Absent Member.

Trying to understand ArcSight categorization

Hello all,

I am trying to understand how ArcSight does categorization. Let me explain myself.

In our environment I can see many "category technique -> Scan" in our firewall events or "Category significance -> Recon". How is it possible for ArcSight to categorize one firewall event as a Scan or a Recon? To do that, I guess the system would need more events, not only one.

I have read the whitepaper and it does not shed any light on it.

Thanks in advance,

Absent Member.

ArcSight categorization works pretty straightforwardly: it maps a signature name to a set of categories, that's it. Don't expect to see any deep packet inspection analysis.

You can learn about it in more detail by reading the Flex Connector documentation, which explains it in detail.

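An added illustration of the per-event lookup the reply describes (example code written for this thread, not ArcSight's own categorizer or its shipped mapping files): the CSV column layout is assumed to resemble a connector categorization file, and the signature IDs and category values are constructed.

```python
import csv
import io

# Constructed sample in the assumed shape of a connector categorization CSV:
# one row per device event class ID (the signature), "set.event.*" columns
# hold the category values applied to any event carrying that signature.
CATEGORIZATION_CSV = """\
event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categorySignificance,set.event.categoryOutcome
deny,/Host/Application/Service,/Access,,/Informational/Warning,/Failure
portscan,/Host/Application/Service,/Access/Start,/Scan,/Recon,/Attempt
accept,/Host/Application/Service,/Access,,/Informational,/Success
"""


def load_categorization(text):
    """Build {deviceEventClassId: {category field: value}} from the CSV text."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row.pop("event.deviceEventClassId")
        # Drop the "set.event." prefix; an empty cell means the field is not set.
        table[key] = {k.replace("set.event.", "", 1): v for k, v in row.items() if v}
    return table


def categorize(event, table):
    """Categorize one event in isolation.

    The only input is the event's own signature ID. No other events are consulted,
    which is why a single firewall event whose signature is mapped to /Scan shows
    categoryTechnique=/Scan on its own: the vendor's signature already said "scan",
    and the mapping just translates that into ArcSight's category fields.
    Unmapped signatures are passed through with no category fields added.
    """
    out = dict(event)
    out.update(table.get(event.get("deviceEventClassId"), {}))
    return out


if __name__ == "__main__":
    # Constructed events; 192.0.2.0/24 is documentation address space.
    mapping = load_categorization(CATEGORIZATION_CSV)
    for ev in [{"deviceEventClassId": "portscan", "sourceAddress": "192.0.2.10"},
               {"deviceEventClassId": "deny", "sourceAddress": "192.0.2.11"},
               {"deviceEventClassId": "not-in-mapping"}]:
        print(categorize(ev, mapping))
```

Whether a real deployment labels a given firewall event as /Scan therefore depends entirely on which signature the device sent and how that signature is mapped in the connector's categorization files.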