Detailed Course Outline
Module 1: ESM Overview
- Identify ESM Architecture
- Describe the content of the ArcSight Event Schema
- List the phases of the ArcSight Event Lifecycle
- Describe the event processing and schema population performed during each phase of the event lifecycle
- List the resources and tools applicable to specific phases of the event lifecycle
Module 2: Command Center
- Access the ArcSight ESM Command Center
- Monitor Usage Metrics
- View System Metrics
- Use the SOC/MITRE Dashboards
- Access and use Active Lists
- Utilize Field Sets
Module 3: ArcSight Console
- Launch the ArcSight Console
- Identify toolbar components and their functions
- List the different views available in the Viewer panel
- Identify three methods to access Console Help
- Describe the Reference Resources and their characteristics
- Identify ESM Console preference options
- Customize your ESM Console
Module 4: Active Channels
- Create a new Active Channel
- View the details of an event
- Identify Dynamic and Static Active Channels
Module 5: Filters
- Describe Filter types and usage
- Add, edit and save Filters to an Active Channel
- Define the Common Conditions Editor
Module 6: Variable Customization
- Describe functions available in Variables
- Create both Local and Global Variables
- Promote Local to Global Variables
- Share Global Variables among multiple resources
Module 7: Data Monitors and Dashboards
- Identify Data Monitor types and functions
- Create a Data Monitor
- Access and Use Dashboards
- Modify Dashboard Data Monitor Layouts
Module 8: ESM Lists
- Describe the differences between Active and Session Lists
- Create and validate Active and Session List integration Rules
Module 9: ESM Rules
- Create and validate the following:
  - Rule behavior
  - Brute Force Login Attempt and Successful rules
  - Lightweight rules and Pre-Persistent rules
Module 10: Query Viewers Authoring
- Define Queries
- Describe Query Viewers
- Explain the advantages of using Query Viewers
- Create the following functions with Query Viewers:
  - Drilldowns
  - Baselines
  - Reports
  - Dashboard views
Module 11: ESM Reports
- List the components in the Report Workflow
- List the different types of Reports
- Run a Report from the Navigator panel
- View an Archive Report from the Navigator panel
- Set up a scheduled Report job
- Build a custom Report
- Build a custom Trend Report
Module 12: Unified Event Search Tools
- Describe how keyword, field-based and pipeline searches are performed
- Describe how search results are displayed
- Use the unified Search page to initiate any type of search
- Use Search Helper and Search Builder features to save time constructing search expressions
- Load, modify, and save search filters and saved searches
- Enable peer ESM and Logger instances for searching