ArcSight participated in the MITRE ATT&CK Enterprise Evaluation (Round 3, Carbanak+FIN7 emulation) in October 2020. More details about the evaluation can be found at https://attackevals.mitre-engenuity.org/carbanak-fin7/.
The ATTACK_EvalsR3_Carbanak_and_FIN7.zip file contains the two packages that were used during the evaluation:
Package One – ATTACK_EvalsR3_Carbanak_and_FIN7_v1_no-optimization.arb, used during the first and second day.
Package Two – ATTACK_EvalsR3_Carbanak_and_FIN7_v2_optimized_and_recommended.arb, used during the third day with minor configuration changes so that it captures many of the use cases that Package One originally missed. Caution: this package also generates more false positives.
Data Sources and Configuration
ESM: Suppression List set to 1 minute during the evaluation (the default is 24 hours)
1. Windows logs: Enable command line process creation auditing
2. PowerShell logs: Turn on PowerShell Script Block Logging. Script blocks are recorded as event ID 4104 in Microsoft-Windows-PowerShell/Operational; the classic Windows PowerShell log records pipeline execution as event ID 800.
3. Sysmon: Enable the following event IDs:
4. Firewall logs
5. Proxy logs
6. IDS/IPS logs
7. Anti-virus logs
8. Linux auditd logs: Modify /usr/lib/systemd/system/auditd.service to get these logs
9. Snoopy logs
10. FlexConnector for HollowsHunter
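Items 1 and 2 above are the two Windows host settings the package depends on most, and the most common reason process- and PowerShell-based content stays silent is that they were never actually switched on. The following PowerShell is an added example, not part of the Micro Focus package or its README: it enables both settings on a single host and then proves that events with the command line and the script text reach the event log. The auditpol subcategory and registry keys are Microsoft's documented Group Policy locations; the function names and the marker string are ours, and the script assumes it is run from an elevated session on the monitored host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Micro Focus package): enable the two Windows log sources
# the package expects and verify that the events are actually written.
# Registry paths and the auditpol subcategory are Microsoft's; the function names and
# the marker string are assumptions made for this example.

function Enable-ProcessCreationCmdLineAuditing {
    # Audit "Process Creation" -> Security event 4688 for every new process.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    # Without this policy the "Process Command Line" field of 4688 is empty,
    # which defeats most command-line based ATT&CK detections.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1
}

function Enable-PowerShellScriptBlockLogging {
    # Script Block Logging -> Microsoft-Windows-PowerShell/Operational event 4104,
    # which carries the de-obfuscated script text at execution time.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Type DWord -Value 1
}

function Test-WindowsLogSources {
    # Spawns one child PowerShell process that echoes a unique marker. That single
    # process should produce a 4688 whose command line contains the marker and a
    # 4104 whose script block contains it. A fresh process is used because an
    # already running session may cache the old script block logging policy.
    $marker = 'arcsight-logging-check-' + [guid]::NewGuid().ToString('N')
    $since  = (Get-Date).AddSeconds(-5)

    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList "-NoProfile -NonInteractive -Command Write-Output $marker" `
        -WindowStyle Hidden -Wait
    Start-Sleep -Seconds 2   # event log writes are asynchronous

    $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" }
    $psob = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" }

    # $true only if the marker was found, i.e. the field is present, not just the event.
    [pscustomobject]@{
        ProcessCreationWithCmdLine = [bool]$proc
        ScriptBlockLogging         = [bool]$psob
    }
}

Enable-ProcessCreationCmdLineAuditing
Enable-PowerShellScriptBlockLogging
Test-WindowsLogSources | Format-List
```

Two caveats when using this on evaluation or production hosts. First, if the host is domain-joined and the same settings are governed by a domain GPO, the local registry writes are overwritten at the next policy refresh, so set them in the GPO instead and use only Test-WindowsLogSources to confirm. Second, both sources raise event volume considerably; size the Security and PowerShell Operational logs (and the connector's throughput) accordingly before turning them on fleet-wide.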
To install this package:
The zip file contains three files: the package .arb file, the signature of the .arb file, and a Readme. Micro Focus provides a digital public key so that you can verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:
Logging in with a Micro Focus Software Passport account is required (the site offers the option to create one).
Perform the following steps in the ArcSight Console.
1. Open the ArcSight Console.
2. Click Packages.
3. Click Import.
4. Select the .arb file extracted from the zip file.
5. Follow the prompts to import and install the package.
Compatibility: ESM 6.11 and above.