Webinar - PROKODA GmbH
Date | Location | Price* |
---|---|---|
06.10.2025 - 10.10.2025 | online | 4.760,00 € |
Module 1: ESM Overview
Discuss what ArcSight ESM is and how it fits into a SOC
List the problems ESM can solve
Discuss basic processes to make an ESM installation successful
Describe the basic ArcSight components (10’ - 100,000’ view)
Identify basic user roles within an ArcSight Installation
Module 2: Command Center
Discuss an overview of the Command Center
Describe how to use the Site Map
Describe how to monitor usage
Discuss how to configure Dashboards and the different Dashlets you can add
Describe how to use the Security Operations Center Dashboards
Explain how to configure and view MITRE Dashboards
Discuss how to monitor events with Active Channels
Discuss how to view and use Field Sets
Discuss how to view, export, and filter Active Lists
Module 3: ESM Console
Install the ArcSight ESM Console
Start the ArcSight ESM Console
Use the Console Panels and Features
Customize the ESM console
Module 4: Installing and Configuring ArcSight Connectors
Describe a connector
Describe normalization
Describe a network model
Describe SmartConnectors
Deploy and configure SmartConnectors
Module 5: ArcSight Marketplace
Describe what the Marketplace is
Define Marketplace packages/use cases
Module 6: Schema, Fieldsets, and Active Channels
Describe the ArcSight Event Schema
Describe an Active Channel
Describe what a field set is
Describe the Event Life Cycle
Module 7: Filters
Describe Filters and Filter Types
Create and Modify Filters
Debug Filters
Module 8: Dashboards & Data Monitors
Identify Data Monitor types and functions
Access and Use Dashboards
Modify Dashboard Data Monitor Layouts
Module 9: Rules & Lists
Describe rules and rule types
Describe rule triggers and actions
Describe Active Lists and Session Lists
Create and validate rule behavior
Create and validate Brute Force Login Attempt and Successful rules
Create and validate Active and Session List integration rules
Module 10: User Administration
Create, edit, rename, delete user groups
Create, edit, move, delete users
Manage resource permissions
Access and modify global user password properties
Module 11: Notifications
Describe the operation of ArcSight notifications
Configure ArcSight notifications
Module 12: Incident Response and Automation with SOAR
Understand SOAR
Triage cases with SOAR
Respond to Cases with Playbooks
Close a case
Module 13: Queries and Query Viewers
Explain Queries
Define Query Viewers
Explain the advantages of using Query Viewers
Create the following functions with Query Viewers: Drilldowns, Baselines, Reports, Dashboard views
Module 14: Reports
Define a report
Run, view, and save a report
Manage archived reports
Module 15: Content Management and Peering
Peer ESMs
Perform a search on a peer
Create a package and sync to a peer
Manually push a package
Verify successful distribution of a package
Module 16: Event Search