSight
Day Attacks/

Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
communications to internal, non
public-facing assets from
reputation domain names with
zero day attack exploit types. It
will open a case for each internal
target.
Rule ArcSight
Security Monitor
Sources/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address - First
Occurrence
public-facing from reputation IP
addresses with zero day attack
exploit types. It will open a case
for each internal target.
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address
This rule captures all successful
inbound communications to
assets categorized as internal,
non public-facing from reputation
IP addresses with zero day attack
exploit types.These are flagged
as potential zero day attacks.
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
attack exploit types.These are
flagged as potential zero day
attacks.
Rule ArcSight
Day Attacks/
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Address
inbound communications from
reputation IP addresses not
already captured as zero day
attacks.These are flagged as
access from dangerous sources.
Rule ArcSight
Security Monitor
Sources/
Library Resources
Malicious IP
Addresses
This active list stores up to 1
million reputation IP addresses
from the RepDV database.
Zero Day
Attack Exploit
Types
Day Attacks/

Zero Day
Attacks and
Access from
Dangerous
Sources
This list contains all successful
inbound communications from a
malicious host with Zero-Day
attack exploit type. The lists of
such exploit types are defined by
the Zero Day Attack Exploit Types
active list.
Security Monitor
Sources/
Malicious
Domains
million reputation domain names
Malicious Host
Names in
Dangerous
Sources
Access and
Zero Day
Attacks
This active list stores all malicious
host names involved in
interactions with dangerous
sources and zero day attacks. It
is used internally to show all base
events, and has a time-to-live of
7 days.
Security Monitor
Sources/
Protected This is a site asset category. Asset
Category
Site Asset
Internal Non
Public-Facing
Category
ArcSight
Security Monitor
Most Recent
Access from
Dangerous
Sources
This data monitor shows the last
20 access activities from
dangerous sources to non
public-facing internal assets.
Data
Monitor
ArcSight
Security Monitor
Sources/
solnGetAttack
erReputationD
omainLevel1Li
stEntry
This variable returns the entry in
the reputation domain list
corresponding to the attacker
domain level 1.
Global
Variable
ArcSight
solnGetAttack
erDomainExpl
oitType
type of an attacker in the
reputation domain list used for
real time correlation.
Global
Variable
ArcSight
Security Monitor 1.0/Main
Final Variables/
solnGetAttack
erDomainLevel
3
This variable returns the three
rightmost subdomains of an
attacker's host name that follows
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGenericHi
ghScoreThresh
old
This global variable defines the
generic threshold for high
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomainLe
vel4ListEntry
the reputation domain database
corresponding to the request URL
domain level 4.
Global
Variable
ArcSight

Zero Day
Attacks
Reputation
Domain Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetLowerA
ttackerHostNa
me
This variable returns the attacker
host name in lower case.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Zero Day
Attacks
Reputation IP
Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Access from
Dangerous
Sources
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainEntry
This variable returns the entry of
an attacker in the reputation
domain list used for real time
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
4
This variable returns the 4 right
most subdomains of an attacker's
host name that follows the dotted
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erDomainLevel
2
This variable returns the two
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetAttack
erDomainLevel
1
This variable returns the right
most subdomain of an attacker's
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetAttack
erReputationH
ostNameListEn
try
an attacker host name in the
Global
Variable
ArcSight

Source
Address
Reputation
Score
Global
Variable
ArcSight
Data/
Access from
Dangerous
Sources
Reputation IP
Score
Threshold
case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainLevel2Li
stEntry
domain level 2.
Global
Variable
ArcSight
solnGetAttack
erReputationD
omainLevel4Li
stEntry
domain level 4.
Global
Variable
ArcSight
solnGetAttack
erReputationD
omainLevel3Li
stEntry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomain
This variable returns the domain
substring of a request URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel4
most subdomains of the
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationIP
ListEntry
address entry in the reputation IP
database.
Global
Variable
ArcSight
Final Variables/
Event Limit This filter limits the events
processed and reported by the
solution to only the events that
are relevant to the regulation.
This filter is included in the
conditions of all other resources
in the package, such as rules,
queries, and filters, either
directly or indirectly. Edit this
filter to change the events
processed and reported by this
solution.
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attack
Reputation IP
Exploit Types
This filter identifies events from
malicious IP addresses having
zero day attack exploit types.
Filter ArcSight
Day Attacks/Support/

Inbound
Communicatio
n from
Malicious IP
Addresses
This filter identifies all inbound
traffic from IP addresses in the
reputation IP active list for real
time correlation.
Filter ArcSight
Security Monitor
1.0/General/Malicious
Communications/
Non
Public-Facing
Internal
Targets
This filter identifies all events
whose targets are categorized as
non public-facing internal.
Filter ArcSight
Security Monitor
1.0/General/
Internal
Attackers
This filter identifies events
coming from systems inside the
network in your organization.
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Events
coming from outside the network
in your organization targeting the
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Communicatio
n from
Malicious
Domains
traffic from domain names in the
Filter ArcSight
Security Monitor
Communications/
Access from
Dangerous
Sources
This filter identifies all access
from dangerous sources. By
default, any successful inbound
communication not flagged as
zero-day attack is flagged as
such.
Filter ArcSight
Security Monitor
Sources/
Internal
Targets
targeting systems inside the
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attack
Reputation
Domain
Exploit Types
malicious domain names or host
names having zero-day attack
exploit types.
Filter ArcSight
Access from
Dangerous
Sources - Rule
Firings
This filter identifies all correlation
events generated by rules that
detect access from dangerous
sources.
Filter ArcSight
Security Monitor
Sources/
Daily Count of
Access from
Dangerous
Sources
During the
Last 7 Days
This query returns the daily count
of access from dangerous sources
during the last 7 days. It is based
on a trend so it might not show
most recent data.
Query ArcSight
Security Monitoring
Sources/

Zero Day
Attacks per
Reputation
Type During
the Last 30
Days
This query returns the number of
zero day attacks per reputation
(exploit) type within the last 30
days. This query is based on a
trend so it might not show the
most recent data.
Query ArcSight
Security Monitoring
1.0/Zero Day Attacks/
Summary of
Dangerous
Sources
This query returns the dangerous
sources accessing internal, non
public facing assets, ordered by
the highest score, the type of the
attacker, the number of internal
assets it attacked, and the last
communication time.
Query ArcSight
Security Monitoring
Sources/
Top 10 Zero
Day Attackers
During the
Last 7 Days
This query returns the top zero
day attackers (based on event
count) during the last 7 days.
This query is based on a trend so
it might not show the most
recent data.
Query ArcSight
Security Monitoring
Top 10 Zero
Day Attackers
Attacked Most
Internal Hosts
During the
Last 7 Days
This query returns the zero day
attackers that attacked the
highest number of internal hosts
during the last 7 days. This query
is based on a trend so it might
not show the most recent data.
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks During
the Last One
Year
zero day attacks per month
within the last 1 year. This query
Query ArcSight
Security Monitoring
Zero Day
Attacks per
Reputation
Type During
the Last 7
Days
most recent data.
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks per
Type During
the Last One
Year
This query returns the monthly
count of zero day attacks per
exploit type within the last 1
year. This query is based on a
most recent data.
Query ArcSight
Security Monitoring
Summary of
Internal
Assets
Accessed by
Dangerous
Sources
This query returns the summary
of internal assets accessed by
dangerous sources, including the
number of attacking sources, the
highest reputation score of these
attackers, the total number of
events detected and the time of
the latest attack.
Query ArcSight
Security Monitoring
Sources/

Top Assets
Most Attacked
During the
Last 7 Days
This query returns the internal
assets received most zero day
attacks during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Weekly Count
of Zero Day
Attacks per
Type During
the Last 30
Days
This query returns the weekly
most recent data.
Query ArcSight
Security Monitoring
Top Accessed
Assets During
the Last 24
Hours
assets being accessed the most
Query ArcSight
Security Monitoring
Sources/
Weekly Count
of Zero Day
Attacks During
the Last 30
Days
zero day attacks per week within
the last 30 days. This query is
based on a trend so it might not
show the most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks and
Access from
Dangerous
Sources -
Trend Base
This query returns all firings of
rules that detect zero day attacks
or access from dangerous
sources within the last 24 hours.
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks per
Target Zone
During the
Last One Year
source zone within the last 1
most recent data.
Query ArcSight
Security Monitoring
Access from
Dangerous
Sources per
Reputation
Type During
the Last 24
Hours
This query returns the count of
per reputation (exploit) type
within the last 24 hours.
Query ArcSight
Security Monitoring
Sources/
Access from
Dangerous
Sources in the
Last 24 Hours
This query returns all access from
dangerous sources in the last 24
hours.
Query ArcSight
Security Monitoring
Sources/
Zero Day
Attack Details
During the
Last 7 Days
This query returns the details of
zero day attacks within the last 7
most recent data.
Query ArcSight
Security Monitoring

Access to Dangerous Destinations
Table D-2 Resources that Support the Access to Dangerous Destinations Use Case
Weekly Count
of Zero Day
Attacks per
Target Zone
During the
Last 30 Days
target zone within the last 30
most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks per
Reputation
Type During
the Last One
Year
most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks and
Access from
Dangerous
Sources
This trend stores all firings of
sources.
Trend ArcSight
Security Monitor
Sources/
Monitor Resources
Overview of
Access to
Dangerous
Destinations
overview of all access to
drilldown to more information
about the related destinations
and the correlation or base
events.
Dashboard ArcSight
Security Monitor
Destinations/
Dangerous
Destinations
Accessed by
Internal
Assets
summary of dangerous
destinations contacted by internal
hosts.
Query
Viewer
ArcSight
Security Monitor
Destinations/
Internal
Assets
Communicate
d with
Dangerous
Destinations
summary of internal assets that
communicated with a dangerous
destination.
Query
Viewer
ArcSight
Security Monitor
Destinations/

Trend of
Access to
Dangerous
Destinations
daily count of communications
with dangerous destinations
(domain, host name or IP
address) during the last 7 days.
It is based on a trend so it might
not show most recent data.
Query
Viewer
ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations -
One Year
Trend
during the last year. It uses the
same queries as the counterpart
report for dangerous browsing
activities, but with a different
activity type. Because of this, do
not change the default value of
the custom variable ActivityType.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations
During the
Last 24 Hours
- Short Form
destinations, which have exploit
types that are not defined in the
Dangerous Browsing Exploit
Types active list, by internal
assets during the last 24 hours. It
contains less information than
the long counterpart.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations -
30 Day Trend
during the last 30 days. It uses
the same queries as the
browsing activities, but with a
ActivityType.
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations
During the
Last 24 Hours
- Long Form
destinations of non-browsing
exploit types by internal assets
Report ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations
During the
Last 7 Days
during the last seven days. It
uses the same queries as the
browsing destinations, but with a
ActivityType.
Report ArcSight
Security Monitor
Destinations/

Access to
Dangerous
Destinations:
Outbound
Requests to
Malicious
Domains
This rule captures all outbound
URL requests from non
public-facing internal assets to
high scores and non-critical
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
Domains
traffic from non public-facing
assets to reputation domain
names with high scores and
non-critical exploit types.
Rule ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
IPs
assets to reputation IP addresses
with high scores and non-critical
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Dangerous
Browsing:
Outbound
Requests to
Malicious
Domains
This rule captures all dangerous
browsing activities with URL
requests from non public-facing
internal assets to reputation
domain names with high scores
and non-critical exploit types.
Rule ArcSight
Security Monitor
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
Domains
browsing activities from non
public-facing assets to reputation
Rule ArcSight
Security Monitor
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
IPs
IP addresses with high scores
Rule ArcSight
Security Monitor
Library Resources
Malicious IP
Addresses
Critical Exploit
Types
Security Monitor
Assets/
Dangerous
Browsing
Exploit Types
Security Monitor
Destinations/

Malicious
Domains
Malicious Host
Names in
Dangerous
Destination
Interactions
and
Dangerous
Browsing
destinations and dangerous sites.
It is used internally to show all
base events, and has a
time-to-live of 7 days.
Security Monitor
Destinations/
Interactions
with
Dangerous
Destinations
and
Dangerous
Sites
This list contains all outbound
communications from a non
public-facing assets to a
malicious host with non-critical
exploit types (the critical types
are defined in the Critical Exploit
Types active list and handled by
the Internal Infected Assets use
case). Each malicious destination
is further classified as dangerous
browsing or just dangerous
destination, depending on the
exploit type. The lists of
dangerous browsing exploit types
are defined by the Dangerous
Browsing Exploit Types active list.
Security Monitor
Destinations/
Category
Site Asset
Category
ArcSight
Security Monitor
Most Recent
Access to
Dangerous
Destination
20 access to dangerous
destination activities from non
Data
Monitor
ArcSight
Security Monitor
Destinations/
solnGetTarget
DomainLevel4
most subdomains of a target's
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel1
most subdomain of the requested
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationIPLi
stEntry
This variable returns the target
database.
Global
Variable
ArcSight
Final Variables/

Access to
Dangerous
Destinations
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Destination
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
solnGetBaseRe
questURLDom
ainEntry
a base request URL in the
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel4List
Entry
corresponding to the target
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
rightmost subdomains of the
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainEx
ploitType
type of the request URL in the
Global
Variable
ArcSight
Final Variables/
Access to
Dangerous
Destinations
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
DomainLevel2
rightmost subdomains of a
target's host name that follows
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainEntry
a target in the reputation domain
list used for real time correlation.
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainExploit
Type
type of a target in the reputation
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationHos
tNameListEntr
y
a target host name in the
Global
Variable
ArcSight
solnGetTarget
DomainLevel1
most (top) subdomain of a
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Dangerous
Browsing
Reputation
Domain Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLReputatio
nDomainEntry
a request URL in the reputation
correlation.
Global
Variable
ArcSight
Final Variables/
Request URL
Domain
Reputation
Exploit Type
domain data.
Global
Variable
ArcSight
Data/
Destination
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
Dangerous
Browsing
Reputation IP
Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Dangerous
Browsing
Request
Domain
Exploit Types
This filter identifies requested
URLs to reputation domain or
host name with dangerous
browsing exploit types.
Filter ArcSight
Security Monitor
Destinations/Support/
Outbound
Communicatio
n to
Reputation
Domains
This filter identifies all outbound
traffic to domain names in the
reputation domain active list
used for real time correlation.
Filter ArcSight
Security Monitor
Communications/
Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Critical Target
Reputation
Domain
Exploit Types
This filter identifies critical target
reputation domain or host name
exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Request to
Reputation
Domains
This filter identifies all URL
requests to domain names in the
Filter ArcSight
Security Monitor
Communications/

Critical Target
Reputation IP
Exploit Types
reputation IP exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Interactions
with
Dangerous
Destinations -
Rule Firings
This filter identifies all firings of
rules that detect interactions with
dangerous destinations (i.e.
non-browsing exploit types).
Filter ArcSight
Security Monitor
Destinations/
solution.
Filter ArcSight
Security Monitor
1.0/General/
Target Host
Name Present
This filter checks if the Target
Host Name field is populated.
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
IPs
communication from non
public-facing assets to any
reputation IP with non critical
exploit type and high score.
Filter ArcSight
Security Monitor
Destinations/
Outbound
Events
coming from inside the network
public network.
Filter ArcSight
Security Monitor
1.0/General/
Access to
Dangerous
Destinations
This filter identifies all access to
dangerous destinations.
Filter ArcSight
Security Monitor
Destinations/
Critical
Request
Domain
Exploit Types
host name with critical exploit
types.
Filter ArcSight
Security Monitor
Assets/Support/
Dangerous
Browsing
Target
Reputation IP
Exploit Types
This filter identifies events to
target reputation IP addresses
considered as of dangerous
Filter ArcSight
Security Monitor

Dangerous
Destinations
and
Dangerous
Browsing:
Outbound URL
Requests to
Malicious
Domains
reputation domain with non
critical exploit type and high
score.
Filter ArcSight
Security Monitor
Destinations/
Outbound
Communicatio
n to
Reputation IP
Addresses
traffic to reputation IP addresses.
Filter ArcSight
Security Monitor
Communications/
Public-Facing
Attackers
whose attackers are categorized
as public-facing assets.
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
Domains
communication non public-facing
assets to malicious entities with
non critical exploit types and high
scores.
Filter ArcSight
Security Monitor
Destinations/
Dangerous
Browsing
Target
Reputation
Domain
Exploit Types
target reputation domain or host
name considered as of dangerous
Filter ArcSight
Security Monitor
Top Assets
with Most
Dangerous
Browsing
Activities
During the
Last 7 Days
assets with most browsing
activities during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities per
Reputation
Type During
the Last 30
Days
dangerous browsing activities per
reputation (exploit) type within
Query ArcSight
Security Monitoring
Weekly Count
of Dangerous
Browsing
Activities
During the
Last 30 Days
week within the last 30 days. This
query is based on a trend so it
might not show the most recent
data.
Query ArcSight
Security Monitoring

Top 10
Dangerous
Browsing
Destinations
Most Accessed
During the
Last 7 Days
This query returns the top
dangerous browsing destinations
address) that were accessed the
most during the last 7 days. This
data.
Query ArcSight
Security Monitoring
Monthly Count
of Dangerous
Browsing
Activities per
Type During
the Last One
Year
count of dangerous browsing
activities per exploit type within
the last 1 year. This query is
Query ArcSight
Security Monitoring
Top Assets
Interacted
Most with
Dangerous
Destinations
During the
Last 24 Hours
assets that interacted most with
dangerous destinations (ie. of
non-browsing exploit types)
Query ArcSight
Security Monitoring
Destinations/
Weekly Count
of Dangerous
Browsing
Activities per
Type During
the Last 30
Days
Query ArcSight
Security Monitoring
Dangerous
Destinations
Accessed by
Internal
Assets
of dangerous destinations
contacted by internal hosts.
Query ArcSight
Security Monitoring
Destinations/
Interactions
with
Dangerous
Destinations in
the Last 24
Hours
This query returns all interactions
with dangerous destinations
(non-browsing types only) in the
last 24 hours.
Query ArcSight
Security Monitoring
Destinations/
Internal
Assets
Communicate
d with
Dangerous
Destinations
of internal assets that
communicated with a dangerous
destination.
Query ArcSight
Security Monitoring
Destinations/
Top 10
Dangerous
Destinations
Most Accessed
During the
Last 24 Hours
dangerous destinations (domain,
host name or IP address) of
non-browsing exploit types that
were accessed the most during
the last 24 hours.
Query ArcSight
Security Monitoring
Destinations/

Dangerous
Browsing
Activities per
Reputation
Type During
the Last One
Year
Query ArcSight
Security Monitoring
Daily
Communicatio
ns with
Dangerous
Destinations
During the
Last 7 Days
This query returns the top daily
count of communications with
host name or IP address) during
the last 7 days. It is based on a
trend so it might not show most
recent data.
Query ArcSight
Security Monitoring
Destinations/
Weekly Count
of Dangerous
Browsing
Activities per
Source Zone
During the
Last 30 Days
activities per source zone within
Query ArcSight
Security Monitoring
Top 10
Dangerous
Destinations
Accessed by
Most Internal
Assets During
the Last 24
Hours
non-browsing types that have the
highest number of internal assets
interacted with during the last 24
hours.
Query ArcSight
Security Monitoring
Destinations/
Top 10
Dangerous
Browsing
Destinations
Accessed by
Most Internal
Assets During
the Last 7
Days
address) that have the highest
number of internal assets
accessed during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities
During the
Last 7 Days
This query returns dangerous
browsing activities within the last
7 days. This query is based on a
most recent data.
Query ArcSight
Security Monitoring
Monthly Count
of Dangerous
Browsing
Activities per
Source Zone
During the
Last One Year
Query ArcSight
Security Monitoring

Dangerous Browsing
Table D-3 Resources that Support the Dangerous Browsing Use Case
Dangerous
Browsing and
Interactions
with
Dangerous
Destinations -
Trend Base
rules that detect dangerous
browsing or access to dangerous
destinations within the last 24
hours.
Query ArcSight
Security Monitoring
Destinations/
Interactions
with
Dangerous
Destinations
per Reputation
Type During
the Last 24
Hours
interactions to dangerous
destinations (non-browsing
types) per reputation (exploit)
type within the last 24 hours.
Query ArcSight
Security Monitoring
Destinations/
Monthly Count
of Dangerous
Browsing
Activities
During the
Last One Year
month within the last 1 year. This
data.
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities per
Reputation
Type During
the Last 7
Days
Query ArcSight
Security Monitoring
Dangerous
Browsing and
Interactions to
Dangerous
Destinations
This trend stores firings of rules
that detect interactions to all
dangerous destinations (browsing
and non-browsing types).
Trend ArcSight
Security Monitor
Destinations/
Monitor Resources
Overview of
Dangerous
Browsing
overview of all dangerous
browsing activities and access to
drilldown to get to more
destinations and the base events.
Dashboard ArcSight
Security Monitor

Trend of
Dangerous
Browsing
Activities
During the
Last 7 Days
daily count of dangerous
browsing activities (based on
target domain, host name or IP
address) during the last 7 days.
It is based on a trend so it might
not show most recent data.
Query
Viewer
ArcSight
Security Monitor
Internal
Assets
Involved in
Dangerous
Browsing
involved in dangerous browsing.
Query
Viewer
ArcSight
Security Monitor
Dangerous
Sites Accessed
by Internal
Asset
summary of dangerous web sites
accessed by internal hosts.
Query
Viewer
ArcSight
Security Monitor
Dangerous
Browsing
Activities - 30
Day Trend
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities -
One Year
Trend
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 24 Hours
- Long Form
hours.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 24 Hours
- Short Form
hours. It shows less data than
the longer counterpart.
Report ArcSight
Security Monitor
Dangerous
Browsing
Activities
During the
Last 7 Days
Report ArcSight
Security Monitor
Access to
Dangerous
Destinations:
Outbound
Requests to
Malicious
Domains
exploit types.
Rule ArcSight
Security Monitor
Destinations/

Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Destinations/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
IPs
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Dangerous
Browsing:
Outbound
Requests to
Malicious
Domains
Rule ArcSight
Security Monitor
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
IPs
Rule ArcSight
Security Monitor
Library Resources
Malicious IP
Addresses
Critical Exploit
Types
Security Monitor
Assets/
Dangerous
Browsing
Exploit Types
Security Monitor
Destinations/
Malicious
Domains

Malicious Host
Names in
Dangerous
Destination
Interactions
and
Dangerous
Browsing
Security Monitor
Destinations/
Interactions
with
Dangerous
Destinations
and
Dangerous
Sites
Security Monitor
Destinations/
Category
Site Asset
Category
ArcSight
Security Monitor
Most Recent
Dangerous
Browsing
Activities
20 dangerous browsing activities
from non public-facing internal
assets.
Data
Monitor
ArcSight
Security Monitor
solnGetTarget
DomainLevel4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel1
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationIPLi
stEntry
database.
Global
Variable
ArcSight
Final Variables/
Access to
Dangerous
Destinations
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Destination
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
solnGetBaseRe
questURLDom
ainEntry
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel4List
Entry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainEx
ploitType
Global
Variable
ArcSight
Final Variables/
Access to
Dangerous
Destinations
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
DomainLevel2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetTarget
ReputationDo
mainEntry
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainExploit
Type
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationHos
tNameListEntr
y
Global
Variable
ArcSight
solnGetTarget
DomainLevel1
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Dangerous
Browsing
Reputation
Domain Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLReputatio
nDomainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
Request URL
Domain
Reputation
Exploit Type
domain data.
Global
Variable
ArcSight
Data/
Destination
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
Dangerous
Browsing
Reputation IP
Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight

solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Dangerous
Browsing
Request
Domain
Exploit Types
Filter ArcSight
Security Monitor
Outbound
Communicatio
n to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Dangerous
Browsing
Activities -
Rule Firings
browsing activities.
Filter ArcSight
Security Monitor
Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Critical Target
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Request to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/

Critical Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor
Assets/Support/
Interactions
with
Dangerous
Destinations -
Rule Firings
Filter ArcSight
Security Monitor
Destinations/
solution.
Filter ArcSight
Security Monitor
1.0/General/
Target Host
Name Present
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
IPs
Filter ArcSight
Security Monitor
Destinations/
Outbound
Events
public network.
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Browsing
This filter identifies all dangerous
Filter ArcSight
Security Monitor
Critical
Request
Domain
Exploit Types
types.
Filter ArcSight
Security Monitor
Assets/Support/
Dangerous
Browsing
Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor

Dangerous
Destinations
and
Dangerous
Browsing:
Outbound URL
Requests to
Malicious
Domains
score.
Filter ArcSight
Security Monitor
Destinations/
Outbound
Communicatio
n to
Reputation IP
Addresses
Filter ArcSight
Security Monitor
Communications/
Public-Facing
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
Domains
scores.
Filter ArcSight
Security Monitor
Destinations/
Dangerous
Browsing
Target
Reputation
Domain
Exploit Types
Filter ArcSight
Security Monitor
Dangerous
Browsing
Activities in
the Last 24
Hours
This query returns all dangerous
browsing activities in the last 24
hours.
Query ArcSight
Security Monitoring
Top Assets
with Most
Dangerous
Browsing
Activities
During the
Last 7 Days
assets with most browsing
activities during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Top 10
Dangerous
Browsing
Destinations
Most Accessed
During the
Last 7 Days
most during the last 7 days. This
data.
Query ArcSight
Security Monitoring

Weekly Count
of Dangerous
Browsing
Activities
During the
Last 30 Days
week within the last 30 days. This
data.
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities per
Reputation
Type During
the Last 30
Days
Query ArcSight
Security Monitoring
Monthly Count
of Dangerous
Browsing
Activities per
Type During
the Last One
Year
Query ArcSight
Security Monitoring
Daily
Dangerous
Browsing
Activities
During the
Last 7 Days
This query returns the top daily
count of dangerous activities
most recent data.
Query ArcSight
Security Monitoring
Top 10
Dangerous
Browsing
Destinations
Most Accessed
During the
Last 24 Hours
most during the last 24 hours.
Query ArcSight
Security Monitoring
Weekly Count
of Dangerous
Browsing
Activities per
Type During
the Last 30
Days
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities per
Reputation
Type During
the Last One
Year
Query ArcSight
Security Monitoring
Top Assets
with Most
Dangerous
Browsing
Activities
During the
Last 24 Hours
assets that interacted most with
dangerous destinations (ie. of
non-browsing exploit types)
Query ArcSight
Security Monitoring

Top 10
Dangerous
Destinations
Accessed by
Most Internal
Assets During
the Last 24
Hours
non-browsing types that have the
highest number of internal assets
interacted with during the last 24
hours.
Query ArcSight
Security Monitoring
Destinations/
Top 10
Dangerous
Browsing
Destinations
Accessed by
Most Internal
Assets During
the Last 7
Days
address) that have the highest
number of internal assets
accessed during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities
During the
Last 7 Days
This query returns dangerous
browsing activities within the last
7 days. This query is based on a
most recent data.
Query ArcSight
Security Monitoring
Weekly Count
of Dangerous
Browsing
Activities per
Source Zone
During the
Last 30 Days
Query ArcSight
Security Monitoring
Monthly Count
of Dangerous
Browsing
Activities per
Source Zone
During the
Last One Year
Query ArcSight
Security Monitoring
Dangerous
Browsing
Activities per
Reputation
Type During
the Last 24
Hours
the last 24 hours.
Query ArcSight
Security Monitoring
Dangerous
Browsing and
Interactions
with
Dangerous
Destinations -
Trend Base
hours.
Query ArcSight
Security Monitoring
Destinations/
Monthly Count
of Dangerous
Browsing
Activities
During the
Last One Year
month within the last 1 year. This
data.
Query ArcSight
Security Monitoring

Event Enrichment with Reputation Data
Table D-4 Resources that Support the Event Enrichment with Reputation Data Use Case
Dangerous
Browsing
Activities per
Reputation
Type During
the Last 7
Days
Query ArcSight
Security Monitoring
Dangerous
Browsing and
Interactions to
Dangerous
Destinations
Trend ArcSight
Security Monitor
Destinations/
Library Resources
Malicious IP
Addresses
Malicious
Domains
solnGetTarget
DomainLevel4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationIPLi
stEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetReques
tURLDomainLe
vel1
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGetBaseRe
questURLDom
ainEntry
Global
Variable
ArcSight

solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetLowerA
ttackerHostNa
me
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationD
omainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel1
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLReputatio
nDomainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel2Li
stEntry
domain level 2.
Global
Variable
ArcSight
Request URL
Reputation
Domain
reputation domain from a URL
domain data.
Global
Variable
ArcSight
Data/
Destination
Address
Reputation
Score
data.
Global
Variable
ArcSight
Data/
Request URL
Domain
Reputation
Exploit Type
domain data.
Global
Variable
ArcSight
Data/
solnGetAttack
erReputationD
omainLevel3Li
stEntry
domain level 3.
Global
Variable
ArcSight

solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Destination
Reputation
Domain
reputation domain related to a
malicious target (or destination)
host name based on the
Global
Variable
ArcSight
Data/
solnGetAttack
erReputationIP
ListEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel1Li
stEntry
domain level 1.
Global
Variable
ArcSight
solnGetAttack
erDomainLevel
3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Request URL
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
Destination
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel4List
Entry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight

solnGetTarget
DomainLevel2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainEntry
Global
Variable
ArcSight
Final Variables/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Destination
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGetTarget
ReputationHos
tNameListEntr
y
Global
Variable
ArcSight
solnGetAttack
erDomainLevel
2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
Source
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetAttack
erDomainLevel
1
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationH
ostNameListEn
try
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight

Source
Address
Reputation
Score
Global
Variable
ArcSight
Data/
solnGetAttack
erReputationD
omainLevel4Li
stEntry
domain level 4.
Global
Variable
ArcSight
Destination
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight
Source
Reputation
Domain
data.
Global
Variable
ArcSight
Data/
RepSM
Product
This global variables returns
Reputation Security Monitor for
events with reputation
information. Otherwise, it returns
the original Device Product.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
Reputation
Domain
Enrichment
reputation domain information
for event enrichment purposes.
Field Set ArcSight
Reputation IP
Enrichment
reputation IP information for
event enrichment purposes.
Field Set ArcSight
Request URL
Enrichment
reputation information (based on
the request URL) for event
enrichment purposes.
Field Set ArcSight
Events with
Requests to
Malicious
Hosts
This filter identifies events with
requests to hosts found in the
Filter ArcSight
Security Monitor
Reputation Data/

Internal Assets Found in Reputation Data
Table D-5 Resources that Support the Internal Assets Found in Reputation Data Use Case
Events from
Malicious
Sources
attackers are found in the
Filter ArcSight
Security Monitor
Reputation Data/
Events to
Malicious
Targets
targets are found in the
Filter ArcSight
Security Monitor
Reputation Data/
RepSM
Relevant
Events
This filter identifies events that
contains information related to
reputation data (for example,
host address or request URL).
Filter ArcSight
Security Monitor
Reputation Data/
Monitor Resources
Internal
Assets and
Domains
Found in
Reputation
Data
This dashboard provides
information around internal
assets or domain names reported
in the reputation database.
Dashboard ArcSight
Security Monitor
in Reputation Data/
All Internal
Domains and
Hosts Found
This query viewer shows all local
domain names and hosts
appeared in the reputation
domain database.
Query
Viewer
ArcSight
Security Monitor
in Reputation Data/
All Internal IP
Addresses
Found
This query viewer shows all local
IP addresses appeared in the
reputation domain database.
Query
Viewer
ArcSight
Security Monitor
in Reputation Data/
Internal
Assets Found
in Reputation
Data
This report shows the list of
internal IP addresses and internal
domain names found in
reputation data.
Report ArcSight
Security Monitor
in Reputation Data/
Library Resources
Malicious IP
Addresses

Internal
Assets for
Reputation
Monitoring
This active list stores the
addresses of all local assets that
need to be monitored for
existence in the reputation
database.
Security Monitor
in Reputation Data/
Internal
Domains
Found in
Reputation
Data
This active list stores the local
Entries in the list should be
investigated.
Security Monitor
in Reputation Data/
Internal
Domains for
Reputation
Monitoring
This active list contains the
domain names to be monitored
database. The domain names in
this list should be just the top
two or three levels, such as
hp.com or hp.co.uk.
Security Monitor
in Reputation Data/
Malicious
Domains
Internal IP
Addresses
Found in
Reputation
Data
This active list stores all local IP
addresses that appear in the
reputation IP database.
Security Monitor
in Reputation Data/
Internal
Network
Addresses for
Reputation
Monitoring
This active list stores all local
public network addresses (only
class A, B or C) to be monitored
database. If your network does
not use these classes (for
example, it uses CIDR instead),
you can use the smallest class
that fully represents your
network. For example, a network
address of 192.168.1.1/26 can
be represented by a class C
network of 192.168.1.0, so you
can put 192.168.0. in this list.
Note that for each network
address entry, a dot (.) character
is required.
Security Monitor
in Reputation Data/
All Internal IP
Addresses
Found
This query returns all local IPs
appeared in the reputation
domain database.
Query ArcSight
Security Monitoring
in Reputation Data/
Internal Asset
Reputation
Detector (List
Based) - Trend
Base
hosts that appear in the
reputation IP database. It runs
on top of the reputation IP
database and correlates with the
assets to be monitored, as
defined in an active list.
Query ArcSight
Security Monitoring
in Reputation Data/

Internal Infected Assets
Table D-6 Resources that Support the Internal Infected Assets Use Case
Internal
Domain
Reputation
Detector (List
Based) - Trend
Base
reputation domain database. It
runs on top of the reputation
domain database and correlates
with the specified domain names.
Query ArcSight
Security Monitoring
in Reputation Data/
All Internal
Domains
Found
This query returns all local
domains appeared in the
Query ArcSight
Security Monitoring
in Reputation Data/
Monitor Resources
All
Interactions
with Malicious
Entities
Detected
During the
Last 2 Hours
This active channel shows all the
occurrences of rules that fired to
detect internal infections in this
use case in the last two hours.
Active
Channel
ArcSight
Security Monitor
Assets/
All Events To
or From
Infected
Assets During
the Last 2
Hours
This active channel shows all
events to or from the infected
machines in the last two hours.
Active
Channel
ArcSight
Security Monitor
Assets/
Overview of
Internal
Infections
overview of internal infected
assets, including hosts that are
communicating with external
malicious entities, and the trend
of infections over time. You can
drilldown from the summary
query viewers to specific
interactions or base events.
Dashboard ArcSight
Security Monitor
Assets/
Infected Asset
Count per
Month
count of internal infected assets
per month over the last year.
Query
Viewer
ArcSight
Security Monitor
Assets/

Open Case
Status
Distribution
This query viewer shows all open
cases on internal infected assets,
grouped by case status.
Query
Viewer
ArcSight
Security Monitor
Assets/
Summary of
Contacted
Malicious
Entities
summary of malicious hosts
contacted by infected internal
hosts.
Query
Viewer
ArcSight
Security Monitor
Assets/
Summary of
Infected
Assets
summary of internal infected
machines detected through
communications with reputation
IP addresses or domain names.
Query
Viewer
ArcSight
Security Monitor
Assets/
Interactions
with Malicious
Entities During
the Last 24
Hours
This report shows all interactions
with certain malicious entities by
internal assets. These assets are
then considered infected. Note
that an internal asset might be
involved in multiple interactions,
depending on its
communications, but will be
reported under a single case.
Report ArcSight
Security Monitor
Assets/
Currently
Infected
Assets and
Recorded
Interactions
with Malicious
Entities
This report shows the internal
assets that are considered to be
infected through their
communications with external
malicious hosts.
Report ArcSight
Security Monitor
Assets/
Assets
Infected for
More Than A
Week
This report shows all infected
internal machines that have
remained in the infection list for
over one week. This might mean
that the related cases have not
yet been investigated or are still
being investigated. By default,
when a case on internal infection
asset is deleted or closed, the
related asset will be removed
from the infection list.
Report ArcSight
Security Monitor
Assets/
Overview of
Infected
Assets During
the Last 30
Days
This report shows an overview of
internal infections over the last
one month (up to and including
yesterday). Its content is based
on a daily trend which stores the
daily snapshot of the Infected
Internal Assets active list.
Report ArcSight
Security Monitor
Assets/

Infected
Internal
Assets:
Outbound
Communicatio
ns to Malicious
Domains
traffic either from internal assets
to reputation domain names with
high scores and critical exploit
types, or from public-facing
assets to any reputation domain
names.
Rule ArcSight
Security Monitor
Assets/
Infected
Internal
Assets:
Outbound
Communicatio
ns to Malicious
IPs
to reputation IP addresses with
assets to any reputation IP.
Rule ArcSight
Security Monitor
Assets/
Infected
Internal
Assets:
Outbound
Requests to
Malicious
Domains
URL requests either from internal
critical exploit types, or from
reputation domain names.
Rule ArcSight
Security Monitor
Assets/
Library Resources
Malicious IP
Addresses
Critical Exploit
Types
Security Monitor
Assets/
Malicious Host
Names
Involved in
Internal
Infections
host names involved in internal
infection incidents. It is used
internally to show all base
one day span.
Security Monitor
Assets/
Malicious
Domains
Infected
Internal
Assets
This list contains all internal
assets that were found to be
communicating with malicious
hosts (whose exploit types are
defined in the Critical Exploit
Types list). These assets are
considered to be infected and
thus should be investigated
carefully. By default, each asset
in this list will be reported under
a case opened. Once the case is
closed, the asset will be
automatically removed from this
list.
Security Monitor
Assets/

Category
Site Asset
Category
ArcSight
Security Monitor
solnGetTarget
DomainLevel4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Internal
Infected
Assets
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationIPLi
stEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetReques
tURLDomainLe
vel1
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
solnGetBaseRe
questURLDom
ainEntry
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel4List
Entry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetReques
tURLDomainEx
ploitType
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainLevel2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainEntry
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainExploit
Type
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationHos
tNameListEntr
y
Global
Variable
ArcSight
solnGetTarget
DomainLevel1
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLReputatio
nDomainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
Internal
Infected
Assets
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight

solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Standard null Field Set /All Field Sets/ArcSight
System/Event Field
Sets/Active Channels
Internal
Infections
This field set provides the fields
relevant to the correlation events
generated by the detection rules
in this use case.
Field Set ArcSight
Outbound
Communicatio
n to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Infected
Assets:
Outbound
Communicatio
n to Malicious
IPs
Filter ArcSight
Security Monitor
Assets/
Infected
Assets:
Outbound URL
Requests to
Malicious
Domains
reputation domain.
Filter ArcSight
Security Monitor
Assets/
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/

Critical Target
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Request to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Critical Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor
Assets/Support/
solution.
Filter ArcSight
Security Monitor
1.0/General/
Outbound
Events
public network.
Filter ArcSight
Security Monitor
1.0/General/
Target Host
Name Present
Filter ArcSight
Security Monitor
1.0/General/
Critical
Request
Domain
Exploit Types
types.
Filter ArcSight
Security Monitor
Assets/Support/
Infected
Assets:
Outbound
Communicatio
n to Malicious
Domains
assets to any reputation domain.
Filter ArcSight
Security Monitor
Assets/
Outbound
Communicatio
n to
Reputation IP
Addresses
Filter ArcSight
Security Monitor
Communications/

Public-Facing
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Internal
Infected Asset
Count per
Month
internal infected assets per
month over the last 1 year
period.
Query ArcSight
Security Monitoring
Assets/
Summary of
Contacted
Malicious
Hosts
of malicious hosts contacted by
infected internal hosts.
Query ArcSight
Security Monitoring
Assets/
Summary of
Currently
Infected
Assets
of internal infected machines
detected through
IPs or domains.
Query ArcSight
Security Monitoring
Assets/
Internal
Infected Asset
Count per
Week
over the last month.
Query ArcSight
Security Monitoring
Assets/
Assets
Infected for
More Than A
Week
This query returns all infected
internal assets that have
remained in the infected list over
one week. This usually means the
related cases have not been or
are still being investigated.
Query ArcSight
Security Monitoring
Assets/
Infected Asset
List Snapshot
- Trend Base
This query returns a snapshot of
internal infected assets. It is used
by a daily trend for long term
data analysis.
Query ArcSight
Security Monitoring
Assets/
All
Interactions
with Malicious
Entities
Detected
During the
Last 24 Hours
This query returns all incidents of
internal infections based on the
detection rule firings in the last
24 hours.
Query ArcSight
Security Monitoring
Assets/
Infection
Types over
Last Month
over the last month.
Query ArcSight
Security Monitoring
Assets/
Status
Distribution of
Open Cases on
Internal
Infected
Assets
This query returns all open cases
on internal infected assets,
Query ArcSight
Security Monitoring
Assets/

RepSM Overview
The following table lists resources explicitly assigned to this use case and any dependant
resources.
Table D-7 Resources that Support the RepSM Overview Use Case
Currently
Infected
Assets and
Recorded
Interactions
with Malicious
Entities
infected assets detected through
IPs or domains.
Query ArcSight
Security Monitoring
Assets/
Daily Internal
Infected Asset
Snapshots
This trend stores snapshots of
the internal infected asset list on
a daily basis.
Trend ArcSight
Security Monitor
Assets/
Monitor Resources
RepSM
Overview
overview of traffic from
reputation hosts in the last 24
hours (not real time).
Dashboard ArcSight
Security Monitor
1.0/Overview/
Geographical
View of
Malicious
Communicatio
ns
overview of traffic to reputation
hosts.
Dashboard ArcSight
Security Monitor
1.0/Overview/
Access to
Dangerous
Destinations
by Exploit
Types
This query viewer shows the total
count of access to dangerous
destinations (domain, host name
or IP address) during the last
seven days. It is based on a trend
so it might not show most recent
data.
Query
Viewer
ArcSight
Security Monitor
1.0/Overview/
Trend of
Access from
Dangerous
Sources
number of dangerous access
events during the last seven
Query
Viewer
ArcSight
Security Monitor
Sources/
Access to
Dangerous
Destinations:
Outbound
Requests to
Malicious
Domains
exploit types.
Rule ArcSight
Security Monitor
Destinations/

Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain - First
Occurrence
Rule ArcSight
Day Attacks/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Destinations/
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
target.
Rule ArcSight
Security Monitor
Sources/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
IPs
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address - First
Occurrence
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
attacks.
Rule ArcSight
Day Attacks/

Dangerous
Browsing:
Outbound
Requests to
Malicious
Domains
Rule ArcSight
Security Monitor
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Security Monitor
Sources/
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
IPs
Rule ArcSight
Security Monitor
Library Resources
Zero Day
Attack Exploit
Types
Day Attacks/
Malicious IP
Addresses
Zero Day
Attacks and
Access from
Dangerous
Sources
active list.
Security Monitor
Sources/
Critical Exploit
Types
Security Monitor
Assets/
Dangerous
Browsing
Exploit Types
Security Monitor
Destinations/

Malicious
Domains
Malicious Host
Names in
Dangerous
Sources
Access and
Zero Day
Attacks
7 days.
Security Monitor
Sources/
Malicious Host
Names in
Dangerous
Destination
Interactions
and
Dangerous
Browsing
Security Monitor
Destinations/
Interactions
with
Dangerous
Destinations
and
Dangerous
Sites
Security Monitor
Destinations/
Category
Site Asset
Category
ArcSight
Security Monitor
Internal Non
Public-Facing
Category
ArcSight
Security Monitor
Recent
Dangerous
Browsing
Destinations
20 dangerous browsing
destinations from non
Data
Monitor
ArcSight
Security Monitor
1.0/Overview/
Internal
Infected
Assets
20 internal infections. Select an
entry and then right click to
drilldown into the Overview of
Internal Infections dashboard.
Data
Monitor
ArcSight
Security Monitor
1.0/Overview/

Zero Day
Attacks
20 zero day attacks. Right click to
drilldown into the Overview of
Zero Day Attacks dashboard.
Data
Monitor
ArcSight
Security Monitor
1.0/Overview/
Access to
Malicious
Entities
This data monitor shows a
geographical view of all
(successful or failed) access to
malicious hosts or IP addresses.
Data
Monitor
ArcSight
Security Monitor
1.0/Overview/
Attacks from
Malicious
Entities
This data monitor shows a
geographical view of all
(successful or failed) inbound
communications from malicious
hosts or IP addresses.
Data
Monitor
ArcSight
Security Monitor
1.0/Overview/
solnGetTarget
DomainLevel4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationIPLi
stEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetReques
tURLDomainLe
vel1
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetBaseRe
questURLDom
ainEntry
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainEx
ploitType
Global
Variable
ArcSight
Final Variables/

solnGetLowerA
ttackerHostNa
me
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Zero Day
Attacks
Reputation IP
Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel1
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLReputatio
nDomainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel2Li
stEntry
domain level 2.
Global
Variable
ArcSight
Destination
Address
Reputation
Score
data.
Global
Variable
ArcSight
Data/
Request URL
Domain
Reputation
Exploit Type
domain data.
Global
Variable
ArcSight
Data/
Dangerous
Browsing
Reputation IP
Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight

solnGetAttack
erReputationD
omainLevel3Li
stEntry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationIP
ListEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel1Li
stEntry
domain level 1.
Global
Variable
ArcSight
Access to
Dangerous
Destinations
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erDomainExpl
oitType
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Request URL
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
Destination
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetTarget
ReputationDo
mainLevel4List
Entry
domain level 4.
Global
Variable
ArcSight
Zero Day
Attacks
Reputation
Domain Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight
Access to
Dangerous
Destinations
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
DomainLevel2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainEntry
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainExploit
Type
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Access from
Dangerous
Sources
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Destination
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGetTarget
ReputationHos
tNameListEntr
y
Global
Variable
ArcSight
solnGetAttack
erDomainLevel
2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

Source
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
Source
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetAttack
erDomainLevel
1
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Dangerous
Browsing
Reputation
Domain Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationH
ostNameListEn
try
Global
Variable
ArcSight
Source
Address
Reputation
Score
Global
Variable
ArcSight
Data/
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight
Access from
Dangerous
Sources
Reputation IP
Score
Threshold
case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainLevel4Li
stEntry
domain level 4.
Global
Variable
ArcSight
Destination
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight

Source
Reputation
Domain
data.
Global
Variable
ArcSight
Data/
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
Events with
Target
Reputation
Information
target reputation domain or IP
address information.
Field Set ArcSight
Events with
Source
Reputation
Information
source reputation domain or IP
address information.
Field Set ArcSight
Outbound
Communicatio
n to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Non
Public-Facing
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Request to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Reputation
Outbound
Communicatio
n
This filter identifies all
communications to a malicious
host or IP address.
Filter ArcSight
Security Monitor
1.0/Overview/
Internal
Infected Asset
Case Creation
or Removal
generated when the active list
storing internal infection records
is modified.
Filter ArcSight
Security Monitor
1.0/Overview/
Outbound
Events
public network.
Filter ArcSight
Security Monitor
1.0/General/

Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
IPs
Filter ArcSight
Security Monitor
Destinations/
Zero Day
Attack
Reputation IP
Exploit Types
Filter ArcSight
Critical
Request
Domain
Exploit Types
types.
Filter ArcSight
Security Monitor
Assets/Support/
Inbound
Communicatio
n from
Malicious
Domains
Filter ArcSight
Security Monitor
Communications/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound URL
Requests to
Malicious
Domains
score.
Filter ArcSight
Security Monitor
Destinations/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
Domains
scores.
Filter ArcSight
Security Monitor
Destinations/
Public-Facing
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Browsing
Request
Domain
Exploit Types
Filter ArcSight
Security Monitor
Zero Day
Attack List
Manipulation
generated when the active list
storing zero day attack records is
modified.
Filter ArcSight
Security Monitor
1.0/Overview/

Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Critical Target
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Critical Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor
Assets/Support/
solution.
Filter ArcSight
Security Monitor
1.0/General/
Target Host
Name Present
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Communicatio
n from
Malicious IP
Addresses
time correlation.
Filter ArcSight
Security Monitor
Communications/
Dangerous
Browsing
This filter identifies all dangerous
Filter ArcSight
Security Monitor
Inbound
Events
Filter ArcSight
Security Monitor
1.0/General/
Dangerous
Browsing
Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor

Outbound
Communicatio
n to
Reputation IP
Addresses
Filter ArcSight
Security Monitor
Communications/
Zero Day
Attack
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Reputation
Inbound
Communicatio
n
from a malicious host or IP
address.
Filter ArcSight
Security Monitor
1.0/Overview/
Dangerous
Browsing
Target
Reputation
Domain
Exploit Types
Filter ArcSight
Security Monitor
Daily Count of
Access from
Dangerous
Sources
During the
Last 7 Days
of access from dangerous sources
most recent data.
Query ArcSight
Security Monitoring
Sources/
Access to
Dangerous
Destinations
by Types
During the
Last 7 Days
This query returns the total count
of access to dangerous
destinations (domain, host name
or IP address) during the last 7
Query ArcSight
Security Monitoring
1.0/Overview/
Zero Day
Attacks and
Access from
Dangerous
Sources -
Trend Base
Query ArcSight
Security Monitoring
Dangerous
Browsing and
Interactions
with
Dangerous
Destinations -
Trend Base
hours.
Query ArcSight
Security Monitoring
Destinations/
Zero Day
Attacks and
Access from
Dangerous
Sources
sources.
Trend ArcSight
Security Monitor
Sources/

RepSM Package Health Status
Table D-8 Resources that Support the RepSM Package Health Status Use Case
Dangerous
Browsing and
Interactions to
Dangerous
Destinations
Trend ArcSight
Security Monitor
Destinations/
Monitor Resources
Inbound
Events
inbound.
Active
Channel
ArcSight
Outbound
Events
outbound.
Active
Channel
ArcSight
RepSM Rules
Health
overview of rules in the RepSM
package, including their status
and logs.
Dashboard ArcSight
RepSM Trend
Health
This dashboard displays the Last
10 Trend Query Failures, Last 10
Trend Queries Returning No
Results, and Trend Query
Duration data monitors.
Dashboard ArcSight
Events
Analyzed by
RepSM Use
Cases
overview of the traffic monitored
for reputation data.
Dashboard ArcSight
RepSM
Resource
Health
overview of the rule and trend
functionality, as well as important
connector events. For the RepSM
solution to function properly it is
important that all trends and
rules are enabled and that the
Model Import Connector regularly
updates the malicious entries
lists. You can drill down from this
dashboard to more specific rule
and trend dashboards.
Dashboard ArcSight

Access to
Dangerous
Destinations:
Outbound
Requests to
Malicious
Domains
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain - First
Occurrence
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Day Attacks/
Dangerous
Browsing:
Outbound
Requests to
Malicious
Domains
Rule ArcSight
Security Monitor
Internal
Domain Found
in Reputation
Data
This rule detects when an internal
domain appears in the reputation
domain database.
Rule ArcSight
Security Monitor
in Reputation Data/
Infected
Internal
Assets:
Outbound
Requests to
Malicious
Domains
reputation domain names.
Rule ArcSight
Security Monitor
Assets/
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Internal IP
Address Found
in Reputation
Data
This rule detects when an internal
address appears in the reputation
IP database.
Rule ArcSight
Security Monitor
in Reputation Data/

Infected
Internal
Assets:
Outbound
Communicatio
ns to Malicious
Domains
assets to any reputation domain
names.
Rule ArcSight
Security Monitor
Assets/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
Domains
Rule ArcSight
Security Monitor
Destinations/
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
target.
Rule ArcSight
Security Monitor
Sources/
Access to
Dangerous
Destinations:
Outbound
Communicatio
ns to Malicious
IPs
exploit types.
Rule ArcSight
Security Monitor
Destinations/
Infected
Internal
Assets:
Outbound
Communicatio
ns to Malicious
IPs
Rule ArcSight
Security Monitor
Assets/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address - First
Occurrence
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
attacks.
Rule ArcSight
Day Attacks/

Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Security Monitor
Sources/
Dangerous
Browsing:
Outbound
Communicatio
ns to Malicious
IPs
Rule ArcSight
Security Monitor
Library Resources
Malicious IP
Addresses
Zero Day
Attack Exploit
Types
Day Attacks/
Critical Exploit
Types
Security Monitor
Assets/
Zero Day
Attacks and
Access from
Dangerous
Sources
active list.
Security Monitor
Sources/
Dangerous
Browsing
Exploit Types
Security Monitor
Destinations/

Infected
Internal
Assets
This list contains all internal
assets that were found to be
communicating with malicious
hosts (whose exploit types are
defined in the Critical Exploit
Types list). These assets are
considered to be infected and
thus should be investigated
carefully. By default, each asset
in this list will be reported under
a case opened. Once the case is
closed, the asset will be
automatically removed from this
list.
Security Monitor
Assets/
Malicious Host
Names
Involved in
Internal
Infections
host names involved in internal
infection incidents. It is used
internally to show all base
one day span.
Security Monitor
Assets/
Malicious
Domains
Malicious Host
Names in
Dangerous
Destination
Interactions
and
Dangerous
Browsing
Security Monitor
Destinations/
Interactions
with
Dangerous
Destinations
and
Dangerous
Sites
Security Monitor
Destinations/
Malicious Host
Names in
Dangerous
Sources
Access and
Zero Day
Attacks
7 days.
Security Monitor
Sources/
Category
Site Asset

Category
ArcSight
Security Monitor
Internal Non
Public-Facing
Category
ArcSight
Security Monitor
Top Firing
Rules
This data monitor shows the
reputation-traffic monitoring rule
with most firings.
Data
Monitor
ArcSight
Package Health Status/Rule
Health/
RepSM Trend
Query Runs
Status
This Last State data monitor
shows the status of the last
RepSM trend queries. When a
trend query starts, the trend
state will be set to Running. If
the trend query is successful the
trend state will be changed to
Successful. If an error occurs and
the trend query fails, the trend
state will be set to Failed.
Data
Monitor
ArcSight
Package Health
Status/Trend Health/
Events
Analyzed by
Zero Day
Attack
count of all inbound
communications in the last hour
from all assets categorized as
internal and non public-facing in
the last hour. These are events
monitored by the Zero Day
Attacks use case.
Data
Monitor
ArcSight
Package Health
Status/Event Statistics/
RepSM Trend
Query
Duration
This Last N Events Data Monitor
shows the duration of the last 20
successful Trend queries. This
Data Monitor is used in the
Trends Status Dashboard.
Data
Monitor
ArcSight
Package Health
Events
Analyzed by
Internal
Infected
Assets
count of all URL requests and
outbound communications
monitored by the Internal
Data
Monitor
ArcSight
Package Health
Messages from
Model Import
Connector for
RepSM
This data monitor shows
important messages from the
model import connector for
RepSM. These messages ensure
the connector is working properly
or help troubleshoot any issues.
Data
Monitor
ArcSight
Package Health
Events
Analyzed by
Access from
Dangerous
Sources
count of all inbound
communications in the last hour
from all assets. These are events
monitored by the Access from
Data
Monitor
ArcSight
Package Health

RepSM Rule
States
This Last State data monitor
shows the states (enabled,
disabled or deleted) of the RepSM
rules.
Data
Monitor
ArcSight
Health/
Last 10 RepSM
Trend Query
Failures
This Last N Events data monitor
shows the last 10 trend query
failures.
Data
Monitor
ArcSight
Package Health
Events
Analyzed by
Access to
Dangerous
Destinations
and
Dangerous
Browsing
count of all URL requests and
outbound communications in the
last hour from assets not
categorized as Public-Facing.
Data
Monitor
ArcSight
Package Health
Last 10 RepSM
Trend Queries
Returning No
Results
This Last N Events data monitor
shows the last 10 trend queries
returning no results.
Data
Monitor
ArcSight
Package Health
Recently
Triggered
Rules
This data monitor shows the ten
recent RepSM rules that fired.
Data
Monitor
ArcSight
Health/
RepSM Rule
Error Logs
internal audit events related to
RepSM rules. These events are
generated when the rules are
enabled/disabled or removed.
Data
Monitor
ArcSight
Health/
solnGetTarget
DomainLevel4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationIPLi
stEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetReques
tURLDomainLe
vel1
URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Internal
Infected
Assets
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/

solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetBaseRe
questURLDom
ainEntry
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetLowerA
ttackerHostNa
me
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainEx
ploitType
Global
Variable
ArcSight
Final Variables/
Zero Day
Attacks
Reputation IP
Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel1
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLReputatio
nDomainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel2Li
stEntry
domain level 2.
Global
Variable
ArcSight

Dangerous
Browsing
Reputation IP
Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationD
omainLevel3Li
stEntry
domain level 3.
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel3List
Entry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel3
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erReputationIP
ListEntry
database.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erReputationD
omainLevel1Li
stEntry
domain level 1.
Global
Variable
ArcSight
solnGetAttack
erDomainExpl
oitType
Global
Variable
ArcSight
Final Variables/
Access to
Dangerous
Destinations
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erDomainLevel
3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel3ListEntry
domain level 3.
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel4List
Entry
domain level 4.
Global
Variable
ArcSight

Zero Day
Attacks
Reputation
Domain Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomainLe
vel1ListEntry
domain level 1.
Global
Variable
ArcSight
Access to
Dangerous
Destinations
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
DomainLevel2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
DomainLevel3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationDo
mainEntry
Global
Variable
ArcSight
Final Variables/
solnGetTarget
DomainExploit
Type
correlation.
Global
Variable
ArcSight
Final Variables/
Access from
Dangerous
Sources
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetLowerT
argetHostNam
e
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetTarget
ReputationHos
tNameListEntr
y
Global
Variable
ArcSight
solnGetAttack
erDomainLevel
2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetAttack
erDomainLevel
1
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetAttack
erReputationH
ostNameListEn
try
Global
Variable
ArcSight
Dangerous
Browsing
Reputation
Domain Score
Threshold
Browsing use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetTarget
ReputationDo
mainLevel2List
Entry
domain level 2.
Global
Variable
ArcSight
Access from
Dangerous
Sources
Reputation IP
Score
Threshold
case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Internal
Infected
Assets
Reputation IP
Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainLevel4Li
stEntry
domain level 4.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel2ListEntry
domain level 2.
Global
Variable
ArcSight
solnGetTarget
ReputationDo
mainLevel1List
Entry
domain level 1.
Global
Variable
ArcSight
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Outbound
Communicatio
n to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
Non
Public-Facing
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/

Events
Monitored by
Zero Day
Attack Use
Case
monitored by Zero Day Attacks
use case. These are events
reflecting inbound
public-facing.
Filter ArcSight
Dangerous
Browsing
Activities -
Rule Firings
Filter ArcSight
Security Monitor
Infected
Assets:
Outbound
Communicatio
n to Malicious
IPs
Filter ArcSight
Security Monitor
Assets/
Infected
Assets:
Outbound URL
Requests to
Malicious
Domains
reputation domain.
Filter ArcSight
Security Monitor
Assets/
Events
Monitored by
Access from
Dangerous
Sources Use
Case
monitored by Access from
These are events reflecting
inbound communications to all
assets.
Filter ArcSight
Request to
Reputation
Domains
Filter ArcSight
Security Monitor
Communications/
RepSM Trend
Query Failure
This Filter is looking for failed
RepSM trend query runs events.
Filter ArcSight
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
IPs
Filter ArcSight
Security Monitor
Destinations/
Outbound
Events
public network.
Filter ArcSight
Security Monitor
1.0/General/

Zero Day
Attack
Reputation IP
Exploit Types
Filter ArcSight
Critical
Request
Domain
Exploit Types
types.
Filter ArcSight
Security Monitor
Assets/Support/
Inbound
Communicatio
n from
Malicious
Domains
Filter ArcSight
Security Monitor
Communications/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound URL
Requests to
Malicious
Domains
score.
Filter ArcSight
Security Monitor
Destinations/
Dangerous
Destinations
and
Dangerous
Browsing:
Outbound
Communicatio
n to Malicious
Domains
scores.
Filter ArcSight
Security Monitor
Destinations/
Public-Facing
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Access from
Dangerous
Sources - Rule
Firings
detect access from dangerous
sources.
Filter ArcSight
Security Monitor
Sources/
Dangerous
Browsing
Request
Domain
Exploit Types
Filter ArcSight
Security Monitor
Events
Monitored by
Internal
Infected
Assets Use
Case
monitored by Internal Infected
Assets use case. These are
events containing request URLs,
or reflecting outbound
communications.
Filter ArcSight

Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
RepSM Rule
Firing Events
This filter identifies all RepSM
rule firings.
Filter ArcSight
Critical Target
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Security Monitor
Assets/Support/
Events
Monitored by
Access to
Dangerous
Destinations
and
Dangerous
Browsing Use
Cases
monitored by Access to
Dangerous Destinations and
Dangerous Browsing use cases.
These are events containing
request URLs, or reflecting
outbound communications from
assets not categorized as
Public-Facing.
Filter ArcSight
Critical Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor
Assets/Support/
RepSM Trend
Query
Duration
This Filter is looking for
successful RepSM trend query
runs events.
Filter ArcSight
Interactions
with
Dangerous
Destinations -
Rule Firings
Filter ArcSight
Security Monitor
Destinations/
solution.
Filter ArcSight
Security Monitor
1.0/General/

RepSM Trend
Query
Returning No
Results
This Filter is looking for
successful RepSM trend query
runs events where the number of
rows inserted in the trend is 0.
Filter ArcSight
Target Host
Name Present
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Communicatio
n from
Malicious IP
Addresses
time correlation.
Filter ArcSight
Security Monitor
Communications/
Inbound
Events
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attacks - Rule
Firings
detect zero day attacks.
Filter ArcSight
Day Attacks/
RepSM Rules
Engine Events
This filter identifies all internal
audit events related to RepSM
rules.
Filter ArcSight
Dangerous
Browsing
Target
Reputation IP
Exploit Types
Filter ArcSight
Security Monitor
Infected
Assets:
Outbound
Communicatio
n to Malicious
Domains
assets to any reputation domain.
Filter ArcSight
Security Monitor
Assets/
RepSM Trend
Runs Status
This Filter is looking for trend
query runs events.
Filter ArcSight
Outbound
Communicatio
n to
Reputation IP
Addresses
Filter ArcSight
Security Monitor
Communications/
Zero Day
Attack
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight

Reputation Data Analysis
Table D-9 Resources that Support the Reputation Data Analysis Use Case
Events from
Model Import
Connector for
RepSM
This filter identifies important
events generated by the RepSM
Model Import Connector.
Filter ArcSight
Dangerous
Browsing
Target
Reputation
Domain
Exploit Types
Filter ArcSight
Security Monitor
Monitor Resources
Reputation
Domain
Database
Overview
overview of the reputation
domain database (stored in an
active list) in the system.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Database
Overview
overview of the reputation IP
database (stored in an active list)
in the system.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Data Overview
This dashboard provides a single
view of the information in the
malicious IP addresses and
domain lists. You can double click
the Number of Entries line in the
middle component to drill down
to a more detailed view of the
specific list.
Dashboard ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain
Exploit Type
Distribution
reputation domain count per
exploit type.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Exploit Type
Distribution
reputation address count per
exploit type.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/

Reputation IP
Entries
1,000,000 IP entries in the
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Entry Count
current number of reputation
addresses.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain Type
Distribution
distribution of entries in the
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain Score
Histogram
histogram of the reputation
domain score.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain
Entries
1,000,000 domain entries in the
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Score
Histogram
histogram of the reputation IP
score.
Query
Viewer
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Year -
Exploit Type
Specific
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Week -
Exploit Type
Specific
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Year
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Database
Changes
During the
Last 1 Week
Report ArcSight
Security Monitor
1.0/Reputation Data
Analysis/

Library Resources
Malicious IP
Addresses
Malicious
Domains
Reputation IP
List Update
Count - 8
Hours
count of all updates, additions or
deletions to the reputation IP
address active list within the last
8 hours.
Data
Monitor
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation
Domain List
Update Count
- 8 Hours
count of all updates, additions or
deletions to the reputation
domain active list within the last
8 hours.
Data
Monitor
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Last Update to
Reputation IP
List
time an entry was added,
modified or removed from the
Malicious IP Addresses active list.
It can be used to ensure that the
Model Import Connector is
operating properly and
periodically updates the list.
Data
Monitor
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Last Update to
Reputation
Domain List
time an entry was added,
modified or removed from the
Malicious Domains active list. It
can be used to ensure that the
Model Import Connector is
operating properly and
periodically updates the list.
Data
Monitor
ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Reputation IP
Changes
This filter identifies events when
a change is made to the
reputation IP address active list.
Filter ArcSight
Security Monitor
1.0/Reputation Database
Analysis/
Reputation
Domain
Changes
This filter identifies events when
a change is made to the
Filter ArcSight
Security Monitor
Analysis/
Reputation IP
Changes -
Trend Base
reputation addresses, grouped by
the exploit type.
Query ArcSight
Security Monitoring
Analysis/

Reputation
Domain
Changes
During the
Last 1 Week -
Exploit Type
Specific
This query returns the count of a
specific reputation domain exploit
type during the last one week
period.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Count by Type
During the
Last 1 Week
reputation IP exploit types during
the last one week.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain
Changes
During the
Last 1 Week
reputation domain entries during
the last one week.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
by Exploit
Type
reputation addresses per exploit
type.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain by
Exploit Type
This query returns the reputation
domain count per exploit type.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain Entry
Count by Type
This query returns the current
count of reputation domains and
host names.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Changes
During the
Last 1 Week
reputation addresses during the
last one week.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Score
Histogram
This query builds the histogram
of the reputation IP score.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain Score
Histogram
This query builds the histogram
of the reputation domain score.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Count by Type
During the
Last 1 Year
average count of reputation IP
exploit types over the last one
year.
Query ArcSight
Security Monitoring
Analysis/

Reputation
Domain
Changes
During the
Last 1 Year
average count of reputation
domain entries during the last
one year.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain
Changes by
Type During
the Last 1
Week
reputation domain exploit types
during the last one week period.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Count During
the Last 1
Week - Exploit
Type Specific
the last one week.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Entries
1000000 IP entries in the
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Count During
the Last 1 Year
- Exploit Type
Specific
the last one year.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain Count
- Trend Base
reputation domains, grouped by
the exploit type and domain type.
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain
Entries
1000000 domain entries in the
Query ArcSight
Security Monitoring
Analysis/
Reputation
Domain
Changes
During the
Last 1 Year -
Exploit Type
Specific
This query returns the count of a
specific reputation domain exploit
type during the last one year
period.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
Entry Count
This query returns the current
number of reputation addresses.
Query ArcSight
Security Monitoring
Analysis/
Reputation IP
changes
This trend stores the daily count
of reputation IP entries, grouped
by the exploit type.
Trend ArcSight
Security Monitor
1.0/Reputation Data
Analysis/

Zero Day Attacks
Table D-10 Resources that Support the Zero Day Attacks Use Case
Reputation
Domain
Changes
This trend stores the daily count
of reputation domain names,
grouped by the exploit type.
Trend ArcSight
Security Monitor
1.0/Reputation Data
Analysis/
Monitor Resources
Overview of
Zero Day
Attacks
overview of all zero day attacks.
You can drilldown to more
sources and targets and the base
events.
Dashboard ArcSight
Day Attacks/
Zero Day
Attackers
sources of zero day attacks,
ordered by the highest score, the
type of the attacker, the number
of internal assets it attacked, and
the last communication time
Query
Viewer
ArcSight
Day Attacks/
Internal
Assets
Targeted by
Zero Day
Attacks
targeted by zero day attacks,
including the number of attacking
sources, the highest reputation
score of these attackers, the total
number of events detected and
the time of the latest attack.
Query
Viewer
ArcSight
Day Attacks/
Zero Day
Attack Cases
This query viewer shows all open
cases on zero day attacks,
Query
Viewer
ArcSight
Day Attacks/
Trend of Zero
Day Attacks
count of zero day attacks during
the last seven days. It is based
most recent data.
Query
Viewer
ArcSight
Day Attacks/
Zero Day
Attacks - One
Year Trend
assets during the last year. Do
not change the default value for
the custom parameter
AttackType.
Report ArcSight
Day Attacks/

Zero Day
Attacks During
the Last 7
Days
about zero day attacks on
internal assets during the last
seven days. Do not change the
default value for the custom
parameter AttackType.
Report ArcSight
Day Attacks/
Zero Day
Attacks - 30
Day Trend
about zero day attacks by
malicious entities on internal
assets during the last 30 days.
Do not change the default value
for the custom parameter
AttackType.
Report ArcSight
Day Attacks/
Zero Day
Attacks During
the Last 24
Hours
Report ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain - First
Occurrence
Rule ArcSight
Day Attacks/
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
target.
Rule ArcSight
Security Monitor
Sources/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address - First
Occurrence
Rule ArcSight
Day Attacks/
Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Day Attacks/

Zero Day
Attacks:
Successful
Inbound
Communicatio
ns from
Malicious
Domain
attacks.
Rule ArcSight
Day Attacks/
Access from
Dangerous
Sources:
Successful
Inbound
Communicatio
ns from
Malicious
Address
Rule ArcSight
Security Monitor
Sources/
Library Resources
Malicious IP
Addresses
Zero Day
Attack Exploit
Types
Day Attacks/
Zero Day
Attacks and
Access from
Dangerous
Sources
active list.
Security Monitor
Sources/
Malicious
Domains
Malicious Host
Names in
Dangerous
Sources
Access and
Zero Day
Attacks
7 days.
Security Monitor
Sources/
Category
Site Asset
Internal Non
Public-Facing
Category
ArcSight
Security Monitor
Most Recent
Zero Day
Attacks
20 zero day attacks to non
Data
Monitor
ArcSight
Day Attacks/

solnGetAttack
erReputationD
omainLevel1Li
stEntry
domain level 1.
Global
Variable
ArcSight
solnGetAttack
erDomainExpl
oitType
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
3
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Score
data.
Global
Variable
ArcSight
Data/
solnGenericHi
ghScoreThresh
old
reputation scores.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetReques
tURLDomainLe
vel4ListEntry
domain level 4.
Global
Variable
ArcSight
Zero Day
Attacks
Reputation
Domain Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetLowerA
ttackerHostNa
me
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Zero Day
Attacks
Reputation IP
Score
Threshold
Attacks use case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
Access from
Dangerous
Sources
Reputation
Domain Score
Threshold
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainEntry
correlation.
Global
Variable
ArcSight
Final Variables/
solnGetAttack
erDomainLevel
4
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetAttack
erDomainLevel
2
the dotted format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Address
Reputation
Exploit Type
reputation IP data.
Global
Variable
ArcSight
Data/
solnGetAttack
erDomainLevel
1
format.
Global
Variable
ArcSight
Security Monitor
1.0/Support/
Source
Domain
Reputation
Exploit Type
Global
Variable
ArcSight
Data/
solnGetAttack
erReputationH
ostNameListEn
try
Global
Variable
ArcSight
Source
Address
Reputation
Score
Global
Variable
ArcSight
Data/
Access from
Dangerous
Sources
Reputation IP
Score
Threshold
case.
Global
Variable
ArcSight
Security Monitor
1.0/Configuration/
solnGetAttack
erReputationD
omainLevel2Li
stEntry
domain level 2.
Global
Variable
ArcSight
solnGetAttack
erReputationD
omainLevel4Li
stEntry
domain level 4.
Global
Variable
ArcSight
solnGetAttack
erReputationD
omainLevel3Li
stEntry
domain level 3.
Global
Variable
ArcSight
solnGetReques
tURLDomain
Global
Variable
ArcSight
Security Monitor
1.0/Support/
solnGetReques
tURLDomainLe
vel4
requested URL.
Global
Variable
ArcSight
Security Monitor
1.0/Support/

solnGetAttack
erReputationIP
ListEntry
database.
Global
Variable
ArcSight
Final Variables/
solution.
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attack
Reputation IP
Exploit Types
Filter ArcSight
Inbound
Communicatio
n from
Malicious IP
Addresses
time correlation.
Filter ArcSight
Security Monitor
Communications/
Non
Public-Facing
Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Communicatio
n from
Malicious
Domains
Filter ArcSight
Security Monitor
Communications/
Internal
Attackers
Filter ArcSight
Security Monitor
1.0/General/
Inbound
Events
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attacks
This filter identifies all potential
zero day attacks. By default, any
successful inbound
communication from a malicious
domain or host name, or IP
address with a zero-day attack
exploit type is flagged as such.
Filter ArcSight
Day Attacks/
Zero Day
Attacks - Rule
Firings
detect zero day attacks.
Filter ArcSight
Day Attacks/

Internal
Targets
Filter ArcSight
Security Monitor
1.0/General/
Zero Day
Attack
Reputation
Domain
Exploit Types
exploit types.
Filter ArcSight
Zero Day
Attacks per
Reputation
Type During
the Last 30
Days
most recent data.
Query ArcSight
Security Monitoring
Top 10 Zero
Day Attackers
During the
Last 7 Days
This query returns the top zero
day attackers (based on event
count) during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Top 10 Zero
Day Attackers
Attacked Most
Internal Hosts
During the
Last 7 Days
This query returns the zero day
attackers that attacked the
highest number of internal hosts
during the last 7 days. This query
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks During
the Last One
Year
zero day attacks per month
within the last 1 year. This query
Query ArcSight
Security Monitoring
Status
Distribution of
Open Case on
Zero Day
Attacks
This query returns all open cases
on zero day attacks, grouped by
case status.
Query ArcSight
Security Monitoring
Zero Day
Attacks per
Reputation
Type During
the Last 7
Days
most recent data.
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks per
Type During
the Last One
Year
most recent data.
Query ArcSight
Security Monitoring

Top Assets
Most Attacked
During the
Last 7 Days
assets received most zero day
attacks during the last 7 days.
recent data.
Query ArcSight
Security Monitoring
Weekly Count
of Zero Day
Attacks per
Type During
the Last 30
Days
most recent data.
Query ArcSight
Security Monitoring
Summary of
Internal
Assets
Targeted by
Zero Day
Attacks
of internal assets targeted by
zero day attacks, including the
number of attacking sources, the
highest reputation score of these
attackers, the total number of
events detected and the time of
the latest attack.
Query ArcSight
Security Monitoring
Summary of
Zero Day
Attackers
This query returns the sources of
zero day attacks, ordered by the
highest score, the type of the
attacker, the number of internal
assets it attacked, and the last
communication time
Query ArcSight
Security Monitoring
Zero Day
Attacks per
Reputation
Type During
the Last 24
Hours
hours.
Query ArcSight
Security Monitoring
Zero Day
Attacks in the
Last 24 Hours
This query returns all zero day
attacks in the last 24 hours.
Query ArcSight
Security Monitoring
Weekly Count
of Zero Day
Attacks During
the Last 30
Days
zero day attacks per week within
Query ArcSight
Security Monitoring
Monthly Count
of Zero Day
Attacks per
Target Zone
During the
Last One Year
source zone within the last 1
most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks and
Access from
Dangerous
Sources -
Trend Base
Query ArcSight
Security Monitoring

Top Attacked
Assets During
the Last 24
Hours
assets being attacked the most
Query ArcSight
Security Monitoring
Zero Day
Attack Details
During the
Last 7 Days
This query returns the details of
zero day attacks within the last 7
most recent data.
Query ArcSight
Security Monitoring
Daily Count of
Zero Day
Attacks During
the Last 7
Days
of zero day attacks during the
last 7 days. It is based on a trend
so it might not show most recent
data.
Query ArcSight
Security Monitoring
Weekly Count
of Zero Day
Attacks per
Target Zone
During the
Last 30 Days
target zone within the last 30
most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks per
Reputation
Type During
the Last One
Year
most recent data.
Query ArcSight
Security Monitoring
Zero Day
Attacks and
Access from
Dangerous
Sources
sources.
Trend ArcSight
Security Monitor
Sources/

A
Access from Dangerous Sources - 30 Day Trend report
54, 78
Access from Dangerous Sources - One Year Trend report
54, 78
Access from Dangerous Sources - Rule Firings filter 83,
148
Access from Dangerous Sources During the Last 24
Hours report 54, 78
Access from Dangerous Sources During the Last 7 Days
report 54, 78
Access from Dangerous Sources filter 83
Access from Dangerous Sources in the Last 24 Hours
query 85
Access from Dangerous Sources per Reputation Type
During the Last 24 Hours query 85
Access from Dangerous Sources Reputation Domain
Score Threshold global variable 54, 81, 130, 145,
159
Access from Dangerous Sources Reputation IP Score
Threshold global variable 55, 82, 131, 146, 160
Access from Dangerous Sources use case 41
Access from Dangerous Sources: Successful Inbound
Communications from Malicious Address rule 79,
125, 139, 158
Access from Dangerous Sources: Successful Inbound
Communications from Malicious Domain rule 79, 124,
138, 157
Access to Dangerous Destinations - 30 Day Trend report
58, 87
Access to Dangerous Destinations - One Year Trend
report 58, 87
Access to Dangerous Destinations by Exploit Types query
viewer 123
Access to Dangerous Destinations by Types During the
Last 7 Days query 135
Access to Dangerous Destinations During the Last 24
Hours - Long Form report 58, 87
Hours - Short Form report 58, 87
Access to Dangerous Destinations During the Last 7 Days
report 59, 87
Access to Dangerous Destinations filter 93
Access to Dangerous Destinations Reputation Domain
Score Threshold global variable 59, 90, 100, 129,
144
Access to Dangerous Destinations Reputation IP Score
Access to Dangerous Destinations use case 37, 56
Access to Dangerous Destinations: Outbound
Communications to Malicious Domains rule 88, 99,
124, 138
Communications to Malicious IPs rule 88, 99, 124,
138
Access to Dangerous Destinations: Outbound Requests
to Malicious Domains rule 88, 98, 123, 137
Access to Malicious Entities data monitor 127
active channels
All Events To or From Infected Assets During the
Last 2 Hours 34, 115
All Interactions with Malicious Entities Detected
During the Last 2 Hours 34, 115
Inbound Events 61, 136
Outbound Events 61, 136
active lists
configure 19
Critical Exploit Types 35, 88, 99, 117, 125, 139
Dangerous Browsing Exploit Types 44, 88, 99,
125, 139
increasing maximum capacity 14
Infected Internal Assets 117, 140
Interactions with Dangerous Destinations and
Dangerous Sites 89, 100, 126, 140
Internal Assets for Reputation Monitoring 47, 114
Internal Domains for Reputation Monitoring 47,
114
Internal Domains Found in Reputation Data 114
Internal IP Addresses Found in Reputation Data
114
Internal Network Addresses for Reputation
Monitoring 48, 114
Malicious Domains 80, 89, 99, 108, 114, 117, 126,
140, 153, 158
Malicious Host Names in Dangerous Destination
Interactions and Dangerous Browsing
89, 100, 126, 140
Malicious Host Names in Dangerous Sources Access
and Zero Day Attacks 80, 126, 140, 158
Malicious Host Names Involved in Internal
Infections 117, 140
Malicious IP Addresses 79, 88, 99, 108, 113, 117,
125, 139, 153, 158
Zero Day Attack Exploit Types 39, 79, 125, 139,
158
Zero Day Attacks and Access from Dangerous
Sources 80, 125, 139, 158
All Events To or From Infected Assets During the Last 2
Hours active channel 34, 115
All Interactions with Malicious Entities Detected During
the Last 2 Hours active channel 34, 115
All Interactions with Malicious Entities Detected During
Index

Index
the Last 24 Hours query 122
All Internal Domains and Hosts Found query viewer 113
All Internal Domains Found query 115
All Internal IP Addresses Found query 114
All Internal IP Addresses Found query viewer 113
ARB file 15
ArcSight ESM
supported version 14
asset categories
assign one-by-one 21
assign using the asset import connector 21
batch 21
import 21
Internal Non Public-Facing 40, 80, 126, 141, 158
populate using Network Model Wizard 21
Protected 80, 89, 100, 118, 126, 140, 158
Public-Facing 35, 89, 100, 118, 126, 141
asset import connector 21
Assets Infected for More Than A Week query 122
Assets Infected for More Than A Week report 35, 116
assign
solution asset categories by batch 21
solution asset categories one-by-one 21
assigning user permissions 19
Attacks from Malicious Entities data monitor 127
C
codes, RepSM 75
configure
active lists 19
rules 21
solution 18
connectors
asset import 21
Critical Exploit Types active list 35, 88, 99, 117, 125,
139
Critical Request Domain Exploit Types filter 93, 104,
121, 133, 148
Critical Target Reputation Domain Exploit Types filter 92,
103, 121, 134, 149
Critical Target Reputation IP Exploit Types filter 93, 104,
121, 134, 149
Currently Infected Assets and Recorded Interactions
with Malicious Entities query 123
Currently Infected Assets and Recorded Interactions
with Malicious Entities report 35, 116
D
Daily Communications with Dangerous Destinations
During the Last 7 Days query 96
Daily Count of Access from Dangerous Sources During
the Last 7 Days query 83, 135
Daily Count of Zero Day Attacks During the Last 7 Days
query 164
Daily Dangerous Browsing Activities During the Last 7
Days query 106
Daily Internal Infected Asset Snapshots trend 123
Dangerous Browsing Activities - 30 Day Trend report 43,
98
Dangerous Browsing Activities - One Year Trend report
43, 98
Dangerous Browsing Activities - Rule Firings filter 103,
147
Dangerous Browsing Activities During the Last 24 Hours
- Long Form report 43, 98
Dangerous Browsing Activities During the Last 24 Hours
- Short Form report 43, 98
Dangerous Browsing Activities During the Last 7 Days
query 96, 107
Dangerous Browsing Activities During the Last 7 Days
report 43, 98
Dangerous Browsing Activities in the Last 24 Hours query
105
Dangerous Browsing Activities per Reputation Type
During the Last 30 Days query 94, 106
During the Last One Year query 96, 106
Dangerous Browsing and Interactions to Dangerous
Destinations trend 97, 108, 136
Dangerous Browsing and Interactions with Dangerous
Destinations - Trend Base query 97, 107, 135
Dangerous Browsing Exploit Types active list 44, 88, 99,
125, 139
Dangerous Browsing filter 104, 134
Dangerous Browsing Reputation Domain Score
global variable 44, 91, 102, 128, 144
Dangerous Browsing Request Domain Exploit Types filter
92, 103, 133, 148
Dangerous Browsing Target Reputation Domain Exploit
Types filter 94, 105, 135, 151
Dangerous Browsing Target Reputation IP Exploit Types
filter 93, 104, 134, 150
Dangerous Browsing use case 41
Dangerous Browsing: Outbound Communications to
Malicious Domains rule 88, 99, 125, 137
Dangerous Browsing: Outbound Communications to
Malicious IPs rule 88, 99, 125, 139
Dangerous Browsing: Outbound Requests to Malicious
Domains rule 88, 99, 125, 137
Dangerous Destinations Accessed by Internal Assets
query 95
Dangerous Destinations Accessed by Internal Assets
query viewer 86
Dangerous Destinations and Dangerous Browsing:
Outbound Communication to Malicious Domains filter
94, 105, 133, 148
Outbound Communication to Malicious IPs filter 93,
104, 133, 147
Outbound URL Requests to Malicious Domains filter
94, 105, 133, 148
Dangerous Sites Accessed by Internal Asset query viewer
98
Dangerous Sources query viewer 78
dashboards
Events Analyzed by RepSM Use Cases 62, 136
Geographical View of Malicious Communications
123
Internal Assets and Domains Found in Reputation
Data 47, 113
Overview of Access from Dangerous Sources 54, 77

Index
Overview of Access to Dangerous Destinations 58,
86
Overview of Dangerous Browsing 43, 97
Overview of Internal Infections 35, 115
Overview of Zero Day Attacks 39, 156
RepSM Overview 123
RepSM Resource Health 62, 136
RepSM Rules Health 61, 136
RepSM Trend Health 61, 136
Reputation Data Overview 64, 151
Reputation Domain Database Overview 64, 151
Reputation IP Database Overview 64, 151
data monitors
Access to Malicious Entities 127
Attacks from Malicious Entities 127
Events Analyzed by Access from Dangerous
Sources 141
Events Analyzed by Access to Dangerous
Destinations and Dangerous Browsing
142
Events Analyzed by Internal Infected Assets 141
Events Analyzed by Zero Day Attack 141
Internal Infected Assets 126
Last 10 RepSM Trend Queries Returning No Results
142
Last 10 RepSM Trend Query Failures 142
Last Update to Reputation Domain List 153
Last Update to Reputation IP List 153
Messages from Model Import Connector for RepSM
141
Most Recent Access from Dangerous Sources 80
Most Recent Access to Dangerous Destination 89
Most Recent Dangerous Browsing Activities 100
Most Recent Zero Day Attacks 158
Recent Dangerous Browsing Destinations 126
Recently Triggered Rules 142
RepSM Rule Error Logs 142
RepSM Rule States 142
RepSM Trend Query Duration 141
RepSM Trend Query Runs Status 141
Reputation Domain List Update Count - 8 Hours 153
Reputation IP List Update Count - 8 Hours 153
Top Firing Rules 141
Zero Day Attacks 127
Destination Address Reputation Exploit Type global
variable 50, 90, 101, 110, 129
Destination Address Reputation Score global variable 50,
109, 128
Destination Domain Reputation Exploit Type global
variable 50, 91, 102, 112, 131
Destination Domain Reputation Score global variable 49,
111, 130
Destination Reputation Domain global variable 51, 110
E
Event Enrichment with Reputation Data use case 49
Event Limit filter 82, 93, 104, 121, 134, 149, 161
Events Analyzed by Access from Dangerous Sources data
monitor 141
Events Analyzed by Access to Dangerous Destinations
and Dangerous Browsing data monitor 142
Events Analyzed by Internal Infected Assets data
monitor 141
Events Analyzed by RepSM Use Cases dashboard 62,
136
Events Analyzed by Zero Day Attack data monitor 141
Events from Malicious Sources filter 51, 113
Events from Model Import Connector for RepSM filter
151
Events Monitored by Access from Dangerous Sources
Use Case filter 147
Events Monitored by Access to Dangerous Destinations
and Dangerous Browsing Use Cases filter 149
Events Monitored by Internal Infected Assets Use Case
filter 148
Events Monitored by Zero Day Attack Use Case filter 147
Events to Malicious Targets filter 51, 113
Events with Requests to Malicious Hosts filter 51, 112
Events with Source Reputation Information field set 132
Events with Target Reputation Information field set 132
exploit types
explanation of 8
invalid numerical 69
F
field sets
Events with Source Reputation Information 132
Events with Target Reputation Information 132
Internal Infections 120
Reputation Domain Enrichment 51, 112
Reputation IP Enrichment 51, 112
Request URL Enrichment 51, 112
Standard 120
filters
Access from Dangerous Sources 83
Access from Dangerous Sources - Rule Firings 83,
148
Access to Dangerous Destinations 93
Critical Request Domain Exploit Types 93, 104,
121, 133, 148
Critical Target Reputation Domain Exploit Types 92,
103, 121, 134, 149
Critical Target Reputation IP Exploit Types 93, 104,
121, 134, 149
Dangerous Browsing 104, 134
Dangerous Browsing Activities - Rule Firings 103,
147
Dangerous Browsing Request Domain Exploit Types
92, 103, 133, 148
Dangerous Browsing Target Reputation Domain
Exploit Types 94, 105, 135, 151
Dangerous Browsing Target Reputation IP Exploit
Types 93, 104, 134, 150
Outbound Communication to Malicious
Domains 94, 105, 133, 148
Outbound Communication to Malicious
IPs 93, 104, 133, 147
Outbound URL Requests to Malicious
Domains 94, 105, 133, 148
Event Limit 82, 93, 104, 121, 134, 149, 161
Events from Malicious Sources 51, 113
Events from Model Import Connector for RepSM
151
Events Monitored by Access from Dangerous
Sources Use Case 147

Index
Events Monitored by Access to Dangerous
Destinations and Dangerous Browsing
Use Cases 149
Events Monitored by Internal Infected Assets Use
Case 148
Events Monitored by Zero Day Attack Use Case 147
Events to Malicious Targets 51, 113
Events with Requests to Malicious Hosts 51, 112
Inbound Communication from Malicious Domains
83, 133, 148, 161
Inbound Communication from Malicious IP
Addresses 83, 134, 150, 161
Inbound Events 83, 134, 150, 161
Infected Assets: Outbound Communication to
Malicious Domains 121, 150
Infected Assets: Outbound Communication to
Malicious IPs 120, 147
Infected Assets: Outbound URL Requests to
Interactions with Dangerous Destinations - Rule
Firings 93, 104, 149
Internal Attackers 83, 92, 103, 120, 134, 149, 161
Internal Infected Asset Case Creation or Removal
132
Internal Targets 83, 92, 103, 120, 134, 149, 162
Non Public-Facing Internal Targets 83, 132, 146,
161
Outbound Communication to Reputation Domains
92, 103, 120, 132, 146
Outbound Communication to Reputation IP
Addresses 94, 105, 121, 135, 150
Outbound Events 93, 104, 121, 132, 147
Public-Facing Attackers 94, 105, 122, 133, 148
RepSM Relevant Events 51, 113
RepSM Rule Firing Events 149
RepSM Rules Engine Events 150
RepSM Trend Query Duration 149
RepSM Trend Query Failure 147
RepSM Trend Query Returning No Results 150
RepSM Trend Runs Status 150
Reputation Domain Changes 153
Reputation Inbound Communication 135
Reputation IP Changes 153
Reputation Outbound Communication 132
Request to Reputation Domains 92, 103, 121, 132,
147
Target Host Name Present 93, 104, 121, 134, 150
Zero Day Attack List Manipulation 133
Zero Day Attack Reputation Domain Exploit Types
83, 135, 150, 162
Zero Day Attack Reputation IP Exploit Types 82,
133, 148, 161
Zero Day Attacks 161
Zero Day Attacks - Rule Firings 150, 161
G
Geographical View of Malicious Communications
dashboard 123
global variables
Access from Dangerous Sources Reputation
Domain Score Threshold 54, 81, 130,
145, 159
Access from Dangerous Sources Reputation IP
Score Threshold 55, 82, 131, 146, 160
Access to Dangerous Destinations Reputation
Domain Score Threshold 59, 90, 100,
129, 144
Access to Dangerous Destinations Reputation IP
Score Threshold 59, 90, 101, 130, 145
Dangerous Browsing Reputation Domain Score
Threshold 44, 91, 102, 131, 146
44, 91, 102, 128, 144
Destination Address Reputation Exploit Type 50,
90, 101, 110, 129
Destination Address Reputation Score 50, 109, 128
Destination Domain Reputation Exploit Type 50,
91, 102, 112, 131
Destination Domain Reputation Score 49, 111, 130
Destination Reputation Domain 51, 110
Internal Infected Assets Reputation Domain Score
Threshold 36, 118, 142
Internal Infected Assets Reputation IP Score
Threshold 36, 119, 146
RepSM Product 51, 112
Request URL Domain Reputation Exploit Type 50,
91, 102, 109, 128
Request URL Domain Reputation Score 50, 110,
129
Request URL Reputation Domain 50, 109
solnGenericHighScoreThreshold 80, 90, 101, 118,
127, 143, 159
solnGetAttackerDomainExploitType 80, 129, 144,
159
solnGetAttackerDomainLevel1 81, 111, 131, 145,
160
160
159
159
solnGetAttackerReputationDomainEntry 81, 109,
128, 143, 159
solnGetAttackerReputationDomainLevel1ListEntry
80, 110, 129, 144, 159
82, 109, 128, 143, 160
82, 109, 129, 144, 160
82, 112, 131, 146, 160
solnGetAttackerReputationHostNameListEntry 81,
111, 131, 146, 160
solnGetAttackerReputationIPListEntry 82, 110,
129, 144, 161
solnGetBaseRequestURLDomainEntry 90, 101,
108, 118, 127, 143
solnGetLowerAttackerHostName 81, 109, 128,
143, 159
solnGetLowerTargetHostName 91, 102, 111, 119,
130, 145
solnGetRequestURLDomain 82, 92, 103, 110, 120,
128, 144, 160
solnGetRequestURLDomainExploitType 90, 101,
119, 127, 143
solnGetRequestURLDomainLevel1 89, 100, 108,
118, 127, 142
solnGetRequestURLDomainLevel1ListEntry 90,

Index
101, 110, 118, 130, 145
118, 127, 143
103, 112, 120, 131, 146
120, 129, 144
101, 110, 118, 129, 144
112, 120, 132, 146, 160
solnGetRequestURLDomainLevel4ListEntry 80, 90,
101, 109, 118, 127, 143, 159
solnGetRequestURLReputationDomainEntry 91,
102, 109, 119, 128, 143
solnGetTargetDomainExploitType 91, 102, 119,
130, 145
solnGetTargetDomainLevel1 91, 102, 109, 119,
128, 143
130, 145
130, 145
127, 142
solnGetTargetReputationDomainEntry 91, 102,
111, 119, 130, 145
solnGetTargetReputationDomainLevel1ListEntry
92, 103, 112, 120, 132, 146
91, 102, 111, 119, 131, 146
92, 102, 110, 119, 128, 144
90, 101, 110, 118, 129, 144
solnGetTargetReputationHostNameListEntry 91,
102, 111, 119, 130, 145
solnGetTargetReputationIPListEntry 89, 100, 108,
118, 127, 142
Source Address Reputation Exploit Type 49, 81,
111, 131, 160
Source Address Reputation Score 50, 82, 112, 131,
160
Source Domain Reputation Exploit Type 50, 81,
111, 131, 160
Source Domain Reputation Score 50, 80, 108, 127,
159
Source Reputation Domain 50, 112, 132
Zero Day Attacks Reputation Domain Score
Threshold 40, 81, 129, 145, 159
Zero Day Attacks Reputation IP Score Threshold
40, 81, 128, 143, 159
I
import
package 15
Inbound Communication from Malicious Domains filter
83, 133, 148, 161
Inbound Communication from Malicious IP Addresses
filter 83, 134, 150, 161
Inbound Events active channel 61, 136
Inbound Events filter 83, 134, 150, 161
increasing maximum capacity for active lists 14
Infected Asset Count per Month query viewer 115
Infected Asset List Snapshot - Trend Base query 122
Infected Assets: Outbound Communication to Malicious
Domains filter 121, 150
Infected Assets: Outbound Communication to Malicious
IPs filter 120, 147
Infected Assets: Outbound URL Requests to Malicious
Domains filter 120, 147
Infected Internal Assets active list 117, 140
Infected Internal Assets: Outbound Communications to
Malicious Domains rule 117, 138
Infected Internal Assets: Outbound Communications to
Malicious IPs rule 117, 138
Infected Internal Assets: Outbound Requests to
Malicious Domains rule 117, 137
Infection Types over Last Month query 122
install
package 15
troubleshoot 17
Interactions with Dangerous Destinations - Rule Firings
filter 93, 104, 149
Interactions with Dangerous Destinations and
Dangerous Sites active list 89, 100, 126, 140
Interactions with Dangerous Destinations in the Last 24
Hours query 95
Interactions with Dangerous Destinations per Reputation
Type During the Last 24 Hours query 97
Interactions with Malicious Entities During the Last 24
Hours report 35, 116
Internal Asset Reputation Detector (List Based) - Trend
Base query 48, 114
Internal Assets Accessed by Dangerous Sources query
viewer 78
Internal Assets and Domains Found in Reputation Data
dashboard 47, 113
Internal Assets Communicated with Dangerous
Destinations query 95
Destinations query viewer 86
Internal Assets for Reputation Monitoring active list 47,
114
Internal Assets Found in Reputation Data report 47, 113
Internal Assets Found in Reputation Data use case 45
Internal Assets Involved in Dangerous Browsing query
viewer 98
Internal Assets Targeted by Zero Day Attacks query
viewer 156
Internal Attackers filter 83, 92, 103, 120, 134, 149, 161
Internal Domain Found in Reputation Data rule 137
Internal Domain Reputation Detector (List Based) -
Trend Base query 48, 115
Internal Domains for Reputation Monitoring active list
47, 114
Internal Domains Found in Reputation Data active list
114
Internal Infected Asset Case Creation or Removal filter
132
Internal Infected Asset Count per Month query 122
Internal Infected Asset Count per Week query 122
Internal Infected Assets data monitor 126
Internal Infected Assets Reputation Domain Score
Threshold global variable 36, 118, 142
Internal Infected Assets Reputation IP Score Threshold
global variable 36, 119, 146
Internal Infected Assets use case 60
Internal Infections field set 120

Index
Internal IP Address Found in Reputation Data rule 137
Internal IP Addresses Found in Reputation Data active
list 114
Internal Network Addresses for Reputation Monitoring
active list 48, 114
Internal Non Public-Facing asset category 40, 80, 126,
141, 158
Internal Targets filter 83, 92, 103, 120, 134, 149, 162
L
Last 10 RepSM Trend Queries Returning No Results data
monitor 142
Last 10 RepSM Trend Query Failures data monitor 142
Last Update to Reputation Domain List data monitor 153
Last Update to Reputation IP List data monitor 153
M
Malicious Domains active list 80, 89, 99, 108, 114, 117,
126, 140, 153, 158
Malicious Host Names in Dangerous Destination
Interactions and Dangerous Browsing active list 89,
100, 126, 140
Malicious Host Names in Dangerous Sources Access and
Zero Day Attacks active list 80, 126, 140, 158
Malicious Host Names Involved in Internal Infections
active list 117, 140
Malicious IP Addresses active list 79, 88, 99, 108, 113,
117, 125, 139, 153, 158
maximum capacity, increasing active list 14
Messages from Model Import Connector for RepSM data
monitor 141
messages, RepSM 75
Model Import Connector for RepSM
installing and configuring 18
overview 7
Monthly Count of Dangerous Browsing Activities During
the Last One Year query 97, 107
Monthly Count of Dangerous Browsing Activities per
Source Zone During the Last One Year query 96, 107
Type During the Last One Year query 95, 106
Monthly Count of Zero Day Attacks During the Last One
Year query 84, 162
Monthly Count of Zero Day Attacks per Target Zone
During the Last One Year query 85, 163
Monthly Count of Zero Day Attacks per Type During the
Last One Year query 84, 162
Most Recent Access from Dangerous Sources data
monitor 80
Most Recent Access to Dangerous Destination data
monitor 89
Most Recent Dangerous Browsing Activities data monitor
100
Most Recent Zero Day Attacks data monitor 158
N
Network Model Wizard 21
Non Public-Facing Internal Targets filter 83, 132, 146,
161
O
Open Case Status Distribution query viewer 116
Outbound Communication to Reputation Domains filter
92, 103, 120, 132, 146
Outbound Communication to Reputation IP Addresses
filter 94, 105, 121, 135, 150
Outbound Events active channel 61, 136
Outbound Events filter 93, 104, 121, 132, 147
overview
Model Import Connector for RepSM 7
RepSM content 7
Overview of Access from Dangerous Sources dashboard
54, 77
Overview of Access to Dangerous Destinations
dashboard 58, 86
Overview of Dangerous Browsing dashboard 43, 97
Overview of Infected Assets During the Last 30 Days
report 35, 116
Overview of Internal Infections dashboard 35, 115
Overview of Zero Day Attacks dashboard 39, 156
P
permission to change content 19
Protected asset category 80, 89, 100, 118, 126, 140,
158
Public-Facing asset category 35, 89, 100, 118, 126, 141
Public-Facing Attackers filter 94, 105, 122, 133, 148
Q
queries
Access from Dangerous Sources in the Last 24
Hours 85
Access from Dangerous Sources per Reputation
Type During the Last 24 Hours 85
Access to Dangerous Destinations by Types During
the Last 7 Days 135
All Interactions with Malicious Entities Detected
During the Last 24 Hours 122
All Internal Domains Found 115
All Internal IP Addresses Found 114
Assets Infected for More Than A Week 122
Currently Infected Assets and Recorded
Interactions with Malicious Entities 123
Daily Communications with Dangerous Destinations
During the Last 7 Days 96
Daily Count of Access from Dangerous Sources
During the Last 7 Days 83, 135
Daily Count of Zero Day Attacks During the Last 7
Days 164
Daily Dangerous Browsing Activities During the Last
7 Days 106
Dangerous Browsing Activities During the Last 7
Days 96, 107
Dangerous Browsing Activities in the Last 24 Hours
105
During the Last One Year 96, 106

Index
Dangerous Browsing and Interactions with
Dangerous Destinations - Trend Base 97,
107, 135
Dangerous Destinations Accessed by Internal
Assets 95
Infected Asset List Snapshot - Trend Base 122
Infection Types over Last Month 122
Interactions with Dangerous Destinations in the
Last 24 Hours 95
Interactions with Dangerous Destinations per
Reputation Type During the Last 24
Hours 97
Internal Asset Reputation Detector (List Based) -
Trend Base 48, 114
Destinations 95
Internal Domain Reputation Detector (List Based) -
Trend Base 48, 115
Internal Infected Asset Count per Month 122
Internal Infected Asset Count per Week 122
Monthly Count of Dangerous Browsing Activities
Source Zone During the Last One Year
96, 107
Type During the Last One Year 95, 106
Monthly Count of Zero Day Attacks During the Last
One Year 84, 162
Monthly Count of Zero Day Attacks per Target Zone
Monthly Count of Zero Day Attacks per Type During
the Last One Year 84, 162
Reputation Domain by Exploit Type 154
Reputation Domain Changes by Type During the
Last 1 Week 155
Reputation Domain Changes During the Last 1
Week 154
Reputation Domain Changes During the Last 1
Week - Exploit Type Specific 154
Reputation Domain Changes During the Last 1 Year
155
- Exploit Type Specific 155
Reputation Domain Count - Trend Base 155
Reputation Domain Entries 155
Reputation Domain Entry Count by Type 154
Reputation Domain Score Histogram 154
Reputation IP by Exploit Type 154
Reputation IP Changes - Trend Base 153
Reputation IP Changes During the Last 1 Week 154
Reputation IP Count by Type During the Last 1
Week 154
Reputation IP Count by Type During the Last 1 Year
154
Reputation IP Count During the Last 1 Week -
Exploit Type Specific 155
Reputation IP Count During the Last 1 Year - Exploit
Type Specific 155
Reputation IP Entries 155
Reputation IP Entry Count 155
Reputation IP Score Histogram 154
Status Distribution of Open Case on Zero Day
Attacks 162
Status Distribution of Open Cases on Internal
Infected Assets 122
Summary of Contacted Malicious Hosts 122
Summary of Currently Infected Assets 122
Summary of Dangerous Sources 84
Summary of Internal Assets Accessed by
Dangerous Sources 84
Summary of Internal Assets Targeted by Zero Day
Attacks 163
Summary of Zero Day Attackers 163
Top 10 Dangerous Browsing Destinations Accessed
by Most Internal Assets During the Last 7
Days 96, 107
Top 10 Dangerous Browsing Destinations Most
Accessed During the Last 24 Hours 106
Top 10 Dangerous Browsing Destinations Most
Accessed During the Last 7 Days 95, 105
Top 10 Dangerous Destinations Accessed by Most
Internal Assets During the Last 24 Hours
96, 107
Top 10 Dangerous Destinations Most Accessed
Top 10 Zero Day Attackers Attacked Most Internal
Hosts During the Last 7 Days 84, 162
Top 10 Zero Day Attackers During the Last 7 Days
84, 162
Top Accessed Assets During the Last 24 Hours 85
Top Assets Interacted Most with Dangerous
Destinations During the Last 24 Hours 95
Top Assets Most Attacked During the Last 7 Days
85, 163
Top Assets with Most Dangerous Browsing Activities
Top Attacked Assets During the Last 24 Hours 164
Weekly Count of Dangerous Browsing Activities
Weekly Count of Dangerous Browsing Activities per
Source Zone During the Last 30 Days 96,
107
Type During the Last 30 Days 95, 106
Weekly Count of Zero Day Attacks During the Last
30 Days 85, 163
Weekly Count of Zero Day Attacks per Target Zone
Weekly Count of Zero Day Attacks per Type During
the Last 30 Days 85, 163
Zero Day Attack Details During the Last 7 Days 85,
164
Sources - Trend Base 85, 135, 163
Zero Day Attacks in the Last 24 Hours 163
Zero Day Attacks per Reputation Type During the
Last 24 Hours 163
Last 30 Days 84, 162
Last 7 Days 84, 162
Last One Year 86, 164
query viewers
Access to Dangerous Destinations by Exploit Types
123
All Internal Domains and Hosts Found 113

Index
All Internal IP Addresses Found 113
Dangerous Destinations Accessed by Internal
Assets 86
Dangerous Sites Accessed by Internal Asset 98
Dangerous Sources 78
Infected Asset Count per Month 115
Internal Assets Accessed by Dangerous Sources 78
Destinations 86
Internal Assets Involved in Dangerous Browsing 98
Internal Assets Targeted by Zero Day Attacks 156
Open Case Status Distribution 116
Reputation Domain Entries 64, 152
Reputation Domain Exploit Type Distribution 151
Reputation Domain Score Histogram 152
Reputation Domain Type Distribution 152
Reputation IP Entries 64, 152
Reputation IP Entry Count 152
Reputation IP Exploit Type Distribution 151
Reputation IP Score Histogram 152
Summary of Contacted Malicious Entities 116
Summary of Infected Assets 116
Trend of Access from Dangerous Sources 78, 123
Trend of Access to Dangerous Destinations 87
Trend of Dangerous Browsing Activities During the
Last 7 Days 98
Trend of Zero Day Attacks 156
Zero Day Attack Cases 156
Zero Day Attackers 156
R
Recent Dangerous Browsing Destinations data monitor
126
Recently Triggered Rules data monitor 142
reports
Access from Dangerous Sources - 30 Day Trend 54,
78
Access from Dangerous Sources - One Year Trend
54, 78
Hours 54, 78
Days 54, 78
Access to Dangerous Destinations - 30 Day Trend
58, 87
Access to Dangerous Destinations - One Year Trend
58, 87
Access to Dangerous Destinations During the Last
24 Hours - Long Form 58, 87
Access to Dangerous Destinations During the Last
24 Hours - Short Form 58, 87
Days 59, 87
Assets Infected for More Than A Week 35, 116
Currently Infected Assets and Recorded
Interactions with Malicious Entities 35,
116
Dangerous Browsing Activities - 30 Day Trend 43,
98
Dangerous Browsing Activities - One Year Trend
43, 98
Hours - Long Form 43, 98
Hours - Short Form 43, 98
Days 43, 98
Interactions with Malicious Entities During the Last
24 Hours 35, 116
Internal Assets Found in Reputation Data 47, 113
Overview of Infected Assets During the Last 30
Days 35, 116
Reputation Database Changes During the Last 1
Week 65, 152
Week - Exploit Type Specific 65, 152
Year 65, 152
Year - Exploit Type Specific 65, 152
Zero Day Attacks - 30 Day Trend 39, 157
Zero Day Attacks - One Year Trend 39, 156
Zero Day Attacks During the Last 24 Hours 39, 157
Zero Day Attacks During the Last 7 Days 39, 157
RepSM content
installing and configuring 15
overview 7
uninstalling 71
RepSM Overview dashboard 123
RepSM Package Health Status use case 60
RepSM Product global variable 51, 112
RepSM Relevant Events filter 51, 113
RepSM Resource Health dashboard 62, 136
RepSM Rule Error Logs data monitor 142
RepSM Rule Firing Events filter 149
RepSM Rule States data monitor 142
RepSM Rules Engine Events filter 150
RepSM Rules Health dashboard 61, 136
RepSM Trend Health dashboard 61, 136
RepSM Trend Query Duration data monitor 141
RepSM Trend Query Duration filter 149
RepSM Trend Query Failure filter 147
RepSM Trend Query Returning No Results filter 150
RepSM Trend Query Runs Status data monitor 141
RepSM Trend Runs Status filter 150
Reputation Data Analysis use case 63
Reputation Data Overview dashboard 64, 151
reputation data, explanation of 8
Reputation Database Changes During the Last 1 Week -
Exploit Type Specific report 65, 152
Reputation Database Changes During the Last 1 Week
report 65, 152
Reputation Database Changes During the Last 1 Year -
Exploit Type Specific report 65, 152
Reputation Database Changes During the Last 1 Year
report 65, 152
Reputation Domain by Exploit Type query 154
Reputation Domain Changes by Type During the Last 1
Week query 155
Reputation Domain Changes During the Last 1 Week -
Exploit Type Specific query 154
Reputation Domain Changes During the Last 1 Week
query 154
Reputation Domain Changes During the Last 1 Year -
Exploit Type Specific query 155
query 155
Reputation Domain Changes filter 153
Reputation Domain Changes trend 156

Index
Reputation Domain Count - Trend Base query 155
Reputation Domain Database Overview dashboard 64,
151
Reputation Domain Enrichment field set 51, 112
Reputation Domain Entries query 155
Reputation Domain Entries query viewer 64, 152
Reputation Domain Entry Count by Type query 154
Reputation Domain Exploit Type Distribution query
viewer 151
Reputation Domain List Update Count - 8 Hours data
monitor 153
Reputation Domain Score Histogram query 154
Reputation Domain Score Histogram query viewer 152
Reputation Domain Type Distribution query viewer 152
Reputation Inbound Communication filter 135
Reputation IP by Exploit Type query 154
Reputation IP Changes - Trend Base query 153
Reputation IP Changes During the Last 1 Week query
154
Reputation IP Changes filter 153
Reputation IP changes trend 155
Reputation IP Count by Type During the Last 1 Week
query 154
Reputation IP Count by Type During the Last 1 Year
query 154
Reputation IP Count During the Last 1 Week - Exploit
Type Specific query 155
Reputation IP Count During the Last 1 Year - Exploit
Type Specific query 155
Reputation IP Database Overview dashboard 64, 151
Reputation IP Enrichment field set 51, 112
Reputation IP Entries query 155
Reputation IP Entries query viewer 64, 152
Reputation IP Entry Count query 155
Reputation IP Entry Count query viewer 152
Reputation IP Exploit Type Distribution query viewer 151
Reputation IP List Update Count - 8 Hours data monitor
153
Reputation IP Score Histogram query 154
Reputation IP Score Histogram query viewer 152
Reputation Outbound Communication filter 132
reputation score
explanation of 8
setting thresholds for 22
Request to Reputation Domains filter 92, 103, 121, 132,
147
Request URL Domain Reputation Exploit Type global
variable 50, 91, 102, 109, 128
Request URL Domain Reputation Score global variable
50, 110, 129
Request URL Enrichment field set 51, 112
Request URL Reputation Domain global variable 50, 109
response codes, RepSM 75
rules
Access from Dangerous Sources: Successful
Inbound Communications from Malicious
Address 79, 125, 139, 158
Access from Dangerous Sources: Successful
Inbound Communications from Malicious
Domain 79, 124, 138, 157
Communications to Malicious Domains
88, 99, 124, 138
Communications to Malicious IPs 88, 99,
124, 138
Requests to Malicious Domains 88, 98,
123, 137
configure 21
Dangerous Browsing: Outbound Communications
to Malicious Domains 88, 99, 125, 137
Dangerous Browsing: Outbound Communications
to Malicious IPs 88, 99, 125, 139
Dangerous Browsing: Outbound Requests to
Malicious Domains 88, 99, 125, 137
Infected Internal Assets: Outbound
Communications to Malicious Domains
117, 138
Infected Internal Assets: Outbound
Communications to Malicious IPs 117,
138
Infected Internal Assets: Outbound Requests to
Internal Domain Found in Reputation Data 137
Internal IP Address Found in Reputation Data 137
Zero Day Attacks: Successful Inbound
Communications from Malicious Address
79, 124, 137, 157
Communications from Malicious Address
- First Occurrence 79, 124, 138, 157
Communications from Malicious Domain
79, 124, 138, 158
Communications from Malicious Domain -
First Occurrence 78, 124, 137, 157
S
setting thresholds for reputation scores 22
solnGenericHighScoreThreshold global variable 80, 90,
101, 118, 127, 143, 159
solnGetAttackerDomainExploitType global variable 80,
129, 144, 159
solnGetAttackerDomainLevel1 global variable 81, 111,
131, 145, 160
130, 145, 160
129, 144, 159
128, 143, 159
solnGetAttackerReputationDomainEntry global variable
81, 109, 128, 143, 159
solnGetAttackerReputationDomainLevel1ListEntry global
variable 80, 110, 129, 144, 159
variable 82, 109, 128, 143, 160
variable 82, 109, 129, 144, 160
variable 82, 112, 131, 146, 160
solnGetAttackerReputationHostNameListEntry global
variable 81, 111, 131, 146, 160
solnGetAttackerReputationIPListEntry global variable 82,
110, 129, 144, 161
solnGetBaseRequestURLDomainEntry global variable 90,
101, 108, 118, 127, 143

Index
solnGetLowerAttackerHostName global variable 81, 109,
128, 143, 159
solnGetLowerTargetHostName global variable 91, 102,
111, 119, 130, 145
solnGetRequestURLDomain global variable 82, 92, 103,
110, 120, 128, 144, 160
solnGetRequestURLDomainExploitType global variable
90, 101, 119, 127, 143
solnGetRequestURLDomainLevel1 global variable 89,
100, 108, 118, 127, 142
solnGetRequestURLDomainLevel1ListEntry global
variable 90, 101, 110, 118, 130, 145
101, 109, 118, 127, 143
variable 92, 103, 112, 120, 131, 146
103, 110, 120, 129, 144
variable 90, 101, 110, 118, 129, 144
92, 103, 112, 120, 132, 146, 160
variable 80, 90, 101, 109, 118, 127, 143, 159
solnGetRequestURLReputationDomainEntry global
variable 91, 102, 109, 119, 128, 143
solnGetTargetDomainExploitType global variable 91,
102, 119, 130, 145
solnGetTargetDomainLevel1 global variable 91, 102,
109, 119, 128, 143
111, 119, 130, 145
111, 119, 130, 145
108, 118, 127, 142
solnGetTargetReputationDomainEntry global variable
91, 102, 111, 119, 130, 145
solnGetTargetReputationDomainLevel1ListEntry global
variable 92, 103, 112, 120, 132, 146
variable 91, 102, 111, 119, 131, 146
variable 92, 102, 110, 119, 128, 144
variable 90, 101, 110, 118, 129, 144
solnGetTargetReputationHostNameListEntry global
variable 91, 102, 111, 119, 130, 145
solnGetTargetReputationIPListEntry global variable 89,
100, 108, 118, 127, 142
Source Address Reputation Exploit Type global variable
49, 81, 111, 131, 160
Source Address Reputation Score global variable 50, 82,
112, 131, 160
Source Domain Reputation Exploit Type global variable
50, 81, 111, 131, 160
Source Domain Reputation Score global variable 50, 80,
108, 127, 159
Source Reputation Domain global variable 50, 112, 132
Standard field set 120
status codes, RepSM 75
Status Distribution of Open Case on Zero Day Attacks
query 162
Status Distribution of Open Cases on Internal Infected
Assets query 122
Summary of Contacted Malicious Entities query viewer
116
Summary of Contacted Malicious Hosts query 122
Summary of Currently Infected Assets query 122
Summary of Dangerous Sources query 84
Summary of Infected Assets query viewer 116
Summary of Internal Assets Accessed by Dangerous
Sources query 84
Summary of Internal Assets Targeted by Zero Day
Attacks query 163
Summary of Zero Day Attackers query 163
T
Target Host Name Present filter 93, 104, 121, 134, 150
thresholds for reputation score 22
Top 10 Dangerous Browsing Destinations Accessed by
Most Internal Assets During the Last 7 Days query 96,
107
Top 10 Dangerous Browsing Destinations Most Accessed
Top 10 Dangerous Browsing Destinations Most Accessed
Top 10 Dangerous Destinations Accessed by Most
Internal Assets During the Last 24 Hours query 96,
107
Top 10 Dangerous Destinations Most Accessed During
the Last 24 Hours query 95
Top 10 Zero Day Attackers Attacked Most Internal Hosts
Top 10 Zero Day Attackers During the Last 7 Days query
84, 162
Top Accessed Assets During the Last 24 Hours query 85
Top Assets Interacted Most with Dangerous Destinations
Top Assets Most Attacked During the Last 7 Days query
85, 163
Top Attacked Assets During the Last 24 Hours query 164
Top Firing Rules data monitor 141
Trend of Access from Dangerous Sources query viewer
78, 123
Trend of Access to Dangerous Destinations query viewer
87
Trend of Dangerous Browsing Activities During the Last
7 Days query viewer 98
Trend of Zero Day Attacks query viewer 156
trends
Daily Internal Infected Asset Snapshots 123
Dangerous Browsing and Interactions to Dangerous
Destinations 97, 108, 136
Reputation Domain Changes 156
Reputation IP changes 155
Sources 86, 135, 164
troubleshooting 67
U
use cases
Access from Dangerous Sources 41
Access to Dangerous Destinations 37, 56

Index
Dangerous Browsing 41
Event Enrichment with Reputation Data 49
Internal Assets Found in Reputation Data 45
Internal Infected Assets 60
RepSM Package Health Status 60
Reputation Data Analysis 63
Zero Day Attacks 37
W
Weekly Count of Dangerous Browsing Activities During
the Last 30 Days query 94, 106
Source Zone During the Last 30 Days query 96, 107
Weekly Count of Dangerous Browsing Activities per Type
Weekly Count of Zero Day Attacks During the Last 30
Days query 85, 163
Weekly Count of Zero Day Attacks per Target Zone
Weekly Count of Zero Day Attacks per Type During the
Last 30 Days query 85, 163
Z
Zero Day Attack Cases query viewer 156
Zero Day Attack Details During the Last 7 Days query 85,
164
Zero Day Attack Exploit Types active list 39, 79, 125,
139, 158
Zero Day Attack List Manipulation filter 133
Zero Day Attack Reputation Domain Exploit Types filter
83, 135, 150, 162
Zero Day Attack Reputation IP Exploit Types filter 82,
133, 148, 161
Zero Day Attackers query viewer 156
Zero Day Attacks - 30 Day Trend report 39, 157
Zero Day Attacks - One Year Trend report 39, 156
Zero Day Attacks - Rule Firings filter 150, 161
Zero Day Attacks and Access from Dangerous Sources -
Trend Base query 85, 135, 163
Zero Day Attacks and Access from Dangerous Sources
active list 80, 125, 139, 158
Zero Day Attacks and Access from Dangerous Sources
trend 86, 135, 164
Zero Day Attacks data monitor 127
Zero Day Attacks During the Last 24 Hours report 39,
157
Zero Day Attacks During the Last 7 Days report 39, 157
Zero Day Attacks filter 161
Zero Day Attacks in the Last 24 Hours query 163
Zero Day Attacks per Reputation Type During the Last 24
Hours query 163
Days query 84, 162
Days query 84, 162
Zero Day Attacks per Reputation Type During the Last
One Year query 86, 164
Zero Day Attacks Reputation Domain Score Threshold
global variable 40, 81, 129, 145, 159
Zero Day Attacks Reputation IP Score Threshold global
variable 40, 81, 128, 143, 159
Zero Day Attacks use case 37
Zero Day Attacks: Successful Inbound Communications
from Malicious Address - First Occurrence rule 79,
124, 138, 157
from Malicious Address rule 79, 124, 137, 157
from Malicious Domain - First Occurrence rule 78,
124, 137, 157
from Malicious Domain rule 79, 124, 138, 158

Index

Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express v4.0

More Related Content

What's hot (20)

Similar to Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express v4.0 (20)

More from Protect724v2 (20)

Recently uploaded (20)

Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express v4.0