ESM280-70 ArcSight Creating Advanced ESM Content for Security Use Cases
Monday, September 7, 2020, 9:00 AM - Friday, September 11, 2020, 5:00 PM (UTC+02:00) Amsterdam
Countdown to the Event
Course Description
Creating Advanced ESM Content for Security Use Cases covers ArcSight security problem solving methodology
within the ESM context. In this course, you will learn advanced techniques to use ArcSight ESM content to find,
track and remediate security incidents specifically identified in the course use cases. During the training, you will
learn to:
• Use variables and correlation activities
• Customize report templates to use dynamic content
• Customize notification templates to send the appropriate notification based upon specific attributes of an
event
Audience/Job Roles
This course is intended for:
• Defining organization’s security objectives
• Building ArcSight ESM content to adhere to those objectives
Course Objectives
Upon successful completion of this course, you should be able to:
• In an ArcSight ESM context, define a Use Case
• Use the Use Case worksheet from an initial problem statement, generate requirement statements and
prioritize objectives
• Identify data sources and ESM resources required to fulfil the objectives of the use case
• To fulfil use case requirements, create identified ESM content
• Construct ArcSight Variables to provide advanced analysis of the event stream
• Develop ArcSight Rules to allow advanced correlation activities
• Build event-based data monitors to provide real-time views of event traffic and anomalies
• Implement custom velocity macros for notification
• Package formulated ESM contents for the Use Case into ArcSight Resource Bundle
Prerequisites/Recommended Skills
To be successful in this course, you should have the following prerequisites or knowledge:
• 12 months experience creating ArcSight ESM content (recommended)
• Computer desktop, browser, and file system navigation skills
• Basic understanding of TCP/IP networking and database concepts
• Enterprise security experience [highly advantageous] Plus, an understanding of:
▪ Network device functions and capabilities, such as routers, switches, etc.
▪ Security device functions and capabilities, such as IDS/IPS, firewalls, etc.
▪ TCP/IP networking, file system, and database concepts
▪ SOC Organizational structure and workflow hierarchy
▪ SIEM terminology, such as asset, threat, vulnerability, safeguard, etc.