Using HP ArcSight API for data visualization
Eugene Afonin, Senior Sales Engineer
#HPProtect

Some SIEMs have Google Maps integrations: could we do better?
Do you have an app for that?
Visualize data on your portal
Plugging in open source tools for analytics
Features - layout
Google Map
Events radar
Events details

Features - Google map
Shows events distribution by priority on marker click
Tooltip tells exact numbers
Populated by events details from the clicked marker
Features - radar
Each bar represents one minute in the event flow
Hover the mouse to show a tooltip
Red: high priority events, yellow: medium, blue: low
Click a bar to populate the table with the corresponding events

Features - table
To group events, drag any column header to the grouping area
Multiple grouping is supported
Events count is calculated automatically for each group level

Features - table (cont.)
Click any column header to sort (asc/desc)
Click to open/close the search filter
Type in the filter box or click any cell to filter on cell values

Features - clusters
Markers combine or split up according to the map zoom level
Zoom level 2 / Zoom level 4 (screenshots)
How it works (architecture diagram; labels recovered from the slide)
Incoming events -> ArcSight ESM / Express
High priority events -> Logger
Logger search API call -> search result in JSON
Visualization web app: Jscript code, Jscript & chart libraries, Google API, Geo images

APIs used
HP ArcSight
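The slides describe the pipeline only as a diagram: a Logger search returns JSON, and the web app turns that into map markers with a per-priority breakdown, a per-minute radar, and a table that can be grouped on several columns and filtered on cell values. The following is an added example (not code from the presentation or from HP) of that data-shaping step in JavaScript. The row layout of SAMPLE_RESULT is constructed for the example and does not reproduce the real Logger search API response format; the lat/lon fields and the priority band boundaries (high >= 7, medium 4-6, low 0-3) are also assumptions.

```javascript
// Constructed sample standing in for a Logger search result (assumption: the
// real API response layout differs). endTime, priority, name and
// sourceAddress are ArcSight field names; lat/lon are assumed to have been
// resolved earlier from the Geo data.
const SAMPLE_RESULT = [
  { endTime: "2014-09-08T10:00:05Z", priority: 9, lat: 37.77, lon: -122.41, name: "Malware detected", sourceAddress: "10.1.1.5" },
  { endTime: "2014-09-08T10:00:40Z", priority: 5, lat: 37.77, lon: -122.41, name: "Port scan",        sourceAddress: "10.1.1.6" },
  { endTime: "2014-09-08T10:01:10Z", priority: 2, lat: 51.50, lon: -0.12,   name: "Login failure",    sourceAddress: "10.2.2.7" },
  { endTime: "2014-09-08T10:01:50Z", priority: 8, lat: 51.50, lon: -0.12,   name: "Malware detected", sourceAddress: "10.2.2.8" },
  { endTime: "2014-09-08T10:03:00Z", priority: 7, lat: 37.77, lon: -122.41, name: "Malware detected", sourceAddress: "10.1.1.5" },
];

// Map the 0-10 ArcSight priority onto the three colours the radar uses.
// Band boundaries are an assumption for this example.
function priorityBand(priority) {
  if (priority >= 7) return "high";    // red
  if (priority >= 4) return "medium";  // yellow
  return "low";                        // blue
}

// Radar: one bar per minute, holding the high/medium/low counts for the
// tooltip and the raw events so a click can populate the table.
function buildRadarBins(events) {
  const bins = new Map();
  for (const e of events) {
    const minute = e.endTime.slice(0, 16); // "YYYY-MM-DDTHH:MM"
    if (!bins.has(minute)) bins.set(minute, { minute, high: 0, medium: 0, low: 0, events: [] });
    const bin = bins.get(minute);
    bin[priorityBand(e.priority)] += 1;
    bin.events.push(e);
  }
  return [...bins.values()].sort((a, b) => a.minute.localeCompare(b.minute));
}

// Map: one marker per distinct coordinate with the priority distribution
// shown on marker click; the events list feeds the details table.
function buildMarkers(events) {
  const markers = new Map();
  for (const e of events) {
    const key = `${e.lat},${e.lon}`;
    if (!markers.has(key)) markers.set(key, { lat: e.lat, lon: e.lon, high: 0, medium: 0, low: 0, events: [] });
    const m = markers.get(key);
    m[priorityBand(e.priority)] += 1;
    m.events.push(e);
  }
  return [...markers.values()];
}

// Table: multi-level grouping on the dragged column headers, with the event
// count computed at every group level.
function groupEvents(events, keys) {
  if (keys.length === 0) return { count: events.length, rows: events };
  const [first, ...rest] = keys;
  const buckets = {};
  for (const e of events) {
    const value = String(e[first]);
    if (!buckets[value]) buckets[value] = [];
    buckets[value].push(e);
  }
  const groups = {};
  for (const value of Object.keys(buckets)) groups[value] = groupEvents(buckets[value], rest);
  return { count: events.length, groups };
}

// Table: "click any cell to filter on cell values".
function filterByCell(events, field, value) {
  return events.filter((e) => String(e[field]) === String(value));
}

// Stand-alone run: print what each widget would receive.
console.log(buildRadarBins(SAMPLE_RESULT).map((b) => `${b.minute} H${b.high} M${b.medium} L${b.low}`));
console.log(buildMarkers(SAMPLE_RESULT).map((m) => `${m.lat},${m.lon}: H${m.high} M${m.medium} L${m.low}`));
console.log(JSON.stringify(groupEvents(SAMPLE_RESULT, ["name", "sourceAddress"]), (k, v) => (k === "rows" ? undefined : v), 1));
```

The three builders share the same priority banding so the colours agree across widgets; grouping is recursive on the list of dragged headers, which is what makes "multiple grouping" and the per-level counts fall out of one function.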
Could be enhanced
Add a filter input field so the Logger search query can be customized rather than hardcoded
Add a status window showing the applied filter, app events, etc.
Allow the user to set the data refresh interval
Make regular background JSON calls to silently load data from Logger: no page reload needed, and the search time lag is hidden from the user
Access rights
Draw markers according to the network model and show regional team details (email, phone, shift timetable, etc.)
Ability to cluster events by customized map regions
Calculate statistics by region
Show different regions at different map zoom levels according to BU or SOC team structure

Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Gephi: open graph viz platform
Interactive visualization and exploration platform for all kinds of networks and complex systems, dynamic and hierarchical graphs.
Runs on Windows, Linux and Mac OS X.
Gephi is open-source and free.

HP ArcSight Interactive Discovery

HP ArcSight ESM / Express
Bad: AV can't handle
Good: one shot one kill

Gephi: virus outbreak
Bad: AV can't handle
Bad: Region creep
Good: one shot one kill

VIDEO STUB

For more information
Attend these sessions:
TB3273, Practical Examples of Big Data, Security Analytics and Visualization
TT3139, An introduction to HP ArcSight ESM web services APIs
PN3578, Security analytics panel: Hunting bad guys
After the event, download sources at: https://protect724.hp.com/docs/doc-11406
Your feedback is important to us. Please take a few minutes to complete the session survey.

Please give me your feedback
Session TT3161
Speaker: Eugene Afonin
Please fill out a survey. Hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Thank you