Trying to understand ArcSight categorization
I am trying to understand how ArcSight does categorization. Let me explain myself.
In our environment I can see many "category technique -> Scan" in our firewall events or "category significance -> Recon". How is it possible for ArcSight to categorize one firewall event as a Scan or a Recon? To do that I guess the system would need more events, not only one.
I have read the whitepaper and it does not shed any light on it.
Thanks in advance,
ArcSight categorization works pretty straightforwardly: it maps a signature name to a set of categories, that's it. Don't expect to see any deep packet inspection analysis.
You can learn about it in more detail by reading the Flex Connector documentation, which explains it in detail.