Tag: How to

Enriching events with additional data

In the previous article, we examined Additional Data fields and how to use them. But what if events do not contain the necessary information even in Additional Data fields? You may always face a situation where events in ArcSight don’t contain all the information Analysts need, e.g. a user ID instead of a username, a host ID instead of […]

Configuration, Events and Content Backup in IBM QRadar

While working with a SIEM, you eventually come across a situation where your tool needs to be updated to the latest version, moved to a different data center or migrated to a more powerful installation. An integral part of this is the creation of backups and the subsequent transfer of data, configurations or customized content to […]

Simple Virus Total integration with Splunk dashboards

Simple integration helps search for malicious processes. Greetings Everyone! Let’s continue to turn Splunk into a multipurpose tool that can quickly detect any threat. My last article described how to create correlation events using Alerts. Now I’ll tell you how to make a simple integration with the Virus Total database. Many of us use Sysmon in […]

Event Filtering in IBM QRadar

While configuring a SIEM tool (including IBM QRadar), administrators often make the wrong decision: “Let’s send all logs to the SIEM, and then we’ll figure out what to do with them.” Such decisions most often lead to enormous license utilization, a huge workload on the SIEM tool, the appearance of a cache queue, and sometimes to event loss. […]

Assets and describing critical infrastructure objects

While implementing and using IBM QRadar, users often ask the following questions: What are Assets? What are they needed for? What can we do with them? How can the filling of the Assets model be automated? ‘Assets’ is a model that describes the infrastructure and allows the IBM QRadar system to react differently to events that are […]

Creating Correlation Events in Splunk using Alerts

Many SIEM users ask the question: How do the Splunk and HPE ArcSight SIEM tools differ? ArcSight users are confident that correlation events in ArcSight are a weighty argument in favor of using this SIEM because Splunk does not have the same events. Let’s destroy this myth. Splunk has many options to correlate events. So in […]

Additional Data in ArcSight ESM

Everyone who has ever installed a single ArcSight SmartConnector knows about the ‘Device Event Mapping to ArcSight Fields’ chapter in the installation guide, where you can find information on the mapping of device-specific fields to the ArcSight Event Schema. It’s an essential chapter for Analysts, right? Certainly, you noticed that for some SmartConnectors there are ‘Additional Data’ fields. […]

What is network hierarchy and how to use it in IBM QRadar

Network hierarchy is a description of the internal model of an organization’s network. The network model allows you to describe all internal segments of the network, including the server segment, DMZ, user segment, Wi-Fi and so on. This data is necessary to enrich the data of registered Offenses; you can use the network model data in rules, […]

Active Lists in ArcSight, automatic clearing. Part 1

ArcSight beginners and experienced users very often face a situation where they need to automatically clear an Active List in a use case. It could be the following scenario: count today’s logins for every user in real time, or reset some counters stored in an Active List at a specified time.

Historical Correlation

What if I deployed or designed a new Use Case and I want to know whether my company was exposed to the threat in the past? While working with ArcSight, a lot of people wonder whether there is a way to implement historical correlation. They even have several real-life scenarios for this. The first […]
