ArcSight SIEM Interview Questions

ArcSight Interview Questions

Question
What is ArcSight?
Answer
ArcSight is one of the SIEM tools used to monitor the network.
 
Question
What is SIEM?
Answer
 
Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security.
 
Question
What are the general monitoring parameters for middleware applications like SharePoint?
Answer
Application logs and access logs can be monitored. In the backend, if the application uses a database, then the database audit logs can be monitored as well.
 
Question
What parameters can be monitored using the tool?
Answer
This is based on the device logs. For example, if it is a firewall, then all the traffic and configuration logs can be monitored.
 
Question
List the features of SIEM.
Answer
Log management, log monitoring, dashboards, pattern discovery, asset modeling and many more features.
 
Question
Using ArcSight, how can we secure our application environment?
Answer
Since ArcSight is a SIEM tool, we can monitor the logs for any vulnerabilities. So by using ArcSight we can alert the application owner to suspicious activity.
 
Question
What is the difference between SIEM, SIM and SEM?
 
Answer
Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.
 
Question
Why use ArcSight when other tools like RSA and QRadar are available in the market?
Answer
ArcSight is an agent-based SIEM tool. Compared to RSA, ArcSight is a user-friendly tool. Based on the requirement we can select the tool.
 
Question
What is the difference between ArcSight Express and ESM?
Answer
ArcSight Express is appliance-based and ESM is application/software-based.
 
Question
Why do we need to use ArcSight?
Answer
For log management and live log monitoring, which helps us to identify suspicious traffic.
 
Question
From an architecture standpoint, what components do we have in ArcSight?
Answer
For ESM: we should have the Manager and database server, the Console which is used to monitor the logs, a web browser, the ArcSight web server, and the agent.
 
Question
Is there any provision in ArcSight which can check the connectivity between the server and the monitored asset?
Answer
We need to enable the device monitoring option at the connector level. Also, by looking at the connector status we can identify the connection state.
 
Question
What is the difference between ArcSight Logger and SmartConnector?
Answer
ArcSight Logger is an appliance or application which is used to store the logs for longer periods. SmartConnector is the connector/agent used to collect the logs.
 
Question
What is the major difference between ArcSight and the RSA enVision tool?
Answer
ArcSight is an agent-based tool and RSA is an agentless tool.
 
Question
Which is the ArcSight SmartConnector for SharePoint?
Answer
ArcSight has some 300+ default SmartConnectors. For SharePoint we don't have a SmartConnector, hence we need to develop a FlexConnector.
 
Question
What is the difference between correlation, aggregation and normalization?
Answer
Correlation: Logically linking events based on multiple conditions. A rule can have one or more conditions. If there is one condition, the rule acts as a filtering tool. If there is more than one condition, the rule acts as a correlation tool. A rule can be created for any incoming event from one or more event generators, with various conditions, logic statements, and thresholds.
Aggregation: Aggregation is a composition technique for building a new event from one or more existing events that support some or all of the new event's conditions.
Normalization: This converts raw events to CEF (Common Event Format).
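The normalization step above, shown as an added example that is not ArcSight code and not part of the original Q&A: a few constructed firewall syslog lines (hypothetical device, constructed values) are mapped to CEF-style field names, serialised as a `CEF:0` line with the header and extension escaping the format requires, and parsed back. The vendor/product strings and the signature IDs are assumptions chosen for the example.

```python
import re

# Constructed raw firewall syslog lines (hypothetical device; not from any real product)
RAW_EVENTS = [
    "<134>Mar 10 12:00:01 fw01 kernel: DENY IN=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51514 DPT=22",
    "<134>Mar 10 12:00:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=198.51.100.4 PROTO=TCP SPT=40000 DPT=443",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(raw):
    """Normalization step: map one raw syslog line onto CEF-style field names."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % raw)
    action, _, rest = m.group("msg").partition(" ")
    kv = dict(KV_RE.findall(rest))
    return {
        "deviceHostName": m.group("host"),
        "act": action.lower(),
        "deviceInboundInterface": kv.get("IN"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, equals sign and line breaks must be escaped
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(fields, vendor="ExampleVendor", product="ExampleFW", version="1.0"):
    """Serialise normalised fields as a CEF:0 line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    denied = fields.get("act") == "deny"
    sig_id = "deny" if denied else "accept"          # assumed signature IDs for the example
    name = "Connection denied" if denied else "Connection accepted"
    severity = 5 if denied else 1
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    ext = " ".join("%s=%s" % (k, _esc_ext(v)) for k, v in fields.items() if v is not None)
    return "CEF:0|" + header + "|" + ext


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep`, leaving backslash-escaped characters untouched."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse a CEF line into (list of the 7 header fields, extension dict)."""
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = [_unescape(p) for p in parts[:7]]
    ext, ext_text = {}, parts[7]
    # Keys are unescaped "name=" tokens at the start or after whitespace; a value runs up to the next key
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_text))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[km.group(1)] = _unescape(ext_text[km.end():end].strip())
    return header, ext


if __name__ == "__main__":
    for raw in RAW_EVENTS:
        print(to_cef(normalize(raw)))
```

The escaping rules are the part that breaks in home-grown FlexConnector parsers: a pipe inside a header field or an equals sign inside an extension value shifts every field after it unless it is escaped, so the round trip `parse_cef(to_cef(...))` is worth keeping as a unit test.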
 
Question
What are the components of ArcSight from an architecture standpoint?
Answer
It's already answered.
 
Question
What is the difference between Logger and ArcSight?
Answer
It's already answered.
 
Question
Is this ArcSight application available on the net for practice?
Answer
No.
 
Question
What basic knowledge is required to monitor these tools, as in technical knowledge?
Answer
Basic security and network knowledge.
 
Question
Is SIEM software-based or hardware-based?
Answer
Both are available. It's completely based on the type of tool/vendor.
 
Question
Is it restricted to network and security device monitoring?
Answer
No. We can monitor security, network, application and in-house applications also.
 
Question
I have heard about connectors, Logger and so on. Can you please give a brief about those?
Answer
Connector: it is used to collect the logs and push them towards the ArcSight database server. Logger is used to collect the logs from the collector and it can also store the logs.
 
Question
Can we detect zero-day attacks from ArcSight? If yes, how?
Answer
Yes, but we need to analyze the logs, also with the help of pattern discovery.
 
Question
How is SmartConnector different from the RSA collector appliance?
Answer
The RSA collector appliance is a Windows-based server, and the ArcSight collector/connector is an application which we can install on any OS flavor.
 
Question
Can storage devices be supported by ArcSight?
Answer
Yes.
 
Question
What are the minimum requirements for implementing the tool in a new environment?
Answer
Prerequisites will vary based on the end devices.
 
Question
What is the latest version of ArcSight and what is the base OS for the same?
Answer
6.5C; it will be Red Hat Linux 6.2.
 
Question
In ArcSight, do we have on-box or off-box collectors?
Answer
Both.
 
Question
Can you please tell me how the data flows in the ArcSight tool?
Answer
End device -> Collector -> ArcSight Manager -> ArcSight Database
 
Question
What are Connector and Logger? Are they related to ESM?
Answer
Connector and Logger are explained already. Yes, both are related to ESM, but it depends on the setup.
 
Question
What are the ports to be opened for Logger and SmartConnectors?
Answer
Between Logger and SmartConnector: HTTPS 443
 
Question
Will this tool only identify the suspicious traffic, or will it block/rectify traffic?
Answer
It's a monitoring tool. We can't block the traffic through ArcSight.
 
Question
Can we integrate ArcSight with WIPS?
Answer
Yes, we have an ArcSight SmartConnector for it.
 
Question
What is the difference between FlexConnector and SmartConnector?
Answer
SmartConnector is an ArcSight default connector and FlexConnector is a customized connector.
 
Question
Can you suggest some good books/links to learn about ArcSight?
Answer
The ESM 101 document: https://protect724.arcsight.com
 
Question
How can we take the configuration backup?
Answer
Through packages and also through the database.
 
Question
What is ArcSight Manager? How does it work?
Answer
The Manager is the heart of the ESM solution. It is a Java-based server that drives analysis, workflow, and services. The Manager is portable across a variety of operating systems and hardware platforms. It also correlates output from a wide variety of security systems. The Manager writes events to the Database as they stream into the system. It simultaneously processes them through the correlation engine, which evaluates each event with network model and vulnerability information to develop real-time threat summaries.
 
Question
In ArcSight, which tools come under SEM and SIM?
Answer
ESM and Express Box are under SIM. Logger is SEM.
 
Question
What is the difference between active list and session list? Need some clarity.
Answer
Active lists are configurable tables that collect specified fields of event data to enable cross-referencing during correlation. Active lists serve as a community bulletin board for tracking specific event data over long periods (days or weeks) so it can be available on demand for correlation. Session list: it is used to monitor login and logout information.
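The correlation and aggregation definitions given earlier (a rule with one condition acts as a filter, a rule with several conditions plus a threshold correlates, aggregation folds matching events into one) and the active-list cross-referencing described here, as one added example that is not ArcSight code and not part of the original Q&A. The event stream, rule names, thresholds and TTL are constructed for the illustration; the engine keys its windows by source address, which is an assumption, not how ESM stores rule state.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed, already-normalised authentication events (ts = seconds from an arbitrary origin)
EVENTS = [
    {"ts": 0,  "name": "auth_failure", "src": "10.0.0.5", "user": "alice"},
    {"ts": 5,  "name": "auth_failure", "src": "10.0.0.5", "user": "alice"},
    {"ts": 9,  "name": "auth_failure", "src": "10.0.0.5", "user": "alice"},
    {"ts": 20, "name": "auth_success", "src": "10.0.0.9", "user": "bob"},
    {"ts": 30, "name": "auth_failure", "src": "10.0.0.5", "user": "alice"},
    {"ts": 31, "name": "auth_failure", "src": "10.0.0.5", "user": "alice"},
    {"ts": 40, "name": "auth_success", "src": "10.0.0.5", "user": "alice"},
]


def aggregate(events, keys, window):
    """Aggregation: fold events sharing the same `keys` within `window` seconds into one event."""
    out, open_buckets = [], {}
    for ev in events:
        k = tuple(ev.get(x) for x in keys)
        bucket = open_buckets.get(k)
        if bucket is not None and ev["ts"] - bucket["ts"] <= window:
            bucket["baseEventCount"] += 1
            bucket["endTime"] = ev["ts"]
            continue
        bucket = dict(ev, baseEventCount=1, endTime=ev["ts"])
        open_buckets[k] = bucket
        out.append(bucket)
    return out


class ActiveList:
    """Active list: keyed entries with a time-to-live that rules add to and cross-reference."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # key -> expiry timestamp

    def add(self, key, now):
        self.entries[key] = now + self.ttl

    def contains(self, key, now):
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:          # expired entry: evict lazily
            del self.entries[key]
            return False
        return True


@dataclass
class Rule:
    name: str
    conditions: List[Callable]           # one condition = filter, several = correlation
    threshold: int = 1                   # matching events needed within `window` to fire
    window: int = 0
    on_fire: Optional[Callable] = None   # action, e.g. add the source to an active list

    def matches(self, ev, ctx):
        return all(cond(ev, ctx) for cond in self.conditions)


class Engine:
    def __init__(self, rules, ctx):
        self.rules, self.ctx = rules, ctx
        self.buffers = defaultdict(deque)   # (rule name, src) -> timestamps of matches
        self.alerts = []

    def process(self, ev):
        for rule in self.rules:
            if not rule.matches(ev, self.ctx):
                continue
            q = self.buffers[(rule.name, ev.get("src"))]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > rule.window:   # drop matches outside the window
                q.popleft()
            if len(q) >= rule.threshold:
                self.alerts.append({"rule": rule.name, "src": ev.get("src"), "ts": ev["ts"], "count": len(q)})
                if rule.on_fire:
                    rule.on_fire(ev, self.ctx)
                q.clear()


def build_rules():
    is_failure = lambda ev, ctx: ev["name"] == "auth_failure"
    is_success = lambda ev, ctx: ev["name"] == "auth_success"
    internal = lambda ev, ctx: ev["src"].startswith("10.")
    flagged = lambda ev, ctx: ctx["suspicious"].contains(ev["src"], ev["ts"])
    return [
        Rule("any_failure", [is_failure]),                            # single condition: a filter
        Rule("bruteforce", [is_failure, internal], threshold=5, window=60,
             on_fire=lambda ev, ctx: ctx["suspicious"].add(ev["src"], ev["ts"])),
        Rule("success_after_bruteforce", [is_success, flagged]),      # cross-references the active list
    ]


def run(events=EVENTS):
    ctx = {"suspicious": ActiveList(ttl=600)}   # assumed TTL for the example
    engine = Engine(build_rules(), ctx)
    for ev in events:
        engine.process(ev)
    return engine.alerts, ctx["suspicious"]


if __name__ == "__main__":
    for alert in run()[0]:
        print(alert)
    print(aggregate(EVENTS, ("name", "src"), 60))
```

The `any_failure` rule fires on every failure because one condition is just a filter; `bruteforce` only fires once five matches fall inside its 60-second window and then writes the source into the active list, so the later `success_after_bruteforce` rule can link a successful login back to earlier failures it never saw itself. That hand-off through the list is what the Q&A means by cross-referencing during correlation.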
 
Question
Is auto-ticketing capability available in ArcSight?
Answer
Yes.