nbadgujar
New Member.
550 views

What Next after arcsight installation

I want to know, once we have installed ArcSight, what we should configure next, like connectors, zones, assets, rules, etc.

Is there any document for this?

0 Likes
8 Replies
Aleccese Absent Member.

Re: What Next after arcsight installation

For sure you should have some incoming events in your SIEM (I suppose that by "arcsight" you mean the ESM), so you have to install some connectors and get some events. After that (but also before everything else) I can suggest reading the "ESM 101" manual.

Bye

Alex

0 Likes
Knowledge Partner

Re: What Next after arcsight installation

Yes ESM 101.

One of the most important parts that a lot of people don't configure is the Network Model and Asset Model.

0 Likes
Aleccese Absent Member.

Re: What Next after arcsight installation

Sure, and their SIEM produces thousands of false positive correlated events.

0 Likes
nbadgujar
New Member.

Re: What Next after arcsight installation

Thanks Eric & Aleccese for the reply.

Actually we are going to implement a new ArcSight setup for our new client.

This is the first time I am going to implement it.

So once I have installed ArcSight and the SmartConnector, what should I do next?

Should I define the network model and asset model first ... what should be my next step ...

0 Likes
Aleccese Absent Member.

Re: What Next after arcsight installation

Naresh, I believe you have to read the documentation and study what you are doing, because it's a bit difficult to provide such information in a forum. You are asking us to explain to you how to implement the whole project, but users in this forum should help on a specific and finite problem. For example, consider that installing the SmartConnector is also not just a matter of copying the binaries onto a server. You should configure them...

Thanks for understanding

Alex

0 Likes
g38 Respected Contributor.
Respected Contributor.

Re: What Next after arcsight installation

1 - you need to send some events from end systems and services to ESM (connectors)

2 - need to configure your network model (zones, organizations, etc.)

3 – create model access to work with ESM

4 – write content (rules)

5 – create: reports, notifications, etc.

6 – create a model for working with cases, and if you need, write a policy (how and what needs investigation for some events)

0 Likes
ateeshbhat Trusted Contributor.

Re: What Next after arcsight installation

Hi Naresh,

To begin with, do the log baseline for the devices you wish to integrate initially.

Start with Windows and Unix/Linux and monitor the logs for a day or 2, followed by standard rules for both.

There is a lot more, but take baby steps and customize the infra.

Regards,
Ateesh

0 Likes
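Ateesh's "log baseline" step is easy to underestimate: before any rule is written you want to know, per connected device, how many events arrive per hour, which event types make up that volume, and which expected sources never showed up or went quiet. The following script is an added illustration of that baseline, not code from this thread or from ArcSight; it works on a constructed sample of already-parsed events (timestamp, device, event type) and the device names and expected-device set are assumptions. In a real deployment the rows would come from the connector output or an ESM query, but the checks are the same.

```python
# Added example (not from the forum thread or from ArcSight): a minimal
# log-volume baseline for newly connected log sources.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, reporting device, event type/id).
# Device names and event ids are assumptions for this illustration.
SAMPLE_EVENTS = [
    ("2016-03-01T00:05:00", "win-dc01", "4624"),
    ("2016-03-01T00:07:00", "win-dc01", "4625"),
    ("2016-03-01T00:10:00", "lnx-web01", "sshd:Accepted"),
    ("2016-03-01T01:02:00", "win-dc01", "4624"),
    ("2016-03-01T01:30:00", "lnx-web01", "sshd:Failed"),
    ("2016-03-01T02:15:00", "win-dc01", "4624"),
    ("2016-03-01T03:00:00", "win-dc01", "4624"),
    # note: lnx-web01 sends nothing after the 01:xx bucket
]

# Devices the onboarding plan says should be reporting (constructed).
EXPECTED_DEVICES = {"win-dc01", "lnx-web01", "lnx-db01"}


def _hour(ts):
    """Truncate an ISO timestamp to its hour bucket."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def hourly_counts(events):
    """Return {device: {hour_bucket: event_count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, device, _etype in events:
        counts[device][_hour(ts)] += 1
    return counts


def observation_window(events):
    """First and last hour bucket seen across all devices."""
    hours = [_hour(ts) for ts, _, _ in events]
    return min(hours), max(hours)


def silent_hours(events):
    """Per device, the hour buckets inside the window where it sent nothing.
    A device that stops mid-window usually means a broken agent, a firewall
    change or a log source that was never really enabled."""
    counts = hourly_counts(events)
    start, end = observation_window(events)
    result = {}
    for device, per_hour in counts.items():
        missing = []
        h = start
        while h <= end:
            if per_hour.get(h, 0) == 0:
                missing.append(h.strftime("%Y-%m-%dT%H"))
            h += timedelta(hours=1)
        result[device] = missing
    return result


def missing_devices(events, expected):
    """Expected sources that never produced a single event."""
    seen = {device for _, device, _ in events}
    return sorted(expected - seen)


def event_type_mix(events, device):
    """Event-type distribution for one device; the 'shape' a rule should expect."""
    mix = defaultdict(int)
    for _, dev, etype in events:
        if dev == device:
            mix[etype] += 1
    return dict(mix)


if __name__ == "__main__":
    print("never reported:", missing_devices(SAMPLE_EVENTS, EXPECTED_DEVICES))
    for device, gaps in silent_hours(SAMPLE_EVENTS).items():
        print(f"{device}: silent hours {gaps}")
        print(f"{device}: type mix {event_type_mix(SAMPLE_EVENTS, device)}")
```

Run it over a day or two of real connector output and the three outputs map directly onto the first fixes: devices in `missing_devices` need their connector or forwarding checked, long gaps in `silent_hours` point at agents that died, and `event_type_mix` tells you whether the audit policy on the source actually emits the event ids your first standard rules will key on.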
thebeno1 Trusted Contributor.

Re: What Next after arcsight installation

I agree with Alex, and here are my top 10:

1 - you need to send some events from end systems and services to ESM (connectors)

     + I advise connecting only 1 connector at the beginning (syslog or SCOM) and testing if everything is working as you expect

2 - need to configure your network model (zones, locations, organizations, etc.)

     + test if asset creation is working for you; V6.8 had big problems with native automatic creation, V6.9 is OK

           + do you have assets with hostname_0? fix that

     + try to use categories

3 - upgrade content and context

4 - use a connector for vulnerability scans (Nessus ...)

5 - try to look at the default content (dashboards in ArcSight administration ...)

6 - try free content from protect724.com (https://saas.hpe.com/marketplace/arcsight/category/Resource%20Center)

     + Brute Force Login

     + Anomalous Traffic Detection

     + ...

7 – create model access to work with ESM

8 - look at TOP10

     at first a lot of false positives because of wrong configuration on servers - try to fix the biggest problems

9 - analytic part

     + find anomalies

     + write filters

     + queries, reports, dashboards

     + try some attacks (penetration tests) and look if you can find them in ESM

10 - protection part

     + rules, reports, notifications ...

11 - process with case management

0 Likes
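Both g38's step 2 and thebeno1's step 2 are the network and asset model, and thebeno1's sub-points name the two things that usually go wrong with it: addresses that fall into no zone, and auto-created assets that keep a placeholder name like hostname_0. The script below is an added illustration of what that model does for you, not code from this thread or from ArcSight, and it does not use ArcSight's own zone/asset formats or API. The zone table, asset list and event pairs are constructed for the example; the point is that without a zone table every source/destination pair is just two IPs, and with one the same events become "Users to DC" or "unzoned to DMZ", which is what the rules in steps 4 and 10 need to key on.

```python
# Added example (not from the forum thread or from ArcSight): what a network
# and asset model gives you, implemented with the standard library.
import ipaddress
import re
from collections import defaultdict

# Constructed network model: zone name -> CIDR. An assumption for this
# illustration, not ArcSight's zone resource format.
ZONES = {
    "Corp/DC":    "10.10.0.0/16",
    "Corp/Users": "10.20.0.0/16",
    "DMZ":        "192.0.2.0/24",
}

# Constructed asset list (name, address). The "hostname_0" entries mimic the
# placeholder names thebeno1 warns about when automatic asset creation misfires.
ASSETS = [
    ("win-dc01",   "10.10.1.5"),
    ("lnx-web01",  "192.0.2.10"),
    ("hostname_0", "10.20.4.7"),
    ("hostname_0", "10.20.4.8"),
    ("lnx-db01",   "10.10.2.9"),
]

# Constructed events as (source address, destination address).
SAMPLE_EVENTS = [
    ("10.20.4.7",     "10.10.1.5"),
    ("198.51.100.23", "192.0.2.10"),
    ("10.20.4.8",     "10.10.2.9"),
    ("10.10.2.9",     "203.0.113.4"),
]

PLACEHOLDER_NAME = re.compile(r"^hostname_\d+$")


def build_zones(zones):
    """Parse the CIDR strings once into ip_network objects."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}


def zone_for(address, networks):
    """Longest-prefix match, so a nested zone wins over its parent; None if unzoned."""
    ip = ipaddress.ip_address(address)
    best = None
    for name, net in networks.items():
        if ip in net and (best is None or net.prefixlen > networks[best].prefixlen):
            best = name
    return best


def placeholder_assets(assets):
    """Addresses whose asset still carries an auto-generated hostname_N name."""
    return [addr for name, addr in assets if PLACEHOLDER_NAME.match(name)]


def unzoned_addresses(events, networks):
    """Every address in the events that no zone covers; each one is a gap in the model."""
    gaps = set()
    for src, dst in events:
        for addr in (src, dst):
            if zone_for(addr, networks) is None:
                gaps.add(addr)
    return sorted(gaps)


def zone_traffic(events, networks):
    """Count events per (source zone, destination zone) pair."""
    counts = defaultdict(int)
    for src, dst in events:
        key = (zone_for(src, networks) or "UNZONED",
               zone_for(dst, networks) or "UNZONED")
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    nets = build_zones(ZONES)
    print("assets to rename:", placeholder_assets(ASSETS))
    print("addresses outside the model:", unzoned_addresses(SAMPLE_EVENTS, nets))
    for (src_zone, dst_zone), n in zone_traffic(SAMPLE_EVENTS, nets).items():
        print(f"{src_zone} -> {dst_zone}: {n}")
```

The `UNZONED` bucket is the one to watch while the model is being built: a real external range belongs in a zone of its own, and an internal range showing up there means the zone table is incomplete, which is exactly the kind of misconfiguration that produces the flood of false-positive correlated events mentioned earlier in the thread.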