| Question |
| What is os platform available for archsight ? |
| Answer |
| |
| For ARCSIGHT ESM V6.5SP1 Red Hat Enterprise Linux (RHEL) 6.4 Workstation 64-bit Red Hat Enterprise Linux (RHEL) 6.5 Workstation 64-bit Microsoft Windows Server 2008 R2 (SP1) 64-bit7 Microsoft Windows 8/8.1 64-bit Microsoft Windows 7 SP18 64-bit |
| |
| Question |
| What all components it has and what are their role? |
| Answer |
| ESM – The ArcSight Manager is the heart of the solution. It is a Java-based server that drives analysis, workflow, and services. It also correlates output from a wide variety of security systems. Smart Connector – SmartConnectors gather and process event data from end devices and pass it to the Manager. ArcSight Console – The ArcSight Console is a workstation-based interface intended for analyst and admins. It is the authoring tool for building filters,rules, reports, Pattern Discovery, dashboards and data monitors. It is also the interface for administering users and workflow. |
| |
| Question |
| How the Arcsight architecture works? |
| Answer |
| Individual SmartConnectors and/or a Connector Appliance gather and process event data from network devices and pass it to the Manager. The Manager processes and stores event data in the CORR-Engine. Users monitor events in ArcSight Web, and manage user groups and the CORR-Engine storage using the ArcSight Command Center, and develop content and perform advanced investigation on the ArcSight Console. A comprehensive series of optional products provide forensic-quality log management, network management and instant remediation, regulatory compliance, and advanced event analysis. |
| |
| Question |
| What are connectors? |
| Answer |
| SmartConnectors, hosted individually, or as part of an ArcSight Connector Appliance, are the interface to the objects on your network that generate correlation-relevant data on your network. After collecting event data from network nodes, they normalize the data in two ways: normalizing values (such as severity, priority, and time zone) into a common format, and normalizing the data structure into a common schema. SmartConnectors can then filter and aggregate events to reduce the volume of events sent to the Manager, which increases ESM’s efficiency and accuracy, and reduces event processing time. SmartConnectors also support commands that can execute commands on the local host, such as instructing a scanner to run a scan. SmartConnectors also add information to the data they gather, such as looking up IP and/or host names in order to resolve IP/host name lookup at the Manager. |
| |
| Question |
| How the Licensing is done in Archsight? is it based on no. of devices or the EPS or any other data? |
| Answer |
| All market leading SIEMs license based on EPS. ArcSight also take deveices count. |
| |
| Question |
| What is special feature in archsight which makes it top siem product . |
| Answer |
| MSSP Support, Custom device integration, filtering in agent level, more number of device type support. No other product have agent level filter. |
| |
| Question |
| Wow Archsight is comparable with others SIEM tools available in market viz. RSA envision, McAfee ESM etc. ? |
| Answer |
| All other SIEMs does not have separate full-fledged console for admin and analysis purpose. Also other SIEMs doesn’t have SmartConnectors which will do the following functionalities. Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit. Save network bandwidth and storage space by filtering out data you know will not be needed for analysis. Parse individual events and normalize them into a common schema (format) for use by ESM. Aggregate events to reduce the quantity of events sent to the Manager. |
| |
| Question |
| How is the dataflow in the arc sight? |
| |
| Answer |
| |
| End devices forwards events to smart connectors(for some devices smart connector pull events from end devices) -> smart connectors does aggregation, normalization, filtering and forward events to Manager -> Manager do correlation using rules and generate incidents. |
| |
| Question |
| Can you please share the Arcsight Dashboard and the functions? |
| Answer |
| Dashboards display indicators that communicate the state of your enterprise as reported by SmartConnectors from data sources on your network. Dashboards are made up of individual data monitors and/or query viewers in a variety of graphical and tabular formats that summarize the event flow and communicate the effect of event traffic on specific systems on the network, or display the status of ESM components. The Security Activity Statistics dashboard is just one of the standard dashboards that displays a variety of system status data monitors, which communicate the overall state of your network security Also you can create customized dashboards as per the envioronment. |
| |
| Question |
| |
| Where is the data stored primarily in ArcSight : ESM or Logger? |
| Answer |
| If there is no Logger in your environment ESM will store all datas. If Logger available storing data in Logger is advisable. |
| |
| Question |
| What are devices we can monitor using Arcsight? |
| Answer |
| We can monitor any devices which all are generating logs. If ArcSight connectors support the logs we can directly use smart connectors. For other non-supported devices we have to develop custom connectors. |
| |
| Question |
| Do we have any best practices available for ArcSight deployment or implementation? |
| |
| Answer |
| |
| Currently Logger best practices only available and you can get it from the following site. https://protect724.hp.com/ |
| |
| Question |
| How ArcSight will considered an IP address is from particular country?? |
| Answer |
| It also consider locations from asset module. Also it uses MaxMind data which will update thru AUP updates. |
| |
| Question |
| What is Arcsight Corr engine? |
| Answer |
| The Correlation Optimized Retention and Retrieval (CORR) Engine is a proprietary data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches. Events are stored in the CORR-Engine’s event retention period, where correlation operations take place, then copied daily into archives for long-term storage. In all other SIEMs corr engine is correlation engine including ArcSight previous versions(before 6.0) |
| |
| Question |
| |
| Why only syslog will pushes loges to manager automatically and why not other? |
| Answer |
| Major network, security devices and UNIX platforms supports syslog. Windows uses WMI. Also syslog will provide real-time push with very less delay. Other methods are file push, snmp and etc.. File push method is no real-time. |
