ArcSight Interview Questions and Answers

Last updated on 13th Oct 2020, Blog, Interview Question

About author

Vikram (Sr Project Manager)

He is highly experienced in his technical domain, with 6+ years of experience, and has been a technical trainer for the past 5 years. He shares these articles for us.


There are many well-experienced people in this community. They know each and every aspect of the ArcSight SIEM tool and they might be taking many interviews. As a beginner in ArcSight, I and many beginners in this group want your help in this.

1. What does ArcSight ESM stand for and what is its primary use?


  • Micro Focus ArcSight is a cyber security product, first released in 2000, that provides big data security analytics and intelligence software for security information and event management (SIEM) and log management.
  • ArcSight is designed to help customers identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities.
  • ArcSight became a subsidiary of Hewlett-Packard in 2010. It was merged with Micro Focus on September 1, 2017.
  • ArcSight ESM leverages the Security Open Data Platform, whose SmartConnectors can connect to 450+ data source types to collect, aggregate, clean, and enrich your data before feeding it into your security analytics.
  • By structuring your data, ESM makes it both more useful and more cost-effective. It’s also scalable, so you don’t have to worry about data growth.

2. What does SIEM stand for and what is it about?


  1. SIEM stands for Security Information and Event Management.
  2. It is a platform where a holistic view of the security process is implemented within the organization.
  3. The letter E is silent, and it is pronounced as the "SIM" platform.
  4. Basically, in this process, the data is all gathered into one secure repository where the logs are used for future security analysis.
  5. This process is widely used in the Payment Card Industry. It is actually classified as a data security standard in the Payment Card Industry.

3. What are the key features of the ArcSight Enterprise Security Manager?


The key features of the ArcSight Enterprise Security Manager are as follows.

  1. Enriched security event data
  2. Powerful real-time data visualization and correlation
  3. Automated workflows
  4. Security process optimized
  5. The ArcSight Enterprise Security Manager tool is compatible with ArcSight Data Platform and ArcSight Investigate

4. Explain how ArcSight ESM is protecting businesses across the globe?


The following are the different ways in which a business is protected by using the ArcSight ESM tool.

  1. It is capable of collecting data or information from any type of log source.
  2. It greatly reduces response time and also helps in reducing the damage.
  3. It can efficiently store information, which can then be retrieved as we typically do with enterprise-level databases.
  4. It provides role-relevant reports that are available within the enterprise.
  5. The architecture is scalable.
  6. It is easily customizable and maintains a high-performance system.

5. How does ArcSight ESM provide powerful real-time data correlation?


  • ArcSight ESM provides powerful real-time data correlation by processing a number of events per second.
  • Based on this analysis, a more accurate outcome is projected.
  • Based on this analysis, the threats that violate the internal rules are escalated within the platform.
  • ESM processes 75,000 events per second.

6. What can be done using ArcSight ESM?


ArcSight ESM helps organizations and individuals as below.

  1. All the event data is collected, stored, and monitored centrally.
  2. User-friendly compliance reporting: a single touch provides the necessary data in an appropriate format.
  3. It has the capability to monitor and mitigate risk.
  4. It eliminates manual processes as much as possible.
  5. It saves the valuable hours that security analysts spend on false alarms.
  6. It brings awareness to the team about the security process in place and the countermeasures implemented.

7. Why do organizations need Security Information and Event Management systems?


Most small firms do not have enough manpower to make sure that their security process stays intact.

They are also not able to be proactive and warn the team that there could be a possible attack, because they do not have any automated mechanism that triggers an alert about a threat.

To resolve this real-time issue and also make sure the security checks are monitored and analyzed, we have Security Information and Event Management systems.

One such system is ArcSight ESM. Essentially, all the machine log data is analyzed to understand the patterns of normal behavior versus abnormal behavior.

This makes it an ideal tool: it can understand the security logs collected so far and, based on that analysis, trigger information that could stop a bigger threat to the entire organization.

8. How does ArcSight ESM help organizations in terms of security aspects?


ArcSight ESM helps organizations build more enhanced use cases around APTs (Advanced Persistent Threats), which allows a faster and more targeted response in a timely fashion.

9. What does ArcSight Logger do?


ArcSight Logger is a log management solution that can be used widely in security practices.

Using this solution, users are able to capture and analyze different types of log data and provide the necessary inputs to all the individual teams so that their questions are answered.

Eventually, this can be expanded into an enterprise-level log management solution if required.

Using this solution, topics like compliance and risk management are taken into due consideration.

The data can also be used for searching, indexing, reporting, analysis, and retention.

10. What is a SIEM tool? Explain briefly.


In the field of information technology and computer security, products that offer services like real-time analysis of generated security alerts can be classified as SIEM tools.

11. What is a SOC team?


The term SOC stands for "Security Operations Center". Essentially, this is a center where all the websites, applications, databases, data centers, servers, and networks are duly monitored, analyzed, and well defended.

12. Explain what the core offering of ArcSight ESM is?


The core offering of ArcSight ESM is as follows.

  1. Analyzes different threats within a database
  2. Checks them against the logs that were captured
  3. Provides possible solutions or advice based on the risk level

13. What is the purpose of ArcSight Express?


Essentially, ArcSight Express provides the same functionality as ArcSight ESM, but on a much smaller scale.

ArcSight Express analyzes threats within a database and provides the decision items.

14. What is the best use of ArcSight Logger?


The main use of ArcSight Logger is to capture or stream real-time data and categorize it into different buckets of specific logs.

15. What are the key capabilities of ArcSight Logger?


The key capabilities of ArcSight Logger are as follows.

  1. It collects logs from any type of log-generating source
  2. After collecting the data, it categorizes and registers it as Common Event Format (CEF)
  3. These events can be searched with the use of a simple interface
  4. It can handle and store years' worth of log data
  5. It is good for automated analysis, which can later be used for reporting, intelligence on logs or events for IT security purposes, and log analytics.
16. What do ArcSight Connectors mean?


The main uses of ArcSight Connectors are listed below.

  • With the use of ArcSight connectors, the user can automate the process of collecting and managing logs regardless of the device. All the data can be normalized into CEF, i.e. Common Event Format.
  • ArcSight connectors provide universal data collection from a range of different, unique devices.

17. What does ArcSight Manager do? Explain in brief.


The use of ArcSight Manager is simply to put in place strong security parameters within the organization.

It is one of the high-performance service engines that filters, manages, and correlates all security-related events that are collected by the IT system.

The main components that are essential for ArcSight Manager to work properly are as follows.

  1. ArcSight Console
  2. ACC
  3. CORR Engine
  4. ArcSight SmartConnectors

The operating environment for ArcSight Manager is nothing but the underlying OS and the file system that are in place.

18. What will IDS stand for?


IDS stands for "Intrusion Detection System". This is the main component when it comes to ArcSight ESM.

19. A few bullet points on ArcSight ESM?


The following are the details about the ArcSight ESM tool.

  1. With this tool, administrators and analysts can detect more incidents
  2. Operate more efficiently
  3. The same data set can be used for real-time correlation of the data, and a log management application can use the same dataset.

20. What are the system requirements for implementing ArcSight ESM?


The supported operating system and hardware requirements are as follows.

  • Red Hat Enterprise Linux Version 6.2, 64 bit CPU
  • Memory 16-36GB
  • Space for 2-4 TB
  • Average Compression of 10.1 SAS 15K rev

21. How is licensing done in ArcSight? Is it based on the number of devices, the EPS, or some other data?


All market-leading SIEMs are licensed based on EPS. ArcSight also takes the device count into account.

22. What is a special feature in ArcSight that makes it a prime SIEM product?


MSSP support, custom device integration, filtering at the agent level, and support for a larger number of device types. No other product has agent-level filters.

How does ArcSight compare to other SIEM tools available in the market, viz. RSA enVision, McAfee ESM, etc.?

Other SIEMs do not have a separate full-fledged console for admin and analysis purposes. Other SIEMs also do not have SmartConnectors, which provide the following functionality.

  1. Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit.
  2. Save network bandwidth and storage space by filtering out data you know will not be needed for analysis.
  3. Parse individual events and normalize them into a common schema (format) for use by ESM.
  4. Aggregate events to reduce the number of events sent to the Manager.

23. Can you please share the ArcSight dashboard and its functions?


Dashboards display indicators that communicate the state of your enterprise as reported by SmartConnectors from data sources on your network.

Dashboards are made up of individual data monitors and/or query viewers in a variety of graphical and tabular formats that summarize the event flow and communicate the effect of event traffic on specific systems on the network, or display the status of ESM components.

The Security Activity Statistics dashboard is just one of the standard dashboards that display a variety of system status data monitors, which communicate the state of your network security. You can also create customized dashboards as per the environment.

24. Where is the data primarily held in ArcSight: ESM or Logger?


If there is no Logger in your environment, ESM will store all the data. If a Logger is available, storing data in the Logger is better.

25. What devices can we monitor using ArcSight?


  • We can monitor any device that generates logs. If ArcSight connectors support the logs, we can directly use SmartConnectors.
  • For other, non-supported devices, we have to develop custom connectors.

26. What is SIEM?


Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security.

27. What are the general monitoring parameters for middleware applications like SharePoint?


  • Application logs and access logs can be monitored.
  • If the application uses a database in the backend, the database audit logs can be monitored.

28. What parameters can be monitored using the tool?


This depends on the device logs. For example, if it is a firewall, then all the traffic and configuration logs can be monitored.

29. List out the features of SIEM?


  1. Log management
  2. Log monitoring
  3. Dashboard
  4. Pattern discovery
  5. Asset modeling and many more features

30. Using ArcSight, how can we secure our application environment?


ArcSight is a SIEM tool with which we can monitor the logs for any vulnerabilities. By using ArcSight, we can alert the application owner to suspicious activity.

31. What is the difference between SIEM, SIM, and SEM?


Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security.

SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.

32. Why use ArcSight when other tools like RSA and QRadar are available in the market?


  • ArcSight is an agent-based SIEM tool.
  • Compared to RSA, ArcSight is a user-friendly tool.
  • The tool can be selected based on the requirement.

33. Difference between ArcSight Express and ESM


ArcSight Express is appliance based and ESM is application/software based.

34. Why do we need to use ArcSight?


For log management and live log monitoring, which helps us to identify suspicious traffic.

35. From an architecture standpoint, what components do we have in ArcSight?


For ESM, we should have the Manager and database server, the Console (which is used to monitor the logs), a web browser, the ArcSight web server, and the agent.

36. Is there any provision in ArcSight which can check the connectivity between servers to monitor assets?


We need to enable device monitoring at the connector level. Also, by looking at the connector status we can identify the connection.

37. What is the difference between ArcSight Logger and SmartConnector?


ArcSight Logger is an appliance or application which is used to store the logs for a longer period. A SmartConnector is a connector/agent used to collect the logs.

38. What is the major difference between ArcSight and the RSA enVision tool?


ArcSight is an agent-based tool and RSA is an agentless tool.

39. Which is the ArcSight SmartConnector for SharePoint?


ArcSight has some 300+ default SmartConnectors.

For SharePoint we don't have a SmartConnector, hence we need to develop a FlexConnector.

40. What is the difference between correlation, aggregation, and normalization?


Correlation:

  • Logically linking events based on multiple conditions. A rule can have one or more conditions.
  • If there is one condition, the rule acts as a filtering tool.
  • If there is more than one condition, the rule acts as a correlation tool.
  • A rule can be created for any incoming event from one or more event generators, with various conditions, logic statements, and thresholds.

Aggregation:

  • Aggregation is a composition technique for building a new event from one or more existing events that support some or all of the new event's conditions.

Normalization:

  • This converts raw events to CEF (Common Event Format).
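The three terms, applied to one small event stream, as an added example that is not ArcSight code or part of the original article. The log lines are constructed, and the vendor/product names, event class IDs, and the threshold of 3 are assumptions made for illustration; only the CEF header layout and the `src`, `duser`, and `cnt` extension keys follow the published CEF format.

```python
import re
from collections import defaultdict

# Constructed sample input: sshd-style raw log lines (documentation IP ranges).
RAW_LOGS = [
    "Oct 13 10:00:01 web01 sshd[811]: Failed password for root from 203.0.113.7 port 4001",
    "Oct 13 10:00:02 web01 sshd[811]: Failed password for root from 203.0.113.7 port 4002",
    "Oct 13 10:00:03 web01 sshd[811]: Failed password for admin from 203.0.113.7 port 4003",
    "Oct 13 10:00:09 web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 4004",
    "Oct 13 10:00:11 web01 sshd[813]: Failed password for bob from 198.51.100.9 port 5001",
]
PATTERN = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+")

def normalize(line):
    """Normalization: map one raw log line onto a common schema (CEF field names)."""
    m = PATTERN.search(line)
    if not m:
        return None  # line does not match this parser
    outcome, user, src = m.groups()
    failed = outcome == "Failed"
    return {"class_id": "ssh-failed" if failed else "ssh-accepted",
            "name": "SSH login failed" if failed else "SSH login succeeded",
            "severity": 5 if failed else 3, "src": src, "duser": user, "cnt": 1}

def esc(value, chars):
    """Backslash-escape the characters CEF reserves ('|' in the header, '=' in extensions)."""
    for ch in "\\" + chars:
        value = value.replace(ch, "\\" + ch)
    return value

def to_cef(ev):
    """Render a normalized event as a CEF line; vendor/product/version are placeholders."""
    header = ["CEF:0", "ExampleVendor", "sshd", "1.0", ev["class_id"], ev["name"], str(ev["severity"])]
    ext = " ".join(f"{k}={esc(str(ev[k]), '=')}" for k in ("src", "duser", "cnt"))
    return "|".join(esc(h, "|") for h in header) + "|" + ext

def aggregate(events):
    """Aggregation: merge events sharing class, source and user into one event with a count."""
    merged = {}
    for ev in events:
        key = (ev["class_id"], ev["src"], ev["duser"])
        if key in merged:
            merged[key]["cnt"] += 1
        else:
            merged[key] = dict(ev)
    return list(merged.values())

def correlate(events, threshold=3):
    """Correlation: two linked conditions, >= threshold failures then a success from one source."""
    failures, alerts = defaultdict(int), []
    for ev in events:
        if ev["class_id"] == "ssh-failed":
            failures[ev["src"]] += ev["cnt"]
        elif failures[ev["src"]] >= threshold:
            alerts.append({"src": ev["src"], "duser": ev["duser"], "failures": failures[ev["src"]]})
    return alerts

if __name__ == "__main__":
    events = aggregate([e for e in map(normalize, RAW_LOGS) if e])
    for ev in events:
        print(to_cef(ev))
    print(correlate(events))
```

Five raw lines become four aggregated events, and only the source with three failures followed by a success raises an alert; a rule with just the first condition would act as a filter.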

41. Is this ArcSight application available on the net for practice?



42. What basic technical knowledge is required to monitor these tools?


  1. Basic security
  2. Network knowledge

43. Is SIEM software based or hardware based?


Both are available. It depends entirely on the type of tool/vendor.

44. Is it restricted to network and security device monitoring?


No, we can monitor security, network, and application devices, and in-house applications as well.

45. I have heard about connectors, loggers and all. Can you please brief me about them?


Connector – it is used to collect the logs and push them towards the ArcSight database server.

Logger – it is used to collect the logs from the collector, and it can also store the logs.

46. Can we detect zero-day attacks with ArcSight? If yes, how?


Yes, but we also need to analyze logs with the help of Pattern Discovery.

47. How is a SmartConnector different from RSA collector appliances?


The RSA collector appliance is a Windows-based server, and the ArcSight collector connector is an application which we can install on any OS flavor.

48. Can storage devices be supported by ArcSight?



49. What are the minimum requirements for implementing the tool in a new environment?


Prerequisites will vary based on the end devices.

50. What is the latest version of ArcSight, and what is the base OS for it?


6.5C; it runs on Red Hat Linux 6.2.

51. In ArcSight, which tools come under SEM and SIM?


ESM and the Express box come under SIM. Logger is SEM.

52. Can you please tell me how the data flows in the ArcSight tool?


End device, to collector, to ArcSight Manager, to ArcSight database.

53. What are Connector and Logger? Are they related to ESM?


Connector and Logger have been explained already. Yes, both are related to ESM, but it depends on the setup.

54. What are the ports to be opened for Logger and SmartConnectors?


Between Logger and SmartConnector: HTTPS 443.

55. Will this tool only identify suspicious traffic, or will it block/rectify traffic?


It is a monitoring tool. We can't block the traffic through ArcSight.

56. Can we integrate ArcSight with WHIPS?


Yes, we have an ArcSight SmartConnector.

57. What is the difference between a FlexConnector and a SmartConnector?


A SmartConnector is an ArcSight default connector and a FlexConnector is a customized connector.

58. Can you suggest some good books/links to learn about ArcSight?


ESM 101 document..https.//   

59. How can we take a configuration backup?


Through packages and also through databases.   

60. What is ArcSight Manager? How does it work?


  • The Manager is the heart of the ESM solution.
  • It is a Java-based server that drives analysis, workflow, and services.
  • The Manager is portable across a variety of operating systems and hardware platforms.
  • It also correlates output from a wide variety of security systems.
  • The Manager writes events to the Database as they stream into the system.
  • It simultaneously processes them through the correlation engine, which evaluates each event with network model and vulnerability information to develop real-time threat summaries.  
