ArcSight-ESM-Advanced Analyst with Certified Expert Exam

ArcSight-ESM-Advanced Analyst with Certified Expert ExamESM320-76MFOpenTextMF-ESM320-767.6Upon successful completion of this course, you should be able to: <ul> <li>Navigate ArcSight ESM console and command center to correlate, investigate, analyze and remediate both exposed and obscure threats</li><li>Construct ArcSight variables to provide advanced analysis of the event stream</li><li>Develop ArcSight lists and rules to allow advanced correlation activities</li><li>Optimize event-based data monitors to provide real-time viewing of event traffic and anomalies</li><li>Design new report templates and create functional reports</li><li>Find events through the search tools</li></ul>To be successful in this course, you should have the following prerequisites or knowledge: <ul> <li>Common security devices such as IDS and firewalls</li><li>Common network device functions, such as routers, switches, and hubs</li><li>TCP/IP functions such as CIDR blocks, subnets, addressing, and communications</li><li>Basic Windows operating system tasks and functions</li><li>Possible attack activities, such as scans, man in the middle, sniffing, DoS, and possible abnormal activities, such as worms, Trojans, and viruses</li><li>SIEM terminology, such as threat, vulnerability, risk, asset, exposure, and safeguards</li><li>Completed the ArcSight ESM Administrator and Analyst course or 6 months experience administering ArcSight ESM</li></ul>This course is intended for analysts responsible for: <ul> <li>Defining their organization’s security objectives</li><li>Building or using advanced content to correlate, view and respond to those security objectives.</li></ul><ul> <li></li></ul><ul> <li>Module 1: ESM Overview</li><li>Module 2: Command Center</li><li>Module 3: ArcSight Console</li><li>Module 4: Active Channels</li><li>Module 5: Filters</li><li>Module 6: Variable Customization</li><li>Module 7: Data Monitors and Dashbords</li><li>Module 8: ESM Lists</li><li>Module 9: ESM Rules</li><li>Module 10: Query Viewers Authoring</li><li>Module 11: ESM Reports</li><li>Module 12: Unified Event Search Tools</li></ul>Module 1: ESM Overview <ul> <li>Identify ESM Architecture</li><li>Describe the content of the ArcSight Event Schema</li><li>List the phases of the ArcSight Event Lifecycle</li><li>Describe the event processing and schema population performed during each phase of the event lifecycle</li><li>List the resources and tools applicable to specific phases of the event lifecycle</li></ul>Module 2: Command Center <ul> <li>Access the ArcSight ESM Command Center</li><li>Monitor Usage Metrics</li><li>View System Metrics</li><li>Use the SOC/MITRE Dashboards</li><li>Access and use Active Lists</li><li>Utilize Field Sets</li></ul>Module 3: ArcSight Console <ul> <li>Launch the ArcSight Console</li><li>Identify toolbar components and their functions</li><li>List the different views available in the Viewer panel</li><li>Identify three methods to access Console Help</li><li>Describe the Reference Resources and their characteristics</li><li>Identify ESM Console preference options</li><li>Customize your ESM Console</li></ul>Module 4: Active Channels <ul> <li>Create a new Active Channel</li><li>View the details of an event</li><li>Identify Dynamic and Static Active Channels</li></ul>Module 5: Filters <ul> <li>Describe Filter types and usage</li><li>Add, edit and save Filters to an Active Channel</li><li>Define the Common Conditions Editor</li></ul>Module 6: Variable Customization <ul> <li>Describe functions available in Variables</li><li>Create both Local and Global Variables</li><li>Promote Local to Global Variables</li><li>Share Global Variables among multiple resources</li></ul>Module 7: Data Monitors and Dashbords <ul> <li>Identify Data Monitor types and functions</li><li>Create a Data Monitor</li><li>Access and Use Dashboards</li><li>Modify Dashboard Data Monitor Layouts</li></ul>Module 8: ESM Lists <ul> <li>Describe the differences between Active and Session Lists</li><li>Create and validate Active and Session List integration Rules</li></ul>Module 9: ESM Rules <ul> <li>Create and validate the following:</li><li>Rule behavior</li><li>Brute Force Login Attempt and Successful rules</li><li>Light Weight rules and Pre-Persistent rules</li></ul>Module 10: Query Viewers Authoring <ul> <li>Define Queries</li><li>Describe Query Viewers</li><li>Explain the advantages of using Query Viewers</li><li>Create the following functions with Query Viewers:</li><li>Drilldowns</li><li>Baselines</li><li>Reports</li><li>Dashboard views</li></ul>Module 11: ESM Reports <ul> <li>List the components in the Report Workflow</li><li>List the different types of Reports</li><li>Run a Report from the Navigator panel</li><li>View an Archive Report from the Navigator panel</li><li>Set up a scheduled Report job</li><li>Build a custom Report</li><li>Build a custom Trend Report</li></ul>Module 12: Unified Event Search Tools <ul> <li>Describe how keyword, field-based and pipeline searches are performed</li><li>Describe how search results are displayed</li><li>Use the unified Search page to initiate any type of search</li><li>Use Search Helper and Search Builder features to save time constructing search expressions</li><li>Load, modify, and save search filters and saved searches</li><li>Enable peer ESM and Logger instances for searching</li></ul>Upon successful completion of this course, you should be able to: - Navigate ArcSight ESM console and command center to correlate, investigate, analyze and remediate both exposed and obscure threats - Construct ArcSight variables to provide advanced analysis of the event stream - Develop ArcSight lists and rules to allow advanced correlation activities - Optimize event-based data monitors to provide real-time viewing of event traffic and anomalies - Design new report templates and create functional reports - Find events through the search toolsTo be successful in this course, you should have the following prerequisites or knowledge: - Common security devices such as IDS and firewalls - Common network device functions, such as routers, switches, and hubs - TCP/IP functions such as CIDR blocks, subnets, addressing, and communications - Basic Windows operating system tasks and functions - Possible attack activities, such as scans, man in the middle, sniffing, DoS, and possible abnormal activities, such as worms, Trojans, and viruses - SIEM terminology, such as threat, vulnerability, risk, asset, exposure, and safeguards - Completed the ArcSight ESM Administrator and Analyst course or 6 months experience administering ArcSight ESMThis course is intended for analysts responsible for: - Defining their organization’s security objectives - Building or using advanced content to correlate, view and respond to those security objectives. -- Module 1: ESM Overview - Module 2: Command Center - Module 3: ArcSight Console - Module 4: Active Channels - Module 5: Filters - Module 6: Variable Customization - Module 7: Data Monitors and Dashbords - Module 8: ESM Lists - Module 9: ESM Rules - Module 10: Query Viewers Authoring - Module 11: ESM Reports - Module 12: Unified Event Search ToolsModule 1: ESM Overview - Identify ESM Architecture - Describe the content of the ArcSight Event Schema - List the phases of the ArcSight Event Lifecycle - Describe the event processing and schema population performed during each phase of the event lifecycle - List the resources and tools applicable to specific phases of the event lifecycle Module 2: Command Center - Access the ArcSight ESM Command Center - Monitor Usage Metrics - View System Metrics - Use the SOC/MITRE Dashboards - Access and use Active Lists - Utilize Field Sets Module 3: ArcSight Console - Launch the ArcSight Console - Identify toolbar components and their functions - List the different views available in the Viewer panel - Identify three methods to access Console Help - Describe the Reference Resources and their characteristics - Identify ESM Console preference options - Customize your ESM Console Module 4: Active Channels - Create a new Active Channel - View the details of an event - Identify Dynamic and Static Active Channels Module 5: Filters - Describe Filter types and usage - Add, edit and save Filters to an Active Channel - Define the Common Conditions Editor Module 6: Variable Customization - Describe functions available in Variables - Create both Local and Global Variables - Promote Local to Global Variables - Share Global Variables among multiple resources Module 7: Data Monitors and Dashbords - Identify Data Monitor types and functions - Create a Data Monitor - Access and Use Dashboards - Modify Dashboard Data Monitor Layouts Module 8: ESM Lists - Describe the differences between Active and Session Lists - Create and validate Active and Session List integration Rules Module 9: ESM Rules - Create and validate the following: - Rule behavior - Brute Force Login Attempt and Successful rules - Light Weight rules and Pre-Persistent rules Module 10: Query Viewers Authoring - Define Queries - Describe Query Viewers - Explain the advantages of using Query Viewers - Create the following functions with Query Viewers: - Drilldowns - Baselines - Reports - Dashboard views Module 11: ESM Reports - List the components in the Report Workflow - List the different types of Reports - Run a Report from the Navigator panel - View an Archive Report from the Navigator panel - Set up a scheduled Report job - Build a custom Report - Build a custom Trend Report Module 12: Unified Event Search Tools - Describe how keyword, field-based and pipeline searches are performed - Describe how search results are displayed - Use the unified Search page to initiate any type of search - Use Search Helper and Search Builder features to save time constructing search expressions - Load, modify, and save search filters and saved searches - Enable peer ESM and Logger instances for searching5 days3750.004000.00