Lieutenant Commander

Arcsight Admin/Analyst Interview questions

There are so many well-experienced people in this community. They know each and every aspect of the Arcsight SIEM tool, and they might be taking many interviews.

As a beginner in Arcsight, I and many other beginners in this group want your help with this.

Kindly start a discussion on Arcsight interview questions.

7 Replies
Fleet Admiral

Hi Shafi,

It does not matter whether the product is ArcSight or another SIEM. The main point here is how you analyse the problem and find a solution.

Cheers

Gayan

Lieutenant Commander

Hi Gayan,

Thanks for your reply. You are right, but it is a general answer. I am expecting a detailed discussion on the possible interview questions we can expect when we are going to attend an interview for a SOC analyst/admin position.

Absent Member.

You can expect many different questions related to your person, technical insight, experience and so on.

There is no right or wrong answer here.

Just be yourself and stay honest. Personally, I would rather hire a junior that is eager to learn, can work in a team and shows interest in doing a great job, willing to work as a team player, instead of a more experienced person that acts like a lone wolf and wants to show off how good they are all the time, with an "I'm the rock star" attitude.

Try to find out as much as you can about the company and the tools you will work with.

Good luck with your interviews.

Absent Member.

I appreciate your honest post; however, the person interviewing you for ArcSight would have seen this thread and might not ask those questions that are posted here as replies!

I suggest you go through the 101 and admin documents, which are more than enough, and if you can afford to build some VMs yourself, test all the functionality. Keep an eye on the questions/threads here and try to see if you can find an answer to those problems.

This will indirectly prepare you not only for the interview but post-interview as well!

Cadet 2nd Class

If you want to prepare for an interview where you are expected to know ArcSight, my best advice is to learn ArcSight.  If people just post questions and answers here and someone memorizes them without having any idea what they are doing they are not being fair to the company that is looking to fill the ArcSight position.  Then the company will hire an unqualified person (or someone who has misrepresented their skills) and they will be unsuccessful.  That will give ArcSight a bad reputation as being difficult and a poor product (because the fraudulent hire will certainly not be honest as to his or her lack of skills).

So if you care about ArcSight as a community and you want it to remain a valuable solution on the marketplace, I kindly ask that no one post any interview questions and answers here.

Fleet Admiral

Some great suggestions here and I strongly recommend you follow them.

However, one point I will always push is to consider what an 'indicator' is. It's too easy to fall into the trap of considering a SIEM (any for that matter, not just ArcSight) as just like an expensive IDS / IPS. It's not. A SIEM is there to fill in the gaps and to add intelligence to what you are seeing; it's all about the indicator.

Indicators are built up by triggering one or more rules and contribute with other indicators to help you prioritize. Sounds complicated, but it makes sense when you see it in action. For example, you lock your account out by forgetting your password: 3 times and a locked account. Logs go into the SIEM. You will have a bunch of rules that will trigger, but is it an attack? Actually, probably not. But if you were tripped up trying to access some dodgy malware site last week, and have tried multiple accounts on different servers, well, that's a different matter!! Suddenly we have a bigger view and picture of what is going on and, yeah, now you are the bad guy and we want to monitor.

It's quite complicated when you apply this to a real scenario, but understanding this approach is key to understanding a SIEM and how it can actually deliver value, and that's any SIEM, not just ArcSight. Getting the value out of ArcSight is then about using the power of the technology available, such as active lists, session lists, variables, multi-faceted rules, trends and dashboards. Add these things together and suddenly you have a powerful platform to build out!

I talk about the 'lightbulb moment' when people are learning ArcSight. Some get it from day one, but most take a month or two. But it's like in a cartoon: suddenly you see the lightbulb turning on and suddenly they get it. They understand how to think, approach use cases and how to solve complex monitoring problems. This is what ArcSight is about and why it's so powerful. And when you get that, the 'how' and 'where' becomes irrelevant.
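The post above describes indicators as the sum of several rules firing on related events: a lockout alone is noise, but a lockout plus last week's malware-site visit plus logon attempts against several accounts and servers is worth an analyst's time. The following is an added example, written for this thread and not taken from ArcSight or from the poster; it models that idea as a tiny correlation engine in Python. The event fields, rule thresholds, weights and sample events are all constructed assumptions, chosen only to show how low-value signals combine into a prioritised indicator per source address.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalised log event (constructed shape, not an ArcSight schema)."""
    ts: int             # seconds since epoch
    kind: str           # "auth_fail", "account_lockout" or "web_proxy"
    user: str
    src: str            # address the activity came from; we correlate per source
    target: str = ""    # host the logon was attempted against
    category: str = ""  # proxy categorisation, e.g. "malware"


# Rule weights and the correlation window are assumptions for the example.
WEIGHTS = {"lockout": 1, "malware_site": 3, "account_spray": 4}
LOOKBACK = 7 * 86400  # events from the past week contribute to the indicator


def rule_lockout(evs):
    """Fires on an explicit lockout or on 3+ failures against one account."""
    if any(e.kind == "account_lockout" for e in evs):
        return True
    fails = defaultdict(int)
    for e in evs:
        if e.kind == "auth_fail":
            fails[e.user] += 1
    return any(n >= 3 for n in fails.values())


def rule_malware_site(evs):
    """Fires if the source reached a site the proxy categorised as malware."""
    return any(e.kind == "web_proxy" and e.category == "malware" for e in evs)


def rule_account_spray(evs):
    """Fires on failures spread over several accounts or several hosts."""
    fails = [e for e in evs if e.kind == "auth_fail"]
    users = {e.user for e in fails}
    targets = {e.target for e in fails}
    return len(users) >= 3 or len(targets) >= 2


RULES = {
    "lockout": rule_lockout,
    "malware_site": rule_malware_site,
    "account_spray": rule_account_spray,
}


def priority(score):
    """Map a summed weight to a triage bucket (thresholds are assumptions)."""
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def evaluate(events, now, lookback=LOOKBACK):
    """Group in-window events by source and sum the weights of rules that fire."""
    by_src = defaultdict(list)
    for e in events:
        if 0 <= now - e.ts <= lookback:
            by_src[e.src].append(e)
    result = {}
    for src, evs in by_src.items():
        fired = [name for name, rule in RULES.items() if rule(evs)]
        score = sum(WEIGHTS[n] for n in fired)
        result[src] = {"score": score, "priority": priority(score), "indicators": fired}
    return result


# Constructed sample: alice forgets her password; 10.0.0.9 visited a malware
# site five days ago and is now failing logons as three users on three hosts;
# 10.0.0.7 had a burst of failures three weeks ago, outside the window.
NOW = 1_700_000_000
SAMPLE = [
    Event(NOW - 300, "auth_fail", "alice", "10.0.0.5", target="fileserver"),
    Event(NOW - 240, "auth_fail", "alice", "10.0.0.5", target="fileserver"),
    Event(NOW - 180, "auth_fail", "alice", "10.0.0.5", target="fileserver"),
    Event(NOW - 170, "account_lockout", "alice", "10.0.0.5", target="fileserver"),
    Event(NOW - 5 * 86400, "web_proxy", "bob", "10.0.0.9", category="malware"),
    Event(NOW - 600, "auth_fail", "bob", "10.0.0.9", target="fileserver"),
    Event(NOW - 500, "auth_fail", "carol", "10.0.0.9", target="dc01"),
    Event(NOW - 400, "auth_fail", "dave", "10.0.0.9", target="mailsrv"),
    Event(NOW - 390, "account_lockout", "dave", "10.0.0.9", target="mailsrv"),
    Event(NOW - 20 * 86400, "auth_fail", "erin", "10.0.0.7", target="dc01"),
    Event(NOW - 20 * 86400 + 1, "auth_fail", "erin", "10.0.0.7", target="dc01"),
    Event(NOW - 20 * 86400 + 2, "auth_fail", "erin", "10.0.0.7", target="dc01"),
]

if __name__ == "__main__":
    for src, r in evaluate(SAMPLE, NOW).items():
        print(f"{src}: {r['priority']} (score {r['score']}) <- {r['indicators']}")
```

Run as a script it reports 10.0.0.5 as low (only the lockout rule fires) and 10.0.0.9 as high, with all three rules contributing, while 10.0.0.7 never appears because its events fall outside the lookback window. In a real SIEM the per-source grouping and the week-long memory would be carried by an active or session list rather than an in-memory dictionary, but the shape of the logic is the same.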

Fleet Admiral

I guess these questions will be asked, but I can't point to ones specifically for ArcSight only.

Explain what the role of an information security analyst is.

Mention what data leakage is. What are the factors that can cause data leakage?

List out the steps to successful data loss prevention controls.

Mention what personal traits you should consider when protecting data.

Explain what the 80/20 rule of networking is.

Have you ever created SIEM content?

Have you ever conducted a forensic investigation?

Do you have experience configuring OS-specific host policies to identify, monitor, and provide an alert on any changes to data, files, and systems?

Cheers

Gayan.
