We use ArcSight Intelligence for some user behavioral analytics. The solution is used to integrate the logs properly with different Unix-based and Microsoft-based connectors. The solution gives us alerts on a single console to give us clear visibility of the total network and filter the unnecessary false positives.

We have a subscription service to gather global intelligence from the cloud. Within that, we get various feeds. We can get notifications about various types of global attacks that are happening. We can also get updates for our correlation engines from these subscriptions. We are using its latest version.

All network devices send their logs to the ArcSight logger as Syslog. Logs may include power failure, link failure, multiple failed login attempts, successful user login failure, and more. Security logs are stored in ArcSight's database for up to 90 days (this can be varied depending on the environment). Examples of security logs include authentication and authorization failures, incorrect logins, and wrong passwords; non-security logs such as link and device failure, module failure, STP logs, and unicast/multicast storm problems. These are some of the primary uses of the ArcSight Logger. 

We use the platform for monitoring purposes.