Integrating SEP With ArcSight
I'm stepping into a setup in which SEP moves some (not all) threat-related traffic log data from the SQL Server to the ArcSight Connector device.
The problem is that SEP is apparently *moving* (instead of copying) the data over to ArcSight and, to make matters worse, there are no configuration options set on SEP's "external logging" panel - how is this thing even working in the first place????
Does anyone here know a bit more about the relationship between these two products and how changes can be made? I need to hold on to threat data for at least a week in order to perform initial threat analysis, and setting up an ArcSight account to view the data from SEP is incredibly expensive, and it just doesn't make sense for us to pay to see the data I'm (apparently) giving away! ;-)
Thanks for any insight you can bring,