Last updated on August 9, 2019

ArcSight Logger is one of products from Micro Focus SIEM platform. It  streams real-time data and categorizes them into specific logs and easily integrates with Security Operations. As a result, organizations of any size can use this high performance log data repository to aid in faster forensic analysis of IT operations, application development, and cyber security issues, and to simultaneously address multiple regulations.

Summary

Arc_Sight_Logger_Summary.png?resize=320%2C192&ssl=1Arc_Sight_Logger_Summary.png?resize=320%2C192&ssl=1

Analyzer
Search

Arc_Sight_Logger_Analyzer_-_Search.png?resize=320%2C222&ssl=1Arc_Sight_Logger_Analyzer_-_Search.png?resize=320%2C222&ssl=1

 Live Event Viewer

Arc_Sight_Logger_Analyzer_-_Live_Event_Viewer.png?resize=320%2C258&ssl=1Arc_Sight_Logger_Analyzer_-_Live_Event_Viewer.png?resize=320%2C258&ssl=1

Dashboard

Arc_Sight_Logger_Dashboard.png?resize=320%2C227&ssl=1Arc_Sight_Logger_Dashboard.png?resize=320%2C227&ssl=1

Reports

Reports.png?resize=320%2C198&ssl=1Reports.png?resize=320%2C198&ssl=1

Configuration

Configuration_-_Saved_Search.png?resize=320%2C200&ssl=1Configuration_-_Saved_Search.png?resize=320%2C200&ssl=1

YouTube Video for Web Gui OverView:

Search Example:
a. 
sourceAddress=1.1.1.2 and name startswith “TCP” and name contains “DEN” | fields requestUrl

arcsight_search.png?resize=558%2C640&ssl=1arcsight_search.png?resize=558%2C640&ssl=1

b. 
((name CONTAINS “Search.cgi Command Injection Vulnerability” ) and destinationAddress = “14.47.251.171”)  AND deviceInboundInterface CONTAINS “11”| fields sourceAddress,destinationAddress,deviceInboundInterface

c.
CEF “failed” | dedup name

Removes duplicate events from search results. That is, events that contain the same value in the specified field. The first matching event is kept, and the subsequent events with the same value in the specified field are removed.

It will search all logs which has ‘failed’ word then listed first found one in name field.

Some Useful SIEM Use Case Reports
Daily
1. Routers/Switches/Firewalls Commands and Configuration Changes
2. Successful Device Login Summary
3. Internal IPS Permitted Events
4. Internal IPS Denied Events
5. Firewall Denials

Weekly
1. Web Security Appliance URL Detections
2. Failed Device Login Details
3. Denied outbound connections by src-dst / src -ports
4. Remote VPN Authentication Report
5. IPS Top Attacks Weekly
6. IPS Top blocked events weekly
7. IPS Top allowed events weekly
8. Top WSA Websites
9. IronPort WSA Overview Weekly Report
10. IronPort ESA Overview Weekly Report

References: