SmartAgents
SmartAgents (agents) are the interface to the network nodes that generate ArcSight-relevant data on your network. Agents collect event data from network nodes, then normalize it in two ways: first they normalize values (such as severity, priority, and time zone) into a common format, then they normalize the data structure into a common schema. Agents can then filter and aggregate events to reduce the volume of events sent to the ArcSight Manager, which increases ArcSight’s efficiency and accuracy, and reduces event processing time.
Agents also support commands that alter the source and/or execute commands on the local host, such as instructing a scanner to run a scan. Agents also add information to the data they gather, such as looking up IP and/or host names in order to resolve IP/host name lookup at the Manager.
Agents perform the following functions:
Parse individual events and normalize them into a common schema (format) for use by ArcSight.
Collect all the data you need from a source device, so you do not have to go back to the device during an investigation or audit.
Filter out data you know will not be needed for analysis to save network bandwidth and storage space.
Aggregate events to reduce the quantity of events sent to the Manager.
Pass events to the Manager after they have been processed.
Categorize events using a common, human-readable format. This saves you from having to be an expert in reading the output from a myriad of devices from multiple vendors, and makes it easier to use those event categories to build filters, rules, reports, and data monitors.
Depending on the network node, some agents can also instruct the device to issue commands to devices. These actions can be executed manually or through automated actions from rules and some data monitors.
ArcSight releases new and updated agents regularly.
ArcSight Supported Data Sources
ArcSight collects output from data sources with network nodes, such as intrusion detection and prevention systems, vulnerability assessment tools, firewalls, anti-virus and anti-spam tools, encryption tools, application audit logs, and physical security logs.
The graphic on the next page shows the types of data sources that ArcSight supports.
ArcSight Manager
The Manager is the heart of the ArcSight solution. It is a Java-based server that drives ArcSight’s analyses, workflow, and services. The ArcSight Manager is portable across a variety of operating systems and hardware platforms. It also correlates output from a wide variety of security systems.
ArcSight Database
As events stream into the Manager from the agents, they are written to the ArcSight database with a normalized schema. This enables ArcSight to collect all the events generated by devices on your network for later analysis and reference.
The ArcSight database is based on Oracle 9i. A typical installation will retain active data online for a period ranging from weeks to months
ArcSight Console
The ArcSight Console is a workstation-based interface intended for use by yfull-time security staff in a Security Operations Center (SOC) or similar security-monitoring environment. It is the authoring tool for building ArcSight filters, rules, reports, Pattern Discovery, dashboards and data monitors. It is also the interface for administering users and resources.
No comments:
Post a Comment