Course Description

In this course, we cover how to create content in ArcSight ESM and Logger, providing students with all the skills needed to maximize the value of their data.

In this highly interactive course, students will get hands-on experience building their own content while learning all the best practices, as well as some advanced techniques.

Students who successfully complete the course will have gained an understanding of the best practices for defining, determining, analysing, building, and refining ESM content and its related resources.

Modules

1. Use Case Best Practices

   • Creating relevant use cases

   • Using your use case to guide content creation

2. Network Modeling with ArcSight ESM

   • Network characteristics and endpoint mapping

   • Asset modeling

3. Applying Filters in ArcSight ESM

   • When to use filtering

   • Effective allocation of filters to reduce load

4. Active Channels

   • Different types of active channels and when to use them

   • Testing filters and rules with active channels

5. Customizing the Dashboard with Data Monitors

   • Producing clear, useful graphics with data monitors

6. Creating Rules

   • Utilising Rule Aggregation

   • Defining Rule Actions

   • Partial Matching

7. Active & Session Lists

   • When to use active vs. session lists

   • How to effectively use both for event correlation

8. Generating Reports

   • How to export your content in meaningful, clear, and concise reports

9. Searching with Logger

   • The Logger syntax

   • Creating effective searches

Intended Audience

This course is designed for Security Professionals and SOC Administrators, who are responsible for deploying and administrating the ArcSight product suite within their environment.

Recommended Skills

• Familiarity working with command line tools

• Experience deploying applications in Windows and Linux environments

• Computer desktop, browser, and file system navigation skills

• Completion of TITAN-ARC-001: An introduction to Protective Monitoring