Thank you for these videos, they are very good indeed. Request: please arrange them in sequence.
Thanks Paul, I need this as a refresher; I will be taking my exam in April, I guess.
Dear Paul, thank you for your session. One request: please explain slowly, so that non-English people can also understand. Thank you.
I will try, but please be aware that I am trying to keep the videos to a sensible length for people to watch. Between 15 and 20 minutes is about as much as anyone can take in one go, and hence I am trying to keep them to that length. Longer, and the chance that someone will sit through them all is drastically reduced. Shorter, and they have less value. I will try however - but it's a video, so you can stop and start when you like.
Zakir bro, ask Bhutta sab, he can clear you on this. I don't feel there is any issue with the delivery; you need to listen to them with more attention :)
Hello Paul, thanks for the content. Can you provide all videos in sequence so it is easy to learn one by one?
I have a connector with 2 destinations, but the event counts are not matching; aggregation and other destination settings are the same. Can someone help me with that?
Hi Paul, I am trying to write an evaluation report for ArcSight SIEM for its custom visualization generation capabilities. However, I couldn't understand how its visualization system works. It has a web interface and there is this console. Does the SIEM send data to both of them for visualization? Thanks in advance.
Good question, and the way that ArcSight ESM works is that it has a multi-threaded process for the events itself. That means that all events (external and internal) go through this processing engine, and it goes through the correlation engine as well as additional processing (such as for analytics or visualization). For visualization capabilities it uses a 'bucket' system. That means that the filter defined for the visualization tool is applied, and any events that match it as they go through the pipeline will get dropped into these 'buckets' for processing. If an event doesn't match the filter then it doesn't get processed. Therefore the visualization engine will take these events and fill the 'buckets' to create the calculations for what you want to do. Visualizations then build out these calculations, and when you define a dashboard with a component to get this data, it will display it. Sounds complicated, but it's good to know how it operates in the background.
So you define the visualization mechanism, collect the data in the buckets and then display it in a dashboard. Nothing else needed. What you do need to do is create the dashboard though, which can be displayed in both the thick client as well as the web client. The web interface is on HTTPS on 8443 and you will need to authenticate obviously, but it's for display only; all creation of visualizations is done in the thick console. You will find them in the Dashboard section; look for the tabs on the right to create them - it's not that obvious, but it's there. Creating the objects for visualization will cause them to be operational, even if you don't display them - so be cautious.
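The filter-and-bucket flow described in the reply above, as an added toy model that is not ArcSight code and not part of the original thread. Every event passes the correlation stage and is then offered to every defined bucket; a bucket applies its filter, keeps only matching events, and maintains a running aggregate that a dashboard component would render. The event field names, the `Bucket`/`Pipeline` classes and the `dashboard()` helper are assumptions made for this example; the sample events are constructed. It also shows the caution in the reply: a bucket that is never placed on a dashboard still inspects every event.

```python
"""Toy model of a filter-and-bucket visualization pipeline (added example,
not ArcSight's implementation). Field names and the API are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]


@dataclass
class Bucket:
    """One visualization object: a filter plus a running aggregate.

    Every event in the pipeline is tested against ``match``; only matching
    events are added to the aggregate, keyed by the ``group_by`` field.
    """
    name: str
    match: Callable[[Event], bool]
    group_by: str
    counts: Counter = field(default_factory=Counter)
    evaluated: int = 0  # how many events this bucket had to inspect

    def offer(self, event: Event) -> None:
        self.evaluated += 1
        if self.match(event):  # non-matching events are simply not processed
            self.counts[str(event.get(self.group_by, "<none>"))] += 1


class Pipeline:
    def __init__(self) -> None:
        self.buckets: List[Bucket] = []
        self.correlated: int = 0

    def add_bucket(self, bucket: Bucket) -> None:
        # Defining the object is what makes it operational; no dashboard needed.
        self.buckets.append(bucket)

    def process(self, events: Iterable[Event]) -> None:
        for ev in events:
            self.correlated += 1  # correlation stage sees every event ...
            for b in self.buckets:  # ... and so does every defined bucket
                b.offer(ev)


def dashboard(bucket: Bucket, top: int = 3) -> List[Tuple[str, int]]:
    """What a dashboard component would render: the top-N aggregate rows."""
    return bucket.counts.most_common(top)


# Constructed sample events for the demo (not real data).
SAMPLE_EVENTS: List[Event] = [
    {"category": "auth", "outcome": "failure", "src": "10.0.0.5", "severity": 3},
    {"category": "auth", "outcome": "failure", "src": "10.0.0.5", "severity": 3},
    {"category": "auth", "outcome": "success", "src": "10.0.0.7", "severity": 1},
    {"category": "auth", "outcome": "failure", "src": "10.0.0.9", "severity": 3},
    {"category": "firewall", "outcome": "deny", "src": "192.0.2.1", "severity": 5},
    {"category": "firewall", "outcome": "deny", "src": "192.0.2.1", "severity": 8},
    {"category": "firewall", "outcome": "allow", "src": "192.0.2.2", "severity": 1},
]


def run_demo() -> Tuple[Pipeline, Bucket, Bucket]:
    """Build two buckets, run the sample events through, return the state."""
    p = Pipeline()
    failed_logins = Bucket(
        "failed_logins",
        lambda e: e["category"] == "auth" and e["outcome"] == "failure",
        "src",
    )
    high_sev = Bucket("high_severity", lambda e: int(e["severity"]) >= 5, "category")
    p.add_bucket(failed_logins)
    p.add_bucket(high_sev)  # defined but never put on a dashboard
    p.process(SAMPLE_EVENTS)
    return p, failed_logins, high_sev


if __name__ == "__main__":
    p, fl, hs = run_demo()
    print("events through correlation:", p.correlated)
    print("failed_logins dashboard rows:", dashboard(fl))
    print("high_severity inspected", hs.evaluated, "events although it is undisplayed")
```

Running the block shows the three failed-login events landing in the `failed_logins` bucket grouped by source, while the undisplayed `high_severity` bucket still evaluates all seven events. That is the cost the reply warns about: each visualization object you create adds filter work on the event pipeline whether or not a dashboard ever reads it.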
Dear Paul, thank you for your reply. It helped me to understand ArcSight better :)