Working with ArcSight Management System

Nov 5


Thiyari Sai Manikanth

Thiyari Sai Manikanth

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

Arcsight is a cybersecurity tool released in 2000. It is an intelligence software for security information and event management (SIEM) and log management. Arcsight is designed to help the organization in identifying security threats, track response activities, and simplify compliance and audit activities.


Introduction to ArcSight 

ArcSight is a security management system that is built to monitor and track the data insights of a business product. It is a portfolio that is designed to work with multiple products to solve security-related threats for improving productivity. ArcSight mainly consists of three major components.

  • ArcSight user analytics.
  • ArcSight DMA.
  • ArcSight App analytics.

In this article,Working with ArcSight Management System Articles we had explained each and every feature of ArcSight that will help you to gain real knowledge of using the ArcSight portal in managing the data with its components. This Arcsight training will make you professional in handling end to end security tasks in an organization.

Now, let go through the insights of the Arcsight.

What is ArcSight?

ArcSight is an ESM platform which stands for Enterprise Security Manager. It is a tool that is designed and implemented for managing the security policies within an organization. It is used in detecting, analyzing, and resolving cybersecurity-related threats within a short duration of time. The ESM platform includes the products for collecting the events, real-time event management, log management, automatic response, and compliance management.

Briefing about the ArcSight Components

ArcSight describes the components of the security model consisting of security monitoring features and functionalities. ArcSight resolves the problems of several requirements by collecting and storing the data for long term use cases.

  • The features include storage, reporting, searching, monitoring the use cases, and finding the correlation among the products.
  • It collects the information of log events from applications, clouds, network environments, endpoints, systems, security products.
  • ArcSight correlates the data and stores the information for compliance use cases.
  • Generating automated alerts for the investigation work that is carried out on the data.

ArcSight Components Classification

1. Arcsight SIEM Platform 

 The ArcSight SIEM Platform environment includes the security and visibility operations which leverage the monitoring platform infrastructure. The platform captures, normalizes, and categorizes all the events and logs from network and security devices.

2. ArcSight ESM

 The ArcSight ESM has the capability of collecting the broad log information combined with the powerful correlation engine which can detect the threats from multiple products and alerts the customers to take action on the vulnerabilities.

3. ArcSight Logger

 The ArcSight Logger provides log management and storage capabilities with automated compliance reporting. It can store up to 42TB of log data that can search for multiple events per second over structured and unstructured data. It supports automated reporting for SOX, PCI DSS, NERC, and other regulations.

4. ArcSight Express

The ArcSight Express includes the technologies of real-time correlation and log management from ESM and logger. The Express is referred to as “security expert in a box” which has several built-in correlation rules, dashboards, and reports. It provides deployment and low-cost monitoring solutions for the infrastructure.

5. ArcSight SmartConnectors

 The ArcSight SmartConnectors collect the event data from network devices and normalizes the data structure into a schema. The connectors can filter the data, save the network bandwidth and storage space. The SmartConnectors improves efficiency by aggregating the events to reduce the quantity of the same type. The events can be categorized into a readable format which makes it easier for using the events to build the filters, rules, and reports.

ArcSight ESM Network model

The ArcSight ESM Network model is the combination of network and asserts models together builds the correlation criteria. 

  • The network model represents the nodes and characteristics of the network.
  • The assert model represents the attributes of assets.

The elements of the network model consist of the following resources.

  • Asserts - It represents the nodes on the network consisting of the servers, routers, and devices.
  • Assert Ranges - It represents the set of network nodes with a block of IP address. 
  • Zones - It represents the portion of the network categorized by a block of addresses.
  • Networks - It differentiates the two private address spaces.
  • Customers - These are the business units associated with the networks.


  • The Asserts resources identify any network endpoint within an IP address, MAC address, hostname, external ID.
  • An assert resource is the specification of network identity which includes
  • Assert name.
  • Network IP address.
  • MAC address.
  • Hostname.
  • External ID.

Assert Ranges

  • An Assert Ranges is the group of asserts attached to a network that uses a block of IP address.
  • When an event is processed by the SmartConnector, its endpoints are identified as a single asset or an asset that belongs to a particular assert range. A reference to an assert or assert range identifier is populated in the event schema.


  • Zones usually represent a functional group within a network or a subnet such as LAN, VPN or DMZ identified with the block of IP address.
  • Every assert or address range is associated with a zone. ESM is already configured with the global IP address which helps in resolving without setting up any additional zones.
  • The address range in the zones in the same network cannot overlap.
  • When SmartConnector processes an event, it evaluates each IP address in an event and tries to locate the zone associated with the IP address among the ordered list of networks. If a matching zone is found then the search is over, if not it moves with the order specified in the next network during SmartConnector configuration. 


  • Networks are ArcSight resources that are used to differentiate between the zones when IP ranges overlap.
  • Local and Global are two standard networks configured for ESM.
  • Network designations will enable the SmartConnector to tag the events with the correct zone such that the manager can find the correct model for assert events.


  • The customers tagging is a feature that is developed to support Managed Security Services Provider (MSSP) environments.
  • A customer will be considered as an “owner” of an event instead of considering it as a source or target of an event.
  • The customer variables can be either a fixed string or a velocity template variable.

Event life Cycle in ArcSight

There are seven event life cycle in ArcSight ESM

1. Data collection and event processing

 The data is gathered from various sources and then it is processed.

2. Network model lookup and priority evaluation

 Here we apply the logical setup of a network with the naming and structures so as to understand the environment, location, and then is set for priority evaluation.

3. Correlation evaluation

 In this phase, the correlations will be evaluated and then will move to monitor and investigate.

4. Monitoring and investigation

 The scenarios have to be properly understood to know what it is in order to monitor and is then allowed for investigation from an analyst so as to move to the workflow.

5. Workflow

 In this phase, the workflow process model is implemented.

6. Incident analysis and reporting

 Here we have to report the data and provide the analysis for what is obtained or received.

7. Event archival

 Finally, the events will be archived into an external storage environment. The data can be stored for an extended period of time. An event is passed from all these seven stages. 


The ArcSight tutorial gives you a clear vision of the usage and understanding of components that implement the compliance policy rules for detecting the vulnerabilities and resolving the issues with data management on security products.