Visio Drawings – Arcsight Enterprise Security Manager Notes
November 24, 2022
Visio document downloads
Arcsight Architectural Diagram.vsd
Arcsight Log Retrieval.vsd
Arcsight Netscreen Log Retrieval.vsd
Arcsight Enterprise Security Manager is a security event manager that analyzes and correlates events to provide insight into a large scale network.
The Arcsight correlation appliance resides in the Core Engine Layer of the Arcsight deployment topology.
The appliance is logged into directly via the Arcsight Console application.
While the correlation engine combines the data feeds from the Arcsight loggers, it does not correlate all of the data.
The Arcsight Console components
The main Arcsight components are broken down into four pieces.
Functions:
Save, Stop / Play
Ping & Trace Route (Careful use)
Real-time correlated data
The event tab displays all detected fields for the Arcsight event
The details tab provides wiki-style information for the Arcsight event
The annotations tab tracks the analysis process of the Arcsight event
The payload tab will contain the PCAP data of the event.
The active channel function of the inspect / edit panel contains two core functions Attribute & Filter.
The attributes tab establishes the environment variables (such as the time span) of the active channel, while the filter tab establishes the internal working conditions and search criteria.
The inspect / edit panel also controls the criteria of reports and the queries that drive each report.
The query will establish the parameters, much like the filter in an active channel; whereas the report will establish the overall output construct of the query.
The detection of suspicious events, whether from an intelligence tipper, FireEye alert, or some other means can be aggregated by Arcsight ESM into a detailed report or an actively monitored channel.
Arcsight to external intelligence actions
The use of Arcsight as a DDoS defense tool significantly increases Corporate Cyber Defense's combat effectiveness.
With Arcsight, Corporate Cyber Defense can identify the malicious IPs attacking an infected web server via both firewall and Netscaler events.
These IPs are then sent to the perimeter security group to be blocked by the firewalls. The objective is for all malicious traffic to be blocked at both the ISP level and the firewall level, preventing it from reaching internal corporate resources.
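As an added illustration (not ArcSight's own rule language, and not code from these notes), the following Python sketch shows what a correlation rule for the workflow above does: it takes constructed firewall and Netscaler events, keeps only source IPs that burst in both feeds within a short window, and returns the candidate list that would be handed to the perimeter security group. The event tuples, feed names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, feed, source IP).
# The feed name identifies which device reported the event.
SAMPLE_EVENTS = [
    # Bursting in both feeds: a correlation rule should flag this IP.
    ("2022-11-24T10:00:01", "firewall", "203.0.113.5"),
    ("2022-11-24T10:00:40", "netscaler", "203.0.113.5"),
    ("2022-11-24T10:01:15", "firewall", "203.0.113.5"),
    ("2022-11-24T10:01:50", "netscaler", "203.0.113.5"),
    ("2022-11-24T10:02:30", "firewall", "203.0.113.5"),
    ("2022-11-24T10:03:05", "netscaler", "203.0.113.5"),
    # Seen only by the firewall: not corroborated by the Netscaler feed.
    ("2022-11-24T10:00:05", "firewall", "198.51.100.7"),
    ("2022-11-24T10:00:06", "firewall", "198.51.100.7"),
    ("2022-11-24T10:00:07", "firewall", "198.51.100.7"),
    # Seen by both feeds, but too slowly to count as a burst.
    ("2022-11-24T09:00:00", "firewall", "192.0.2.9"),
    ("2022-11-24T09:30:00", "firewall", "192.0.2.9"),
    ("2022-11-24T10:00:00", "firewall", "192.0.2.9"),
    ("2022-11-24T10:00:10", "netscaler", "192.0.2.9"),
    ("2022-11-24T10:20:00", "netscaler", "192.0.2.9"),
    ("2022-11-24T10:40:00", "netscaler", "192.0.2.9"),
]

REQUIRED_FEEDS = {"firewall", "netscaler"}


def _burst(times, window, threshold):
    """True if at least `threshold` events fall inside one sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def correlate_ddos_sources(events, window=timedelta(minutes=5), threshold=3):
    """Return source IPs that burst in BOTH feeds, sorted, as block candidates."""
    per_ip = defaultdict(lambda: defaultdict(list))  # ip -> feed -> [timestamps]
    for ts, feed, ip in events:
        per_ip[ip][feed].append(datetime.fromisoformat(ts))
    flagged = []
    for ip, feeds in per_ip.items():
        if not REQUIRED_FEEDS.issubset(feeds):
            continue  # only one device saw it; needs corroboration
        if all(_burst(feeds[f], window, threshold) for f in REQUIRED_FEEDS):
            flagged.append(ip)
    return sorted(flagged)
```

The hand-off list is the only thing the rule produces; the actual blocking stays with the perimeter security group and the ISP, as the notes describe.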