ArcSight Multi-Sensor Data Fusion Model

Introduction

The Multi-Sensor Data Fusion Model is the core of the ArcSight Activate Framework. The DataFusionModel-walkthrough.pdf document provides a more detailed description of how it works. There is also a video with a simple example of data fusion.

Data Fusion Model Overview Graphic

  • MSDFMcycle.png

Data Fusion Model Overview Table

  • DFMstack.png

Distinctions between the Levels

Level 0 - Data Refinement

This is the Data Refinement level. For ArcSight, this includes the auditing and logging configurations of the devices. We are assuming that you are following best practices for any given device or product with respect to that device's functionality. We also include the log data collection mechanism in this level, i.e., the connectors.

Level 1 - Indicators and Warnings (Object Refinement)

This includes content from both product packages and L1 packages.

There are some aspects of L1 that are often confused with L2, and that confusion usually arises around topics such as privileged accounts and critical services.

To resolve some of this confusion, we have stopped referring to "critical services" and use the term "essential services" instead. There is a definite difference between a "critical service" and a "critical host." For example, the network service on any host is critical to that host's capability to participate on the network, but that does not make that host "L2." Therefore, we now say that services such as the network service are "essential."

With privileged accounts, however, things are a bit different. One would normally consider a privileged account to be L2 data. However, this is not true for default privileged accounts, e.g., the Windows Administrator default account or the *nix root account. In this case, we need to make the distinction between default privileged accounts and custom privileged accounts. A default account, regardless of its privileges, exists on every system (unless and until it is removed after deployment), regardless of who owns that system. Every Windows system has a set of default accounts and groups.
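The following Python sketch is an added example, not code from this wiki page or from the ArcSight Activate Framework, showing one way to apply the default-versus-custom distinction to logon events. It relies on stable identifiers rather than display names: the built-in Windows Administrator keeps relative identifier (RID) 500 even when renamed, and the *nix root account is UID 0 whatever its login name. The `CUSTOM_PRIVILEGED` set, the `key=value` event format and the sample events are constructed for the example; in a real deployment the custom list would come from an organisation-specific identity source (for instance an active list), which is exactly why those accounts are L2 rather than L1 data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known Windows RIDs of built-in accounts. These exist on every Windows
# system regardless of owner, so a match is L1 data. The RID survives renaming:
# a renamed Administrator account still has a SID ending in -500.
DEFAULT_WINDOWS_RIDS: Dict[int, str] = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# On *nix the superuser is UID 0 whatever its login name is.
DEFAULT_UNIX_UIDS: Dict[int, str] = {0: "root"}

# Hypothetical L2 identity model (constructed for this example): privileged
# accounts this organisation created itself. Only an organisation-specific
# source can know these, which is what makes them L2 rather than L1 data.
CUSTOM_PRIVILEGED = {"svc_backup", "ops_admin"}


@dataclass
class Account:
    name: str
    platform: str                 # "windows" or "unix"
    sid: Optional[str] = None     # Windows security identifier, if present
    uid: Optional[int] = None     # *nix numeric user id, if present


def rid_of(sid: str) -> Optional[int]:
    """Return the trailing RID of a Windows SID such as S-1-5-21-...-500."""
    tail = sid.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else None


def classify(acct: Account) -> str:
    """Place an account in the fusion model.

    L1 (indicators and warnings): default privileged accounts, recognised by
    identifiers that every system carries and that renaming does not change.
    L2: custom privileged accounts, recognised only via the identity model.
    """
    if acct.platform == "windows" and acct.sid:
        rid = rid_of(acct.sid)
        if rid in DEFAULT_WINDOWS_RIDS:
            return f"L1:default-privileged:{DEFAULT_WINDOWS_RIDS[rid]}"
    if acct.platform == "unix" and acct.uid in DEFAULT_UNIX_UIDS:
        return f"L1:default-privileged:{DEFAULT_UNIX_UIDS[acct.uid]}"
    if acct.name.lower() in CUSTOM_PRIVILEGED:
        return "L2:custom-privileged"
    return "unprivileged"


def parse_event(line: str) -> Account:
    """Parse a constructed key=value logon line into an Account."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    uid = fields.get("uid")
    return Account(
        name=fields["user"],
        platform=fields["platform"],
        sid=fields.get("sid"),
        uid=int(uid) if uid is not None else None,
    )


def classify_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account name, classification) for each event line."""
    result = []
    for line in lines:
        acct = parse_event(line)
        result.append((acct.name, classify(acct)))
    return result


# Constructed sample events: a renamed Administrator (RID 500), a custom admin,
# a renamed root (UID 0) and an ordinary user.
SAMPLE_EVENTS = [
    "platform=windows user=SuperUser sid=S-1-5-21-1111-2222-3333-500 action=logon",
    "platform=windows user=ops_admin sid=S-1-5-21-1111-2222-3333-1105 action=logon",
    "platform=unix user=toor uid=0 action=logon",
    "platform=unix user=alice uid=1001 action=logon",
]

if __name__ == "__main__":
    for name, level in classify_events(SAMPLE_EVENTS):
        print(f"{name}: {level}")
```

The two renamed accounts are the point of the example: matching on the display name would miss both, while matching on RID 500 and UID 0 still flags them as the default privileged accounts that every system ships with.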

--

PrenticeHayes - 24 May 2017
Topic revision: r3 - 03 Nov 2017, PrenticeHayes