Course summary
This course teaches you how to configure ArcSight SOAR to receive alerts, integrate with other products, and create Playbooks.
Assessment methods:
- Pre-training quiz to check prior knowledge (if applicable)
- Formative assessments during the training, through hands-on lab exercises at the end of each module, multiple-choice quizzes, scenario exercises…
- Completion by each participant of a questionnaire and/or a placement questionnaire before and at the end of the training, to validate the acquisition of skills
Who this course is for
This course is designed for Security Content Developers, who may be Analysts or Administrators.
Prerequisites
This course assumes some familiarity with ArcSight ESM, but it is not required.
Objectives
At the end of this course, you should be able to:
- Understand ArcSight SOAR
- Set up SOAR to receive alerts
- Understand SOAR workflow
- Understand SOAR integrations
- Understand SOAR Users, Groups and SSO
- Manage SOAR cases
- Filter, classify, consolidate, and dispatch cases
- Automate response with workflow playbooks
- Understand SOAR System status
- Monitor using SOAR Dashboards & reports
Content
Module 1: Introduction to ArcSight SOAR
- Challenges faced by Organizations
- What is the ArcSight SOAR?
- ArcSight SOAR Features
- Deployment Overview of ArcSight SOAR
- Accessing ArcSight SOAR
Module 2: Setting up SOAR to Receive Alerts
- Install a Forwarding Connector on ESM
- Configure a Forwarding Connector User and Web User on ESM
- Configure Pre-persistent rule to Tag the Events Forwarded to SOAR
- Add an ESM Alert Source on SOAR
- Add an ESM Integration on SOAR
Module 3: Understand SOAR Workflow
- Understanding the SOAR Workflow
- Processing ESM Alerts with SOAR
- Rule Name Filters
- Classification
- Consolidation
- Dispatching Cases
- Automating Case Handling Using Playbooks
Module 4: SOAR Integrations Overview
- SOAR Integrations Overview
- SOAR Integrations Capabilities
- Use Cases & Benefits
- Integrating SOAR with MISP
- Integrating SOAR with VirusTotal
Module 5: SOAR Users, Groups, SSO
- Creating User Groups in Fusion
- Creating Users in Fusion
- Importing Existing Users from ESM
- User Roles and Assigning Permissions
- ACLs in SOAR
Module 6: SOAR Case Management
- Understanding the SOAR Cases User Interface
- Viewing Case Details
- Managing Cases in SOAR
Module 7: Filtering, Classifying, Consolidating, and Dispatching Cases
- Filtering Alerts For Case Creation
- Classifying Cases on SOAR
- Consolidating Alerts to Create Cases
- Dispatching Cases
Module 8: Automating Responses with Workflow Playbooks
- What are Playbooks?
- Working with Playbooks
- Workflow Playbooks
- Scheduled Playbooks
- Managing Triggers
- Handling Manual Processes Through Tasks
- Out of The Box Workflows
Module 9: SOAR System Status
- Alerts
- Action and Rollback Queues
- Action History
- Enrichment History
- Process Queues
- Troubleshooting
Module 10: Monitoring Using SOAR Dashboards and Reports
- Reports in Fusion
- ArcSight SOAR Standard Content Resources
- Schedule and Export Reports
- Running SOAR Legacy Reports (Jasper Reports)
Teaching methods: