ArcSight-ESM-Advanced Analyst with Certified Expert Exam

Module 1: ESM Overview

• Identify ESM Architecture
• Describe the content of the ArcSight Event Schema
• List the phases of the ArcSight Event Lifecycle
• Describe the event processing and schema population performed during each phase of the event lifecycle
• List the resources and tools applicable to specific phases of the event lifecycle

Module 2: Command Center

• Access the ArcSight ESM Command Center
• Monitor Usage Metrics
• View System Metrics
• Use the SOC/MITRE Dashboards
• Access and use Active Lists
• Utilize Field Sets

Module 3: ArcSight Console

• Launch the ArcSight Console
• Identify toolbar components and their functions
• List the different views available in the Viewer panel
• Identify three methods to access Console Help
• Describe the Reference Resources and their characteristics
• Identify ESM Console preference options
• Customize your ESM Console

Module 4: Active Channels

• Create a new Active Channel
• View the details of an event
• Identify Dynamic and Static Active Channels

Module 5: Filters

• Describe Filter types and usage
• Add, edit and save Filters to an Active Channel
• Define the Common Conditions Editor

Module 6: Variable Customization

• Describe functions available in Variables
• Create both Local and Global Variables
• Promote Local to Global Variables
• Share Global Variables among multiple resources

Module 7: Data Monitors and Dashbords

• Identify Data Monitor types and functions
• Create a Data Monitor
• Access and Use Dashboards
• Modify Dashboard Data Monitor Layouts

Module 8: ESM Lists

• Describe the differences between Active and Session Lists
• Create and validate Active and Session List integration Rules

Module 9: ESM Rules

• Create and validate the following:
• Rule behavior
• Brute Force Login Attempt and Successful rules
• Light Weight rules and Pre-Persistent rules

Module 10: Query Viewers Authoring

• Define Queries
• Describe Query Viewers
• Explain the advantages of using Query Viewers
• Create the following functions with Query Viewers:
• Drilldowns
• Baselines
• Reports
• Dashboard views

Module 11: ESM Reports

• List the components in the Report Workflow
• List the different types of Reports
• Run a Report from the Navigator panel
• View an Archive Report from the Navigator panel
• Set up a scheduled Report job
• Build a custom Report
• Build a custom Trend Report

Module 12: Unified Event Search Tools

• Describe how keyword, field-based and pipeline searches are performed
• Describe how search results are displayed
• Use the unified Search page to initiate any type of search
• Use Search Helper and Search Builder features to save time constructing search expressions
• Load, modify, and save search filters and saved searches
• Enable peer ESM and Logger instances for searching