Purpose: Set the main domain on which the monitoring will be based
Check the List: Verify that your Main domain is listed.
Approve or Update: Confirm or add more domains if there are any.
Why Important: Most of the alerts are based on this information.
Add Main domain.
The main domain is a primary domain that serves as the central repository for user accounts, groups, computers, and other resources. It's the core domain within an organization's network infrastructure.
Some of the rules rely on the “main domain” definition to trigger alerts.
Follow the path to configure your main domain information.
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Main Domain
To access the list:
Right click on the list
Click “Show Entries”
The list will appear in the “Viewer” tab.
You must add the full domain name in upper case, as it is shown in the AD domain properties, for example “CONTOSO.COM”.
You can also check the entity's main domain in the ADE (Active Directory Enrichment) lists, if ADE is correctly installed, by following this path in ESM:
/All Active Lists/Mobula/Enrichment & Inventory/Hosts/Active Directory/Domain Controllers V2
To Set the Customer Main domain, navigate to the list:
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Main Domain
Press the “+”
In the “Inspect/Edit” window add the information:
Customer
Full Domain (UpperCase)
Click Add/Modify
To configure your main domain, follow the steps:
Go to the Options menu
Configuration
Domains
Press the “+”
Add your main domain name as it appears in AD, in upper case.
Old domain name (if there was one; otherwise leave this option empty).
Select whether it is your main domain or a child domain.
To Update the task:
Go to the Options menu
Check List
Choose “Main Domain”
Task Update
Choose the status and click save.
Inform your SOC team / Platform manager about any change or addition of child domain in your environment.
Incomplete Log Collection:
Risk: Failure to collect logs from all relevant sources can create blind spots in monitoring.
False Positives and Negatives:
Risk: Excessive false positives can lead to alert fatigue, while false negatives can result in undetected incidents.
Insufficient Incident Response:
Risk: Ineffective incident response processes can delay mitigation and recovery efforts.
Compliance Failures:
Risk: Reports based on “Main Domain” information will not be accurate.
Purpose: Configure the origin country
Check the List: Verify your origin country is added
Why Important: Excludes alerts related to the origin country.
The origin country must be configured in order to avoid false-positive (FP) alerts, such as VPN connections from an unauthorized country.
If it is not configured, or is configured incorrectly, it may cause many FP alerts.
Follow the path to check or configure this information for the entities configured in your environment.
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Origin Country
To access the list:
Right click on the list
Click “Show Entries”
The list will appear in the “Viewer” tab.
In this list you must add the “Country code” of the origin country where the main office is located.
Example: IL (write the country code, not the country name).
To Set the Customer Origin Country, navigate to the list:
/All Active Lists/Mobula/Enrichment & Inventory/Customers Informations/Customer Origin Country
Press the “+”
In the “Inspect/Edit” window add the information:
Customer
Country (UpperCase)
Click Add/Modify
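As an added example (not part of Mobula or ArcSight), a small validator that applies the two rules above (the main domain as an upper-case full domain name, the origin country as an upper-case two-letter country code) to a CSV export of the two lists. The export layout, column names and sample rows are constructed assumptions, not an ArcSight export format.

```python
import csv
import io
import re

# Constructed sample export of the two customer-information active lists.
# The column layout (Customer, Value, List) is an assumption for this example.
SAMPLE_EXPORT = """Customer,Value,List
ACME,CONTOSO.COM,Customer Main Domain
ACME,corp.contoso.com,Customer Main Domain
Globex,GLOBEX,Customer Main Domain
ACME,IL,Customer Origin Country
Globex,Israel,Customer Origin Country
Initech,us,Customer Origin Country
"""

# A full domain name: two or more dot-separated labels of letters, digits, hyphens.
FQDN_RE = re.compile(
    r"^[A-Z0-9](?:[A-Z0-9-]*[A-Z0-9])?(?:\.[A-Z0-9](?:[A-Z0-9-]*[A-Z0-9])?)+$"
)
# The origin country is stored as an upper-case two-letter code, e.g. IL.
COUNTRY_CODE_RE = re.compile(r"^[A-Z]{2}$")


def check_main_domain(value):
    """Return a problem description, or None when the entry is valid."""
    if value != value.upper():
        return "domain must be upper case as shown in AD domain properties"
    if "." not in value:
        return "must be the full domain name (e.g. CONTOSO.COM), not a NetBIOS name"
    if not FQDN_RE.match(value):
        return "not a valid domain name"
    return None


def check_origin_country(value):
    """Return a problem description, or None when the entry is valid."""
    if not COUNTRY_CODE_RE.match(value.upper()):
        return "write the two-letter country code, not the country name"
    if value != value.upper():
        return "country code must be upper case"
    return None


CHECKS = {
    "Customer Main Domain": check_main_domain,
    "Customer Origin Country": check_origin_country,
}


def validate_export(text):
    """Validate every row; return a list of (customer, list, value, problem)."""
    problems = []
    for row in csv.DictReader(io.StringIO(text)):
        check = CHECKS.get(row["List"])
        if check is None:
            continue  # other lists are out of scope for this validator
        problem = check(row["Value"].strip())
        if problem:
            problems.append((row["Customer"], row["List"], row["Value"], problem))
    return problems


if __name__ == "__main__":
    for customer, lst, value, problem in validate_export(SAMPLE_EXPORT):
        print(f"{customer}: {lst} = {value!r}: {problem}")
```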
Check the information of Origin Country using the Mobula Application and inform your SOC Team / Platform Manager if some information is missing.
If the information listed in the application is correct, please press Update Task to the “Complete” stage.
To access the information, follow the steps:
Go to the Options menu
Configuration
Company information - check if there is an origin country set, if not proceed to the next step.
At the bottom right corner click on the edit icon
Select your country and click save.
To Update the task:
Go to the Options menu
Check List
Origin country
Task Update
Choose the status and click save.
FP from certain alerts
Purpose: Ensure all Domain Controllers (DCs) are correctly configured.
Check the List: Verify if all your DCs are included.
Approve or Update: Confirm or correct the DC list.
Why Important: Covers all DCs and Networks; Related Rules
Confirm if all your DCs are included
Domain Controllers (DCs) are critical components in any organization's IT infrastructure, responsible for managing user authentication, security policies, and access control within a Windows domain.
This use case outlines the steps, monitoring best practices using SIEM (Security Information and Event Management) solutions like ArcSight, potential risks, and global recommendations for defining and maintaining DCs in your environment.
Defining DCs is crucial for your organization's monitoring: environment monitoring and certain alerts depend on this definition.
Please follow the Actions section to get started, or continue reading if you want a bigger picture of defining DCs.
Follow the path to generate a report of the DCs configured for your entities in your environment.
/All Reports/Mobula/Enrichment & Inventory/Hosts/Domain Controller Inventory
Please review your entity's report and send it to the entity so they can check whether all the DCs in the report are correct.
Note: The report takes the information from the list below:
/All Active Lists/Mobula/Enrichment & Inventory/Hosts/Active Directory/Domain Controllers V2
You must verify that ADE is successfully installed on the entity's connectors server.
If you find some DC not configured, proceed to the Assets configuration guide.
Generate a report of “Define DCs” using the Mobula Application and inform your SOC Team / Platform Manager whether all of your DCs are listed in the report.
If the information listed in the Report is correct, please press Update Task to “Complete” stage.
If you find missing details please contact your SOC Team / Platform Manager as soon as possible.
To access the report, follow the steps:
Go to the Options menu
Check List
Domain Controller Inventory
Related Report
Generate a report (the report will be sent to your email)
To Update the task:
Go to the Options menu
Check List
DC’s Verification
Task Update
Choose the status and click save.
Ensure high availability and reliability of DCs.
Enhance security and compliance with regulatory requirements.
Optimize performance and manageability of the domain infrastructure.
Domain Controller Deployment
Redundancy: Deploy multiple DCs to ensure redundancy and high availability.
Geographic Distribution: Place DCs in different physical locations to enhance resilience against site-specific failures.
Security Measures
Secure Configuration: Follow best practices for securing DCs, including disabling unnecessary services and enforcing strong password policies.
Patch Management: Regularly update DCs with the latest security patches and updates.
Access Controls: Implement strict access controls and role-based access to manage who can administer and access DCs.
Backup and Recovery
Regular Backups: Schedule regular backups of DCs, including system state and critical data.
Disaster Recovery Plan: Develop and periodically test a disaster recovery plan to ensure quick restoration of DCs in case of failure.
Performance Optimization
Resource Allocation: Ensure DCs have sufficient CPU, memory, and storage resources to handle peak loads.
Network Configuration: Optimize network settings for low latency and high throughput, particularly between DCs and clients.
Single Point of Failure
Risk: Having only one DC can lead to domain-wide outages if it fails.
Mitigation: Deploy at least two DCs for redundancy.
Unauthorized Access
Risk: Compromise of a DC can lead to unauthorized access and control over the domain.
Mitigation: Implement strong access controls, monitor for suspicious activities, and regularly audit DC configurations.
Data Corruption
Risk: Data corruption or loss on a DC can disrupt domain services.
Mitigation: Regularly back up DC data and test recovery procedures.
DDoS Attacks
Risk: DCs can be targeted by distributed denial-of-service attacks, disrupting authentication services.
Mitigation: Use network security measures such as firewalls and DDoS protection services.
Event Log Monitoring
Security Logs: Monitor security event logs on DCs for signs of unauthorized access, failed login attempts, and policy changes.
System Logs: Track system logs for hardware and software issues that could impact DC performance.
Real-Time Alerts
Configure ArcSight to generate real-time alerts for critical events such as multiple failed login attempts, changes to privileged groups, and unexpected DC reboots.
Correlation Rules
Develop and implement correlation rules in ArcSight to identify patterns indicative of potential security threats, such as coordinated login attempts from multiple IP addresses.
Anomaly Detection
Use ArcSight's anomaly detection capabilities to identify deviations from normal behavior, such as unusual login times or access patterns.
Regular Audits and Reviews
Schedule regular audits and reviews of ArcSight logs and alerts to ensure compliance with security policies and regulatory requirements.
Standardization
Develop and enforce standard configurations for all DCs to ensure consistency and ease of management.
Documentation
Maintain comprehensive documentation of DC configurations, policies, and procedures to facilitate troubleshooting and compliance audits.
Training and Awareness
Provide regular training for IT staff on best practices for managing and securing DCs, as well as how to respond to incidents identified by SIEM tools.
Continuous Improvement
Regularly review and update DC configurations, security policies, and monitoring practices to address emerging threats and evolving organizational needs.
Defining Domain Controllers in your environment involves careful planning, implementation of security measures, and ongoing monitoring to ensure reliability, performance, and security. By following the recommendations, mitigating risks, and adhering to monitoring best practices with SIEM solutions like ArcSight, you can maintain a robust and secure domain infrastructure that supports your organizational needs effectively.
Purpose: Ensure the DNS configuration is accurate and complete.
Check the List: Verify all necessary DNS servers are included.
Approve or Update: Confirm correctness or make necessary updates.
Why Important: Covers all DNS and Networks. Related rules.
Confirm if all your DNS servers are included
A well-configured Domain Name System (DNS) is essential for ensuring reliable and efficient network communication within any organization. This use case describes the steps, recommendations, risks, and monitoring best practices for setting up and maintaining DNS in your environment.
Ensure high availability and reliability of DNS services.
Enhance security by mitigating DNS-related threats.
Optimize performance and manageability of DNS infrastructure.
Waiting for a report
Verify that the DCs are configured as DNS in the Categories tab.
In ArcSight:
Navigate to the Navigator window
Under the Resources tab select “Assets”
Navigate to the entity folder under Mobula MSSP
Double click on the entity's DCs
In the Inspect/Edit window navigate to the “Categories” tab
Verify that you have Domain Name Server configured for this DC.
If not configured, click on +Add
Navigate to “Site Asset Categories > Application > Type > Domain Name Server” and check the box
Click OK and Apply
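As an added example (not Mobula or ArcSight code), a reconciliation check that serves both the “Confirm if all your DCs are included” action and the DNS category check above: it compares the DC names in the Domain Controller Inventory report with the DC list the customer's AD administrator provides, normalizing case and the main-domain suffix so that short names and FQDNs match, and flags inventory entries that lack the “Domain Name Server” category. The row layout and all host names are constructed assumptions.

```python
# Constructed sample data for the example; not output of ArcSight or ADE.
# Host names as the inventory report lists them, with the asset categories
# assigned in ESM (the "host"/"categories" keys are assumptions).
REPORT_ROWS = [
    {"host": "DC01.CONTOSO.COM", "categories": ["Domain Controller", "Domain Name Server"]},
    {"host": "dc02.contoso.com", "categories": ["Domain Controller"]},
    {"host": "DC03.CONTOSO.COM", "categories": ["Domain Controller", "Domain Name Server"]},
]

# DCs as the customer's AD administrator reports them: a mix of short names
# and FQDNs in different case, which is the usual reason a manual diff fails.
AD_DCS = ["dc01", "DC02", "dc03.contoso.com", "DC04"]

MAIN_DOMAIN = "CONTOSO.COM"  # the Customer Main Domain entry, upper case


def normalize(host, domain=MAIN_DOMAIN):
    """Upper-case a host name and strip the main-domain suffix so that
    'dc01', 'DC01' and 'dc01.contoso.com' compare equal."""
    h = host.strip().upper()
    suffix = "." + domain.upper()
    if h.endswith(suffix):
        h = h[: -len(suffix)]
    return h


def reconcile(report_rows, ad_dcs, domain=MAIN_DOMAIN):
    """Compare the ESM inventory with the AD-side DC list.

    Returns a dict with:
      missing_in_report    - DCs known to AD but absent from the ESM inventory
      unknown_in_report    - ESM entries the AD side does not recognise
      missing_dns_category - DCs present in ESM but not categorised as
                             'Domain Name Server' under Site Asset Categories
    """
    reported = {normalize(r["host"], domain): r for r in report_rows}
    expected = {normalize(h, domain) for h in ad_dcs}
    return {
        "missing_in_report": sorted(expected - reported.keys()),
        "unknown_in_report": sorted(reported.keys() - expected),
        "missing_dns_category": sorted(
            h for h, r in reported.items() if "Domain Name Server" not in r["categories"]
        ),
    }


if __name__ == "__main__":
    for finding, hosts in reconcile(REPORT_ROWS, AD_DCS).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

Anything under missing_in_report is what to raise with the SOC Team / Platform Manager before marking the task complete; missing_dns_category lists the DCs that still need the category added in the Inspect/Edit window.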
Generate a report of “Define DNS” using the Mobula Application and inform your SOC Team / Platform Manager whether all of your DNS servers are listed in the report.
If the information listed in the Report is correct, please press Update Task to “Complete” stage.
To access the report follow the steps:
Go to the Options menu
Check List
Define DNS
Related Report
Generate a report (the report will be sent to your email)
To Update the task:
Go to the Options menu
Check List
Define DNS
Task Update
Choose the status and click save.
Single Point of Failure
Risk: Relying on a single DNS server can lead to downtime if the server fails.
Mitigation: Deploy multiple redundant DNS servers and configure failover mechanisms.
DNS Spoofing and Cache Poisoning
Risk: Attackers can redirect traffic to malicious sites.
Mitigation: Implement DNSSEC and use trusted recursive resolvers.
DDoS Attacks
Risk: DNS servers can be overwhelmed by distributed denial-of-service attacks.
Mitigation: Use rate limiting, Anycast routing, and DDoS protection services.
Configuration Errors
Risk: Misconfigurations can lead to service disruptions.
Mitigation: Regularly review configurations, employ version control, and perform thorough testing before deployment.
Choose a DNS Architecture
Internal DNS Servers: For resolving internal domain names.
External DNS Servers: For public-facing services.
Hybrid Approach: Combining both internal and external DNS servers for different purposes.
DNS Server Selection
Primary DNS Servers: Use robust, secure DNS server software (e.g., BIND, Microsoft DNS).
Secondary DNS Servers: Implement redundancy with secondary servers to handle failovers.
Security Measures
DNSSEC: Implement DNS Security Extensions to protect against spoofing and man-in-the-middle attacks.
Access Controls: Restrict who can query and update DNS records.
Regular Audits: Conduct periodic security audits and vulnerability assessments.
Performance Optimization
Caching: Utilize DNS caching to reduce latency and offload queries from authoritative servers.
Load Balancing: Distribute DNS queries across multiple servers to balance load and improve performance.
Geo-Location DNS: Direct queries to the nearest server based on geographical location.
Management and Automation
Dynamic DNS (DDNS): Automate the updating of DNS records for dynamic IP addresses.
Centralized Management: Use DNS management tools (e.g., Infoblox, BlueCat) for centralized control.
Monitoring Tools: Implement DNS monitoring solutions to track performance and availability (e.g., Nagios, SolarWinds).
Real-Time Monitoring
Use tools like Nagios, Zabbix, or SolarWinds to monitor DNS server performance and availability in real-time.
Log Analysis
Collect and analyze DNS logs using SIEM (Security Information and Event Management) tools like ArcSight or the ELK Stack to detect anomalies and security incidents.
Alerting and Notifications
Set up alerts for critical events (e.g., DNS server downtime, high query latency) to ensure rapid response to issues.
Performance Metrics
Monitor key performance indicators (KPIs) such as query response time, server CPU and memory usage, and query volume.
Periodic Audits and Reviews
Conduct regular reviews and audits of DNS configurations, policies, and security settings to ensure compliance with best practices and standards.
Failover Testing
Regularly test failover and recovery processes to ensure DNS resilience and reliability during actual incidents.
Defining DNS in your environment requires careful planning, implementation of best practices, and continuous monitoring to ensure reliability, performance, and security. By following the recommendations, mitigating risks, and adhering to monitoring best practices outlined above, you can maintain a robust DNS infrastructure that supports your organizational needs effectively.
Purpose: Get information about the number of your recent alerts.
Check the List: Verify that you are familiar with these alerts.
Why Important: Gives a wide view of your alerts.
Events Report Summary is a very helpful tool to get a wide view of an entity's recent alerts.
This report can be generated occasionally or as a scheduled report.
Based on the time range you choose (the default is 24 hours), this report shows all the alerts, in any stage, that were triggered on the entity you chose to view.
Follow the path to generate a report for the entities configured in your environment.
/All Reports/Mobula/Correlations/Events Report Summary
Right click on the report from “Navigator” tab.
Run -> Report
Select a customer and click ok.
If you wish to download the report, you will need to change the format to “PDF” and “Email Format” to “Attach Report”.
For “Focused Report” (Scheduled report) read this guide - Focused Report
Please review your entity's report and send it to the entity so they can acknowledge the information provided.
Generate a report of “Events Report Summary” using the Mobula Application.
After first acknowledgement, please press Update Task to “Complete” stage.
To access the report, follow the steps:
Go to the Options menu
Check List
Events Report Summary
Related Report
Generate a report (the report will be sent to your email)
Later you can generate this report once every 24 hours by navigating to:
Options menu
Reports
Events Report Summary
Generate Report (the report will be sent to your email)
To Update the task:
Go to the Options menu
Check List
Events Report Summary
Task Update
Choose the status and click save.
Get a wide view of your alerts from any stage.
See which alert is spamming and tune it, or ask your SOC Team to tune it.
Use this report for the first time to get a better view of all “Active” stage alerts, so you know whether you can configure an action to send all active alerts to the entity's email.
At the onboarding stage we use this report to help us minimize the noise of the “active” alerts as much as possible by tuning and excluding spamming FP alerts.