ArcSight-ESM-7.6-Administrator & Analyst-L3xx-ILT/VILT

Course Overview

In this introductory training, you learn how to use the ArcSight Console & ArcSight Command Center to monitor security events, configure ESM, manage users, & manage ESM network intelligence resources. You will also be introduced to triaging & resolving cases with SOAR.

Prerequisites

To be successful in this training, you should have the following prerequisites or knowledge: 

• Working knowledge of enterprise security, event, & log management

Audience Profile

This training is intended for ESM System Administrators & Analysts

Learning Objectives

On completion of this training, professionals should be able to: 

• Make ArcSight ESM operational upon initial installation
• Describe how ESM works in the context of your network
• Create user accounts
• Implement built-in content
• Populate ESM with your network & assets to identify endpoints involved in an event
• Create site-specific, business-oriented views
• Investigate, identify, analyze, & remediate exposed security issues
• Use workflow management to provide real-time incident response & escalation tracking
• Modify & run standard reports to provide situational awareness & network status
• Establish ESM peering across multiple ESM instances
• Perform distributed event search & content management

Content Outline

ESM Overview 

• Discuss what ArcSight ESM is & how it fits into a SOC

• List the problems ESM can solve

• Discuss basic processes to make an ESM installation successful

• Describe the basic ArcSight components (10’ - 100,000’ view)

• Identify basic user roles within an ArcSight installation

Command Center

• Discuss an overview of the Command Center

• Describe how to use the Site Map

• Describe how to monitor usage

• Discuss how to configure Dashboards & the different Dashlets you can add

• Describe how to use the Security Operations Center Dashboards

• Explain how to configure & view MITRE Dashboards

• Discuss how to monitor events with Active Channels

• Discuss how to view & use Field Sets

• Discuss how to view, export, & filter Active Lists

ESM Console 

• Install the ArcSight ESM Console

• Start the ArcSight ESM Console

• Use the Console Panels & Features

• Customize the ESM console

Installing and Configuring Smart Connectors

• Describe a connector

• Describe normalization

• Describe a network model

• Describe SmartConnectors

• Deploy & configure SmartConnectors

ArcSight Marketplace

• Describe what the Marketplace is

• Define Marketplace packages/use cases.

Schema, Fieldsets, & Active Channels

• Describe the ArcSight Event Schema

• Describe an Active Channel

• Describe what a fieldset is

• Describe the Event Life Cycle Filters 

• Describe Filters & Filter Types

• Create & Modify Filters

• Debug Filters

Dashboards & Data Monitors

• Identify Data Monitor types & functions

• Access & Use Dashboards

• Modify Dashboard Data Monitor Layouts

Rules & Lists 

• Describe rules & rule types

• Describe rule triggers & actions

• Describe Active Lists & Session Lists

• Create & validate rule behavior

• Create & validate Brute Force Login Attempt & Successful rules

• Create & validate Active & Session List integration rules

User Administration

• From the ArcSight Console

• Create, edit, rename, and delete user groups

• Create, edit, move, and delete users

• Manage resource permissions

• From within your ESM installation, access & modify global user password properties

Notifications 

• Describe the operation of ArcSight notifications

• Configure ArcSight notifications

Incident Response and Automation with SOAR

• Understand SOAR

• Triage cases with SOAR

• Respond to Cases with Playbooks

• Close a case

Queries & Query Viewers

• Explain Queries

• Define Query Viewers

• Explain the advantages of using Query Viewers

• Create the following functions with Query Viewers: Drilldowns, Baselines, Reports, Dashboard views

Reports 

• Define a report

• Run, view, & save a report

• Manage archived reports

Content Management & Peering

• Peer ESMs

• Perform a search on a peer

• Create a package & sync to a peer

• Manually push a package

• Verify the successful distribution of a package

Event Search 

• Describe how keyword, field-based, & pipeline searches are performed

• Describe how search results are displayed

• Use the unified Search page to initiate any type of search

• Use the Search Helper & Search Builder features to save time constructing search expressions

• Load, modify, & save search filters & saved searches

• Enable peer ESM & Logger instances for searching

FAQs

A: To attend the training session, you should have an operational desktop or laptop with the required specifications, along with a good internet connection to access the labs.

A: We would always recommend that you attend the live session to practice, clarify doubts instantly, & get more value from your investment. However, if, due to some contingency, you have to skip the class, Radiant Techlearning will help you with the recorded session of that particular day. Those recorded sessions are meant only for personal consumption & NOT for distribution or any commercial use.

A: Radiant Techlearning has a data center containing a virtual training environment for the purpose of professional hands-on practice.

Professionals can easily access these labs over the cloud with the help of a remote desktop connection.

Radiant virtual labs provide you the flexibility to learn from anywhere in the world & in any time zone.

A: Professionals will be engaged in real-world, industry-oriented projects during the training program. These projects will improve your skills & knowledge & give you better experience. These real-time projects will help you a lot in your future tasks & assignments.
