
2013.04.01 - ArcSight Differentiators in Use Cases

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The document titled "ArcSight ESM/Express Various Use Cases" provides an overview of use cases and features of HP's ArcSight ESM (Enterprise Security Manager) / Express product. It describes how the system handles scenarios such as simultaneous logins, tracking activities performed with generic service accounts, managing IP addresses, applications and people/accounts, and applying specific correlation policies. The document also highlights key functionalities such as dashboard reports, access control lists, hierarchical policy containers, extensibility for provisioning new use cases, and support for HAVEn (Hadoop, Avro, Velocity, Elasticsearch, NoSQL) and Big Data environments. It is divided into several sections covering functionalities such as account management, reporting in the active channel, anomaly detection, and product integrations with external systems like Qualys, McAfee, Imperva, and Cisco. Use cases are numbered from UC 21 to UC 39, each corresponding to a specific task or feature related to system administration, data manipulation, or integration with other software products for security information and event management (SIEM). Key functionalities include adding and configuring new log event-generating devices; manipulating policies, group/tag structure and general settings; lookups to external data sets, both static and queryable; extracting data for reporting purposes; and triggering alerts based on anomalies detected within the platform. The document is currently undergoing conversion and will be available soon; some sections provide an approximation of the original content due to conversion challenges. This format may not fully preserve the original document's fidelity but aims to provide a readable version for users trying to access or understand its contents.

Details:

The document titled "ArcSight ESM/Express Various Use Cases" provides a detailed overview of use cases and features of HP's ArcSight ESM (Enterprise Security Manager) / Express product. It describes how the system handles scenarios such as simultaneous logins, tracking activities performed with generic service accounts, managing IP addresses, applications and people/accounts, and applying specific correlation policies. The document also highlights key functionalities such as dashboard reports, access control lists, hierarchical policy containers, extensibility for provisioning new use cases, and support for HAVEn (Hadoop, Avro, Velocity, Elasticsearch, NoSQL) and Big Data environments. The text reads as a documentation summary of use cases that form part of a larger software suite. It is divided into several sections covering functionalities such as account management, reporting in the active channel, anomaly detection, and product integrations with external systems like Qualys, McAfee, Imperva, and Cisco. The use cases are numbered from UC 21 to UC 39, each corresponding to a specific task or feature related to system administration, data manipulation, or integration with other software products for security information and event management (SIEM). For example:

  • Use Case 21 involves adding and configuring new log event-generating devices.

  • Use Case 22 covers manipulating policies, group/tag structure, and general settings.

  • Use Case 23 is about lookups to external data sets including both static and queryable types.

  • Use Case 24 pertains to extracting data from the system for reporting purposes.

  • Use Case 25 allows users to trigger alerts based on certain conditions or anomalies detected within the platform.

The document also mentions specific integrations such as Qualys, McAfee ePolicy Orchestrator (ePO), Imperva SecureSphere Web Application Firewall, and Snort IDS. These integrations are crucial for extending the capabilities of the system to monitor and manage external security events more effectively. The use cases cover not only basic configuration but also advanced features, such as writing custom parsers for unique or specialized log formats. Anomaly detection is applied when asset or event data diverges from its expected profile; thresholds are derived from baseline comparisons, for example too many or too few events within a normal temporal window. The document is currently undergoing conversion and will be available soon; some sections provide an approximation of the original content due to conversion challenges. This format may not fully preserve the original document's fidelity but aims to provide a readable version for users trying to access or understand its contents.

The email communication appears to be part of an organizational or project management system where users can interact with documents and share information. The user has received an email notification about a document related to ESM (Event Stream Management) and Express, possibly referring to technical documentation or event-related material. The message includes several actions the recipient could take:

1. **Stop Email Notifications**: The user can opt out of receiving future notifications for this particular document or thread in the communication system.

2. **Send as Email**: The user can resend the email notification containing information about the document, so that others who may not have received the initial notification can view it.

3. **Bookmark This**: A feature where users can save important documents for quick access later; in this case the document is bookmarked by two users (Connections).

4. **Bookmarked By (2)**: Two other users have found this document valuable enough to bookmark it.

5. **View**: Users are given options on how to view the content, including all connections, only notes, or navigating through the previous and next documents in the sequence.

6. **Retrieving data ...**: Indicates ongoing processing of information related to the ESM and Express documentation.

7. **Incoming Links**: Other internal links within the system that connect this document with others, potentially indicating relationships between different pieces of information or events.

8. **More Like This**: The system suggests additional resources or documents that may be similar in content or context to the ESM and Express documentation, based on previous user interactions or patterns.

The platform itself is a tool for managing emails related to specific topics, projects, or discussions within an organization, providing features for organization, collaboration, and accessibility of information.
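The baseline-comparison style of anomaly detection summarised above (too many or too few events in a normal temporal window) can be illustrated in a few lines. The following is an added example written for this post, not code from the ArcSight document or product: it builds a per-source hourly baseline from a constructed day of history, then flags hours on a second constructed day whose counts fall outside mean ± k·σ, treating an hour with no events at all as a count of zero so that silence is caught as well as bursts. The log format, source name `web01`, the `k` multiplier and the `min_sigma` floor are all assumptions chosen for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_log(day_start, counts_by_hour, source="web01"):
    """Build constructed sample log lines: '<ISO time> <source> <event>'.

    counts_by_hour maps hour-of-day -> number of events to emit in that hour.
    Hours missing from the mapping produce no lines (a silent window).
    """
    lines = []
    for hour, n in counts_by_hour.items():
        for i in range(n):
            ts = day_start + timedelta(hours=hour, seconds=i * 3600 // n)
            lines.append(f"{ts.isoformat()} {source} login_ok")
    return lines


# Constructed history: one day of steady traffic, 9-11 events per hour.
DAY1 = datetime(2024, 1, 1)
HISTORY = constructed_log(DAY1, {h: 9 + h % 3 for h in range(24)})

# Constructed evaluation day: a burst of 60 at hour 20 and nothing at hour 22.
DAY2 = DAY1 + timedelta(days=1)
TODAY = constructed_log(DAY2, {h: (60 if h == 20 else 10) for h in range(24) if h != 22})


def parse_line(line):
    """Split one sample line into (timestamp, source, event)."""
    ts, source, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), source, event


def window_counts(lines):
    """Count events per (source, start of hour)."""
    counts = Counter()
    for line in lines:
        ts, source, _ = parse_line(line)
        counts[(source, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return counts


def build_baseline(history_lines, k=3.0, min_sigma=1.0):
    """Per-source (mean, band) from historical hourly counts.

    band = k * max(population stdev, min_sigma); the floor keeps a perfectly
    regular history from producing a zero-width band that flags everything.
    """
    per_source = {}
    for (source, _), n in window_counts(history_lines).items():
        per_source.setdefault(source, []).append(n)
    return {s: (mean(v), max(pstdev(v), min_sigma) * k) for s, v in per_source.items()}


def find_anomalies(lines, baseline, start, end):
    """Return (source, hour, count, reason) for every hour in [start, end)
    whose count lies outside mean ± band. Absent hours count as 0."""
    counts = window_counts(lines)
    anomalies = []
    for source, (mu, band) in baseline.items():
        t = start
        while t < end:
            n = counts.get((source, t), 0)
            if n > mu + band:
                anomalies.append((source, t, n, "too many"))
            elif n < mu - band:
                anomalies.append((source, t, n, "too few"))
            t += timedelta(hours=1)
    return anomalies


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for hit in find_anomalies(TODAY, bl, DAY2, DAY2 + timedelta(days=1)):
        print(hit)
```

With the constructed inputs the baseline for `web01` is a mean of 10 with a band of 3, so the run reports the 60-event hour as "too many" and the empty hour 22 as "too few". In a real deployment the baseline window and `k` would be tuned per device class, and a window with zero events should also be checked against connector health before it is treated as a security signal rather than a collection gap.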

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and they will be responded to.


@2021 Copyrights reserved.
