ArcSight ESM Administrator and Analyst

ArcSight ESM Administrator and AnalystASEAAAMFOpenTextMF-ASEAAA24.1On completion of this course, participants should be able to: <ul> <li>Make ArcSight ESM operational upon initial installation</li><li>Describe how ESM works in the context of your network</li><li>Create user accounts</li><li>Implement built-in content</li><li>Populate ESM with your network and assets to identify endpoints involved in an event</li><li>Create site-specific business-oriented views</li><li>Investigate, identify, analyze, and remediate exposed security issues</li><li>Use workflow management to provide real-time incident response and escalation tracking</li><li>Modify and run standard reports to provide situational awareness and network status</li><li>Establish ESM peering across multiple ESM instances</li><li>Perform distributed event search and content management</li></ul>NoneAnalysts, Content Engineers, Business AdministratorsModule 1: ESM Overview <ul> <li>Discuss what ArcSight ESM is and how it fits into a SOC</li><li>List the problems ESM can solve</li><li>Discuss basic processes to make an ESM installation successful</li><li>Describe the basic ArcSight components (10' - 100,000' view)</li><li>Identify basic user roles within an ArcSight Installation</li></ul>Module 2: Command Center <ul> <li>Discuss an overview of the Command Center</li><li>Describe how to use the Site Map</li><li>Describe how to monitor usage</li><li>Discuss how to configure Dashboards and the different Dashlets you can add</li><li>Describe how to use the Security Operations Center Dashboards</li><li>Explain how to configure and view MITRE Dashboards</li><li>Discuss how to monitor events with Active Channels</li><li>Discuss how to view and use Field Sets</li><li>Discuss how to view, export, and filter Active Lists</li></ul>Module 3: ESM Console <ul> <li>Install the ArcSight ESM Console</li><li>Start the ArcSight ESM Console</li><li>Use the Console Panels and Features</li><li>Customize the ESM console</li></ul>Module 4: Installing and Configuring ArcSight Connectors <ul> <li>Describe a connector</li><li>Describe normalization</li><li>Describe a network model</li><li>Describe SmartConnectors</li><li>Deploy and configure SmartConnectors</li></ul>Module 5: ArcSight Marketplace <ul> <li>Describe what is the Marketplace</li><li>Define Marketplace packages/use cases</li></ul>Module 6: Schema, Fieldsets, and Active Channels <ul> <li>Describe the ArcSight Event Schema</li><li>Describe an Active Channel</li><li>Describe what a field set is</li><li>Describe the Event Life Cycle</li></ul>Module 7: Filters <ul> <li>Describe Filters and Filter Types</li><li>Create and Modify Filters</li><li>Debug Filters</li></ul>Module 8: Dashboards & Data Monitors <ul> <li>Identify Data Monitor types and functions</li><li>Access and Use Dashboards</li><li>Modify Dashboard Data Monitor Layouts</li></ul>Module 9: Rules & Lists <ul> <li>Describe rules and rule types</li><li>Describe rule triggers and actions</li><li>Describe Active Lists and Session Lists</li><li>Create and validate rule behavior</li><li>Create and validate Brute Force Login Attempt and Successful rules</li><li>Create and validate Active and Session List integration rules</li></ul>Module 10: User Administration <ul> <li>Create, edit, rename, delete user groups</li><li>Create, edit, move, delete users</li><li>Manage resource permissions</li><li>Access and modify global user password properties</li></ul>Module 11: Notifications <ul> <li>Describe the operation of ArcSight notifications</li><li>Configure ArcSight notifications</li></ul>Module 12: Incident Response and Automation with SOAR <ul> <li>Understand SOAR</li><li>Triage cases with SOAR</li><li>Respond to Cases with Playbooks</li><li>Close a case</li></ul>Module 13: Queries and Query Viewers <ul> <li>Explain Queries</li><li>Define Query Viewers</li><li>Explain the advantages of using Query Viewers</li><li>Create the following functions with Query Viewers: Drilldowns, Baselines, Reports, Dashboard views</li></ul>Module 14: Reports <ul> <li>Define a report</li><li>Run, view, and save a report</li><li>Manage archived reports</li></ul>Module 15: Content Management and Peering <ul> <li>Peer ESMs</li><li>Perform a search on a peer</li><li>Create a package and sync to a peer</li><li>Manually push a package</li><li>Verify successful distribution of a package</li></ul>Module 16: Event Search <ul> <li>how keyword, field-based and pipeline searches are performed</li><li>Describe how search results are displayed</li><li>Use the unified Search page to initiate any type of search</li><li>Use Search Helper and Search Builder features to save time constructing search expressions</li><li>Load, modify, and save search filters and saved searches</li><li>Enable peer ESM and Logger instances for searching</li></ul>On completion of this course, participants should be able to: - Make ArcSight ESM operational upon initial installation - Describe how ESM works in the context of your network - Create user accounts - Implement built-in content - Populate ESM with your network and assets to identify endpoints involved in an event - Create site-specific business-oriented views - Investigate, identify, analyze, and remediate exposed security issues - Use workflow management to provide real-time incident response and escalation tracking - Modify and run standard reports to provide situational awareness and network status - Establish ESM peering across multiple ESM instances - Perform distributed event search and content managementNoneAnalysts, Content Engineers, Business AdministratorsModule 1: ESM Overview - Discuss what ArcSight ESM is and how it fits into a SOC - List the problems ESM can solve - Discuss basic processes to make an ESM installation successful - Describe the basic ArcSight components (10' - 100,000' view) - Identify basic user roles within an ArcSight Installation Module 2: Command Center - Discuss an overview of the Command Center - Describe how to use the Site Map - Describe how to monitor usage - Discuss how to configure Dashboards and the different Dashlets you can add - Describe how to use the Security Operations Center Dashboards - Explain how to configure and view MITRE Dashboards - Discuss how to monitor events with Active Channels - Discuss how to view and use Field Sets - Discuss how to view, export, and filter Active Lists Module 3: ESM Console - Install the ArcSight ESM Console - Start the ArcSight ESM Console - Use the Console Panels and Features - Customize the ESM console Module 4: Installing and Configuring ArcSight Connectors - Describe a connector - Describe normalization - Describe a network model - Describe SmartConnectors - Deploy and configure SmartConnectors Module 5: ArcSight Marketplace - Describe what is the Marketplace - Define Marketplace packages/use cases Module 6: Schema, Fieldsets, and Active Channels - Describe the ArcSight Event Schema - Describe an Active Channel - Describe what a field set is - Describe the Event Life Cycle Module 7: Filters - Describe Filters and Filter Types - Create and Modify Filters - Debug Filters Module 8: Dashboards & Data Monitors - Identify Data Monitor types and functions - Access and Use Dashboards - Modify Dashboard Data Monitor Layouts Module 9: Rules & Lists - Describe rules and rule types - Describe rule triggers and actions - Describe Active Lists and Session Lists - Create and validate rule behavior - Create and validate Brute Force Login Attempt and Successful rules - Create and validate Active and Session List integration rules Module 10: User Administration - Create, edit, rename, delete user groups - Create, edit, move, delete users - Manage resource permissions - Access and modify global user password properties Module 11: Notifications - Describe the operation of ArcSight notifications - Configure ArcSight notifications Module 12: Incident Response and Automation with SOAR - Understand SOAR - Triage cases with SOAR - Respond to Cases with Playbooks - Close a case Module 13: Queries and Query Viewers - Explain Queries - Define Query Viewers - Explain the advantages of using Query Viewers - Create the following functions with Query Viewers: Drilldowns, Baselines, Reports, Dashboard views Module 14: Reports - Define a report - Run, view, and save a report - Manage archived reports Module 15: Content Management and Peering - Peer ESMs - Perform a search on a peer - Create a package and sync to a peer - Manually push a package - Verify successful distribution of a package Module 16: Event Search - how keyword, field-based and pipeline searches are performed - Describe how search results are displayed - Use the unified Search page to initiate any type of search - Use Search Helper and Search Builder features to save time constructing search expressions - Load, modify, and save search filters and saved searches - Enable peer ESM and Logger instances for searching5 jours4000.00