ArcSight ESM - A Complete Guide

ArcSight is a cyber security product that offers big data security analytics and intelligence software for SIEM and log management. It is designed to help clients discover and prioritize security risks, organize and manage incident response activities, and ease audit and compliance tasks. This article will cover all you need to know to get started with ArcSight ESM.

ArcSight ESM - Table of contents

What is ArcSight ESM?

ArcSight Enterprise Security Manager (ESM) is a Big Data analytics-based enterprise security solution that turns Big Data into actionable insight. ArcSight ESM is a market-leading security event information collection, correlation, and reporting system.ArcSight ESM evaluates and analyses every login, logoff, file access, and database query in the organization to give actual security risk ranking and breach of enforcement. 

What is the Use of ArcSight ESM?

ArcSight ESM is a market-leading security event information collection, correlation, and reporting system. ArcSight ESM aids you in the following areas:

• Real-time correlation of data from any source to discover issues before they become a breach.
• Building Security Use Cases with ArcSight ESM gives you a thorough understanding of ArcSight's security problem-solving approach in the context of ESM.

ArcSight ESM Overview

ESM uses ArcSight ESM Overview ArcSight ESM Architecture SmartConnectors to collect event data from your network.

SmartConnectors transform device event data into a standard format that may use to correlate.

The Manager in the CORR Engine is in charge of Processing and storing event data. Users may monitor events, run reports, produce resources, conduct investigations, and control the system using the ArcSight Console or the ArcSight Command Center.

ESM's underlying architecture is used to power additional ArcSight products that control event flow, simplify event analysis, and offer security warnings and incident response.

ArcSight ESM Architecture

Several components make up the ESM for the Fusion environment, allowing it to receive and show data from sources like ESM. The following picture will help you comprehend the software and components that make up your ESM for Fusion setup. 

ArcSight ESM Key Features

The following are critical features of ArcSight:

Layered Security Analytics.

It's a one-stop solution for real-time correlation, hypothesis-based threat hunting, and behavioural analytics.

Native SOAR Out-of-the-Box 

Security Orchestration Automation and Response offers automated, coordinated, and expedited incident response.

Log Management and Reporting

Unified storage, quick big-data search, rich analytics, visualization, and reporting speed up threat hunting and make compliance easier.

MITRE ATT&CK Integration

Extensive coverage of MITRE ATT&CK methodologies and tactics, with tiered analytics and threat monitoring content packages.

Security Data Operating Platform

Real-time data collection and enrichment Device, connector, and destination management have been streamlined.

ArcSight ESM Event Ingestion for Security Operations integration

Security incident analysts may gather associated events and automate the development of security incidents with the ServiceNow platform thanks to the ArcSight ESM event ingestion interface with the Security Incident Response solution. Data is continuously absorbed depending on a polling schedule, and analysts utilise it to identify and respond to possible cyber security risks.

Correlated events that are candidates for security incidents can be ingested regularly using this integration. You may map fields in associated events to security incident fields, preview the configuration of an event as a security incident, and schedule event ingestion to automatically produce security incidents.

This connection gives a security operations centre (SOC) analyst access to ArcSight ESM correlation events. This data may be linked to Now Platform Security Incident Response (SIR) security incidents for further analysis and repair. Different correlation event types are produced and made available via correlation query viewers in ArcSight ESM, and your Now Platform instance profiles are built to manage them.

These profiles control the appearance of specific ArcSight ESM associated event fields for SIR security events.
This integration includes the following critical functionalities:

• Create several event intake profiles to generate SIR security events for various risks such as malware and unauthorised access attempts.
• Drag-and-drop mapping of ArcSight ESM correlation event field values to corresponding SIR security incident fields
• To verify event mapping information, a preview of the SIR security incident layout based on example correlation events is supplied.
• Input prior correlation events as well as new significant occurrences at predefined intervals.
• Remove correlation events that do not meet SIR incident creation criteria, such as low priority events.

ArcSight ESM Supported Versions

The ArcSight ESM Manager version 7.0.0.2436 was used to test this integration. The integration supports ArcSight ESM on-premises and Cloud/Hosted service environments.

MID Server

When the ArcSight ESM server is deployed within your corporate network, this integration requires an installed and configured MID Server in your Now Platform instance to connect to the ArcSight ESM service. A MID Server is unnecessary if you use the ArcSight ESM cloud service. 

Conclusion:

With this, we have come to the end of this blog of ArcSight ESM. We hope the information covered is valuable and helps you gain a thorough grasp of ArcSight ESM.