Home  >  Blog  >   ArcSight

ArcSight ESM - A Complete Guide

ArcSight Enterprise Security Manager (ESM) is a tool used to address security concerns and increase efficiency. This post addresses every aspect of the ArcSight ESM to help you gain a practical grasp of utilizing the ArcSight ESM to handle data and its components.

Rating: 4.6

ArcSight is a cyber security product that offers big data security analytics and intelligence software for SIEM and log management. It is designed to help clients discover and prioritize security risks, organize and manage incident response activities, and ease audit and compliance tasks. This article will cover all you need to know to get started with ArcSight ESM.

ArcSight ESM - Table of contents

What is ArcSight ESM?

ArcSight Enterprise Security Manager (ESM) is a Big Data analytics-based enterprise security solution that turns Big Data into actionable insight. ArcSight ESM is a market-leading security event information collection, correlation, and reporting system.ArcSight ESM evaluates and analyses every login, logoff, file access, and database query in the organization to give actual security risk ranking and breach of enforcement. 

What is the Use of ArcSight ESM?

ArcSight ESM is a market-leading security event information collection, correlation, and reporting system. ArcSight ESM aids you in the following areas:

  • Real-time correlation of data from any source to discover issues before they become a breach.
  • Building Security Use Cases with ArcSight ESM gives you a thorough understanding of ArcSight's security problem-solving approach in the context of ESM.
If you want to enrich your career and become a professional in ForgeRock, then enroll in "ArcSight Training". This course will help you to achieve excellence in this domain.

ArcSight ESM Overview

ESM uses ArcSight ESM Overview ArcSight ESM Architecture SmartConnectors to collect event data from your network.

SmartConnectors transform device event data into a standard format that may use to correlate.

The Manager in the CORR Engine is in charge of Processing and storing event data. Users may monitor events, run reports, produce resources, conduct investigations, and control the system using the ArcSight Console or the ArcSight Command Center.

ESM's underlying architecture is used to power additional ArcSight products that control event flow, simplify event analysis, and offer security warnings and incident response.

Do you want to know more about ArcSight? Take a Look at this "ArcSight Tutorial"

ArcSight ESM Architecture

Several components make up the ESM for the Fusion environment, allowing it to receive and show data from sources like ESM. The following picture will help you comprehend the software and components that make up your ESM for Fusion setup. 

ArcSight ESM Architecture

ArcSight ESM Key Features

The following are critical features of ArcSight:

Layered Security Analytics.

It's a one-stop solution for real-time correlation, hypothesis-based threat hunting, and behavioural analytics.

Native SOAR Out-of-the-Box 

Security Orchestration Automation and Response offers automated, coordinated, and expedited incident response.

Log Management and Reporting

Unified storage, quick big-data search, rich analytics, visualization, and reporting speed up threat hunting and make compliance easier.

MITRE ATT&CK Integration

Extensive coverage of MITRE ATT&CK methodologies and tactics, with tiered analytics and threat monitoring content packages.

Security Data Operating Platform

Real-time data collection and enrichment Device, connector, and destination management have been streamlined.

 MindMajix YouTube Channel

ArcSight ESM Event Ingestion for Security Operations integration

Security incident analysts may gather associated events and automate the development of security incidents with the ServiceNow platform thanks to the ArcSight ESM event ingestion interface with the Security Incident Response solution. Data is continuously absorbed depending on a polling schedule, and analysts utilise it to identify and respond to possible cyber security risks.

Correlated events that are candidates for security incidents can be ingested regularly using this integration. You may map fields in associated events to security incident fields, preview the configuration of an event as a security incident, and schedule event ingestion to automatically produce security incidents.

Check out ArcSight Interview Questions and Answers that help you grab high-paying jobs

This connection gives a security operations centre (SOC) analyst access to ArcSight ESM correlation events. This data may be linked to Now Platform Security Incident Response (SIR) security incidents for further analysis and repair. Different correlation event types are produced and made available via correlation query viewers in ArcSight ESM, and your Now Platform instance profiles are built to manage them.

These profiles control the appearance of specific ArcSight ESM associated event fields for SIR security events.
This integration includes the following critical functionalities:

  • Create several event intake profiles to generate SIR security events for various risks such as malware and unauthorised access attempts.
  • Drag-and-drop mapping of ArcSight ESM correlation event field values to corresponding SIR security incident fields
  • To verify event mapping information, a preview of the SIR security incident layout based on example correlation events is supplied.
  • Input prior correlation events as well as new significant occurrences at predefined intervals.
  • Remove correlation events that do not meet SIR incident creation criteria, such as low priority events.

ArcSight ESM Supported Versions

The ArcSight ESM Manager version was used to test this integration. The integration supports ArcSight ESM on-premises and Cloud/Hosted service environments.

MID Server

When the ArcSight ESM server is deployed within your corporate network, this integration requires an installed and configured MID Server in your Now Platform instance to connect to the ArcSight ESM service. A MID Server is unnecessary if you use the ArcSight ESM cloud service. 


With this, we have come to the end of this blog of ArcSight ESM. We hope the information covered is valuable and helps you gain a thorough grasp of ArcSight ESM.

Join our newsletter

Stay updated with our newsletter, packed with Tutorials, Interview Questions, How-to's, Tips & Tricks, Latest Trends & Updates, and more ➤ Straight to your inbox!

Course Schedule
ArcSight TrainingMay 25 to Jun 09View Details
ArcSight TrainingMay 28 to Jun 12View Details
ArcSight TrainingJun 01 to Jun 16View Details
ArcSight TrainingJun 04 to Jun 19View Details
Last updated: 04 Apr 2023
About Author

Kalla Saikumar is a technology expert and is currently working as a Marketing Analyst at MindMajix. Write articles on multiple platforms such as Tableau, PowerBi, Business Analysis, SQL Server, MySQL, Oracle, and other courses. And you can join him on LinkedIn and Twitter.

read more
Recommended Courses

1 / 15