Month: August 2017

Assets and describing critical infrastructure objects


While implementing and using IBM QRadar, users often ask the following questions: what are Assets? What are they needed for? What can we do with them? How can the filling of the Assets model be automated? ‘Assets’ is a model that describes the infrastructure and allows the IBM QRadar system to react differently to the events that are […]

Creating Correlation Events in Splunk using Alerts


Many SIEM users ask a question: how do the Splunk and HPE ArcSight SIEM tools differ? ArcSight users are confident that correlation events in ArcSight are a weighty argument in favor of using this SIEM, because Splunk does not have the same events. Let’s destroy this myth. Splunk has many options to correlate events. So in […]

Additional Data in ArcSight ESM


Everyone who has ever installed a single ArcSight SmartConnector knows about the ‘Device Event Mapping to ArcSight Fields’ chapter in the installation guide, where you can find information on the mapping of device-specific fields to the ArcSight event schema. It’s an essential chapter for analysts, right? Certainly, you noticed that for some SmartConnectors there are ‘Additional Data’ fields. […]

What is network hierarchy and how to use it in IBM QRadar


Network hierarchy is a description of the internal model of an organization’s network. The network model allows you to describe all internal segments of the network, including the server segment, DMZ, user segment, Wi-Fi and so on. This data is necessary to enrich the data of registered Offenses; you can use the network model data in rules, […]

Active Lists in ArcSight, automatic clearing. Part 1


ArcSight beginners and experienced users very often face a situation where they need to automatically clear an Active List in a use case. It could be the following scenario: count today’s logins for every user in real time, or reset some counters stored in an Active List at a specified time.