
Discover how Micro Focus ArcSight ESM and ESM Express correlate firewall and IPS logs with vulnerability data to reveal unified, actionable security events, and review the Compliance Insight Packages and sector-specific dashboards.
Explore the Enterprise Security Manager (ESM) and ArcSight Management Center, along with ArcSight Logger, SmartConnectors, and FlexConnectors, which collect, normalize, filter, and store the logs that feed dashboards.
Download the ArcSight ESM 7.1.0.1 documentation from the Micro Focus community site to study the ArcSight architecture and the ESM correlation component; the bootcamp's hands-on lessons build on that material.
Explore ArcSight ESM's security intelligence capabilities, including correlation, anomaly detection, and network intelligence, and learn about the embedded CORR-Engine (Correlation Optimized Retention and Retrieval), user roles, and access controls.
ArcSight ESM enables situational awareness by collecting, normalizing, and filtering millions of events to support monitoring, coordination, escalation, and executive-ready reporting in a security operations context.
Explore the anatomy of ArcSight ESM, from collection sources and SmartConnectors through Management Center to Logger and the Manager, and how behavior analytics and Active Directory feeds enhance insight into user threats.
Explore ArcSight ESM SmartConnectors, which normalize severity and time zone, map source-specific formats onto a common event schema, and filter, aggregate, and categorize events before they reach the Manager.
Centralize SmartConnectors with ArcSight Management Center, manage on-premises and remote connectors through bulk updates, and use FlexConnectors and Forwarding Connectors to scale the data sources feeding ESM.
Explore how the ArcSight Manager drives correlation on top of CORR-Engine storage and real-time threat analysis, linking logs, vulnerability data, and the network model to deliver alerts and dashboards.
Engage hands-on with ArcSight SIEM by installing the console, configuring software components and connectors, and exploring active channels, dashboards, and investigation tools to build end-to-end security workflows.
Learn how priority evaluation drives incident triage through network model lookup, actor modeling, and enrichment of base events, with priority calculated from model confidence, relevance, severity, and asset criticality.
Learn correlation evaluation in ArcSight SIEM: apply filters, data monitors, and rules to normalized real-time events, generate correlation events, and use Pattern Discovery for pattern detection and alerting.
Explore how the ArcSight correlation engine tracks rule conditions, thresholds, and time-window matches, with active lists and session lists powering multi-stage correlation and the correlation events it produces.
Explore ArcSight data monitors across event-based, correlation, and non-event-based types, focusing on top-talkers dashboards, custom filters, and bar-chart visualizations with time-bucket analytics to detect anomalies.
Explore how correlation evaluation uses moving averages to establish baselines and detect anomalies in ArcSight SIEM, and see how dashboards display anomaly detection and partial matches for outbound connections.
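An added illustration of the moving-average baseline described in this lesson, not code from the course or from ArcSight: it buckets events into fixed time windows, computes the mean of the preceding buckets, and flags a bucket whose count exceeds that baseline by more than a configured percentage. The bucket series, window size, and thresholds are constructed assumptions, and the deviation logic is a simplification of the real data monitor.

```python
"""Added example (not ArcSight's own code): a simplified moving-average
baseline over fixed time buckets, in the spirit of a moving-average data
monitor. The bucket counts below are constructed."""
from statistics import mean


def bucket_counts(timestamps, start, bucket_seconds, n_buckets):
    """Count events per fixed-size bucket, the time-bucket step a data
    monitor performs before comparing a bucket against its baseline."""
    counts = [0] * n_buckets
    for ts in timestamps:
        i = (ts - start) // bucket_seconds
        if 0 <= i < n_buckets:
            counts[i] += 1
    return counts


def moving_average_alerts(counts, window, deviation_pct, min_events):
    """Flag bucket i when its count exceeds the mean of the previous
    `window` buckets by more than deviation_pct. min_events stops a jump
    from 1 to 3 connections being reported as a 200% anomaly."""
    alerts = []
    for i in range(window, len(counts)):
        baseline = mean(counts[i - window:i])
        if counts[i] < min_events:
            continue
        if baseline == 0:
            # no history to compare against: a burst from a previously
            # silent host is reported with an infinite deviation
            alerts.append((i, counts[i], 0.0, float("inf")))
            continue
        deviation = (counts[i] - baseline) / baseline * 100
        if deviation > deviation_pct:
            alerts.append((i, counts[i], baseline, deviation))
    return alerts


# Constructed: outbound connections from one host per 5-minute bucket
# over one hour; bucket 8 is a beaconing burst (assumed values).
OUTBOUND_PER_BUCKET = [8, 10, 9, 11, 10, 9, 10, 12, 45, 11, 10, 9]


def demo():
    """Four-bucket baseline, alert above 150% deviation and 10 events."""
    return moving_average_alerts(OUTBOUND_PER_BUCKET, window=4,
                                 deviation_pct=150, min_events=10)


if __name__ == "__main__":
    for bucket, count, baseline, dev in demo():
        print(f"bucket {bucket}: {count} connections, baseline {baseline}, "
              f"deviation {dev:.0f}%")
```

Note what the spike does to the baseline: bucket 9 is compared against a mean that now includes the 45-connection burst (19 instead of about 10), so a follow-on burst of 20 would be hidden. Tuning the window length, or excluding buckets that already alerted from the baseline, is the usual answer.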
Explore correlation evaluation with local and global variables and Velocity templates in ArcSight SIEM, including building event schemas, extracting domains with substring functions, and crafting time-based, formatted notifications.
Explore how ArcSight SIEM handles event types from multiple sources, normalizes them, and correlates them alongside its internal audit and status monitor events.
Learn to import the brute-force content pack from the ArcSight Marketplace into ArcSight SIEM, configure its dashboards, and detect brute-force attacks in real time from OS and application logs.
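An added example of the rule mechanics behind the active-list lesson and the brute-force lesson above (not the marketplace package and not ArcSight's own code): a threshold rule over a sliding time window, an active list with a TTL, and a second rule that fires only when a successful logon comes from a source still on that list. Event IDs 4625 and 4624 are the Windows failed and successful logon events; the sample events, window, threshold, and TTL values are constructed assumptions.

```python
"""Added example (not ArcSight's own code): two chained rules over
normalised Windows logon events, showing a threshold inside a time
window and an active list with a TTL. Sample events are constructed."""
from collections import defaultdict, deque


class ActiveList:
    """Key -> expiry timestamp; models an ESM active list with a TTL."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.entries = {}

    def add(self, key, now):
        self.entries[key] = now + self.ttl

    def contains(self, key, now):
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:            # expired entries are dropped on lookup
            del self.entries[key]
            return False
        return True


def correlate(events, window=120, threshold=5, list_ttl=3600):
    """Rule 1: >= threshold failed logons (4625) from one source within
    `window` seconds -> correlation event, and the source is added to the
    'Brute Force Sources' active list.
    Rule 2: a successful logon (4624) from a listed source while its entry
    is still live -> 'brute_force_success' correlation event."""
    failures = defaultdict(deque)        # src -> recent failure timestamps
    suspects = ActiveList(list_ttl)
    correlated = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        if ev["event_id"] == 4625:
            recent = failures[src]
            recent.append(now)
            while recent and recent[0] <= now - window:
                recent.popleft()         # slide the window forward
            if len(recent) >= threshold:
                correlated.append(("brute_force_attempt", src, now, len(recent)))
                suspects.add(src, now)
                recent.clear()           # one burst -> one correlation event
        elif ev["event_id"] == 4624 and suspects.contains(src, now):
            correlated.append(("brute_force_success", src, now, ev["user"]))
    return correlated


def evt(ts, event_id, src, user):
    """Minimal normalised logon event (assumed field names)."""
    return {"ts": ts, "event_id": event_id, "src": src, "user": user}


# Constructed: a 40-second burst from 10.0.0.5 followed by a success,
# slow failures from 10.0.0.7 that never fill the window, and a late
# success from 10.0.0.5 after its active-list entry has expired.
SAMPLE_EVENTS = (
    [evt(1000 + 10 * i, 4625, "10.0.0.5", "admin") for i in range(5)]
    + [evt(1100, 4624, "10.0.0.5", "admin")]
    + [evt(2000 + 100 * i, 4625, "10.0.0.7", "svc") for i in range(5)]
    + [evt(5000, 4624, "10.0.0.5", "admin")]
)


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The slow source 10.0.0.7 never accumulates five failures inside the 120-second window, and the success at t=5000 is ignored because the active-list entry written at t=1040 expired one hour later; both are the behaviours a tuned rule should have, and both are worth checking when you adjust the window or TTL in the real package.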
Install the Sysmon package from the Micro Focus Marketplace and integrate it with ArcSight SIEM: map Sysmon logs with the Windows FlexConnector, import the six-month assessment content, and build security dashboards.
Discover how to install ArcSight ESM on Red Hat Linux and where customers and partners obtain licenses and trial software. Understand the 10 percent storage reserve and how it determines usable space.
Practice a step-by-step ArcSight ESM 7 installation, including hostname resolution, licensing, distributed deployment setup, firewall configuration, storage sizing, and service startup.
Navigate the Micro Focus ArcSight ESM console, including the Navigator, Viewer, and Inspect/Edit panels. Access resources, packages, trends, and reports to understand configuration and data display.
Explore the ArcSight console's connectors and active channels, create a sliding or static time window, and configure an active channel with filters to view and tailor the events shown.
Align time across log sources, the ArcSight agent (SmartConnector), and ESM so that mismatched timestamps do not mislead analysis. The video adjusts the time zone to GMT+3 so that device receipt time matches agent receipt time.
Install ArcSight Logger 6.7 from the ArcSight Data Platform bundle on CentOS/Red Hat with the recommended partitioning, and configure a non-root logger user and hostname.
A step-by-step ArcSight Logger installation on CentOS: update to the latest packages, configure user limits and a non-root arcsight account, and run the installer with SSL and network settings.
Install and configure ArcSight Logger 6.7 step by step, covering license setup, initial login, password change, and a tour of dashboards, search, alerts, and the live event viewer.
Install and configure a Micro Focus SmartConnector to collect Windows event logs and other sources, normalize them to CEF, and feed ArcSight Logger for centralized dashboards.
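The normalization and time alignment described in the SmartConnector lessons and the time-fixing lesson above, as an added example that is not part of the course and not ArcSight's own code: it parses CEF lines into a flat common schema, maps named and numeric severities onto one 0-10 scale, and converts the device's wall-clock receipt time to UTC using an explicitly configured offset (GMT+3, as in the video). The two CEF lines, the schema field names, and the severity mapping are constructed assumptions for illustration.

```python
"""Added example (not ArcSight's own code): parse CEF into a flat common
schema, normalise severity to a 0-10 scale, and convert the device's
wall-clock receipt time to UTC with an explicitly configured offset.
Both sample lines below are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# CEF allows either an integer 0-10 or a named severity; map the names
# onto the same scale so rules can compare events from different senders.
NAMED_SEVERITY = {"low": 3, "medium": 6, "high": 8, "very-high": 10}

# Constructed samples: a Windows failed logon with a local wall-clock
# timestamp, and a firewall deny with an epoch-millisecond timestamp.
SAMPLE_LINES = [
    r"CEF:0|Microsoft|Microsoft Windows|6.1|4625|An account failed to log on"
    r"|Medium|rt=Jan 12 2024 10:15:02 src=10.0.0.5 suser=jdoe dhost=WS01",
    r"CEF:0|Palo Alto Networks|PAN-OS|9.1|deny|Traffic denied \| SMB|8"
    r"|rt=1705054502000 src=10.0.0.5 dst=203.0.113.9 dpt=445 proto=TCP",
]


def split_header(line):
    """Split the seven pipe-delimited header fields. A literal pipe inside
    a header field is escaped as backslash-pipe and must not split it."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    header = [p.replace("\\|", "|") for p in parts[:7]]
    header[0] = header[0][len("CEF:"):]
    return header, parts[7]


def parse_extension(ext):
    """key=value pairs; a value (which may contain spaces) runs until the
    next ' key=' token or end of line, with backslash escapes honoured."""
    out = {}
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)", ext):
        out[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return out


def device_time_to_utc(rt, device_utc_offset_hours):
    """rt is either epoch milliseconds (unambiguous) or 'MMM dd yyyy
    HH:mm:ss' in the device's local clock. The offset is what the lesson
    sets by hand; a wrong offset shifts every event by whole hours."""
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    local = datetime.strptime(rt, "%b %d %Y %H:%M:%S")
    device_tz = timezone(timedelta(hours=device_utc_offset_hours))
    return local.replace(tzinfo=device_tz).astimezone(timezone.utc)


def normalise_severity(sev):
    if sev.isdigit():
        return max(0, min(10, int(sev)))
    return NAMED_SEVERITY[sev.lower()]


def normalise(line, device_utc_offset_hours=0):
    """One CEF line -> flat dict in the (assumed) common schema."""
    header, ext = split_header(line)
    event = dict(zip(CEF_HEADER_FIELDS, header))
    event.update(parse_extension(ext))
    event["agent_severity"] = normalise_severity(event["severity"])
    if "rt" in event:
        utc = device_time_to_utc(event["rt"], device_utc_offset_hours)
        event["device_receipt_time_utc"] = utc.isoformat()
    return event


def normalise_samples(device_utc_offset_hours=3):
    """Normalise the constructed samples with the offset the video sets."""
    return [normalise(line, device_utc_offset_hours) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in normalise_samples():
        print(ev["device_vendor"], ev["signature_id"], ev["agent_severity"],
              ev["device_receipt_time_utc"])
```

With the offset set to 3, the Windows failed logon lands at 07:15:02 UTC; with the default offset of 0 the same wall-clock reading lands three hours later, which is exactly the mismatch the time-fixing lesson corrects. The firewall line carries epoch milliseconds and needs no offset at all, one reason to prefer sources that emit absolute time.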
Learn to ingest data into ArcSight Logger, turn searches into dashboards, and drill into Windows logs with context-based analysis, creating saved searches and dynamic time frames.
Do you want to enter the SIEM field?
Do you want to learn one of the leading SIEM technologies?
Do you want to understand the concepts and gain hands-on experience with Micro Focus ArcSight SIEM?
Then this course is designed for you.
In baby steps, you will learn Micro Focus ArcSight SIEM.
A new section has been added for ArcSight Logger that includes:
Micro Focus ArcSight Logger Installation (4 lectures)
Micro Focus ArcSight Logger GUI Demystified
Ingesting Data in Logger and Creating Dashboards (2 lectures)
The course covers the following lessons:
Import Brute Force package from ArcSight marketplace
Import Sysmon package from ArcSight marketplace
What is SIEM
ArcSight SIEM
ESM Enables Situational Awareness
ESM Anatomy
SmartConnectors
ArcSight Manager & CORR-Engine Storage
User Interfaces & Use Cases
Interactive Discovery & Pattern Discovery
ESM on an Appliance & Logger & ArcSight Solutions
Life Cycle of an Event Through ESM
Data Collection and Event Processing - Collect & Normalize Event Data
Data Collection and Event Processing - Apply Event Categories
Data Collection and Event Processing - Look up Customer and Zone in Network Model
Data Collection and Event Processing - Filter and Aggregate Events & Managing SmartConnector Configurations
Priority Evaluation and Network Model Lookup
Workflow
Correlation Evaluation - Correlation Overview & Filters & Rules
Correlation Evaluation - How Rules are Evaluated & How Rules Use Active & Session Lists
Correlation Evaluation - Data Monitors
Correlation Evaluation - How Correlation Uses Local and Global Variables & Velocity Templates
Correlation Evaluation - Event Types
Fixing Time of Log Source
Forgotten ESM Account Password and Disabled Account