Arcsight Deployment Question

Hello Gurus,  i am a newbie to Acsight.

I have a small dilema regarding Arcsight Zones. In my company's Arcsight enterprise environment, we have some departments that have similar IP address ranges which is a problem for SOC analyst  folks, in that they sometimes can't  distingush event sources.

My question is,if you define  for example, your engineering department in your company as in Arcsight, but in that engineering department you have,sub-departments,( like QA dept  for eg) that have its own separate Vlan and IP address ranges, what's the best practices for identifying  those small separate departments within the Engineering zone in Arcsight ?

Anybody run into similar problems before?

Thank you.


  • You can use networks and zones to solve your problem.  In your networks, you put high level entities like engineering dpt, sales dpt, ... .  These entities can have overlapping IP ranges.  Then you create zones within these networks where you define your IP ranges.

    In some situation it might cause some issues depending on your setup.  For instance, if you collect logs from two different parts of your network using overlapping ranges on the same connector, the connector will use the first network defined in its list to make the zoning.  To avoid that, use separate connectors for overlapping ranges ( you can also work with mapping files but it's quite hard to maintain so I don't recommend it).  That being said, except if your network is a complete mess, it shouldn't happen very often. 


  • Dear Frank,

    I really hate give a RTFM answers, but after you read corresponding parts in ArcSight 101, User and Administrator guides - you will surely understand that there is no such "problem" in ESM.

    However, if you're on tight schedule or really not into reading manuals you may find these two presentations helpful: