Understanding the Architecture of ArcSight

ArcSight is a combination of security, user, and entity behavior analytics solutions that are integrated so that you get the required benefits quickly without having to host or deploy the solutions yourself. However, you as the customer must host some data-collection components to ensure that data sources within your environment send data to ArcSight. To collect data, your local environment uses SmartConnectors.

For environments with only the Log Management and Compliance service, the SmartConnectors connect to an Amazon S3 destination through an AWS Identity and Access Management (IAM) user. If your environment includes the Real-time Threat Detection service, then the SmartConnectors connect to an ArcSight SaaS destination using credentials that OpenText provides. The SmartConnectors must have internet connectivity, either directly or through a proxy. By configuring the connectors to connect directly or through a proxy to the Amazon S3 bucket or ArcSight SaaS destination, you avoid the need to open specific firewall ports or establish a VPN connection for each connector. When you configure the SmartConnectors, you specify the Amazon S3 bucket or ArcSight SaaS destination as the destination for the collected data.

ArcSight is powered by a unified datastore that delivers high-speed query response and short-term archival storage across all of the ArcSight product components, as well as long-term archival storage for the Log Management and Compliance service. You can use the Search and reporting features in ArcSight SaaS to hunt for undetected threats, check data compliance, and create charts and dashboards to analyze filtered data. To improve efficiency in responding to cyberattacks, ArcSight SaaS includes SOAR as part of its base platform. Use SOAR to ingest security events, triage and investigate cases, and automate your responses to incidents with playbook automation. To give users access to the service, you create user accounts in ArcSight. Note that, in the OpenText SIEM as a Service (SaaS) environment, all services use a limited version of Advanced Authentication Service to authenticate users who log in to any of the services.

 

Understanding the Base Platform

Understanding the ArcSight Services

Understanding Data Ingestion from Your Environment