Course Overview
This course provides you with the knowledge required to use advanced ArcSight ESM content to find and correlate event information, perform actions such as notifying stakeholders, graphically analyze event data, and report on security incidents. You will familiarize and/or reinforce your understanding of the advanced correlation capabilities within ArcSight ESM that provide a significant edge in detecting active attacks. This course covers ArcSight security problem solving methodology using advanced ESM content to find, track, and re-mediate security incidents. During the training, you will use variables and correlation activities, customize report templates for dynamic content, and customize Dashboards to monitor incidents. The last day of class offers a hands-on exam. Passing the exam awards you with Certified Expert badge.
Moyens d'évaluation :
- Quiz pré-formation de vérification des connaissances (si applicable)
- Évaluations formatives pendant la formation, à travers les travaux pratiques réalisés sur les labs à l’issue de chaque module, QCM, mises en situation…
- Complétion par chaque participant d’un questionnaire et/ou questionnaire de positionnement en amont et à l’issue de la formation pour validation de l’acquisition des compétences
Who should attend
This course is intended for analysts responsible for:
- Defining their organization’s security objectives
- Building or using advanced content to correlate, view and respond to those security objectives.
Prerequisites
To be successful in this course, you should have the following prerequisites or knowledge:
- Common security devices such as IDS and firewalls
- Common network device functions, such as routers, switches, and hubs
- TCP/IP functions such as CIDR blocks, subnets, addressing, and communications
- Basic Windows operating system tasks and functions
- Possible attack activities, such as scans, man in the middle, sniffing, DoS, and possible abnormal activities, such as worms, Trojans, and viruses
- SIEM terminology, such as threat, vulnerability, risk, asset, exposure, and safeguards
- Completed the ArcSight ESM Administrator and Analyst course or 6 months experience administering ArcSight ESM
Course Objectives
Upon successful completion of this course, you should be able to:
- Navigate ArcSight ESM console and command center to correlate, investigate, analyze and remediate both exposed and obscure threats
- Construct ArcSight variables to provide advanced analysis of the event stream
- Develop ArcSight lists and rules to allow advanced correlation activities
- Optimize event-based data monitors to provide real-time viewing of event traffic and anomalies
- Design new report templates and create functional reports
- Find events through the search tools.
Course Content
Module 1: ESM Overview
- Identify ESM Architecture
- Describe the content of the ArcSight Event Schema
- List the phases of the ArcSight Event Lifecycle
- Describe the event processing and schema population performed during each phase of the event lifecycle
- List the resources and tools applicable to specific phases of the event lifecycle
Module 2: Command Center
- Access the ArcSight ESM Command Center
- Monitor Usage Metrics
- View System Metrics
- Use the SOC/MITRE Dashboards
- Access and use Active Lists
- Utilize Field Sets
Module 3: ArcSight Console
- Launch the ArcSight Console
- Identify toolbar components and their functions
- List the different views available in the Viewer panel
- Identify three methods to access Console Help
- Describe the Reference Resources and their characteristics
- Identify ESM Console preference options
- Customize your ESM Console
Module 4: Active Channels
- Create a new Active Channel
- View the details of an event
- Identify Dynamic and Static Active Channels
Module 5:Filters
- Describe Filter types and usage
- Add, edit and save Filters to an Active Channel
- Define the Common Conditions Editor
Module 6: Variable Customization
- Describe functions available in Variables
- Create both Local and Global Variables
- Promote Local to Global Variables
- Share Global Variables among multiple resources
Module 7:Data Monitors and Dashboards
- Identify Data Monitor types and functions
- Create a Data Monitor
- Access and Use Dashboards
- Modify Dashboard Data Monitor Layouts
Module 8:ESM Lists
- Describe the differences between Active and Session Lists
- Create and validate Active and Session List integration Rules
Module 9: ESM Rules
- Create and validate the following:
- Rule behavior
- Brute Force Login Attempt and Successful rules
- Light Weight rules and Pre-Persistent rules
Module 10:Query Viewers Authoring
- Define Queries
- Describe Query Viewers
- Explain the advantages of using Query Viewers
- Create the following functions with Query Viewers
- Drilldowns
- Baselines
- Reports
- Dashboard views
Module 11:ESM Reports
- List the components in the Report Workflow
- List the different types of Reports
- Run a Report from the Navigator panel
- View an Archive Report from the Navigator panel
- Set up a scheduled Report job
- Build a custom Report
- Build a custom Trend Report
Module 12:Unified Event Search Tools
- Describe how keyword, field-based and pipeline searches are performed
- Describe how search results are displayed
- Use the unified Search page to initiate any type of search
- Use Search Helper and Search Builder features to save time constructing search expressions
- Load, modify, and save search filters and saved searches
- Enable peer ESM and Logger instances for searching
Moyens Pédagogiques :