Using ArcSight ESM for Malicious Domain Detection
Speaker: Chris Watley, Information Assurance Engineer, U.S. Government Agency
The traditional way of detecting traffic to malicious domains involves writing Snort-based signatures to monitor DNS and HTTP traffic. This style of detection can have a high false-positive rate and degrade the performance of the sensors. By migrating detections into ArcSight ESM, false positives no longer exist, and the sensors can be used for more proactive signatures. This session discusses how to utilize ArcSight ESM for domain detections: the interaction between active lists, filters and rules, with a heavy focus on the variables used. Attendees of this session should have an understanding of ArcSight rules, active lists and filters.
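The abstract names the three ArcSight building blocks (an active list of known-bad domains, a filter that selects the relevant DNS events, and a rule that fires on a match) without showing how a lookup behaves. The following is an added illustration, not ArcSight code or material from the session: it models that pattern in plain Python over a constructed DNS log. The log format, the placeholder domain names, and the function names are all assumptions made for the example. It also shows where a naive substring match would create a false positive (`notbad-domain.test` against `bad-domain.test`) and why matching on label boundaries avoids it.

```python
"""Domain watch-list matching over DNS query events (illustrative only).

Models the ArcSight pattern described in the abstract:
  - ACTIVE_LIST  plays the role of an active list of malicious domains
  - parse_dns_events() plays the role of a filter selecting DNS events
  - evaluate_rule() plays the role of a rule that fires on a match
None of this is ArcSight's own API; names and formats are assumptions.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Set, Tuple, List

# Constructed "active list" entries (placeholders, not real indicators).
ACTIVE_LIST: Set[str] = {"bad-domain.test", "malware-c2.test"}

# Constructed sample DNS log: timestamp, source IP, "query", queried name.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 query www.bad-domain.test
2024-01-01T10:00:01Z 10.0.0.6 query notbad-domain.test
2024-01-01T10:00:02Z 10.0.0.7 query MALWARE-C2.TEST.
2024-01-01T10:00:03Z 10.0.0.8 query intranet.corp.test
"""


@dataclass(frozen=True)
class Alert:
    src_ip: str
    queried: str
    matched_entry: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so spelling variants compare equal."""
    return name.rstrip(".").lower()


def lookup(name: str, active_list: Set[str]) -> Optional[str]:
    """Return the active-list entry the name matches, or None.

    Walks the name label by label so that 'www.bad-domain.test' matches
    'bad-domain.test' while 'notbad-domain.test' does not: the comparison
    is on label boundaries, not on raw substrings.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in active_list:
            return candidate
    return None


def parse_dns_events(log: str) -> Iterator[Tuple[str, str]]:
    """Filter stage: yield (source_ip, queried_name) for well-formed DNS lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            yield parts[1], parts[3]


def evaluate_rule(log: str, active_list: Set[str] = ACTIVE_LIST) -> List[Alert]:
    """Rule stage: one Alert per DNS event whose name hits the active list."""
    alerts: List[Alert] = []
    for src_ip, qname in parse_dns_events(log):
        hit = lookup(qname, active_list)
        if hit is not None:
            alerts.append(Alert(src_ip, normalize(qname), hit))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_DNS_LOG):
        print(alert)
```

Running the block yields two alerts (for 10.0.0.5 and 10.0.0.7); the look-alike name from 10.0.0.6 is correctly ignored, and the upper-case, trailing-dot query from 10.0.0.7 is still caught because of normalization.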