I've imported Zone information for my environment. It is located under the resource "Site Zones".
Unfortunately zone information is still being tagged by the details under the "ArcSight System" resource. See attachment.
How do I get it to refer to my zones under Site Zones, rather than ArcSight System?
I've followed those steps. I'll test soon.
From my screenshot above, will it matter that the "ArcSight System" folder is above the "Site Zones" folder?
I read you mention something about Zone being assigned by a top-down approach. Will it look in that folder first because it's "higher" in the tree?
That was an error on my part. Networks are applied from top down, not Zones. Zones must not overlap.
Ok, should I delete the default zones?
They make all my zones overlap, they cover almost all IPs in my zones.
Ok, so I am a little confused. The RFC1918 entry of 10.0.0.0-10.255.255.255 is being tagged on all my events.
Basically all my zones fall in this range, but all my events are picking up the RFC1918 first.
I've done all the other steps.
Sorry, they just can't overlap within a network. So you add your zones to your network and leave the RFC 1918 (default) intact as a catch all below your Network when attaching to the connector, which helps identify unmodelled zones.
Ok, the catch alls are in the network "Global".
My zones are in the network for my organization.
Should I move the catch alls out of global?
My device zones are working now.
Maybe took some time to filter through. I'll keep an eye on it.
No problem. Best practice is just to leave all the default zones and networks alone and add your ones higher in the list when adding to the connector.
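
Added example, not part of the original thread and not ArcSight code: a small Python model of the behaviour described above, where networks are searched top down, zones may not overlap inside one network, and the default RFC 1918 range sits lower as a catch-all. The network name "MyOrg", the zone names and the address ranges are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample model, listed top down in the order the networks would be
# attached to the connector: organization network first, default "Global" last.
NETWORKS = [
    ("MyOrg", [
        ("Site Zones/Servers", "10.1.0.0", "10.1.255.255"),
        ("Site Zones/Workstations", "10.2.0.0", "10.2.255.255"),
    ]),
    ("Global", [
        ("RFC1918 10.0.0.0-10.255.255.255", "10.0.0.0", "10.255.255.255"),
    ]),
]

def _bounds(zone):
    """Turn (name, first, last) into (name, int_first, int_last)."""
    name, first, last = zone
    return name, int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))

def overlaps_within_networks(networks):
    """List (network, zone_a, zone_b) for zones that overlap inside one network."""
    found = []
    for net_name, zones in networks:
        for a, b in combinations([_bounds(z) for z in zones], 2):
            if a[1] <= b[2] and b[1] <= a[2]:
                found.append((net_name, a[0], b[0]))
    return found

def resolve_zone(address, networks):
    """Walk the networks top down and return (network, zone) of the first match."""
    ip = int(ipaddress.ip_address(address))
    for net_name, zones in networks:
        for name, first, last in map(_bounds, zones):
            if first <= ip <= last:
                return net_name, name
    return None  # address is not covered by any modelled zone

if __name__ == "__main__":
    print("overlaps:", overlaps_within_networks(NETWORKS))
    for addr in ("10.1.5.5", "10.9.9.9", "8.8.8.8"):
        print(addr, "->", resolve_zone(addr, NETWORKS))
```

An address that resolves to the RFC 1918 catch-all in "Global" points at a range that has not been modelled in the organization's own zones yet.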