| Question |
| What is ArcSight ? |
| Answer |
| Arcsight is one of the SIEM Tool use to Monitor the Network. |
| |
| Question |
| What is SIEM ? |
| Answer |
| |
| Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. |
| |
| Question |
| What are the general monitoring parameters for middleware applications like sharepoint? |
| Answer |
| Application logs, access logs can be monitor. In backend if the application is using database then database audit logs can be monitor |
| |
| Question |
| What all parameters can be monitored using the tool ? |
| |
| Answer |
| This is based on the device logs… For example if its a firewall then all the traffic and configuration logs can be monitor. |
| |
| Question |
| List out the features of SIEM? |
| |
| Answer |
| Log management, Log monitoring, Dashboard, pattern discovery, Asset modeling and many more features |
| |
| Question |
| Using ArcSight how can we secure our application environment? |
| Answer |
| Since Arcsight is an SIEM tool where we can monitor the logs for any vulnerabilities. So by using this Arcsight we can alert to the application owner for suspicious activity….. |
| |
| Question |
| |
| What is the diff bw SIEM,SIM and SEM |
| |
| Answer |
| Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system. |
| |
| Question |
| Why to use Arcsight, when other tools like RSA and Q-Radar available in market ? |
| |
| Answer |
| Arcsight is a agent based SIEM Tool. Compare to RSA, Arcsight is user friendly tool. Based on the requirement we can select the tool. |
| |
| Question |
| Difference between arcsight express & ESM |
| Answer |
| Arcsight Express is a Appliance based and ESM is an ApplicationSoftware based |
| |
| Question |
| Why we need to use ArcSight ? |
| Answer |
| For log management and Live log monitoring wch helps us to identify the suspicious traffic |
| |
| Question |
| |
| From architecture standpoint, what all components do we have we have in archsight ? |
| |
| Answer |
| |
| For ESM: We should have Manager and database server, Console which is used to monitor the logs, Web browser, Arcsight web server, and agent |
| |
| Question |
| Is there any provision in Arcsight which can check the connectivity between server to monitoring asset. |
| |
| Answer |
| We need to enable device monitoring option at connector level. Also buy seeing the connector status we can identify the connection. |
| |
| Question |
| What is the difference between Arcsight logger and Smart Connector? |
| |
| Answer |
| |
| Arcsight logger is an appliance or Application which is used to store the logs for longer days. Smart connector is connector/agent used to collect the logs. |
| |
| Question |
| What is the major difference b/w Arcsight and RSA Envision tool |
| |
| Answer |
| arcsight is agent based Tool and RSA is a agent less based Tool |
| |
| Question |
| Which is the arcsight smart connecor for sharepoint? |
| Answer |
| Arcsight have some 300+ default smart connector. For SharePoint we don’t have smart connector hence we need to develop Flex connector |
| |
| Question |
| |
| What is the difference b/w correlation,aggregation,normalization. |
| Answer |
| Correlation: Logically linking events based on multiple conditions. A rule can have one or more conditions. If there is one condition, the rule acts as a filtering tool. If there is more than one condition, the rule acts as a correlation tool. A rule can be created for any incoming event from one or more event generators, with various conditions, logic statements, and thresholds. Aggregation: Aggregation is a composition technique for building a new event from one or more existing events that support some or all of the new event’s conditions. Normalization: This will convert Raw events to CEF Common event format |
| |
| Question |
| |
| What are the components of arcsight from architecture standpoint ? |
| Answer |
| its already answered |
| |
| Question |
| |
| what is difference between logger and arcsight |
| Answer |
| its already answered |
| |
| Question |
| Is this arcsight application available on net for practice ?? |
| Answer |
| no… |
| |
| Question |
| What is Basic knowledge required to monitor these tools ,as in technical knowledge ?? |
| Answer |
| |
| Basic security and network knowledge…. |
| |
| Question |
| Is SIEM is software based or hardware based? |
| Answer |
| |
| both are available…. Its completely based on the type tool/vendor…. |
| |
| Question |
| |
| It is resticted to network and security device monitring ? |
| Answer |
| no… we can monitor security , network, application and own house application also… |
| |
| Question |
| Heard about connectors, logger and all. Can you please brief about that? |
| Answer |
| connector: its is used to collect the logs and push towards the arcsight database server. Logger is used to collect the logs from the collector and also it can store the logs |
| |
| Question |
| Whether from arc sight we can detect Zero day attacks? if yes How? |
| |
| Answer |
| yes … but we need to analyzing logs… also with the help of Patter discovery…. |
| |
| Question |
| How is smart connector different from RSA collector appliance ? |
| Answer |
| RSA collector appliance is a windows based servers… and Arcsight collectorconnector is a application where we can install on any OS flavors…. |
| |
| Question |
| Is Storage device can be support by ArcSight |
| |
| Answer |
| yes… |
| |
| Question |
| What are the minimum requirment for implementing the tool in a new enviroment ? |
| Answer |
| Prerequisites will vary based on the end devices…. |
| |
| Question |
| What is latest version of arcsight and on what is the base OS for the same. |
| Answer |
| 6.5C it will Linux 6.2 Red hat…. |
| |
| Question |
| In Arcsight Have on box or off box collectors? |
| |
| Answer |
| |
| Both…. |
| |
| Question |
| |
| Can u pls tel me how the dataflow in Arcsight tool.. |
| Answer |
| end device to-collector–to- Arcsight Manager -to–Arcsight database |
| |
| Question |
| What is Connector, Logger?? Is it related to ESM? |
| |
| Answer |
| connector and logger is explained already ….Yes both are related to ESM…But based on the Setup…. |
| |
| Question |
| |
| What are the ports to be opened for logger and SmartConnectors? |
| |
| Answer |
| In between Logger and smart connector — Https 443 |
| |
| Question |
| whether this tool will only identify the suspicious traffic or it will block/rectify traffic ? |
| Answer |
| Its monitoring tool.We can’t block the traffic through the Arcsight… |
| |
| Question |
| Can we integrate Arcsight with WIPS? |
| Answer |
| Yes,we have Arcsight smart connector. |
| |
| Question |
| What is the difference between flex connector and smart connector ? |
| Answer |
| smart connector is a Arcsight Default connector and Flex connector is Customized connector. |
| |
| Question |
| Can you suggest some good books/links to learn about ArcSight. |
| Answer |
| ESM 101 document..https://protect724.arcsight.com |
| |
| Question |
| How we can take the configuration backup.. |
| |
| Answer |
| Through packages and also through database. |
| |
| Question |
| What is ArcSight Manager?How does it works? |
| Answer |
| The Manager is the heart of the ESM solution. It is a Java-based server that drives analysis, workflow, and services. The Manager is portable across a variety of operating systems and hardware platforms. It also correlates output from a wide variety of security systems. The Manager writes events to the Database as they stream into the system. It simultaneously processes them through the correlation engine, which evaluates each event with network model and vulnerability information to develop real-time threat summaries. |
| |
| Question |
| In arcsight which tools are comes under SEM and SIM |
| Answer |
| ESM and Express BoX is under SIM. Logger is SEM |
| |
| Question |
| What is the difference between active list & session list ? Need some clarity. |
| Answer |
| Active lists are configurable tables that collect specified fields of event data to enable cross-referencing during correlation. Active lists serve as a community bulletin board for tracking specific event data over long periods (days or weeks) so it can be available on demand for correlation. Session: Its used to monitor Login and Logout information |
| |
| Question |
| whether auto-ticketing capability is available in arcsight. |
| |
| Answer |
| Yes |
