ESM Default Content


OpenText | OpenText Community

ESM Default Content includes Security Threat Monitoring and Threat Intelligence Platform package. It includes resources for tracking more than 300 techniques and sub-techniques from the MITRE ATT&CK framework.
7,908 downloads


Description

Release 4.6 adds eleven new Security Threat Monitoring package rules to the Host Monitoring, Application Monitoring, and Network Monitoring use cases and one new rule to the Threat Intelligence Platform package. These new rules support MITRE ATT&CK Framework v15.0. More details about these new rules are in the release notes: https://www.microfocus.com/documentation/arcsight/security-content/ESM_4.6_RNs/

Release 4.5 adds five new active lists that carry new, optional customer and customer URI fields, intended for MSSP users who need entries tailored to specific customers. These active lists are located in the ArcSight Foundation/Common folder. More details are in the release notes: https://www.microfocus.com/documentation/arcsight/security-content/ESM_4.5_RNs/

Release 4.4 adds six new rules and one dashboard to the Security Threat Monitoring package to help you monitor potential distributed denial of service, network denial of service, log enumeration, suspicious use of the "powercfg" command to manipulate power settings, possible abuse of cloud management services, and suspicious use of cloud administration commands. More details are in the release notes: https://www.microfocus.com/documentation/arcsight/security-content/ESM_4.4_RNs/

Release 4.3 adds four new rules to the Security Threat Monitoring package to help you monitor your Windows and Linux environments. Check out our new video series titled "Mastering ArcSight Series" on YouTube: https://www.youtube.com/playlist?list=PLN3aXmWqzjnGrnbr95kCs_J_SfxlPREuk

Release 4.2 rebrands the Galaxy Threat Acceleration Program to the ArcSight Threat Acceleration Program (GTAP to ATAP) and replaces all CyberRes references with ArcSight. Additionally, 4.2 adds new content to the Security Threat Monitoring and Threat Intelligence Platform packages to help you monitor command obfuscation, exfiltration to text storage sites, suspicious API activity, and communication to malvertising publishing domains/IPs.

Release 4.1 adds 12 new rules to the Security Threat Monitoring package to detect more attacks against the Windows operating system, adds 3 new very-high-confidence rules to the Threat Intelligence Platform package together with an active channel that displays the very-high-confidence alerts, and updates 8 existing rules.

"ArcSight ESM Default Content 4.0" release is a milestone release for the entire ArcSight portfolio.
In this release, the primary focus has been to support "CyberRes Galaxy Threat Acceleration Program (GTAP)" version 2.0. This is done through the "Threat Intelligence Platform" sub-package of the ESM Default Content package.

As the GTAP 2.0 Release Notes describe in more detail, the Threat Intelligence support built into ESM and the Default Content has been significantly improved. The most significant change is the introduction of many additional fields, giving a richer feed with more SOC-ready context.

As a result, the Active Lists that hold the real-time IoC information received from the threat intelligence feed, as well as the rules, filters, and other resources that use those active lists, have been considerably updated.

Because this changed the way the ESM resources work, deploying ESM Default Content 4.0 now requires a couple of extra steps that are specific to this release.

Please read this document in full, and preferably watch the accompanying video, to get acquainted with the process.

System Requirements:

=========================

Micro Focus ArcSight ESM 7.2 or above.

=========================

Package Installation:

=========================

The zip file contains three files: the package .arb file, a signature of the .arb file, and the release notes.

OpenText provides a digital public key so that you can verify that the signed software you received is indeed from OpenText and has not been manipulated by a third party. Visit the following site for information and instructions: https://support.microfocus.com/kb/doc.php?id=7025140

Perform the following steps in the ArcSight Console:

  1. Go to the ArcSight Console.
  2. Click Packages.
  3. Click Import.
  4. Select the package .arb file from the zip file.
  5. Follow the prompts to import and install this package.

NOTE: If you customized standard resources in the resource's original location, back up the resources to an .arb file (exclude related resources) before you upgrade. If you copied the resources to a custom group and then customized them, the upgrade does not impact the custom group.

To upgrade this package from version 3.x:

  1. Delete /ArcSight Foundation/Threat Intelligence Platform. Make sure all resources, especially active lists, have been removed from /ArcSight Foundation/Threat Intelligence Platform.
  2. Restart the ESM manager (/opt/arcsight/services/init.d/arcsight_services stop manager, then start manager). Note: If you do not restart the manager, you will receive an error: Install Failed: "Invalid field name: creatorOrg"
  3. Go to the ArcSight Console.
  4. Click Packages.
  5. Click Import.
  6. Select the package .arb from the .zip file.
  7. Follow the prompts to import and install this package.
  8. After the initial install finishes, right-click Threat Intelligence Platform and click Install Package.
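As an added example (not OpenText's or the package's own code), the following POSIX shell helper covers the two steps above that happen outside the Console: it checks that the downloaded zip holds a single package .arb with a matching detached signature and verifies that signature with gpg before you import the .arb, and it wraps the manager restart that the 3.x upgrade requires. The GPG signature format, the `.sig`/`.asc` naming and the sample file names are assumptions made here; the actual key and verification procedure are in the KB article linked above.

```shell
#!/bin/sh
# Added example, not OpenText/ArcSight code. Assumptions: the zip holds exactly
# one package .arb, one detached signature named <package>.arb.sig or .asc
# (assumed to be GPG; follow the linked KB article for the real procedure) and
# the release notes. The vendor public key is assumed to be in the GPG keyring.

# Given the file names inside the zip, confirm there is exactly one .arb and
# that a signature file exists for it. Prints the .arb name on success,
# returns 1 otherwise (wrong file count or missing signature).
check_package_files() {
    arb=""
    count=0
    for name in "$@"; do
        case "$name" in
            *.arb) arb="$name"; count=$((count + 1)) ;;
        esac
    done
    [ "$count" -eq 1 ] || { echo "expected one .arb, found $count" >&2; return 1; }
    found_sig=0
    for name in "$@"; do
        case "$name" in
            "$arb.sig"|"$arb.asc") found_sig=1 ;;
        esac
    done
    [ "$found_sig" -eq 1 ] || { echo "no signature file for $arb" >&2; return 1; }
    echo "$arb"
}

# Unpack the zip into a scratch directory, check its contents and verify the
# detached signature against the keyring. Only an .arb whose signature
# verifies should be imported via Packages > Import in the Console.
verify_package_zip() {
    zip="$1"
    workdir=$(mktemp -d)
    unzip -q "$zip" -d "$workdir" || return 1
    arb=$(cd "$workdir" && check_package_files *) || return 1
    sig="$workdir/$arb.sig"
    [ -f "$sig" ] || sig="$workdir/$arb.asc"
    gpg --verify "$sig" "$workdir/$arb" || {
        echo "signature check FAILED for $arb; do not import it" >&2
        return 1
    }
    echo "signature OK: $workdir/$arb"
}

# Upgrade from 3.x only: after deleting the old Threat Intelligence Platform
# resources, restart the manager, otherwise the import fails with
# "Invalid field name: creatorOrg" (step 2 of the upgrade procedure above).
restart_manager() {
    /opt/arcsight/services/init.d/arcsight_services stop manager
    /opt/arcsight/services/init.d/arcsight_services start manager
}

# Usage (constructed file name): verify_package_zip ESM_Default_Content_4.6.zip
```

Run `verify_package_zip` on the downloaded zip on a machine where the vendor key has been imported; on the ESM host itself, run `restart_manager` before the Console import only when upgrading from a 3.x package.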

To upgrade this package from 4.0:

  1. It is not required to delete the existing package.
  2. Go to the ArcSight Console.
  3. Click Packages.
  4. Click Import.
  5. Select the package .arb from the .zip file.
  6. Follow the prompts to import and install this package.

To uninstall:

Right-click the package in the ArcSight Console, then select "Uninstall Package".

Details of the recent releases:

In release 4.6, the following rules, with their associated MITRE IDs, were added or updated:

  • T1484.002 - Domain Trust Modification Detected (New)
  • T1564 - Hide Artifacts to Evade Detection (New)
  • T1216.002 - Possible Abnormal Execution via SyncAppvPublishingServer.vbs (New)
  • T1218.015 - Possible Abnormal Use of Electron Applications (New)
  • T1123 - Possible Audio Capture via PowerShell (New)
  • T1105 - Possible Suspicious Redirect of cURL Command (New)
  • T1614.001 - Possible System Language Discovery by Registry Key (New)
  • T1505.005 - RDP Shadow Session Configuration Enabled (New)
  • T1134.005 - SID-History Injection Detected (New)
  • T1059.010 - Scripting Interpreters AutoHotKey or AutoIT Detected (New)
  • T1588.007 - Suspicious OpenAI Activity (New)
  • T1040 - Suspicious Network Sniffing (Updated)
  • Suspicious File Hash Activity in Host Sysmon Based (New)

In release 4.5, the following active lists now include customer and customer URI fields:

  • Default User Accounts
  • Privileged User Accounts
  • Privileged User Groups
  • Risky Countries
  • Uncommon Ports

In release 4.4, the following rules, with their associated MITRE IDs, and a dashboard were added:

  • T1653-Power Settings (New)
  • T1654-Log Enumeration (New)
  • T1021-Remote Services (New)
  • T1651-Cloud Administration Command (New)
  • T1498-Network Denial of Service (Updated)

The following resources were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Suspicious Powercfg Execution To Change Lock Screen Timeout
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/Potential Distributed DoS
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/Cloud Administration Commands Executed
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/Google Cloud Services Accessed Remotely
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Logs Enumerated in Windows
  • New Dashboard - /All Dashboards/Security Threat Monitoring/Network Monitoring/DoS Activity

In release 4.3, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

  • T1036.008-Masquerade File Type
  • T1016.002-Wi-Fi Discovery
  • T1652-Device Driver Discovery
  • T1556.008-Network Provider DLL

The following resources were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Device Driver Discovery
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Network Provider DLL Modified Using Registry
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Application Monitoring/Process Executed with non-Executable Extension
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/Possible WIFI Discovery

The following resources were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Browser Information Discovery
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Possible Exfiltration to Text Storage Sites

In release 4.2, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

  • T1027.010 - Command Obfuscation
  • T1567.003-Exfiltration to Text Storage Sites
  • T1059.009-Cloud API
  • T1583.008-Malvertising

The following resources were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Command Obfuscation Using PowerShell
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Possible Exfiltration to Text Storage Sites
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Cloud Monitoring/Suspicious AWS Cloud API Activity Detected
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/Dangerous Browsing/Outbound Communication to Malvertising Publishing Address
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/Dangerous Browsing/Outbound Communication to a Malvertising Publishing Domain

The following resources were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Linux Auditd Kernel Module Loaded in Critical Server
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Network Monitoring/System Network Connections Discovery
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/ATAP Plus Very High Confidence Alerts with Suspicious File Hash
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/ATAP Plus Very High Confidence Alerts to Suspicious Source
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/ATAP Connector Health/No Update from ATAP Connector
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/ATAP Plus High Confidence Alerts to Suspicious Source
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/ATAP Connector Health/Track ATAP Connector Type
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/ATAP Plus High Confidence Alerts with Suspicious File Hash
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/ATAP Connector Health/Error in ATAP Connector Service Message
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/ATAP Connector Health/Track ATAP Connector Service Message
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/ATAP Connector Health/Track ATAP Connector Update Count
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Internal Domain Found in Suspicious Domains List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Addresses List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Domain List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Hash List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious URL List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Addresses
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Domain
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Email
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Hash
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious URL

In release 4.1, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

  • T1003.002-Security Account Manager
  • T1053.005-Scheduled Task
  • T1070.001-Clear Windows Event Logs
  • T1070.009-Clear Persistence
  • T1486-Data Encrypted for Impact
  • T1489-Service Stop
  • T1490-Inhibit System Recovery
  • T1546.016-Installer Packages
  • T1552.001-Credentials In Files
  • T1555-Credentials from Password Stores

The following resources were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Credentials Gathered using Mimikatz Tool
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/SystemRestore Task Disabled Using Schtasks
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/File Encrypted Using Encryptor Tool
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Credentials In Files
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Specific Processes Killed Using PowerShell Command
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Spearphishing via Whatsapp
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Disable Windows Recovery Using BCDedit Tool
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Deletion of Active USN Change Journal Using Fsutil
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Delete Backups Using WBadmin
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Credential Dumping Using LaZagne
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Event Log Deleted Using Wevtutil Tool
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Program Install
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/GTAP Plus Very High Confidence Alerts with Suspicious File Hash
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/GTAP Plus Very High Confidence Alerts to Suspicious Source
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email/Email Sent To Suspicious Address
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/GTAP Plus High Confidence Alerts to Suspicious Source
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP Connector Health/Track GTAP Connector Type
  • /All Active Channels/ArcSight Foundation/Threat Intelligence Platform/Very High Confidence Alerts

The following rules were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Chained Rule - Inhibit System Recovery
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email/Email Sent To Suspicious Address
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/GTAP Plus High Confidence Alerts to Suspicious Source
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP Connector Health/Track GTAP Connector Type
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/High Confidence Alerts/GTAP Plus High Confidence Alerts with Suspicious File Hash
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/Dangerous Browsing/Dangerous Browsing to a Suspicious URL

In release 4.0, the following new rules were added:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Credentials in Group Policy Preferences
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Mark-of-the-Web Bypass Using PowerShell
  • /All Rules/ArcSight Foundation/Threat Intelligence Platform/GTAP Connector Health/Track GTAP Connector Update Count

The following rules were updated:

  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Malware Monitoring/Possible Ransomware Detected
  • /All Rules/ArcSight Foundation/Security Threat Monitoring/Host Monitoring/Large amount of file modifications in users directories

The number of fields was expanded from 15 to 37 in the following active lists:

  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Addresses List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Domain List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Email List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious Hash List
  • /All Active Lists/ArcSight Foundation/Threat Intelligence Platform/Suspicious URL List

The following dashboards were added:

  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Data Feed Overview
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/TI Confidence Comparison - Open Source vs Galaxy-curated
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Top Malware and CVE

The following dashboards were updated:

  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/GTAP Health Status
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Threat Intelligence Security Incidents Overview
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/TI Confidence Details
  • /All Dashboards/ArcSight Foundation/Threat Intelligence Platform/Top Malware Types

Sample replay events

This zip file contains four files: two replay event files, one .arb package, and a readme. To trigger and test rules in the default content:

  1. Install the 4.x package before installing the package in this zip file if you want to test rules in the Threat Intelligence Platform package.
  2. Enable the rules you want to test.


Minimum Requirements

ESM 7.2 and above

Threat Intelligence Platform package requires ThreatHub Connector


Releases

Release | Size | Date
Security Threat Monitoring 4.6.0.0 | 680.4 KB | Jan 8, 2025
Threat Intelligence Platform 4.6.0.0 | 521.6 KB | Jan 8, 2025
Sample Replay Events 4.6.0.0 | 178.3 KB | Jan 6, 2025
Sample Replay Events 4.5.0.0 | 189.5 KB | Jul 12, 2024
Threat Intelligence Platform 4.5.0.0 | 318.1 KB | Jul 12, 2024
Security Threat Monitoring 4.5.0.0 | 657.3 KB | Jul 11, 2024
Threat Intelligence Platform 4.4.0.0 | 313.5 KB | Apr 2, 2024
Sample Replay Events 4.4.0.0 | 189.5 KB | Apr 2, 2024
Security Threat Monitoring 4.4.0.0 | 466.6 KB | Apr 2, 2024
Sample Replay Events 4.3.0.0 | 185.1 KB | Jan 29, 2024
Threat Intelligence Platform 4.3.0.0 | 464.5 KB | Jan 11, 2024
Security Threat Monitoring 4.3.0.0 | 608.7 KB | Jan 11, 2024

Reviews

Nov 14, 2021

Hyeji Yoon

I have collected logs with Sysmon. Is it possible to detect by applying the MITRE ATT&CK rules? I don't know how the Security Threat Monitoring rules detect and classify. If you know how, please contact dbsgpwl1206@gmail.com :)

Aug 19, 2021

José Armando Millas Larios

Poor documentation
The documentation is really poor and does not describe the function of each of the resources included, so it is very complicated to fine tune and adapt them to the different environments. If this point was fixed, it would be a nice package, since it seems pretty complete and elaborated.

Apr 27, 2021

ALESSANDRO LECCESE

3
Lack of documentation... the only way to understand what a rule needs in order to trigger is to perform strenuous reverse engineering...

Feb 3, 2020

Emrah Alpa

You could also get more content-related information from the "Standard Content Guide" below. https://community.microfocus.com/t5/ESM-and-ESM-Express/ESM-7-2-ArcSight-Administration-and-ArcSight-System-Standard/ta-p/1661017

Dec 9, 2019

Premjith Raman

1
Documentation Required
Hi, please provide detailed documentation for this package.
Yun Peng
Dec 20, 2019
It is part of ESM 7.2 admin guide at https://community.microfocus.com/t5/ESM-and-ESM-Express/ESM-7-2-Administrator-s-Guide/ta-p/1661005#
