ArcSight ESM in 4 Hours
20190408 Received requests privatly if I had an update to this document.
Rather than wait till 100% perfect, here is the draft for V7 MicroFocus Branded Version
Original Post: HP ArcSight ESM in 4 Hours is now available
It is the companion to is now available. That document had over 3,600 views in its two posts combined.
I created this document years ago when I was challenged by a CIO to prove how "Easy" ESM really was.
Our competitors constantly tried to say that ArcSight was hard to use, and that simply was not the case. My own personal experience in the government exposed me to several competitors and quickly found that when you want to get past the "Easy" correlations, there was simply no match to power ArcSight ESM. ArcSight ESM remains the workhorse of leading SOCs around the world. Simply put, it was, is and will remain the best real-time correlation engine in the world.
I created the first draft of this document for that CIO and he walked thru it in "4 hours" with me. Hence the title of the document. (They became a customer)
I offer this up to you for your own use.
It has been used at HP to provide an introduction to new employees as well as numerous other companies that have requested this document from me.
Let me be CLEAR, this is not intended to replace your professional training.. I did take off, fly and land a Cesna aircraft without hundreds of hours of training. But I can assure you that I would probably crash an F15 before it even got off the ground. ANYTHING with power capabilities need to be fully understood, but that does not make it HARD.
ArcSight ESM is "Enterprise Software" complete with all the activities that surround that class of software.
INVEST in training. Invest in professional services to get you started.
But please feel free to use this as a quick introduction to solving an actual use case from start to finish.
This is by no means a complete document. I add more to it, when time comes free.
As always I welcome your feedback.
Thank you for sharing your work. When I first started using ArcSight ESM and Logger, I waited for your updated Logger document, which once released was very helpful as an Analyst using Logger for the first time. I've posted this and the new ESM document on our internal document store so all our folks can hopefully read and learn from your efforts.
People often post and ask: Where can I find video's, and document for new users?' This should help them out quite a bit.
-= Bruce D. Meyer
This is a very good document to show you how ESM is working. But ESM is just a part of the solution and when people are saying that Arcsight is hard to use it is because they are talking about the entire solution and not just ESM.
Viewing the data in ESM and doing corelation etc is the easy part, getting the data in ESM correctly is the hard part. Also one of the strengh of Arcsight is categorization but since all the files related to it are encrypted then categorization is not working properly mainly bacause it is not updated as it should be. Ex: Fortigate 5.4 and above not been updated for over a year and not working.
Another part that is very important is your network model and most of the time people dont do it and in the same process lose a lot of advantage from ESM.
Just my opinion.
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Thank you for your comments.
The document was designed to only address the creation of a use case from start to finish.
You are certainly correct that I do not cover ALL the capabilites of ESM, however I will certainly consider adding a few pages on the network model, asset model and user model. I wish I had the skill set to be a writer, and had the time to create a better document.
I would ike to piviot to your comment about Fortigate.
I did a search in our JIRA system and found numerous JIRA's regarding Fortigate Categorization. Each ticket I viewed showed that it was waiting on customer samples. The most recent contribution from the UK was corrupted and the customer has been asked to provide another sample. Perhaps you could assist support by filing a ticket (if you have not already done so) and provide the samples that development is looking for. We certainly want to get to a successful resolution for Fortigate.
I hear your message about Fortigate cleary, but let's remove support issues from this thread.