Micro Focus Education ArcSight Enterprise Security Manager (ESM) Administrator

Micro Focus Education
ArcSight Enterprise Security Manager (ESM) Administrator and Analyst 7.0.0 Patch 1
Student Guide ESM200-700p1 v1 181129

ArcSight ESM Administration and Analyst 7.0.0p1 Student Guide ESM200-700p1
November 29, 2018

Copyright 2018 Micro Focus. All rights reserved.
Published by Micro Focus
https://software.microfocus.com/en-us/software/security-operations

Micro Focus. The information contained herein is subject to change without notice. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

Trademark acknowledgments if needed. This material (“Material”) may contain branding from Hewlett-Packard Company (now HP Inc.) and Micro Focus Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Micro Focus/HPE marks is historical in nature, and the HP and Micro Focus/HPE marks are the property of their respective owners.

ArcSight ESM Administrator & Analyst 7.0.0 P1
Micro Focus Education Student Guide ESM200-700p1

Table of Contents – Student Guide

Module 0 ‐ Course introduction .......................................... 1
Module 1 ‐ ESM Overview ................................................. 7
Module 2 ‐ ESM Command Center .......................................... 35
Module 3 ‐ ESM Console ................................................. 47
Module 4 ‐ SmartConnectors ............................................. 57
Module 5 ‐ ArcSight Marketplace ........................................ 73
Module 6 – Active Channels, Field Sets & Schema ........................ 77
Module 7 ‐ ESM Filters ................................................ 105
Module 8 ‐ Data Monitors & Dashboards ................................. 115
Module 9 ‐ Rules and Lists ............................................ 133
Module 10 ‐ User Administration ....................................... 153
Module 11 ‐ ESM Notifications ......................................... 161
Module 12 ‐ ESM Workflow and Cases .................................... 171
Module 13 ‐ ESM Queries & Query Viewers ............................... 179
Module 14 ‐ ESM Reports ............................................... 185
Module 15 ‐ Content Management & Peering .............................. 193
Module 16 – ESM Event Search .......................................... 201

ArcSight ESM Administrator & Analyst 7.0.0 P1 Module 0 ‐ Course introduction

Module 0 ‐ Course introduction
Administrator and Analyst ESM 7.0.0 P1
ESM200‐700p1

Class Logistics
Facility Emergency Procedures
‐ Alarms/sirens
‐ Evacuation routes from this room
‐ Off‐site assembly area
Facility information
‐ Restroom
Course Hours
‐ Course Hours
‐ Breaks ‐ Approx. every hour
‐ Lunch
Rules
‐ Make sure to have fun!
‐ Ask questions
‐ Please do not talk during presentations or demonstrations
‐ No cell phones, pagers, or recordings
‐ Use Internet during breaks and lunch

Micro Focus Education Student Guide - Page 1 of 224 ©2018 Micro Focus ESM200-700p1

Class Introductions
Instructor Introductions
‐ Name
‐ Email
Student Introductions
‐ Name
‐ Company
‐ Role
‐ ArcSight product experiences
‐ Expectations

Course Objectives (1 of 2)
Upon completion of this course, you will be able to:
‐ Discuss where ArcSight ESM fits in a modern‐day SOC
‐ Describe the basic architecture of an ArcSight ESM installation
‐ Articulate how ArcSight ESM uses both context and content
‐ Use the Event Lifecycle as a framework to become familiar with how ArcSight resources interact with event data
‐ Identify, analyze, and report on event data using ArcSight ESM
‐ Install, troubleshoot, and update ArcSight context and content

Course objectives (2 of 2)
Upon completion of this course, you will be able to:
‐ Install, troubleshoot, and update ArcSight Context and Content
‐ Use workflow management tools to provide real‐time incident response and escalation tracking
  ‐ Cases
  ‐ Annotations
  ‐ User Management
‐ Build and modify basic reporting within ESM to provide metrics data
‐ Establish ESM peering across multiple ESM instances to
  ‐ Identify events quickly
  ‐ Create quick status reports
  ‐ Provide basic content management

Course agenda (1 of 2)
Topic                                                           Day
Module 1 – Overview                                             Monday
Module 2 – ArcSight Command Center                              Monday
Module 3 – ArcSight Console                                     Monday
Module 4 – Event acquisition, normalization, and enrichment     Monday
Module 5 – ArcSight content                                     Tuesday
Module 6 – Event schema, fieldsets and active channels          Tuesday
Module 7 – Filters                                              Tuesday
Module 8 ‐ Data Monitors and dashboards                         Wednesday
Module 9 – Rules and Lists                                      Wednesday

Course agenda (2 of 2)
Topic                                                           Day
Module 10 – User administration                                 Thursday
Module 11 – Notifications                                       Thursday
Module 12 – Workflow/Case Management                            Thursday
Module 13 – Queries and Query Viewers                           Thursday
Module 14 – Reports                                             Friday
Module 15 – Content Management                                  Friday
Module 16 – Event Search                                        Friday

Customer feedback
A great part of our success is because of YOU and your feedback!
You will receive a course evaluation survey. Feedback is vital to improving our course offerings. Please complete the evaluation.

Net Promoter Score (NPS)
Customer Satisfaction Scale (0 – 10)   Remarks        Scale (0 – 5)
10                                     Great Job      5 (Strongly Agree)
9                                      Good Job       4 (Agree)
8, 7                                   Satisfactory   3 (Neutral)
6, 5, 4, 3, 2                          Unacceptable   2 (Disagree)
1, 0                                   No value       1 (Strongly Disagree)

Certificate of completion
Please complete the course evaluation
‐ You will receive an email reminder from Micro Focus Education
‐ Follow the link provided and complete all questionnaires
‐ You will receive the Certificate of Completion email upon submitting the evaluation

Questions
Course Registration Contact:
‐ ESP‐EduOps@microfocus.com ‐ Americas
‐ training‐emea_esp@microfocus.com ‐ EMEA
‐ esp‐edu‐apj@microfocus.com ‐ APJ
Enterprise Security Learning Management System:
‐ Security LMS
Other training delivery methods
‐ eLearning
‐ Virtual Instructor‐led
Any Questions?

Slide intentionally left blank

ArcSight ESM Administrator & Analyst 7.0.0 P1 Module 1 – ESM Overview

Module 1 ‐ ESM Overview
Administrator and Analyst ESM 7.0.0 P1
ESM200‐700p1

Objectives
‐ Discuss what ArcSight ESM is and how it fits into a SOC
‐ List the problems ESM can solve
‐ Discuss basic processes to make an ESM installation successful
‐ Describe the basic ArcSight components (10’ ‐ 100,000’ view)
‐ Identify basic user roles within an ArcSight installation

Topics
What is ArcSight ESM
• Technical Definition
• Problem it Solves
• How it fits into a modern‐day SOC
Process
• Incident Remediation
• Policy Compliance
• Metrics Reporting
Technology
• Components that make up ESM
• The event flow into ESM
• How new technologies integrate with ESM
People
• SOC Users
• ArcSight SMEs
• Stakeholders

What is ArcSight ESM

What is a SOC and what does it do?
‐ Identify and investigate unknown threats
‐ Create solutions/SOPs that alert to known threats
‐ Effectively acknowledge, triage, and address events of interest

Information is needed for the SOC to do its job

What Do We Need to Address These Challenges?
Powerful Correlation ‐ Scan and correlate event data in real‐time to detect threats affecting the enterprise
Enriched Data ‐ Improved data collection and enrichment to increase event threat knowledge
Quick Detection ‐ Data intelligence and event correlation with a rule‐based engine allow for known threat detection
Solution: Data Enrichment and Powerful Real‐Time Correlation

ArcSight Enterprise Security Manager (ESM) ‐ Solution Overview
• Enriched data from multiple sources provides more than 400 event data points
• Increases event data points by more than 4x for thorough threat detection
• Real‐time data correlation from multiple input sources (integration with ADP)
• Powerful event correlation of up to 75,000 events per second
• Support for large enterprises through multi‐tenancy with centralized console
• Ability to enforce central roles, rights, and responsibilities permissions matrix
• Simplified SOC workflow and triage management through ArcSight Command Center
• Rule development and continued improvement of rule‐based threat detection engine

So what is needed to be successful?
People
Process
