ESM processes events in phases to identify and act upon events of interest. The graphic below provides an overview of the major steps in the life cycle of an event through ESM.

Figure 2-1 Lifecycle of an event through ESM.

Data sources generate thousands of events. SmartConnectors, hosted individually or as part of the ArcSight Connector Appliance, parse them into the ESM event schema. ArcSight Logger (an optional and separately licensed storage appliance) stores and sorts every event and forwards qualifying events to the Manager. Each step narrows events down to those that are more likely to be of interest.

Once the event stream is narrowed, ESM provides tools to monitor and investigate events of interest, track and escalate developing situations, and analyze and report on incidents. Event data is then stored and archived according to policies set during configuration.