ArcSight is Only as Powerful as its Log Sources
ArcSight’s greatest strengths are its correlation and reporting features. These allow you to associate events across different log sources to detect, report on and escalate potential security issues in real time. Of course, this capability is only valuable if you have a wide variety of log sources reporting into the Micro Focus ArcSight ESM. To get the most from the ArcSight ESM, you need logs not only from security platforms such as endpoint protection, IPS, IDS, DLP, proxies, directory servers and firewalls, but also from non-security databases, application hosts, point-of-sale hosts and other devices. Once these sources are onboarded, the real value comes from incorporating all of them into your ArcSight ESM content, so you can cross-correlate between different platforms.
The SEMplicity Onboarding Sprint – The Easy Way to Get ArcSight Working
We have found that a one- or two-week sprint is often the best way to onboard a variety of log sources and, most importantly, integrate them into your ArcSight ESM content. With careful filtering, this need not create storage constraints on your ArcSight Loggers or ESM, but it will maximize the value of your ArcSight SIEM deployment by enabling the full power of ArcSight ESM cross-platform event correlation.
| Sprint Phase | Activities |
|---|---|
| Scoping Determination | Initial call and follow-up with ArcSight and other security personnel to determine which log sources to onboard, their use cases, and how they integrate into existing content. |
| Pre-Sprint Checklist | Work with multiple groups within the client to gather credentials, configure devices, open firewall ports, etc., to comprehensively prepare for sprint activities. |
| Logger Configuration | If required, configure ArcSight Logger storage pools to comply with retention policies for new log sources. |
| Onboard Log Sources | Based on the scope, onboard the selected log sources. This usually involves the installation and configuration of various SmartConnectors, either standalone or on Connector Appliances. |
| Filtering and Aggregation | Based on the use cases, implement extensive filtering and aggregation so that only the log records necessary to implement the use cases are sent to ESM. |
| Content Integration | Integrate the new log sources into existing content. |
| Content Development | As determined in the scoping call, develop new use case content for the new log sources. |
| Engagement Report, ArcSight Training | Document all log sources and use cases for the client. Provide Micro Focus ArcSight training to internal staff on the new log sources and their use cases. |
This package may be combined with our Micro Focus ArcSight FlexConnector Development Services to onboard custom log sources not supported by ArcSight.
The key to a successful sprint is preparation, and SEMplicity will work closely with you throughout this critical phase.
In general, an onboarding sprint is vulnerable to delays resulting from change requests. Many log sources require configuration changes before they can send log records. All change requests necessary to support the implementation should be complete before the engagement starts. SEMplicity will work with the client to develop a comprehensive checklist and thus ensure that the site is ready before the sprint begins. During the scoping call, SEMplicity will determine the exact change requirements for your implementation.
The other primary risk involves credentials. The Micro Focus ArcSight ESM collects logs from many sources via JDBC or web services. This requires appropriate credentials and sometimes the creation of a dedicated log collection account. SEMplicity will make certain that all the necessary credentials and accounts are provisioned prior to the start of the sprint.
In general, a sprint onboarding five or more log sources requires two weeks to one month between the initial scoping call and the start of the sprint to develop the checklist, make the necessary changes and acquire the credentials.