Training Overview
This training gives you the knowledge required to use advanced ArcSight ESM content to find & correlate event information, perform actions like notifying stakeholders, graphically analyze event data, & Report on security incidents. You will familiarize and/or reinforce your understanding of the advanced correlation capabilities within ArcSight ESM that provide a significant edge in detecting active attacks. This training covers ArcSight security problem-solving methodology using advanced ESM content to find, track, & re-mediate security incidents. During the training, you will use variables & correlation activities, customize report templates for dynamic content, & customize Dashboards to monitor incidents. The last day of class offers a hands-on exam. Passing the exam awards you a Certified Expert badge.
Prerequisites
To be successful in this training, you should have the following prerequisites or knowledge:
- Common security devices such as IDS & firewalls
- Common network device functions, such as routers, switches, & hubs
- TCP/IP functions such as CIDR blocks, subnets, addressing, & communications
- Basic Windows operating system tasks & functions
- Possible attack activities, such as scans, a man in the middle, sniffing, DoS, & possible abnormal activities, such as worms, Trojans, & viruses
- SIEM terminology, such as threat, vulnerability, risk, asset, exposure, & safeguards
- Completed the ArcSight ESM Administrator & Analyst training or six months of experience administering ArcSight ESM
Audience Profile
This training is intended for analysts responsible for:
• Defining their organization’s security objectives
• Building or using advanced content to correlate, view & respond to those security objectives.
Learning Objectives
Upon successful completion of this training, you should be able to:
- Navigate ArcSight ESM console & command center to correlate, investigate, analyze
- & remediate both exposed & obscure threats
- Construct ArcSight variables to provide advanced analysis of the event stream
- Develop ArcSight lists & rules to allow advanced correlation activities
- Optimize event-based data monitors to provide real-time viewing of event traffic and
- anomalies
- Design new report templates & create functional reports
- Find events through the search tools.
Content Outline
• Identify ESM Architecture
• Describe the content of the ArcSight Event Schema
• List the phases of the ArcSight Event Lifecycle
• Describe the event processing & schema population performed
during each phase of the event lifecycle
• List the resources & tools applicable to specific phases of the
event lifecycle
• Access the ArcSight ESM Command Center
• Monitor Usage Metrics
• View System Metrics
• Use the SOC/MITRE Dashboards
• Access & use Active Lists
• Utilize Field Sets
• Launch the ArcSight Console
• Identify toolbar components & their functions
• List the different views available in the Viewer panel
• Identify three methods to access Console Help
• Describe the Reference Resources & their characteristics
• Identify ESM Console preference options
• Customize your ESM Console
• Create a new Active Channel
• View the details of an event
• Identify Dynamic & Static Active Channels
• Describe Filter types & usage
• Add, edit & save Filters to an Active Channel
• Define the Common Conditions Editor
• Describe functions available in Variables
• Create both Local & Global Variables
• Promote Local to Global Variables
• Share Global Variables among multiple resources
- Identify Data Monitor types & functions
- • Create a Data Monitor
- • Access & Use Dashboards
- • Modify Dashboard Data Monitor Layouts
• Describe the differences between Active & Session Lists
• Create & validate Active & Session List integration Rules
- • Create & validate the following:
- o Rule behavior
- o Brute Force Login Attempt & Successful rules
- o Light Weight rules & Pre-Persistent rules
- • Define Queries
- • Describe Query Viewers
- • Explain the advantages of using Query Viewers
- • Create the following functions with Query Viewers
- o Drilldowns
- o Baselines
- o Reports
- o Dashboard views
• List the components in the Report Workflow
• List the different types of Reports
• Run a Report from the Navigator panel
• View an Archive Report from the Navigator panel
• Set up a scheduled Report job
• Build a Custom Report
• Build a custom Trend Report
• Describe how keyword, field-based & pipeline searches are
performed
• Describe how search results are displayed
• Use the unified Search page to initiate any type of search
• Use Search Helper & Search Builder feature to save time
constructing search expressions
• Load, modify, & save search filters & saved searches
• Enable peer ESM & Logger instances for searching
FAQs
A: To attend the training session, you should have operational Desktops or Laptops with the required specification, along with a good internet connection to access the labs.
A: We would always recommend you attend the live session to practice & clarify the doubts instantly & get more value from your investment. However, if, due to some contingency, you have to skip the class, Radiant Techlearning will help you with the recorded session of that particular day. However, those recorded sessions are not meant only for personal consumption & NOT for distribution or any commercial use.
A: Radiant Techlearning has a data center containing a Virtual Training environment for the purpose of professional hand-on-practice.
Professionals can easily access these labs over Cloud with the help of a remote desktop connection.
Radiant virtual labs provide you the flexibility to learn from anywhere in the world & in any time zone.
A: The professionals will be enthralled as we engage them the real-world & industry Oriented projects during the training program. These projects will improve your skills & knowledge & you will gain a better experience. These real-time projects will help you a lot in your future tasks & assignments.