ArcSight_ESM_brochure
Micro Focus Security ArcSight ESM, Software Version 7.5
Backup and Recovery Tech Note for Compact and Distributed Mode
Document Release Date: May 2021
Software Release Date: May 2021

Legal Notices

Copyright Notice
© Copyright 2001-2021 Micro Focus or one of its affiliates

Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information contained herein is subject to change without notice.

The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's internal use, without the express written permission of Micro Focus.

Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse engineer and modify certain open source components of the software in accordance with the license terms for those particular components. See below for the applicable terms.

U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, "commercial computer software" is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement ("DFARS") and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.

Support
Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https:///support-contact-information
Support Web Site: https:///
ArcSight Product Documentation: https:///t5/ArcSight-Product-Documentation/ct-p/productdocs

Contents
Summary
Backing up ESM
Recovering ESM

Summary

The information in this technical note applies to ArcSight ESM in both compact and distributed correlation modes. This procedure is for backing up ESM and recovering it on the same system or on a new system with a configuration that is identical to the original system. It does not cover backup and recovery of any connectors that are installed on the original system.

For all backup operations, back up directly to data storage media other than the one that currently holds the data. Add up the sizes of all relevant files and folders to ensure that the backup media is large enough. Database tables compress well, but event archives do not.

Note: Steps specific to distributed mode are prefixed with "Distributed mode only". Some steps apply to compact and distributed mode but have special instructions for distributed mode; the portion that is specific to distributed mode is identified within the step.

Following is a summary of the backup procedure:
1. Shut down all of the ESM services except mysqld and postgresql. Distributed mode only: Do this on the persistor node.
2. Back up selected files and folders.
3. Export selected database tables.
4. Export trends.
5. Back up configuration data.
6. Back up archive data.
7. Distributed mode only: Back up the following services:
   - Repository
   - Distributed cache
   - Correlators
   - Aggregators
8. Restart the services.

Following is a summary of the recovery procedure:
1. Reinstall ESM. For more information, see the ESM Installation Guide.
2. Import database tables.
3. Import trend data.
4. Recover configuration data.
5. Recover the files and folders you backed up.
6. Recover archive data.
7. Distributed mode only: Recover the following services:
   - Repository
   - Message bus control and message bus data
   - Distributed cache
   - Correlators
   - Aggregators
8. Start all services.

Backing up ESM

Use this procedure to back up ESM (including data) installed in compact or distributed mode. For every file, directory, and exported database table, save the backup copy in a safe location on another computer.

To back up ESM:

1. Stop connectors so that they do not continue sending events to ESM.

2. As user arcsight, stop all of the ArcSight services except mysqld and postgresql. Distributed mode only: Do this on the persistor node.

    /etc/init.d/arcsight_services stop all
    /etc/init.d/arcsight_services start mysqld
    /etc/init.d/arcsight_services start postgresql

3. Use the cp command to back up the following files and folders:
   - /etc/hosts
   - /home/arcsight/.bash_profile
   - /opt/arcsight/logger/current/arcsight/logger/user/logger/logger.properties
   - /opt/arcsight/logger/data/mysql/my.cnf
   - /opt/arcsight/manager/config/database.properties
   - /opt/arcsight/manager/config/esm.properties (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/jetty (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/keystore* (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/server.properties
   - /opt/arcsight/manager/config/server.wrapper.conf
   - /opt/arcsight/java/esm/current/jre/lib/security/cacerts (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/user/manager/license (back up the entire directory)
   - Distributed mode only:
     - /opt/arcsight/manager/config/cluster/hazelcast.xml (do this on all nodes)
     - /opt/arcsight/manager/config/cluster/hazelcast-client.xml (do this on all nodes)
     - /opt/arcsight/manager/config/jaas.config (do this on all nodes)
     - /opt/arcsight/var/config (on all nodes, back up all files in this directory and subdirectories)
     - /opt/arcsight/manager/tmp/default/processConfig.yaml (do this on all nodes)
     - On all nodes where correlators are configured, /opt/arcsight/manager/config/correlator.defaults.properties
     - On all nodes where aggregators are configured, /opt/arcsight/manager/config/aggregator.defaults.properties

4. Run the following command to export system tables:

    /opt/arcsight/manager/bin/arcsight export_system_tables arcsight <mysql_password> arcsight -s

   Because the command generates a large file, Micro Focus recommends running gzip /opt/arcsight/manager/tmp/arcsight_dump_system_tables.sql and then backing up the resulting .gz file. Note that this command takes the MySQL password as a command-line argument, so it is visible in the process list while the export runs and is recorded in the shell history unless you clear it.

5. As user arcsight, run the following command to export selected tables from the database:

    /opt/arcsight/logger/current/arcsight/bin/mysqldump -uarcsight -p arcsight ${tablename} | gzip > /tmp/${tablename}.sql.gz

   where:
   - -uarcsight specifies the database user account called arcsight
   - -p specifies to prompt for a password
   - arcsight is the name of the database
   - ${tablename} is the name of the table to export (see the list below)
   - the path (/tmp/ in this case) is the desired location

   Specify the following tables:
   - user_sequences
   - arc_event_annotation
   - arc_event_annotation_p
   - arc_event_path_info
   - arc_event_payload
   - arc_event_payload_p
   - arc_event_p
   - arc_epd_stats

   This command uses compression to reduce disk space. For large databases, compression is also likely to reduce the amount of time for the commands to complete.

   The user_sequences table is the table from which the ESM Manager gets event IDs from the database. Export the user_sequences table daily.

   When the export is complete, copy the .gz file to the same backup location as the other backup files.

6. If you need to keep trends, as user arcsight, run the following commands:

    DBTODUMP=arcsight
    SQL="SET group_concat_max_len=10240;"
    SQL="${SQL} SELECT GROUP_CONCAT(table_name separator ' ')"
    SQL="${SQL} FROM information_schema.tables WHERE table_schema='${DBTODUMP}'"
    SQL="${SQL} AND (table_name like 'arc_trend%');"
    TBLIST=`/opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p -AN -e "${SQL}"`
    /opt/arcsight/logger/current/arcsight/bin/mysqldump -u arcsight -p ${DBTODUMP} ${TBLIST} > /tmp/arcsight_trends.sql

   When the export is complete, copy the .sql file to the same backup location as the other backup files.

7. Make a note of the following items, which must match exactly on the computer where you recover the backup:
   - Operating system and version
   - Computer domain name, host name, and IP addresses
   - File system type
   - Path to the archive locations for each storage group
   - ESM version
   - MySQL password
   - Timezone of the computer
   - Distributed mode only: operating system version and ESM version on all nodes (you must install and configure the same versions on all nodes where you recover the backup)

8. Run the following command to back up configuration data:

    /opt/arcsight/logger/current/arcsight/logger/bin/arcsight configbackup

   The command creates a configs.tar.gz file in /opt/arcsight/logger/current/arcsight/logger/tmp/configs. Copy the .gz file to the same location as the other backup files.

9. Back up the archive located at /opt/arcsight/logger/data/archives. Back up the archive separately. If the archive location has been moved to a SAN, set up a backup schedule there.

   If you do not want to lose events that occurred since midnight (when the last archive was created), back up /opt/arcsight/logger/data/logger. However, in addition to the un-archived data since midnight, you will also archive events from each day from yesterday to the beginning of your retention period. This backup also has to include the metadata. Ensure that the postgresql service is running, then run the following command:

    /opt/arcsight/logger/current/arcsight/bin/pg_dump -d rwdb -c -n data -U web | gzip -9 -v > /tmp/postgres_data.sql.gz

   Copy postgres_data.sql.gz to a backup location.

10. Distributed mode only: Run the following command to back up the repository:

    /opt/arcsight/manager/bin/arcsight createRepoBackup <repo_instance>

   Note: All repository instances create the same backup file, so you only need to back up one instance.

   Assuming the repository instance is repo2, the command backs up /opt/arcsight/var/data/repo2 to /opt/arcsight/var/data/repo2Backup.tar.gz. Save the file for the recovery procedure.

11. Distributed mode only: Make a note of all of the nodes where an mbus instance is running (for example, all nodes except the persistor node).

12. Distributed mode only: Make a note of all of the nodes where a repository instance is configured, along with the repository ID on each node.

13. As user arcsight, run the following command to restart the services:

   Note: If your next step is to upgrade the operating system or reinstall ESM, skip this step and the next step.

    /etc/init.d/arcsight_services start all

14. Restart connectors.

Recovering ESM

This procedure recovers ESM on the same system or on a new system with a configuration that is identical to the original system. Ensure that the following items are the same on both systems:
- Operating system and version (if using the configbackup and disasterrecovery commands as part of this process)
- Domain names, host names, and IP addresses
- File system type
- Path to the archive locations for each storage group
- ESM version
- MySQL password
- Timezone
- Distributed mode only: operating system version and ESM version on all nodes (you must install and configure the same versions on all nodes where you recover the backup)

Distributed mode only: If you are configuring a new system, when you install ESM in distributed mode, do not configure any services. The recovery procedure will automatically configure the services.

To recover ESM:

1. Stop connectors so that they do not continue sending events to ESM.

2. Ensure that the system is running the same operating system and is configured with the same host name and IP addresses as the original system. Distributed mode only: Ensure that all computers on which you will install distributed services match the original computer configurations.

3. Reinstall ESM. Distributed mode only: Do not configure the distributed correlation services (aggregator, correlator, dcache, repo, mbus_data, and mbus_control). The services will be configured automatically. For more information, see the ESM Installation Guide.

4. Distributed mode only: If you have not done so already, run the following command on the persistor node:

    /etc/init.d/arcsight_services sshSetup

5. As user arcsight, stop all of the ArcSight services except mysqld and postgresql. Distributed mode only: Do this on all nodes. Start services only on the persistor node.

    /etc/init.d/arcsight_services stop all
    /etc/init.d/arcsight_services start mysqld
    /etc/init.d/arcsight_services start postgresql

6. As user arcsight, run the following command to import system tables:

   Note: If you compressed the exported file with gzip, unzip it first:

    gzip -d <path>/arcsight_dump_system_tables.sql.gz
    /opt/arcsight/manager/bin/arcsight import_system_tables arcsight <mysql_password> arcsight <path>/arcsight_dump_system_tables.sql

   If you receive an error about the user_sequences table, run the following commands:

    gzip -d /tmp/user_sequences.sql.gz
    /opt/arcsight/logger/current/arcsight/bin/mysql -uarcsight -p arcsight < /tmp/user_sequences.sql

7. To import trend data, as user arcsight, run the following command:

    /opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p arcsight < /tmp/arcsight_trends.sql

   The command above assumes that your trend data was copied from the backup to the /tmp/ directory. Your file name or directory might differ.

8. Recover the backup files that you previously created:
   - /etc/hosts
   - /home/arcsight/.bash_profile
   - /opt/arcsight/logger/current/arcsight/logger/user/logger/logger.properties
   - /opt/arcsight/logger/data/mysql/my.cnf
   - /opt/arcsight/manager/config/database.properties
   - /opt/arcsight/manager/config/esm.properties (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/jetty (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/keystore* (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/config/server.properties
   - /opt/arcsight/manager/config/server.wrapper.conf
   - /opt/arcsight/java/esm/current/jre/lib/security/cacerts (Distributed mode only: Do this on all nodes.)
   - /opt/arcsight/manager/user/manager/license (recover the entire directory)
   - Distributed mode only:
     - /opt/arcsight/manager/config/cluster/hazelcast.xml (do this on all nodes)
     - /opt/arcsight/manager/config/cluster/hazelcast-client.xml (do this on all nodes)
     - /opt/arcsight/manager/config/jaas.config (do this on all nodes)
     - /opt/arcsight/var/config (on all nodes, recover all files in this directory and subdirectories)
     - /opt/arcsight/manager/tmp/default/processConfig.yaml (do this on all nodes)
     - On all nodes where correlators are configured, /opt/arcsight/manager/config/correlator.defaults.properties
     - On all nodes where aggregators are configured, /opt/arcsight/manager/config/aggregator.defaults.properties

9. Log in and run a MySQL command to ensure that the database is running (enter the password at the prompt rather than on the command line, where it would appear in the process list and shell history):

    /opt/arcsight/logger/current/arcsight/bin/mysql -u arcsight -p arcsight
    describe arc_resource;

   If you can run both commands without errors, the MySQL database is operational.

10. Recover configuration data. Distributed mode only: Do this on the persistor node.
   a. Copy the configs.tar.gz file from the backup folder to the /opt/arcsight/logger/current/backups/ folder.
   b. Ensure that the logger services are stopped. If not, as user arcsight, run the arcsight_services command to stop them.
   c. Run the following commands:

    cd /opt/arcsight/logger/current/arcsight/logger/bin
    arcsight disasterrecovery start

   The disasterrecovery command recovers the configs.tar.gz file. It requires that the operating system version be the same as it was when you ran configbackup.

11. Recover archive data. Distributed mode only: Do this on the persistor node.
   a. Restore the archive files back to /opt/arcsight/logger/data/archives.
   b. If you backed up /opt/arcsight/logger/data/logger, restore it and then run the following commands to recover the metadata:

    gzip -d /opt/backup/postgres_data.sql.gz
    /opt/arcsight/logger/current/arcsight/bin/psql -d rwdb -U web -f /opt/backup/postgres_data.sql

   This example assumes that your backup file is in the /opt/backup directory. Your location might differ.

12. As user arcsight, run the following commands to recover the tables that you exported in Backing up ESM. Distributed mode only: Do this on the persistor node.

    gzip -d /tmp/${tablename}.sql.gz
    /opt/arcsight/logger/current/arcsight/bin/mysql -uarcsight -p arcsight < /tmp/${tablename}.sql

   where:
   - -uarcsight specifies the database user account called arcsight
   - -p specifies to prompt for a password
   - arcsight is the name of the database
   - ${tablename} is the name of the table to import
   - the path (/tmp/ in this case) is the location to which you copied the exported file

13. Distributed mode only: Recover repository instances:

   Note: These instructions assume that the instance that you backed up was repo2, and the instance you are recovering is repo1. Repeat this step for each node where repository instances were configured, using the repository ID for each node as recorded during the backup procedure.

   a. Log in as user arcsight.
   b. If the /opt/arcsight/var/data directory does not exist, create it.
   c. Copy repo2Backup.tar.gz to /opt/arcsight/var/data/repo1Backup.tar.gz, then prepare the instance directories:

    rm -rf /var/opt/arcsight/data/repo1
    mkdir -p /var/opt/arcsight/data/repo1
    ln -fs /var/opt/arcsight/data/repo1 /opt/arcsight/var/data
    mkdir /opt/arcsight/var/tmp/repo1
    mkdir /opt/arcsight/var/logs/repo1
    /opt/arcsight/manager/mbus/bin/mbus_setup_bits.sh

   d. Run the following command on the node where repo1 was configured:

    /opt/arcsight/manager/bin/arcsight extractRepoBackup repo1

   e. Repeat the above steps for each repository instance.
   f. On the persistor node, start the repository:

    /etc/init.d/arcsight_services start repo

14. Distributed mode only: Run the following command on each of the nodes that had mbus_control and mbus_data instances, as recorded during the backup procedure:

    /opt/arcsight/manager/bin/arcsight mbus-configure-instances

   This command uses mbus instances that are defined in the restored information repository to set up mbus directories and configure mbus instances on the node. During recovery, this command replaces the mbus_setup command that is typically used to create mbus instances after installation.

15. Restart the services. Distributed mode only: Do this on the persistor node.

    /etc/init.d/arcsight_services start all

16. Restart connectors.
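The tech note tells you which files and exports to copy and which host attributes to write down, but gives no way to prove at recovery time that the copy is intact or that the target host really matches. The following script is an added example written for this page, not code from the Micro Focus tech note or ArcSight. It records a SHA-256 manifest of the backup set together with the step-7 environment checklist, and at recovery time reports missing or altered files, corrupt gzip exports, and any checklist item that differs on the target. The export file names follow the tech note; the manifest file name and the constructed sample backup set are assumptions of this example.

```python
"""Backup-set manifest and recovery-precondition check for the ESM procedure above.

Added example for this page, not code from the Micro Focus tech note. It fills
two gaps in the procedure: step 7 of the backup ("make a note of" OS, host name,
IP addresses, timezone, ESM version, ...) and the absence of any integrity check
on the copied exports. Standard library only. The manifest file name and the
sample backup set are assumptions; the export file names come from the tech note.
"""
import gzip
import hashlib
import json
import platform
import socket
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "esm-backup-manifest.json"  # assumed name, not from the tech note

# Tables exported in step 5 of the backup procedure.
TABLES = ("user_sequences", "arc_event_annotation", "arc_event_annotation_p",
          "arc_event_path_info", "arc_event_payload", "arc_event_payload_p",
          "arc_event_p", "arc_epd_stats")
# Files that backup steps 4, 5, 6, 8 and 9 produce. Drop arcsight_trends.sql
# from this tuple if you do not keep trends.
REQUIRED_EXPORTS = ("arcsight_dump_system_tables.sql.gz", "arcsight_trends.sql",
                    "configs.tar.gz", "postgres_data.sql.gz") + tuple(f"{t}.sql.gz" for t in TABLES)
# Items the recovery section requires to be identical on the target system.
MUST_MATCH = ("os", "hostname", "ip_addresses", "filesystem", "archive_paths",
              "esm_version", "timezone")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def environment_fingerprint(esm_version, filesystem, archive_paths, hostname=None,
                            ip_addresses=None, os_release=None, timezone=None):
    """The step-7 checklist as data. Values not passed in are probed from the host.
    The MySQL password must also match on recovery but is deliberately not recorded."""
    hostname = hostname or socket.getfqdn()
    if ip_addresses is None:
        try:
            ip_addresses = socket.gethostbyname_ex(hostname)[2]
        except socket.gaierror:
            ip_addresses = []
    return {"os": os_release or platform.platform(), "hostname": hostname,
            "ip_addresses": sorted(set(ip_addresses)), "filesystem": filesystem,
            "archive_paths": sorted(archive_paths), "esm_version": esm_version,
            "timezone": timezone or time.strftime("%Z")}


def build_manifest(backup_dir, env):
    """Hash every file in the backup set and write the manifest next to them."""
    files = {}
    for p in sorted(Path(backup_dir).rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(backup_dir).as_posix()] = {
                "sha256": sha256_file(p), "size": p.stat().st_size}
    manifest = {"created": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
                "environment": env, "files": files}
    (Path(backup_dir) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir, manifest):
    """Return a list of problems; an empty list means the set is complete and intact."""
    files = manifest["files"]
    problems = [f"missing required export: {n}" for n in REQUIRED_EXPORTS if n not in files]
    for rel, meta in files.items():
        p = Path(backup_dir) / rel
        if not p.is_file():
            problems.append(f"missing file: {rel}")
            continue
        if sha256_file(p) != meta["sha256"]:
            problems.append(f"checksum mismatch: {rel}")
        if rel.endswith(".gz"):
            try:  # stream through the whole member so the CRC trailer is checked too
                with gzip.open(p, "rb") as g:
                    while g.read(1 << 20):
                        pass
            except (OSError, EOFError) as exc:
                problems.append(f"corrupt gzip: {rel} ({exc})")
    return problems


def check_recovery_preconditions(recorded, current):
    """Differences in the items the tech note says must match exactly."""
    return [f"{k}: backup={recorded.get(k)!r} target={current.get(k)!r}"
            for k in MUST_MATCH if recorded.get(k) != current.get(k)]


def make_sample_backup_set(dest=None):
    """Constructed stand-ins for the real exports (not ESM data), for a dry run."""
    dest = Path(dest or tempfile.mkdtemp(prefix="esm-backup-"))
    for name in REQUIRED_EXPORTS:
        body = f"-- constructed sample standing in for {name}\n".encode()
        (dest / name).write_bytes(gzip.compress(body) if name.endswith(".gz") else body)
    (dest / "esm.properties").write_text("# constructed sample of manager/config/esm.properties\n")
    return dest


if __name__ == "__main__":
    root = make_sample_backup_set()
    env = environment_fingerprint("7.5", "xfs", ["/opt/arcsight/logger/data/archives"])
    manifest = build_manifest(root, env)
    print("backup set:", verify_backup(root, manifest) or "intact")
    target = dict(env, hostname="esm-new.example.com")  # simulated renamed recovery host
    print("preconditions:", check_recovery_preconditions(env, target) or "match")
```

Run build_manifest() on the backup host right after step 12, store the manifest with the backup set, and run verify_backup() and check_recovery_preconditions() on the target before recovery step 6; a non-empty list from either should stop the procedure. The gzip check streams each compressed export to the end so a truncated copy is caught by the CRC trailer, not just by its first two bytes.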
OpenText ArcSight ESM 7.5 Product Brief

Upgrading ArcSight ESM

Why Upgrade?
Why consider upgrading if your version of ArcSight Enterprise Security Manager (ESM) by OpenText is working fine as it is? The ArcSight Product line by OpenText has been busy implementing improvements across its security operations portfolio. If you're behind in your version currency, you are missing out on key features and functionality.

Best Overall Experience
With all the new enhancements, additions and integrations to the portfolio, ArcSight ESM 7.5 gives you the best overall experience the ArcSight Product line has ever offered. Tighter integrations with the rest of the ArcSight portfolio, MITRE ATT&CK reports and dashboards, faster analytics, and an improved user interface are some of the things you'll enjoy when you upgrade to the latest version. An upgrade should always be under consideration to ensure your software is operating at its peak and providing the maximum benefit to your company and its operations.

ArcSight SOAR
ArcSight SOAR by OpenText is now a native integration to ArcSight ESM, doesn't incur additional licensing costs, and offers a massive boost in automated response capabilities for your organization. You can accelerate incident response, take advantage of pre-built and customizable playbooks, and improve collaboration between people, tools and processes.

Prep for Containerized Versions
For those who are waiting for ArcSight ESM containerization before undergoing the upgrade process, it is important to note that upgrading to ArcSight ESM 7.5 is one of the best ways to prepare for the upcoming containerization.

Cloud and SaaS Integration
Cloud integration is a major priority moving forward, and we'll continue to add to our cloud and SaaS arsenal. ArcSight ESM, as well as most of our other ArcSight products, can now be installed from the AWS or Azure cloud marketplaces, which reduces hardware costs and maintenance. Our SmartConnector technology offers extensive cloud monitoring capabilities that span AWS, Azure and Google Cloud, and with the help of FlexConnectors can ingest events from most others as well. Furthermore, we've recently released both ArcSight Intelligence by OpenText™ and ArcSight Recon by OpenText to the SaaS environment, which the latest version of ArcSight ESM can readily integrate with.

Upgrade Path
Once you have all the required information to get started, you'll need to choose the upgrade path that will best fit your situation.

Sequential Upgrade
The upgrade to ArcSight ESM 7.5 can be done in one of two ways. The first is a full sequential product upgrade. For a detailed guide describing how to update your version of ArcSight ESM, please refer to the ArcSight ESM Upgrading Guide. This will help ensure that all your customizations and settings from your current version are carried over to the latest version, while gaining the most recent and most advanced capabilities of the ArcSight Product line.

New Instance of ArcSight ESM
The second is to stand up a new but separate instance of ArcSight ESM and then re-create all your desired customizations, rules, and personalized settings. This method may be more costly than the sequential upgrade since you'll be purchasing a new license, and possibly even new hardware, while you move everything over. The benefit of this option is that you'll drastically decrease product downtime compared to the sequential upgrade. Once you're sure everything is ready to go in your new install of ArcSight ESM, you can then terminate the license of the original and outdated version of ArcSight ESM.

Getting Started
Depending on your situation, upgrading your ArcSight product's software to the latest version may seem like an insurmountable task. With resources and optional services at your disposal, we let you determine the amount of professional assistance you require. Whichever route you undertake, upgrading ArcSight ESM will not only ensure you maintain reliable SIEM performance, but it will also enhance your experience and capabilities by bringing a wider and more capable set of functionality to your SIEM solution.

Self-Installation
If you and your team feel confident in your technical abilities and knowledge of your environment, and have read the ArcSight ESM Upgrading Guide, you should feel empowered to start with self-installation. This is obviously the cheapest option for your organization, and depending on your situation, may not be terribly difficult to accomplish. As mentioned in the upgrading guide, if your deployment of ArcSight ESM contains large trends with IP addresses, contains large datasets, or if you have issues with system performance, your total upgrade times will be longer than those outlined [...] documentation resources, the OpenText Community, and the free levels of support offered to all of our customers.

Support Packages
ArcSight ESM is an extremely flexible and capable product, and is often installed in very complex environments. With this in mind, there are several support and service resources available to help you. Reading documentation and watching videos can only get you so far, and there are times when getting more personal assistance to guide you through the process may be a good option. We have a full range of upgrade support services available which can be engaged at different levels to best meet your needs. Our support also offers flexibility with services such as the premium offering, which enhances the OpenText business support, or even short-term support with OpenText flexible credits.

Professional Services
We have a team of professional services consultants who will work with you not just for upgrades but also to develop secure business solutions to meet your business goals. Our specialists are prepared to help with the upgrade preparation process as well as the upgrade itself. Recently, many ArcSight product line customers have opted to utilize our Professional Services team to implement their complementary license of ArcSight SOAR. Although our Professional Services option is a paid service, the combination of expert advice, work performed, and time
Hefei Electronics: ArcSight ESM Support Matrix (page 1)

HPE ArcSight ESM Support Matrix

Warranty
The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2017 Hewlett Packard Enterprise Development LP
Follow this link to see a complete statement of copyrights and acknowledgements: https:///docs/DOC-13026

HPE ArcSight Enterprise Security Management Support Matrix
This document describes current and planned platform support and end-of-life (EOL) dates for all versions of ArcSight Enterprise Security Management (ESM) and its components. The components include:
- ArcSight Manager
- ArcSight Console
- Correlation Optimized Retrieval and Retention Engine (CORRE) (ESM 6.0c and later)
- ArcSight Database (based on Oracle) (ESM 5.6 and earlier)
- Management Console (ESM 6.0c)
- ArcSight Command Center (ESM 6.5c and later)
- ArcSight Web (ESM 6.8c and earlier)

Definitions
This document uses the following terms.

END-OF-SUPPORT-AND-LIFE NOTICES
Note these end-of-support-and-life dates.

Products at End of Support and Life
The following product versions are currently in an end-of-support-and-life state.

Platforms at End of Support and Life
The following platforms are currently in an end-of-support-and-life state.

ArcSight Console

Oracle DB

ESM Support of Other ArcSight Products/Components

ActivClient and Browser Support

90Meter Card and Browser Support

Updated 04/07/2017
ArcSight ESM Asset Management: Automating the Import Process

Automating the Asset Model Import Process
ArcSight ESM Asset Management
Chris Maenner, Cybersecurity Threat Discovery Engineer

Chris Maenner, CISSP
• Security Technology Audit
• Senior Security Consultant
• Information Assurance Engineer
• Anti-Tamper Engineer
• Database administrator
• Cybersecurity Threat Discovery Engineer

Agenda
• Asset Model Importance and Tools
• ArcSight Archive Utility
• ArcSight Asset Model Connector
• What's the difference between the tools?
• Generating Asset File(s)
• Comcast's Asset Automation Process
• Benefits, Best Practices, and Resources

ArcSight ESM Asset Modeling Importance
• Assigning a Priority Formula (Threat Level Formula)
• More accurate organizational asset management
• Risk rate assets by criticality
• Vulnerability tracking of assets
Devices: Router type? Whose laptop? Is it mobile? Cloud service?

ArcSight Archive Utility
• The ArcSight Archive utility is a multi-function command-line tool that can be used by ArcSight Administrators to perform routine maintenance, such as back-up and restore from an Extensible Markup Language (XML) file
• Why do we care to use this utility? Creating, removing, or updating asset objects:
  • Asset Ranges
  • Assets
  • Categories
  • Customers
  • Filters
  • Locations
  • Networks
  • Zones
• Further details can be found in: ESM Administrator's Guide : Administrative Commands : ESM ArcSight Commands

ArcSight Asset Model Import Connector
• The Asset Model Import Connector allows you to import asset objects from a comma separated value (CSV) file. This enables you to create and maintain ESM Network Model data, and keep this data in sync with the data in your Asset Management system.
• Why do we care to use this utility? Add, Move, Remove, or Update:
  • Asset(s)
  • Categories
  • Zones
• Further details can be found in: ESM 101 : The Network Model : Ways to Populate the Network Model

What's the difference between the tools?

Archive Utility Process: XML -> ESM
• Command is mandatory for archive: /opt/arcsight/manager/bin/arcsight archive -u <USER> -m <FQDN> -i -f assets.xml
• Data validation prior to import
• Verbose output to user during import process (by default to the terminal)

Asset Model Import Connector Process: CSV -> Connector -> XML -> ESM
• The connector does not validate the file data
• The connector is a wrapper that uses the Archive Utility tool
• No verbose output to determine if there were issues during import

Pros vs Cons

                                     Archive Utility Tool   Asset Model Import Connector
  Asset import progress information  yes                    no
  Asset file setup                   no                     yes
  Asset tool setup                   yes                    no
  Ease of use                        yes                    yes
  File documentation support         no                     yes

ArcSight Archive Utility
• XML is the only file format supported
• Three stage process occurs:
  o Determine if the objects are to be Inserted, Updated, or Removed
  o Stage importing of objects
  o Complete organization of objects and either insert, update, or remove objects
• Provides progress information while doing the archive operation

Asset Model Import Connector
• CSV is the only file format supported
• Three stage process occurs:
  o Determine if the objects are to be Inserted, Updated, or Removed
  o Stage importing of objects
  o Complete organization of objects and either insert, update, or remove objects
• Does not provide progress information while doing the archive operation
• CSV file content must match parser configuration

Generating Asset File(s)

ArcSight Archive Utility Support
Object element types that are used to create XML file(s). The column title signifies the "Type" element; * marks mandatory elements. Not listed in the presentation are "Asset Ranges" and "Filters".

Assets: Type*, Name*, IP Address*, MAC Address, Host Name, External ID, Alias, Parent Group URI, Description, Zone URI, Location URI, Categories
Categories: Type*, Name*, External ID, Alias, Parent Group URI, Description
Customer: Type*, Name*, Address1, Address2, City, State, Postal Code, 2 Digit Country Code, External ID, Alias, Parent Group URI, Description
Locations: Type*, Name*, Latitude, Longitude, City, Region Code, Postal Code, Country, 2 Digit Country Code, External ID, Alias, Parent Group URI, Description
Networks: Type*, Name*, External ID, Alias, Parent Group URI, Description, Customer URI, Location URI
Zones: Type*, Name*, Start Address*, End Address*, Dynamic Addressing, External ID, Alias, Parent Group URI, Location URI, Network URI, Categories

ArcSight Resource Generator Tool
• Java Archive (JAR) tool that can generate XML files
• ArcSight Resource Generator Tool dissected (decompiled)
• Replaced the ArcSight Resource Generator Tool with a custom Python script using the following modules:
  • lxml (http://lxml.de)
    • Used to write XML elements to each XML file type
    • More efficient parser compared to ElementTree (Python standard library since version 2.5)
  • netaddr (https:///pypi/netaddr)
    • A network address manipulation library
    • Used to support Zones XML creation
    • Provides a simple method to grab the network and broadcast address from a network CIDR
  • requests (/en/master)
    • Provides native thread-safe connection pooling
    • Powered by urllib3 (https://urllib3.readthedocs.io/en/latest)
    • This module is used as a personal preference; urllib2 would be fine to use
    • Used to query the Google Maps API to get up-to-date latitude and longitude coordinates

Asset Model Import Connector Support

CSV example for the Asset Model Connector:

  addAsset,Active,Activated on 07/04/2016,,192.168.1.1,G0:0D:B3:RG:3R:SS,foo-server.local,fooServer,myFooServer,/All Assets/Organization/Foo Corp,Router to perform,fooServer,/All Zones/Organization/Foo Corp/Fooville/Fooville192.168.1.0/24,/All Locations/Organization/FooCorp/Fooville,/All Asset Categories/System Asset Categories/Criticality/High;/All Asset Categories/System Asset Categories/Compliance/PCI

Details:
• Mandatory column types: ["Action", "Active/Inactive", "AssetName", "IP Address"]
• Action types: ["addAsset", "updateAsset", "removeAsset", "addCategory", "removeCategory", "addZone", "removeZone", "moveAsset"]
• Column types: ["Active/Inactive Reason", "MAC Address", "HostName", "External ID", "Alias", "ParentGroupURI", "OldParentGroupURI", "AssetDescription", "ZoneURI", "LocationURI", "AssetCategory"]
• AssetCategory: to add multiple categories, the string delimiter must be a semicolon
More details can be found in: HP ArcSight Asset Model Import FlexConnector Developer's Guide

CSV Parser Example and Template for the Asset Model Connector:

  ####### BEGIN ######
  comments.start.with=#
  delimiter=,
  token.count=15
  token[0].name=Action
  token[0].type=String
  token[1].name=Active
  token[1].type=String
  token[2].name=ActiveReason
  token[2].type=String
  token[3].name=AssetName
  token[3].type=String
  token[4].name=Ip
  token[4].type=String
  token[5].name=Mac
  token[5].type=String
  token[6].name=HostName
  token[6].type=String
  token[7].name=ExternalID
  token[7].type=String
  token[8].name=Alias
  token[8].type=String
  token[9].name=ParentGroupUri
  token[9].type=String
  token[10].name=OldParentGroupUri
  token[10].type=String
  token[11].name=AssetDescription
  token[11].type=String
  token[12].name=ZoneUri
  token[12].type=String
  token[13].name=LocationUri
  token[13].type=String
  token[14].name=AssetCategory
  token[14].type=String
  ###keep these 7 fields unchanged###
  additionaldata.enabled=true
  additionaldata.duplicate.keys.allowed=false
  event.deviceEventCategory=__stringConstant(Asset)
  event.deviceCustomString1Label=__stringConstant(model.sender)
  event.deviceCustomString1=__stringConstant(flexcsv)
  event.deviceCustomString2Label=__stringConstant(model.template)
  event.deviceCustomString2=__stringConstant(mic/asset_flexfile/asset.vm)
  ###field mappings###
  event.deviceVendor=__getVendor(CSV File)
  event.deviceProduct=__stringConstant(Assets)
  event.deviceAction=Action
  additionaldata.Action=Action
  event.externalId=ExternalId
  event.flexString1=AssetName
  #following mappings maybe removed in future but required for now
  additionaldata.UniqueUserId=AssetName
  event.destinationUserId=AssetName
  ####### END ######

Make sure to set the following fields on the ESM connector (screenshot with callouts 1, 2, 3: ESM 6.8c, Archive Tool, External Assets).

Note:
• Each resource needs to be unique; duplicates will cause import failures
• Order of import is vital due to how assets inherit object attributes:
  1. Customer
  2. Location
  3. Network
  4. Category
  5. Zone
  6. Asset

Comcast's Asset Automation Process

Asset Model Benefits
• Automates the reconnaissance of the environment
• Helps management with training staff
• Assigns threat level formulas to assets
• Categorizes high/low value assets
• Easier transition in understanding the environment
• Helps teams focus on job requirements:
  • Incident Response: focus on closing cases and root cause analysis of incidents
  • Threat Discovery (Hunting): risk rates targets to help with determining hunting exercises
• Provides accurate threat details for your organization

Best Practices
• Prior to import:
  • Assets must have a unique fully qualified domain name (FQDN) or host name
  • Assets must have a unique IP address
  • An asset must only be in one zone
  • Categories are accurate and do not contain forward or back slashes
  • Limit categories due to system resources (pending system architecture)
• Updating assets:
  • If an asset moved between zones, make sure ParentGroupURI is properly associated
• Removing assets:
  • If you have a vulnerability scanner updating assets, all historical vulnerability data will be removed from the asset

Resources
• ESM 101 for ESM 6.8c: https:///docs/DOC-11937
• CORRe Internals: https:///docs/DOC-11998
• ESM Asset Model Import FlexConnector Configuration Guide: https:///docs/DOC-11925
• ESM Asset Model FlexConnector Developer's Guide for ESM 6.8c: https:///docs/DOC-11989
• SN21: How it Works: Assets,
Zones, Networks and Customers https:///docs/DOC-1130•SmartConnector for Qualys QualysGuard Filehttps:///docs/DOC-2372Questions?We are hiring!––––。
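An added example, not code from the original slides, that applies the pre-import best practices above (unique host name, unique IP, one zone, category names without slashes, semicolon as the multi-category delimiter) and renders rows in the 15-token order of the parser template; the asset records, hosts, MAC and external ID are constructed for illustration.

```python
"""Pre-validate and render rows for the ArcSight Asset Model Import FlexConnector.

Added example, not from the original slides. The column order is the 15-token
parser template on this page (token[0] Action ... token[14] AssetCategory), and
the checks are the slides' pre-import best practices plus the fact that the
connector does not validate file content itself.
"""
import ipaddress

COLUMNS = ["Action", "Active", "ActiveReason", "AssetName", "Ip", "Mac", "HostName",
           "ExternalID", "Alias", "ParentGroupUri", "OldParentGroupUri",
           "AssetDescription", "ZoneUri", "LocationUri", "AssetCategory"]
ACTIONS = {"addAsset", "updateAsset", "removeAsset", "addCategory", "removeCategory",
           "addZone", "removeZone", "moveAsset"}
MANDATORY = ("Action", "Active", "AssetName", "Ip")  # the slide's mandatory column types
DELIM, CAT_DELIM = ",", ";"                           # parser delimiter; multi-category delimiter
CATEGORY_ROOT = "/All Asset Categories/"


def validate_assets(assets):
    """Return a list of problems; an empty list means the batch is safe to render.

    Checks: mandatory columns, known action, parseable IP, unique host name,
    unique IP, exactly one zone, sane category URIs, and no field containing
    the parser delimiter (the template splits on ',' with no quoting, so a
    stray comma shifts every later token by one).
    """
    problems = []
    seen_name, seen_ip = {}, {}
    for i, a in enumerate(assets, 1):
        for key in MANDATORY:
            if not a.get(key):
                problems.append(f"row {i}: missing mandatory column {key}")
        if a.get("Action") not in ACTIONS:
            problems.append(f"row {i}: unknown action {a.get('Action')!r}")
        try:
            ipaddress.ip_address(a.get("Ip", ""))
        except ValueError:
            problems.append(f"row {i}: invalid IP address {a.get('Ip')!r}")
        name = (a.get("HostName") or a.get("AssetName") or "").lower()
        if name in seen_name:
            problems.append(f"row {i}: host name {name!r} already used in row {seen_name[name]}")
        seen_name.setdefault(name, i)
        ip = a.get("Ip", "")
        if ip in seen_ip:
            problems.append(f"row {i}: IP {ip!r} already used in row {seen_ip[ip]}")
        seen_ip.setdefault(ip, i)
        if CAT_DELIM in a.get("ZoneUri", ""):
            problems.append(f"row {i}: an asset must be in exactly one zone")
        for cat in a.get("AssetCategory", []):
            leaf = cat.rsplit("/", 1)[-1]  # the category name is the last URI segment
            bad = (not cat.startswith(CATEGORY_ROOT) or not leaf or "\\" in leaf
                   or CAT_DELIM in cat or DELIM in cat)
            if bad:
                problems.append(f"row {i}: bad category URI {cat!r}")
        for col in COLUMNS:
            val = a.get(col, "")
            if isinstance(val, str) and DELIM in val:
                problems.append(f"row {i}: column {col} contains the delimiter {DELIM!r}")
    return problems


def render_csv(assets):
    """Render rows in token order; raises ValueError if validate_assets found problems."""
    problems = validate_assets(assets)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for a in assets:
        row = dict(a)
        row["AssetCategory"] = CAT_DELIM.join(a.get("AssetCategory", []))
        lines.append(DELIM.join(str(row.get(c, "")) for c in COLUMNS))
    return "\n".join(lines) + "\n"


# Constructed sample inventory, loosely modelled on the slide's CSV example;
# the hosts, MAC address and external ID are hypothetical.
SAMPLE_ASSETS = [
    {"Action": "addAsset", "Active": "Active", "ActiveReason": "Activated 2016-07-04",
     "AssetName": "fooServer", "Ip": "192.168.1.1", "Mac": "00:0D:B3:11:22:33",
     "HostName": "foo-server.local", "ExternalID": "foo-1", "Alias": "myFooServer",
     "ParentGroupUri": "/All Assets/Organization/Foo Corp",
     "AssetDescription": "Core router",
     "ZoneUri": "/All Zones/Organization/Foo Corp/Fooville/Fooville192.168.1.0/24",
     "LocationUri": "/All Locations/Organization/FooCorp/Fooville",
     "AssetCategory": ["/All Asset Categories/System Asset Categories/Criticality/High",
                       "/All Asset Categories/System Asset Categories/Compliance/PCI"]},
    {"Action": "updateAsset", "Active": "Active", "AssetName": "barServer",
     "Ip": "192.168.1.1",  # duplicate IP: rejected by validate_assets
     "HostName": "bar-server.local",
     "ZoneUri": "/All Zones/Organization/Foo Corp/Fooville/Fooville192.168.1.0/24",
     "AssetCategory": ["/All Asset Categories/System Asset Categories/Criticality\\Low"]},
]

if __name__ == "__main__":
    for p in validate_assets(SAMPLE_ASSETS):
        print("reject:", p)
    print(render_csv(SAMPLE_ASSETS[:1]), end="")
```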
ArcSight ESM security features (new version): PDF document
ESM Security Module
• NSS Crypto Module
• Java Cryptographic Architecture
• SunPKCS11
www.arcsight.com
© 2008 ArcSight Confidential

Default Mode (diagram in the original slide: ESM and the ESM Security Module)
FIPS 140-2 Basics (continued)
• FIPS 140-2 defines security requirements for crypto modules. Part of the requirements is the list of approved algorithms. For example
• The US Federal government requires that all IT products dealing with Sensitive but Unclassified (SBU) information should meet the standards
Setup ESM in FIPS Mode - Basics
• TLS manual setup is required
• The first step is to set up ESM certificates with one of the
ArcSight product family installation and configuration guide
Hacking the Hallways: SIEM and PSIM, Revisited
Session B10024
Christopher L Kaija, CISSP

Lake Health
• Lake County Ohio's primary hospital provider, 30 miles east of Cleveland.
• Lake Health has been operating as the primary health care provider in this area since 1902.
• We are a non-profit with strategic partnerships with both the Cleveland Clinic and University Hospitals Seidman Cancer Center.

Lake Health: ArcSight Infrastructure
"Information wants to be free.... it also wants to be expensive" (Stewart Brand to Steve Wozniak, The Whole Earth Review)

Who is this person?
• ArcSight Express 3.0, 4.0, Express 6.9.1c
• ArcSight Logger 5.1 to 6.1
• ConApp / ArcMC migration to MC 2.2
• SmartConnectors v5 to v7
• IT industry since 2000, previously USN. Cisco, Juniper, Riverbed, F5 Networks, Blue Coat, Aruba Wireless, Checkpoint, etc.

Tip of the hat to the experts
• Colby DeRodeff: Co-Founder and CSO of Anomali, Inc., author of "The Convergence of Physical and Logical Security."
• Brian Contos: Securonix, Head of Worldwide Security Strategy and contributor to CSO Online.
• They created and gave the original "Hacking the Hallways" presentations and podcast in 2006.

Crime Prevention Through Environmental Design
• CPTED principles include Natural Surveillance, Natural Access Control, Territorial Reinforcement, Maintenance and Management.
• Most organizations handle the first three in a top-notch fashion: security plans are reviewed, planned, mapped, reviewed again, and finally approved and installed. See the following examples.

[Photo slides in the original: Natural Access Control; Natural Surveillance (Aokigahara Forest, Japan; Hitachi Seaside Park, Japan); Territorial Reinforcement]

Demographics: Environmental Studies
• Sources of new, untapped data analytics for use in multiple areas of SIEM and PSIM integrations.
• Govt. census data, neighborhood breakdowns (address, zip code, county, city).
• Vendor-based and free solutions abound: ESRI, Movoto, Cross Check, City-Data all have a free limited version and a paid version of the demographics they offer.

Integrations, are they truly possible?
• Yes, most vendors have either APIs or allow for database-level queries to gain customer-requested information.
• You have to know what you want to find before pulling it all into a PSIM or SIEM. If you're using a Big Data solution, there is more give and take, as the previous two may be size constrained.

Office Space = RISK
• IT Security should require constant review and mitigation of overall organizational exposure to unwanted or preventable risk.
• Office Space: the immediate location or area under which an entity provides goods or services at a fixed or pre-determined location.
• Mitigating controls would include constant review of policy, procedures, and the logical and physical security components to ensure nominal working order.

Process Improvement?

Case Study: The restraining order that could have worked
• Restraining order issued for a person with a known vehicle license plate.
• Video surveillance software capable of scanning license plates and sending alerts based on recognition factors.
• Due to the system implementation, the restraining order was allowed to be violated due to inaction.

Case Study, contd.
• Process review: need for a service catalog, documentation, employee and guard training, along with implementation and testing of the new capability.
• Legal liability limited due to the nature of the incident and parties involved.

Case Study 2: Violent Crime on the Commuter Train
• 2006: Homeland Security News Wire writes a scathing article against the installation or use of dummy cameras as a means of deterrence.
• 2016: In response to a previous fatal shooting on a commuter train, BART admits not all cameras actually function, and states all trains will receive working cameras.
• Legal liability: off the charts, as the legal precedent is that when seeing cameras in use in the area, a prudent person expects a nominal amount of safety and security.

Case Study 2: Security is the new Free WiFi
• Ask yourself: at your facilities, are all cameras live?
• When you see signs that say "Protected by X", do you feel safer?
• If you see a blue call box, do you expect it to work and someone to answer?
• If so, society as a whole now has an expectation of security; no longer should it be a "nice to have" or an option.

Case Study 3: Fire in the Hole!
• Life saving: the quintessential must-do of all physical security implementations is life saving; protecting the assets is a by-product.
• Mag locks, card readers, alarm panels, elevators all react if an emergency is detected, and this pre-programmed response is activated automatically.

Case Study 3, contd.
• In some organizations not all doors fail open in a fire; however, the first responders have a way around that: the Knox Box.
• Knox Box: a small fireproof lock or combination box on the outside of a building that contains badges for use in an emergency, which have been granted access to all doors and areas within the premises.
• The Knox Box key and/or combination are typically held by the local first responders, who typically do not work for the organization.

Case Study 3, contd.
• Organizations should, after every incident, pull all physical security access reports to review and track the locations of all Knox badge uses as appropriate.
• If the incident was on the fifth floor, why was a badge used on the fourth, or in the R&D section of an adjacent building?

Case Study 3, contd.
• Integrating your physical security infrastructure into your SIEM just makes sense.
• SIEMs typically already see where you logged in, what devices you use, what websites you browse, and what behavioral activity is deemed normal for your job role, individually or as a group.
• Now expand that to include everywhere you went inside the buildings, remotely across the world, in real time.

ArcSight: Physical Security Modeling
• This can be achieved in ArcSight Express 3.0c, 4.0c, 4.0c Patch 1, and ESM 6.9.0c and 6.9.1c. It is time consuming but highly doable even with limited staff.
• Requirements: a high level of understanding of the physical security infrastructure setup and dependencies.

ArcSight: Mapping Cameras to Asset Zones
• Two ways to bring in your security cameras: a vulnerability scan with auto asset creation, or manually.
• Locations: SF-HQ can be geo-located if the network is unique, with an ArcSight collection point; you can also dynamically manage all assets and prioritize alerting in a more manageable fashion.
• To remain consistent with the physical alarm structure, keep your Asset Zone names similar where possible.

ArcSight: Alarm Panels to Asset Zones
• For most vendors the alarm panel itself is network aware; if it loses network connectivity, the panel contains a copy of the card access and alarm configurations.
• These typically can be taken into ArcSight the same way as the IP cameras, using either vulnerability scans and auto asset creation or manually. (Manual may be best; a lot of these are considered fragile systems.)
• The same process can be used for all HVAC panels, generator panels, etc.

ArcSight: Door/Card Readers to Alerting
• This is the hardest part of this exercise: most card readers are near-field devices with no ability to truly be network aware, so currently Lake Health uses alternate interfaces off of the alarm panels to track door input fields and tie those back to logical names.
• ArcSight alerting limitation: you cannot alert on an Asset if an IP is not associated with it, so all door alerts appear as panel alarms with additional information attached.

ArcSight: Requirements to integrate Badges
• Our vendor: LENEL
• Preferred: 5 MS SQL system views that can be queried against remotely on a scheduled basis and output to CSV (All Badges, All Swipes, All Users, All User Activity, All Camera/Panel Alarms).
• ArcSight FlexConnector: to read the above output.

ArcSight: Current implementation
• Automated queries on the Lenel DB directly; ArcSight picks up the files remotely, processes them, and deletes old files.
• The SQL is on the next slide; the queries are cleaned up and use default Lenel names for DB tables.
• Process improvements: system views would remove application versioning issues with SQL tables, and FlexConnector testing is time consuming.

ArcSight: List for Badge to Unique User
• This is used to refresh Active Lists with net new badges, users, or changes. This works hand in hand with IAM solutions to verify multiple data points.

ArcSight: SQL Queries for Badge Swipes
• This query ties all badge swipes to the user's badge.

ArcSight: Lenel, give it all
• This query is a good one if you see weird fields or unparsed events in your FlexConnector.

ArcSight: Requirements to integrate Cameras
• Our vendors: Axis, Hitachi, older Lenel
• Preferred: all scripted API calls from the main management server; stills saved locally to SD card, and recorded video archived to the DC for review.
• ArcSight: alerts raised to a channel or dashboard, using integration commands that trigger scripts to fire if necessary.

ArcSight: Current implementation
• ArcSight Console: integrated command to launch the camera IP, log on, snap a still.
• APIs for Axis cameras and a Python script that works on some Hitachis (next slides).
• Process improvements: get better at scripting, replace old cameras, review camera placements, cut OPEX.

ArcSight: Still Camera API (sample)
• This is from the original Hacking the Hallways; the console UI and triggers are virtually unchanged.

ArcSight: IP Camera Vendor API scripts
• Axis: /us/en/support/technical-notes/live-snapshots
• Hitachi: depends on the camera (Crucial imaging or standard). Hitachi support was able to provide the script used; I will check with them if we can distribute the support URL or PDF.

ArcSight Activate Framework: I do, do you?
• This is not available under ArcSight Express 3.0 or 4.0.
• Activate was previously used within ESM.
• Activate does work with the new Express 6.9.0c and 6.9.1c.
• Functionally it improves the performance and speed of the Manager, across all operations.

ArcSight Activate Framework: 100 ft view
• Helps reduce rule sprawl by condensing functional areas of interest into Packages.
• As an example, take the Express Package for Cisco Monitoring; it's a perfectly fine package and works for all things Cisco.
• However, I also need rules, filters, and content for Citrix NetScalers, Array Networks, F5, WatchGuard Firewall, Juniper router and firewall, and various remote VPN solutions.
• Activate does this all in a Network Monitoring Package; it's possible not all the products will be there, but there are more than just Cisco.

ArcSight Activate: resources
• HPe ArcSight Activate wiki: https:///foswiki/bin/view/ArcSightActivate/WebHome
• HPe ArcSight Protect 724: https:///welcome
• HPe ArcSight Marketplace: https:///marketplace/arcsight

Also at the conference
• Seeking Insider Threats: B10054, Fri 11:30, Annapolis 1
• HPe Security ArcSight as the security nerve center: B9909, Fri 9:00, Magnolia 1
• Tuning and deploying with HPe Security ArcSight Marketplace and Activate Framework: 600 HPe Showcase
• HPe Security ArcSight Activate Threat Intelligence packages: B10039, Wed 3:45, Baltimore 5
• HPe Security ArcSight ESM, ESM now and the way forward: B10334, Thu 4:15, Baltimore 2

Additional sites of interest
• /marketplace/arcsight
• https:///welcome
• https:///us/en/services/consulting.html
• https:///us/en/services.html
• /us/en/software-solutions/enterprise-security.html
HPE Security ArcSight Model Import Connector for RepSM Plus
Software Version: 7.3.0.7972.0
Configuration Guide
December 16, 2016
Model Import Connector for RepSM Plus

This guide describes installing the Model Import Connector for HPE Security ArcSight Reputation Security Monitor Plus (RepSM Plus) and configuring the device for data collection.

The HPE RepSM Plus solution uses internet reputation data to provide a list of known bad or harmful domains or IP addresses, to provide context to security events. The Model Import Connector for RepSM Plus is a component of RepSM Plus which retrieves reputation data from the RepSM Plus threat intelligence service, processes this data, and forwards it to ArcSight ESM. The threat intelligence includes reputation information about internet nodes which are known to exhibit bad behavior. The ill-reputed nodes are identified by their network address or Domain Name System (DNS) name. This data is used by the accompanying RepSM Plus content package to detect malware-infected machines, zero-day attacks, and dangerous browsing. The user can also use the data to implement custom ESM solutions. For further details on this solution, see the HPE Reputation Security Monitor Solution Guide.

Features and Functional Summary

The Model Import Connector for RepSM Plus retrieves the reputation data and forwards it to ESM. This connector supports one ESM destination. The connector only sends the delta information from the last retrieved data to the ESM. These entries are:
• IPv4 addresses
• Host and domain names

For each entry these reputation attributes are retrieved:
• Reputation Score
• Exploit Type

The initial import happens when the connector is started for the first time and the initial import command is issued from the ESM console. Following the initial load of the entries, the connector checks for updates, by default, every two hours. With the data from this query, the connector processes the deltas to add or delete the entries or update the threat scores as required, and sends this information to the ESM.

Installing the Connector

Before installing the connector, verify that ESM (the product with which the connector will communicate) and Console have already been installed correctly. It is recommended that the connector not be installed on the same machine as ESM. Also, be sure the following are available:
• An additional 2 GB of memory if the connector is run in standalone mode.
• Local administrator access to the machine on which the connector will be installed.
• The machine on which the connector will be installed has external access over the Internet to any system over port 443, and connectivity to the ESM machine over port 8443 (default) or the configured port if the default was not used.
• ESM IP address, port, administrator user name, and password.

Model Import Connector Installation

This section provides instructions on how to install the Model Import Connector for RepSM Plus.

To install the Model Import Connector for RepSM Plus:
1. Download the Model Import Connector for RepSM Plus installation executable using the link provided in the e-mail sent to you by HPE.
2. Start the connector installer by running the executable. Follow the installation wizard through the following folder selection tasks and installation of the core connector software:
   • Introduction
   • Choose Install Folder
   • Choose Shortcut Folder
   • Pre-Installation Summary
   • Installing...
3. Select Add a Connector.
4. Model Import Connector for RepSM Plus is already selected. Click Next.
5. Enter the required parameters to configure the connector, then click Next.
6. ArcSight Manager (encrypted) is selected. Click Next.
7. Enter destination parameters, including the host and port information, and click Next.
8. Enter a Name for the connector and provide other information identifying the connector's use in your environment. Click Next.
9. Select whether to import a certificate.
10. Review the Add connector Summary and click Next. If the summary is incorrect, click Previous to make changes.
11. The wizard now prompts you to choose whether you want to run the connector as a stand-alone process or as a service. Choose either Install as a service or Leave as a standalone application. Click Next.
12. To close the installation wizard, choose Exit and click Next. There are further installation steps after you close the wizard. Be sure to continue with the subsequent installation steps.
13. If the connector is run in standalone mode, the default heap size is 256 MB. For proper operation of the connector, HPE recommends that you modify the heap size setting to 2 GB. There is no need to modify memory if the connector is run as a service; if the connector is configured to run as a service, the heap size is set to 2 GB by default. Increase the memory for the connector by doing the following (in the following example commands, ARCSIGHT_HOME represents the name of the directory where the connector is installed):
   • For Linux, create the following shell script and be sure it is executable:
     ~/ARCSIGHT_HOME/current/user/agent/setmem.sh
     with the following content:
     ARCSIGHT_MEMORY_OPTIONS="-Xms1024m -Xmx2048m"
   • For Windows, create the following batch file:
     $ARCSIGHT_HOME\current\user\agent\setmem.bat
     with the following content:
     SET ARCSIGHT_MEMORY_OPTIONS="-Xms1024m -Xmx2048m"
   Be sure to use regular double quote characters in the file content in either the shell script or the batch file.
14. Verify that the connector is running. You can check the ArcSight Console Navigator in the Resources tab, under Connectors. If the connector is running, you will see <connector_name> (running) listed. See "Running Connectors" below.
15. Set up the Model Import user in ESM. See "Setting up the Model Import User in ESM" below.
16. Start the data import. See "Starting and Stopping Data Import" below.

Running Connectors

Connectors can be installed and run in standalone mode, on Windows platforms as a Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On Windows platforms, connectors also can be run using shortcuts and optional Start menu entries.

If installed standalone, the connector must be started manually, and is not automatically active when a host is restarted. If installed as a service or daemon, the connector runs automatically when the host is restarted. For information about connectors running as services or daemons, see the ArcSight SmartConnector User's Guide, Chapter 3, Installing SmartConnectors, in the section "Running SmartConnectors".

For connectors installed standalone, to run all installed connectors on a particular host, open a command window, go to $ARCSIGHT_HOME\current\bin and run:
./arcsight agents

To view the connector log, read the file:
For Windows: $ARCSIGHT_HOME\current\logs\agent.log
For Linux: ~/ARCSIGHT_HOME/current/logs/agent.log

To stop all connectors, enter Ctrl+C in the command window.

Connector Upgrade

To upgrade the Model Import Connector for RepSM Plus, you must uninstall the current version of the connector and then install the latest version. For information about uninstalling connectors, see the ArcSight SmartConnector User's Guide.

Administrative Tasks: RepSM Plus Configuration Using the ArcSight Console

There are mandatory and optional administrative tasks. "Setting up the Model Import User in ESM" and "Starting and Stopping Data Import" below are mandatory steps for connector installation, and are mentioned as part of the installation procedure. See "Installing the Connector" above for details. You might also find that you need to perform these tasks outside of the context of the installation procedure. The tasks "Optional: Reloading RepSM Plus Data" and "Optional: Optimization of Data Transfer Using a Timer" below can be performed as needed.

Setting up the Model Import User in ESM

After installing, configuring, and starting the connector, from the ArcSight Console set the Model Import User for the connector (this must be a user with Console administrative privileges). Setting the user links the user to the assets, and that user is then treated as the "creator" of the assets. The connector is then run on that user's behalf.
1. From the ArcSight Console, go to the Navigator panel and choose the Resources tab.
2. Under Resources, choose the Connectors resource.
3. Under All Connectors, navigate to your Model Import Connector for RepSM Plus.
4. Right-click on the connector and select Configure.
5. On the Inspect/Edit panel, choose the Connector tab.
6. Under the Connector tab, go to Model Import User and select a user from the Administrators group.
7. Click OK.

Starting and Stopping Data Import

By default the connector's data import capability is not started. You must start the import manually in the ArcSight Console.

To start and stop import for the Model Import Connector for RepSM Plus:
1. Select the Model Import Connector for RepSM Plus and right-click.
2. Select Send Command > Model Import Connector > Start or Stop.

Optional: Reloading RepSM Plus Data

To reload RepSM Plus data:
1. If active, stop the connector.
2. Remove all files at:
   Linux: ~/ARCSIGHT_HOME/current/user/agent/agentdata
   Windows: $ARCSIGHT_HOME\current\user\agent\agentdata
3. Remove all folders and XML files (if any) at:
   Linux: ~/ARCSIGHT_HOME/current/user/agent/mic/repsm
   Windows: $ARCSIGHT_HOME\current\user\agent\mic\repsm
4. At the ArcSight Console, clear all entries in the Malicious Domains and Malicious IP Addresses Active Lists. For each Active List:
   a. Under Reputation Security Monitor, select the Malicious Domains and/or the Malicious IP Addresses Active List and right-click.
   b. Select Clear Entries.
5. Restart the connector.

Optional: Optimization of Data Transfer Using a Timer

The time interval between archives sent by the connector to ESM can be controlled by the buildmodeldelay property. The default value is 1 minute. To increase or decrease this time interval, you can add the buildmodeldelay property to the file agent.properties (located at $ARCSIGHT_HOME\current\user\agent). The property buildmodeldelay is expressed in milliseconds. For example, the following property sets the time interval to 10 seconds:
component[35].buildmodeldelay=10000
ArcSight Integration Tool Manual
Integration Tool Summary for URL
Modified/Updated by Balahasan V. | SIEM Engineer

About Integration Commands

Integration commands leverage the power of security and event management, and broaden its view to show external, snap-in views from appliances like ArcSight NSP TRM and ArcSight Logger, as well as third-party applications.

Integration commands enable you to link from the ArcSight Console to information in other views and applications. You can also build and launch commands locally and on remote servers or appliances, using field values in events as command parameters. You can configure the commands as context-aware, right-click options on different views, resources, and editors on the ArcSight Console.

Command execution mechanisms
∙ URI (HTTP)
∙ Local script/executable ("tool")
∙ CounterAct Connector (TRM)

Result rendering
∙ Internal web browser / external web browser
∙ Script/executable output
∙ CounterAct structured result
∙ Attach to case
∙ Save to a file

Blacklist/Reputation Check for IP Address

Centralized visibility into global threat activity by integrating threat feeds cannot be relied upon completely, since we use multiple open source feeds, and even paid threat feeds give us false positives. The only way to make sure a correlated event is a true positive is to investigate the feed destinations. Here are a few open source URLs and what we are actually investigating for:
∙ Phishing URL/email blacklists
∙ Trojan/botnet watch lists
∙ Suspicious domain registrations
∙ Infected IPs from malware victims
∙ C&C/botnet communications monitoring
∙ Dynamic DNS communication
∙ Fast flux monitoring
∙ Honeypot threat intelligence
∙ HTTP Referrer and User Agent profiling
∙ Malicious nameserver watch lists
∙ Passive DNS monitoring
∙ Phishing dropsite monitoring
∙ Proprietary validation scanners

Investigate: Threat Expert (link, no integration)
Command Type: URL
Command Syntax: /reports.aspx?find=&x=10&y=7
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types

Investigate: Google Maps Location
Basically, create a set of commands called "Google Attacker" and "Google Target" respectively, and use the URL type command for both with the following strings.

For Attacker:
Command Type: URL
Command Syntax: /maps?q=${attackerGeoLatitude},${attackerGeoLongitude}
Configuration Name: Investigate: IP GeoLocation
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

For Target:
Command Type: URL
Command Syntax: /maps?q=${targetGeoLatitude},${targetGeoLongitude}
Configuration Name: Investigate: IP GeoLocation
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: Robtex IP Check
Command Type: URL
Command Syntax: https:///ip/$selectedItem
                https:///dns/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: IPVoid Check
Command Type: URL
Command Syntax: /scan/$selectedItem/
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: IP/URL Check - myIP.ms
Command Type: URL
Command Syntax: http://myip.ms/view/ip_addresses/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: IP/URL Check - Multirbl.valli
Command Type: URL
Command Syntax: /lookup/$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: mxtoolbox - Blacklist
Command Type: URL
Command Syntax: /SuperTool.aspx?action=blacklist:$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, String

Investigate: mxtoolbox - SMTP Check
Command Type: URL
Command Syntax: /SuperTool.aspx?action=smtp:$selectedItem
Configuration Name: Investigate: SMTP Check
Configuration Attributes: Internal
Configuration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data Types

Investigate: IP/URL Check - Umask
Command Type: URL
Command Syntax: /?domain=$selectedItem&privacy=PUBLIC
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - AVG
Command Type: URL
Command Syntax: /website-safety-reports/domain/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - Robtex
Command Type: URL
Command Syntax: https:///dns/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - Hosts-file
Command Type: URL
Command Syntax: /default.asp?s=$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - Maldb
Command Type: URL
Command Syntax: /$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - Sucuri
Command Type: URL
Command Syntax: /results/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - SiteAdvisor
Command Type: URL
Command Syntax: /sites/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: MS Malware Protection Center
Command Type: URL
Command Syntax: /security/portal/Threat/Encyclopedia/Search.aspx?query=$selectedItem
Configuration Name: Investigate: Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | IP Address, String, All Data Types

Investigate: URL Check - URL Void
Command Type: URL
Command Syntax: /scan/$selectedItem
Configuration Name: Investigate: URL Blacklist Checking
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: URL Check - Webutations
Command Type: URL
Command Syntax: /go/review/$selectedItem
Configuration Name: Investigate: URL Reputation Check
Configuration Attributes: Internal
Configuration Context: Viewer | All Views | All Selections | All Data Types

Investigate: Suspected Malware
Command Type: URL
Command Syntax: /mdl.php?search=$selectedItem
Configuration Name: Investigate: Blacklist
CheckingConfiguration Attributes: InternalConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesInvestigate: URL Check –MyWOTCommand Type: URLCommand Syntax:/site/$selectedItemConfiguration Name: Investigate: URL Reputation CheckConfiguration Attributes: InternalConfiguration Context: Viewer | All Views| All Selections |All Data TypesInvestigate: IP/URL Check –WatchGaurdCommand Type: URLCommand Syntax:/lookup.php?ip=$selectedItemConfiguration Name: Investigate: Reputation CheckingConfiguration Attributes: InternalConfiguration Context: Viewer | All Views| All Selections |All Data TypesInvestigate: URL Check –PingdomCommand Type: URLCommand Syntax:/fpt/#!/$selectedItemConfiguration Name: Investigate: Full Site ScanConfiguration Attributes: InternalConfiguration Context: Viewer | All Views| All Selections |All Data TypesInvestigate: URL Check –vURLCommand Type: URLCommand Syntax:/default.asp?url=http://$selectedItem&btnvURL=Dissect&selUAStr=1&selServer =1&ref=&cbxSource=on&cbxBlacklist=onConfiguration Name: Investigate: Full Site ScanConfiguration Attributes: InternalConfiguration Context: Viewer | All Views| All Selections |All Data TypesInvestigate: mxtoolbox-Internet Port ScanCommand Type: URLCommand Syntax: /SuperTool.aspx?action=scan:$selectedItem Configuration Name: Investigate: Internet Port ScanConfiguration Attributes: InternalConfiguration Context: Viewer | All Views | All Selections | IP Address, Strings | IP Address, String, All Data TypesInvestigate: Windows Event IDCommand Type: URLCommand Syntax:/securitylog/encyclopedia/event.aspx?eventid=${deviceEvent ClassId}Configuration Name: Investigate: Windows EventConfiguration Attributes: InternalConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesSome of the Snapshots of Integration Commands from ESM:Other Useful Sites 
for Investigation:https://managerip:8443/arcsight/web/manage.jsp/web-page-analyzer.html/index.php/search.scumware/en/lookup/community/advisories/en-us/security/advisory/en-us/threat-center/threat-analyses.aspxhttp://dnslookup.me/dynamic-dns/cohttps:///wiki/search_ip.php/?/listing-urls.php/tools/beautifyhttps:///en//en-us/threat-center/ip-lookup.aspx/threat-intelligence/domain/popular.aspxhttps:///enhttps:///submission//en//index.php?target=test/security/portal/threat/threats.aspx?id=1/malware-analysis-tools/malware-auto-analysisIntegration Tool Summary for Script/ToolSample Integration Tools Used:- Dig for Windows v9.3.2- Nmap for Windows v5.21- Windump v3.9.5- WinPcap v4.1.2- PathPing v5.2.3790.0 (Windows Only)- Nbtstat v5.2.3790.3959 (Windows Only)- Nessuscmd for Windows v4.2.2 (Build 9129)Installation - Step 1:Installation of the Integration Commands requires that the tools and their associated paths be available installing the .arb file.1) Open the ArcSight Console and select "Packages" in the Resource Navigator.2) Select "Import" and select the location of the "Investigation_Integration_Pack.arb" file.3) Once imported you will see the following tools under Integration Commands / Configurations:/All Integration Commands+ /ArcNet Commands+ /ArcNet Configurations/All Files+ /ArcNet Files+ /Investigation Integration Apps+ Investigation Integration ToolsInstallation - Step 2:Various command line utilities have been placed in /All Files/ArcNet Files/Investigation Integration Apps/Investigation Integration Tools.zipDownload the zip file (right-mouse click > select download) and install the tools in the directory(C:\arcsight\tools).Installation of the tools that are referenced must be located in the following directories, as configured in the integration commands:Investigate: DNS Lookup: %arcsight%\tools\dig.exeInvestigate: NBTstat: %system32%\nbtstat.exeInvestigate: NMAP (TCP): %program files%\nmap\nmap.exeInvestigate: NMAP (UDP): %program 
files%\nmap\nmap.exeInvestigate: Open Shares: %arcsight%\tools\netview.cmdInvestigate: OS Fingerprint: %program files%\nmap\nmap.exeInvestigate: Packet Capture: %arcsight%\tools\windump.exeInvestigate: PathPing: %system32%\pathping.exeInvestigate: Vulnerability Scan: %program files%\tenable\nessus\nessuscmdUsage:Once the tools have been installed in the appropriate directories, Integration Commands are available on right-click context menus from a variety of contexts in the ESM Console including:- Relevant fields in active channels (e.g. IP address, host name)- Relevant resources (for example, assets)- Active Lists, sessions lists, query viewers and channelsOnce invoked, a script output or internal browser window will appear where the output of the integration command can be viewed. The output of script actions will allow analysts to export the results to a file or add the output to an existing case.When the output window is closed the command will stop running and be removed from memory.WinDump Note:Running multiple instances of memory intensive applications such as WinDump for long periods will degrade the performance of the system hosting the ArcSight Console. WinDump should be run on a separate system with a UNC path to the tool configured in the "Investigate: Packet Capture" command.Additionally, a typical protocol analysis program such as WinDump (or tcpdump) is usually configured with an interface that is connected to a switchport that is mirroring all VLAN traffic (or spanning) to the system listening in promiscuous mode. 
This is not the case with the current configuration with the provided "Investigate: Packet Capture" command, as this was developed in a VM environment and tested against simulated data targeting the machine that was hosting both the ESM manager and the console.Investigate: DNS LookupCommand Type: ScriptCommand Syntax: %arcsight%\tools\dig.exe -t ANY $selectedItemConfiguration Name: Investigate: DNS LookupConfiguration Attributes: Text RendererConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All SelectionInvestigate: NBTstatCommand Type: ScriptCommand Syntax: %system32%\nbtstat.exe -a $selectedItemConfiguration Name: Investigate: NBTstatConfiguration Attributes: Text Rendererbalahasan.venkatesanConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesInvestigate: NMAP (UDP)Command Type: ScriptCommand Syntax: %program files%\nmap\nmap.exe -vv -sU -p0 $selectedItemConfiguration Name: Investigate: NMAP (UDP)Configuration Attributes: Text RendererConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesInvestigate: Open SharesCommand Type: ScriptCommand Syntax: %arcsight%\tools\netview.cmd $selectedItemConfiguration Name: Investigate: Open SharesConfiguration Attributes: Text RendererConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesInvestigate: OS FingerprintCommand Type: ScriptCommand Syntax: %program files%\nmap\nmap.exe -vvv -A -O -PN $selectedItemConfiguration Name: Investigate: OS FingerprintConfiguration Attributes: Text RendererConfiguration Context: Viewer | All Views | All Selections | IP Address, StringInvestigate: Packet CaptureCommand Type: ScriptCommand Syntax: %arcsight%\tools\windump.exe -i 3 -l -x -n host 
$selectedItemConfiguration Name: Investigate: Packet CaptureConfiguration Attributes: Text RendererConfiguration Context: Viewer | All Views | All Selections | IP Address, StringInvestigate: PathPingCommand Type: ScriptCommand Syntax: %system32%\pathping.exe $selectedItemConfiguration Name: Investigate: PathPingConfiguration Attributes: Text RendererConfiguration Context: Viewer | All Views | All Selections | IP AddressInvestigate: Vulnerability ScanCommand Type: ScriptCommand Syntax: %program files%\tenable\nessus\nessus\nessuscmd -U -p139,445 -V -i 10150,34477 $selectedItemConfiguration Name: Investigate: Vulnerability ScanConfiguration Attributes: Text RendererConfiguration Context: Viewer, Resource, Editor | All Views, Assets, All Editors | Selected Cell, All Selections | IP Address, String, All Data TypesFor Snort SID searches, you can do the following:Create a 'Evaluate Velocity Template' Global Variable with the following code:#set( $sid = $deviceEventClassId )#set( $format_sid1 = $sid.replace(":", "-") )#set( $format_sid2 = $format_sid1.replace("[", "") )#set( $format_sid3 = $format_sid2.replace("]", "") )${format_sid3}Integration Command URL: https:///search/sid/${Global Var Name}TRM Example:Other Docs and References:Sourcefire Integration Command GuideHP TippingPoint Command Line Interface (CLI) Reference for TOS v3.2 Netwitness Right-Click Integration - URL-based Session Drill-down Guidance Software_EnCase Cybersecurity_4 4_Action_2012Gary Freeman PostsSOC Investigation Tools which are being built in my Environment。
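The URL and script commands above substitute event field values ($selectedItem, ${attackerGeoLatitude}, ${deviceEventClassId}) into a command string. The following added example (not ArcSight code) renders such templates the way a defender would want: URL values percent-encoded, script arguments accepted only when they are an IP address or hostname before they reach dig.exe or nmap.exe, and the Velocity global variable for Snort SIDs reproduced in Python. Event values and the hostname check are constructed for the example.

```python
"""Rendering integration command templates with event field values.

Added example, not ArcSight code. URL commands get percent-encoded values;
script commands get an argv list whose substituted values must be an IP
address or a hostname, because they are handed to a local tool. Field names
come from the guide; event values below are constructed.
"""
import ipaddress
import re
import urllib.parse
from typing import Dict, List

_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # ${name} or $name
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*\.?$")


def is_ip_or_hostname(value: str) -> bool:
    """Allowlist check for anything that becomes a tool argument."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.match(value) is not None


def _lookup(match, fields: Dict[str, str]) -> str:
    name = match.group(1) or match.group(2)
    if name not in fields:
        raise KeyError(f"event has no field {name!r}")
    return str(fields[name])


def render_url_command(template: str, fields: Dict[str, str]) -> str:
    """URL command: encode each value so '&', '=', '#', '/' or spaces in an
    event field cannot change the query string or path of the request."""
    return _VAR.sub(lambda m: urllib.parse.quote(_lookup(m, fields), safe=""), template)


def render_script_command(template: str, fields: Dict[str, str]) -> List[str]:
    """Script command: return an argv list (no shell). Tokens are split on
    whitespace, so a tool path containing spaces must be quoted by hand."""
    argv: List[str] = []
    for token in template.split():
        m = _VAR.fullmatch(token)
        if m is None:
            argv.append(token)
            continue
        value = _lookup(m, fields)
        if not is_ip_or_hostname(value):
            raise ValueError(f"refusing to pass {value!r} to a local tool")
        argv.append(value)
    return argv


def normalize_snort_sid(device_event_class_id: str) -> str:
    """Same three replacements as the guide's Velocity template:
    ':' -> '-', then drop '[' and ']'  ('[1:2000345:3]' -> '1-2000345-3')."""
    return device_event_class_id.replace(":", "-").replace("[", "").replace("]", "")


if __name__ == "__main__":
    # Constructed event; 203.0.113.0/24 is documentation address space.
    event = {"selectedItem": "203.0.113.7", "attackerGeoLatitude": "37.42",
             "attackerGeoLongitude": "-122.08", "deviceEventClassId": "[1:2000345:3]"}
    print(render_url_command("/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}", event))
    print(render_script_command(r"%arcsight%\tools\dig.exe -t ANY $selectedItem", event))
    print(normalize_snort_sid(event["deviceEventClassId"]))
```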
ArcSight ESM Introduction 2010Q3 (copy)
2008 ArcSight Confidential

(Slide deck residue; only slide titles and labels are recoverable.)
Slide: Ensuring data integrity and reliability. Labels: log data; data sources (FW, IDS, AV, AAA, DB, OS, Router/Switch, ...); ArcSight Connector (bandwidth management, filtering, aggregation, centralized updates, Cache / Batch); SSL; compressed log data; ArcSight Manager; ArcSight Console; asset criticality; key risks / detected threats; known vulnerabilities.
Slide: Effective threat identification: ArcSight ESM real-time, risk-based correlation. Labels: Policy Management, Router, Security Management, Switch, VPN, Vulnerability Mgmt, Web Cache, Web Filtering, Web Server, Wireless.
Slide: Event funnel: tens of millions of raw events; millions of security-relevant events; thousands of correlated events; tens to hundreds of highest-priority events. Inputs: detected threats, known vulnerabilities, business-critical IT assets, risk-based ranking. Alert: user BadUser123 stole critical Oracle application data from inside.
Slide: New challenges: compliance and insider threats.
ArcSight ESM Appliance ESM v4.5 SP1 Getting Started Guide

Getting Started with ArcSight™ ESM Appliance
ESM v4.5 SP1
August 28, 2009

Copyright © 2009 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners. Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: /copyrightnotice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. This document is ArcSight Confidential.

Contents
- Getting Started with ArcSight™ ESM Appliance
- Installation Instructions
- Installing ArcSight ESM
- Preparing for Oracle Database Installation
- Oracle Installation
- Restoring Factory Settings
- Customer Support

Getting Started with ArcSight™ ESM Appliance

Use this document and the Rack Installation Guide, included with the ArcSight ESM Appliance, to install your appliance and connect to it for the first time. The ArcSight ESM Administrator's Guide explains in detail how to deploy, configure and use ArcSight ESM. The guide is available:
- From the ESM Console Browse Docs page
- As a download from https://
- On the server in the /opt/arcsight/docs directory

Installation Instructions
1. Follow the instructions in the Rack Installation Guide for unpacking the appliance and its accompanying accessories.
2. Securely mount the appliance in a rack and make the rear panel connections.
3. Attach a monitor, keyboard and mouse to the system.
4. Power on the system, and wait for the system to boot.

The ArcSight ESM Appliance comes with the Oracle Enterprise Linux operating system already installed. When setting preferences for Oracle Enterprise Linux, consider the following:
• When you accept the License agreement, note that the license agreement is for Oracle Linux only. ArcSight ESM has a separate license agreement that appears when the ArcSight ESM component is installed.
• If you choose to enable the firewall, you will need to open ports 8443 and 9443 for ArcSight Manager and ArcSight Web communication. You might also want to open port 22 for remote SSH access.
For more information on Oracle Enterprise Linux, see /linux/.

Installing ArcSight ESM

The installation files for ArcSight ESM components are available in the /opt/arcsight/installers directory. Navigate to this directory and install the ESM components according to the instructions found in the ArcSight ESM Installation and Configuration Guide.

CAUTION: Read through the instructions, cautions, and warnings in the Rack Installation Guide carefully. Failing to do so can result in bodily injury or system malfunction.

After installing the ArcSight Manager, download the Console installer file from the ArcSight Customer Support website and install the Console on one or more systems.

Note that the 'arcsight' user is pre-defined in the system. You do not need to create this user.

Preparing to Install the Oracle Database

Before you install the ArcSight Database, please note the following recommendations:
• There are 6 physical disks set up in a RAID 10 group that appear as a single logical disk to the Operating System. This is partitioned so that there is approximately 1 TB on /opt/data and 100 GB on "/". ArcSight recommends:
  a. Installing the ArcSight Database in the /usr/local/arcsight/db45sp1 directory.
  b. Setting the Oracle user home and installation directory as /home/oracle and Oracle Home as /home/oracle/OraHome10g.
  c. Storing Redo Logs and default Oracle data files (System, SysAux, etc.) under the default /home/oracle/OraHome10g/oradata/arcsight.
  d. Storing data files for all arcsight tablespaces (ARC_*) in /opt/data.
• Estimate your retention needs and whether you want to enable partition archiving or not. Contact ArcSight Support if you need help with enablement. You can completely fill the /opt/data directory with data files.
• Review the "Preparing a Linux System" section, steps 5-7, in the ArcSight ESM Installation and Configuration Guide for details on how to configure and verify that the hostname is properly set and can be pinged. The Oracle installation will fail if your host system cannot be pinged.
• When the Oracle database installation is complete, install the ArcSight Manager in the /home/arcsight/ directory, for example /home/arcsight/manager45sp1.

Oracle Installation

For more information about Oracle installation, see the ArcSight ESM Installation and Configuration Guide. Refer to the ArcSight ESM Administrator's Guide for instructions on how to use ArcSight ESM and confirm that initialization was successful. Also, refer to the appropriate Release Notes, available on the ArcSight Customer Support site, https://.

When you are prompted to set the ArcSight Database Template, ArcSight recommends choosing the Extra Large template. This template will dedicate 6 GB of memory to Oracle, leaving enough memory for the ArcSight Manager, operating system, and any other ArcSight components you need.

Restoring Factory Settings

ArcSight ESM Appliance can be restored to its original factory settings using the built-in Acronis True Image software.

Restoring ArcSight ESM Appliance to factory settings will irrevocably delete all event data and configuration settings.

To restore ArcSight ESM Appliance to its original factory settings, perform these steps:
1. Attach a keyboard, monitor, and mouse directly to the ArcSight ESM Appliance system.
2. Reboot ArcSight ESM Appliance.
3. When the system has started, use the mouse or arrow keys to select System Restore and press Enter.
4. On the Pick a Task list, choose Recovery.
5. The Restore Data Wizard opens. Click Next to continue.
6. Select the Acronis Secure Zone and click Next. You will have an opportunity to review the choices you make on this page and the wizard pages that follow before initiating the restore process.
7. Select Restore disks or partitions, and then click Next. Only choose other options if specifically directed to do so by ArcSight Customer Support.
8. Select the entire drive, labeled 'sda' in the figure below. Click Next to continue.
9. Select Generate new NT signature, and then click Next.
10. Choose the drive to restore ('sda'), and then click Next.
11. Choose Yes, I want to delete all the partitions on the destination hard disk drive before restoring, and then click Next.
12. Because there are no other partitions or disks to restore, choose No, I do not, and then click Next.
13. Select Restart machine automatically if needed for recovery, and then click Next.
14. Review the checklist of operations to be performed and click Proceed to begin the restore process, or click Back to revisit previous wizard pages.

Do not interrupt or power down ArcSight ESM Appliance during the restore process. Interrupting the restore process may force the system into a state from which it cannot be recovered.

15. The progress bars shown in the figure below display the status of the current and total operations. When the restoration is complete, an alert is displayed that says "Data was successfully restored." Click OK.
16. Close the Acronis True Image Server window to reboot ArcSight ESM Appliance.

Customer Support

To answer any questions, contact ArcSight Customer Support:
Phone: 1-866-535-3285 (North America)
       +44 (0)870 141 7487 (EMEA)
E-mail: ********************
Web: https://
ArcSight ESM Service Layer v5.0 User Guide
The ArcSight™ ESM Service Layer

Contents
- The ArcSight™ ESM Service Layer
- Introduction
- Setting Up Your Development Environment
- Obtaining a List of Available ESM Services
- Obtaining the Authentication Token
- Finding Service Information in the WSDL
- Consuming ESM Services

Introduction

Beginning with ArcSight™ ESM v5.0, the ESM Service Layer is available and exposes ESM functionalities as Web Services. By consuming the exposed Web Services, you can integrate ESM functionality in your own applications. ESM Service Layer uses a service-oriented architecture (SOA) that supports multiple Web Service clients written in different languages.

You will have the ability to create programs that:
- Run an ESM report and feed it back to your third-party home-grown system
- Execute full-text searches on ESM resources

The SOA approach enables ESM Service Layer to support multiple consumption options, for example:
- Java developers can take advantage of the ESM Service Layer SDK to create SOAP or Google Web Toolkit (GWT) clients. See "ESM Service Layer SDK" below.
- Developers applying Representational State Transfer (REST) principles write scripts to consume the services. The developers can refer to the Web Services Description Language (WSDL) files for a description of each ESM service. For more information about REST, refer to this link: /wiki/Representational_State_Transfer
- Developers who prefer to create their own stubs in a language other than Java (for example, in .NET or C++) can refer to the Web Services Description Language (WSDL) files for a description of each ESM service.

ESM Resources as Web Services

ESM Service Layer provides access to the ESM resources listed below. ArcSight ESM has more resources than listed. If you are retrieving information on an ESM resource that is not yet supported, you can use ResourceService to get the Base Resource attributes that are common to all resources (the ID, name, and description), but not the details unique to the unsupported resource.

ESM Resource Name    Service Name
Archive Report       ArchiveReportService
Dashboard            DashboardService
Data Monitor         DataMonitorService
File                 FileResourceService
Report               ReportService
Resource             ResourceService

ESM Service Modules

ESM Service Layer groups services in two service modules:
- Core Service module. This module provides login services (loginService) by returning the authentication token (authToken) needed to begin consuming a service. The services are designed to be stateless. You will therefore pass the authentication token every time you consume a service.
- Manager Service module. This module provides the ESM functionality, for example, ArchiveReportService.

ESM Service Layer SDK

The SDK provides a set of tools and libraries for Java applications that consume the services in ESM Service Layer.
- SOAP clients use Simple Object Access Protocol (SOAP) XML messages to send requests to and get responses from the ESM Service Layer web server over HTTP.
- The Google Web Toolkit (GWT) provides the capability to create user interfaces, use RPC to pass Java objects between the client and the server over HTTP, and more. For more information about GWT, start with this link: /webtoolkit/doc/overview.html

SDK Installation files

The SDK is distributed as part of the ESM installation. Installation files are located at $ARCSIGHT_HOME/utilities/sdk. The SDK libraries are located at $ARCSIGHT_HOME/utilities/sdk/lib. Under /lib, you will also find the Javadoc containing the API descriptions. The Javadoc is distributed in jar format.

Setting Up Your Development Environment

Following are the requirements to set up your development environment:
- All exposed ESM services are TLS/SSL-secured; therefore, import the ArcSight ESM Manager's certificate into your development/runtime environment. The certificate option was chosen during ArcSight ESM installation. It could be a temporary certificate authority (CA), a self-signed certificate, or a signed certificate from a trusted CA. Ask your ArcSight administrator which certificate option was chosen during installation and import that certificate into your development JRE's jre/lib/security/cacerts.
- The ESM Service Layer modules are core-ws-client.jar and manager-ws-client.jar, respectively. Include these jar files in your Java classpath.
- Install the Java API for XML Web Services (JAX-WS) libraries, for example, the toolkit for Apache Axis2, from your preferred software provider.

Obtaining a List of Available ESM Services

After setting up your development environment, you will next want to know the services available for consumption. You do this by displaying the listServices file provided by the Manager Service module.

To view the listServices file
1. Open your browser and enter the URL with the following format: https://myhost:8443/www/manager-service/services/listServices
2. Replace myhost as appropriate.

The browser displays the listServices page. Scroll down to view more services. The following example is the ArchiveReportService.

The listServices file provides the information about a service, including:
- The service's end point reference (EPR) URL
- A list of service names, for example, ArchiveReportService
- The methods associated with each service

The parameters associated with each method are available in the resource's WSDL file (described in "Finding Service Information in the WSDL").

Obtaining the Authentication Token

An authentication token is the first requirement for accessing ESM Service Layer to obtain service information and then consume the services. Two examples on how to get this token are provided: REST and SOAP.
As explained earlier, the Core Service module handles authentication token requests. You will then use the returned token to log in to the Manager Service module and consume the desired service.

REST Example

The following example shows how to enter the URL to the Core Service module and obtain the authToken string. The first part of the URL address, https://host:8443/www/, constitutes the base URL. You will always start your URLs with this base URL.

To log in and obtain an authentication token
1. In the browser, enter the URL in the following format: https://myhost:8443/www/core-service/rest/LoginService/login?login=admin&password=password
2. Replace myhost, admin, and password as appropriate.

The browser displays the response, which is the authentication token string. You will pass that string every time you consume a service.

Java Example

The following example shows how to invoke the login service of the Core Service module and obtain the authToken string. You will pass this string every time you consume a service. You will also set the base URL in the format https://host:8443/www/.

    //=================================================
    // Invoke the Login Service
    //=================================================
    // Construct LoginServiceClientFactory (LoginService is part of the Core Service module)
    LoginServiceClientFactory loginServiceClientFactory = new LoginServiceClientFactory();
    // Set the service base URL. ESM's service base URL is https://host:8443/www/
    loginServiceClientFactory.setBaseURL("https://myhost:8443/www/");
    // Create a service client instance from the factory
    LoginService loginService = loginServiceClientFactory.createClient();
    // Invoke the login service and get the authToken
    String authToken = loginService.login(null, "admin", "password");

Finding Service Information in the WSDL

The ESM Service Layer's Web Service Description Language (WSDL) files are XML-formatted documents describing ESM services, one WSDL file for each service.
WSDLs are used to generate clients automatically. Programmers who are writing their own stubs instead of using the SDK can refer to the WSDLs to get information about ESM services.

This topic takes you through different parts of the WSDL file using the ArchiveReportService's findByUUID method as an example. The purpose of the findByUUID method is to find a resource by its ID. Based on this ID, you will be able to obtain additional details about the resource.

Using fragments taken from the WSDL, the example walks you through the following process:
- Obtain the method parameters
- Obtain the response

To display the WSDL for a specific service
1. In your browser, enter the URL using the following format: https://myhost:8443/www/manager-service/services/servicename?wsdl
2. Replace myhost with the actual server and servicename with the service you want to consume, for example, ArchiveReportService. See "Obtaining a List of Available ESM Services" for information about supported ESM services.

The browser displays the WSDL file for the specified service.

Finding the Service's URL

The following WSDL fragment contains the URL to the service.

    <wsdl:service name="ArchiveReportService">
      <wsdl:port name="ArchiveReportServiceHttpport" binding="ns0:ArchiveReportServiceHttpBinding">
        <http:address location="http://localhost:9090/manager-service/services/ArchiveReportService"/>
      </wsdl:port>
    </wsdl:service>

Finding the Method

The following WSDL fragment provides the URL to the method of interest, findByUUID.

    <wsdl:operation name="findByUUID">
      <http:operation location="ArchiveReportService/findByUUID"/>
      <wsdl:input>
        <mime:content type="text/xml" part="findByUUID"/>
      </wsdl:input>
      <wsdl:output>
        <mime:content type="text/xml" part="findByUUID"/>
      </wsdl:output>
    </wsdl:operation>

Finding the Parameters

The following WSDL fragment contains the XML Schema description of findByUUID's parameters.

    <xs:element name="findByUUID">
      <xs:complexType>
        <xs:sequence>
          <xs:element minOccurs="0" name="authToken" nillable="true" type="xs:string"/>
          <xs:element minOccurs="0" name="id" nillable="true" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>

Parameter    Description
authToken    The parameter that takes the authentication token string
id           The ID of the resource to find

Obtaining the Output Description

The following WSDL fragment describes the response to the findByUUID request. The response indicates ArchiveReport to be a complex type.

    <xs:element name="findByUUIDResponse">
      <xs:complexType>
        <xs:sequence>
          <xs:element minOccurs="0" name="return" nillable="true" type="ns1:ArchiveReport"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>

Because ArchiveReport is a complex type, you will find additional details about the output, as shown in the following WSDL fragment:

    <xs:complexType name="ArchiveReport">
      <xs:complexContent>
        <xs:extension base="ax23:Resource">
          <xs:sequence>
            <xs:element minOccurs="0" name="archiveType" nillable="true" type="xs:string"/>
            <xs:element minOccurs="0" name="expireDate" nillable="true" type="xs:long"/>
            <xs:element minOccurs="0" name="owner" nillable="true" type="xs:string"/>
            <xs:element minOccurs="0" name="reportDefName" nillable="true" type="xs:string"/>
            <xs:element minOccurs="0" name="reportFileName" nillable="true" type="xs:string"/>
            <xs:element minOccurs="0" name="uploaded" nillable="true" type="xs:string"/>
            <xs:element minOccurs="0" name="valid" type="xs:boolean"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>

Consuming ESM Services

This topic provides two examples:
- In REST, how to perform a text search on a resource
- For SOAP clients, how to download a report given the report file's ID

Performing a Text Search on a Resource (REST Example)

The search is similar to the full text search performed on the ESM Console. It is assumed that the authToken string is available. In the example, a full text search is performed on the DataMonitor resource. The search results include the ID.
Based on the returned ID, the ResourceService is then used to retrieve DataMonitor details.

To perform a text search:
1. In the browser, enter your query string to obtain the corresponding UUID. Enter the URL in the following format:
   https://myhost:8443/www/manager-service/rest/ManagerSearchService/search1?authToken=authtokenstring&queryStr=datamonitor querystring&pageSize=50
2. Replace myhost as appropriate, authtokenstring with the actual string you obtained in "Obtaining the Authentication Token", and querystring with your actual string. For example, you are searching for a DataMonitor with the name eventthroughput.
   The browser displays the UUID string corresponding to the resource that matches querystring. For example:
   <uri>/All_Data_Monitors/ArcSight_Administration/ESM/System_Health/Events/Event_Throughput/Event_Throughput</uri>
   <uuid>someUUIDstring</uuid>
   Take note of the returned UUID string. You will use the findByUUID method in ResourceService and pass the UUID string to get the details about the DataMonitor resource with that UUID.
3. In the browser, enter the URL in the following format:
   https://myhost:8443/www/manager-service/rest/ResourceService/findByUUID?authToken=authtokenstring&id=UUIDstring
   The first part of the URL, which starts with https://myhost:8443/www/, is called the base URL.
4. Replace myhost as appropriate, authtokenstring with the actual string you obtained in "Obtaining the Authentication Token", and UUIDstring with the actual UUID string returned by your query.
   The browser displays the resource information.

Because the authToken is carried in the URL query string, every URL in this procedure is itself a credential: it is kept in browser history and in the access logs of any proxy or web server that sees it. Treat these URLs as secrets.

Downloading an Archived Report (SOAP Example)
The following Java example for SOAP clients shows how to invoke ArchiveReportService, set the base URL in the format https://host:port/www/, and obtain the report's file ID. You will then pass this ID to download the archived report. The example assumes you have invoked the login service and obtained the authToken string prior to invoking the ArchiveReportService. See "Obtaining the Authentication Token".

// Invoke Login Service here and pass the authToken
// =================================================
// Invoke Archive Report Service
// =================================================

// Construct ArchiveReportServiceFactory (ArchiveReportService is part of
// the Manager Service module)
ArchiveReportServiceFactory archiveReportServiceClientFactory = new ArchiveReportServiceFactory();

// Set the service base URL. ESM's service base URL is https://host:port/www/
archiveReportServiceClientFactory.setBaseURL("https://myhost:8443/www/");

// Create the service client instance from the factory
ArchiveReportService archiveReportService = archiveReportServiceClientFactory.createClient();

// Invoke the report service to create the archiveReport by its ID. This returns
// the archived report's file ID. Use that ID to download the report.
// The second argument is a placeholder for the archived report's ID; the third is the archive type.
String fileId = archiveReportService.initDefaultArchiveReportDownload(authToken, "archivedReportID", "Manual");

// Download the report using the obtained fileId. For example:
//   https://myhost:8443/www/manager-service/fileservlet?command=download&file.id=2r2Yp5RYNQ2WSmVWa2V9_yAuNLSS4TdTQMV2T3upay4

Copyright © 2010 ArcSight, Inc. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc.
All other brands, products and company names used herein may be trademarks of their respective owners. Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: /company/copyright/
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. This document is ArcSight Confidential.

Revision History
Date        Product Version   Description
05/30/10                      First version. Introductory content to the ArcSight ESM Service Layer.
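The following Python helper ties the two halves of this topic together: it reads a service WSDL to recover the operation location and parameter names (the "Finding the Method" and "Finding the Parameters" steps), then runs the REST search / findByUUID flow. It is an added example, not code from the ESM documentation or SDK. It assumes the URL layout https://myhost:8443/www/manager-service/... shown above and the <uri>/<uuid> element names shown in the search output; the WSDL and search-response samples are constructed from the fragments on this page, with placeholder wrapper elements and placeholder ns0/ns1 namespace URIs.

```python
"""ESM Service Layer client helpers: WSDL discovery plus the REST text-search /
findByUUID flow. Added example, not ESM documentation or SDK code. Assumed: the
https://myhost:8443/www/manager-service/... URL layout and the <uri>/<uuid>
element names from the text; SAMPLE_* values are constructed from the page's
fragments (wrapper elements and ns0/ns1 URIs are placeholders)."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
  xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:ns0="urn:placeholder:ns0" xmlns:ns1="urn:placeholder:ns1">
  <wsdl:types><xs:schema>
    <xs:element name="findByUUID"><xs:complexType><xs:sequence>
      <xs:element minOccurs="0" name="authToken" nillable="true" type="xs:string"/>
      <xs:element minOccurs="0" name="id" nillable="true" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></wsdl:types>
  <wsdl:binding name="ArchiveReportServiceHttpBinding" type="ns0:ArchiveReportServicePortType">
    <wsdl:operation name="findByUUID">
      <http:operation location="ArchiveReportService/findByUUID"/>
      <wsdl:input><mime:content type="text/xml" part="findByUUID"/></wsdl:input>
      <wsdl:output><mime:content type="text/xml" part="findByUUID"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="ArchiveReportService">
    <wsdl:port name="ArchiveReportServiceHttpport" binding="ns0:ArchiveReportServiceHttpBinding">
      <http:address location="http://localhost:9090/manager-service/services/ArchiveReportService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# Constructed search output: the <uri>/<uuid> pair from the text in a placeholder wrapper.
SAMPLE_SEARCH_RESPONSE = """<searchResponse><result>
  <uri>/All_Data_Monitors/ArcSight_Administration/ESM/System_Health/Events/Event_Throughput/Event_Throughput</uri>
  <uuid>someUUIDstring</uuid>
</result></searchResponse>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def operation_locations(wsdl_text):
    """Map each wsdl:operation name to the location of its http:operation child."""
    ops = {}
    for el in ET.fromstring(wsdl_text).iter():
        if _local(el.tag) == "operation" and "name" in el.attrib:
            for child in el:
                if _local(child.tag) == "operation" and "location" in child.attrib:
                    ops[el.attrib["name"]] = child.attrib["location"]
    return ops


def operation_parameters(wsdl_text, op_name):
    """Parameter names of an operation, read from the xs:element named after it."""
    for el in ET.fromstring(wsdl_text).iter():
        if _local(el.tag) == "element" and el.attrib.get("name") == op_name:
            return [p.attrib["name"] for p in el.iter()
                    if p is not el and _local(p.tag) == "element" and "name" in p.attrib]
    return []


def rest_url(base_url, service, method, **params):
    """Build <base>/manager-service/rest/<service>/<method>?k=v with encoded values.
    The authToken rides in the query string, so the returned URL is itself a
    secret: it lands in browser history and in proxy/access logs."""
    return (f"{base_url.rstrip('/')}/manager-service/rest/{service}/{method}"
            f"?{urlencode(params)}")


def parse_search_results(xml_text):
    """(uri, uuid) pairs from a search response, matched by local element name
    so namespace prefixes in a real response do not matter."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if "uuid" in fields:
            hits.append((fields.get("uri", ""), fields["uuid"]))
    return hits


def find_resource_by_name(base_url, auth_token, query, fetch):
    """The two-step flow from the text: search, take the first UUID, then call
    ResourceService.findByUUID. fetch(url) -> str is injected so the flow runs
    offline; pass https_fetch to talk to a real Manager."""
    search = rest_url(base_url, "ManagerSearchService", "search1",
                      authToken=auth_token, queryStr=query, pageSize=50)
    hits = parse_search_results(fetch(search))
    if not hits:
        return None
    uri, uuid = hits[0]
    detail = rest_url(base_url, "ResourceService", "findByUUID",
                      authToken=auth_token, id=uuid)
    return {"uri": uri, "uuid": uuid, "detail": fetch(detail)}


def https_fetch(url):
    """Real transport. Certificate verification stays on: add the Manager's
    certificate to the trust store rather than disabling checks."""
    with urllib.request.urlopen(url, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(url):
    """Stand-in transport that answers with the constructed samples."""
    if "/ManagerSearchService/search1?" in url:
        return SAMPLE_SEARCH_RESPONSE
    return "<findByUUIDResponse><return><uuid>someUUIDstring</uuid></return></findByUUIDResponse>"
```

Matching on local element names keeps the parser working whatever prefixes the real WSDL and responses use, and injecting the transport lets the search-then-resolve flow be exercised without a Manager; swap in https_fetch for live use.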
Security ArcSight ESM: ESM Support Matrix

Security ArcSight ESM
ESM Support Matrix
May 21, 2018

Legal Notices

Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2018 Micro Focus or one of its affiliates.

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.

Support
Phone: A list of phone numbers is available on the Technical Support Page: https:///support-contact-information
Support Web Site: https:///
ArcSight Product Documentation: https:///t5/ArcSight-Product-Documentation/ct-p/productdocs

Contents
• ArcSight Enterprise Security Management (ESM) Support Matrix
  • Definitions
  • End of Product Support Notices
• ESM 7.0
  • ArcSight Console 7.0
  • ESM 7.0 Support of Other ArcSight Products/Components
  • ESM 7.0 Support for ActivClient
  • ESM 7.0 Support for 90Meter SCM
  • ESM 7.0 Support - Third Party
• ESM 6.11.0
  • ArcSight Console 6.11.0
  • ESM 6.11.0 Support of Other ArcSight Products/Components
  • ESM 6.11.0 Support for ActivClient
  • ESM 6.11.0 Support for 90Meter SCM
• ESM 6.9.1c
  • ArcSight Console 6.9.1c
  • ESM 6.9.1c Support of Other ArcSight Products/Components
  • ESM 6.9.1c Support for ActivClient
  • ESM 6.9.1c Support for 90Meter SCM
• ESM 6.8c
  • ArcSight Console 6.8c
  • ESM 6.8c Support of Other ArcSight Products/Components
  • ESM 6.8c Patch 3 Support for ActivClient
• ESM 5.6
  • ArcSight Console 5.6
  • ESM 5.6 Support for Oracle Database
• Send Documentation Feedback

Document Revision History
The title page of this document contains the following identifying information:
• Software Version number, which indicates the software version.
• Document Release Date, which changes each time the document is updated.
To check for recent updates or to verify that you are using the most recent edition of a document, go to the ArcSight Product Documentation Community on Protect724.

Document Changes

ArcSight Enterprise Security Management (ESM) Support Matrix
This document describes current platform support for ArcSight Enterprise Security Management (ESM) and its components. The components include:
• ArcSight Manager
• ArcSight Console
• Correlation Optimized Retrieval and Retention Engine (CORRE) (ESM 6.8 or later)
• ArcSight Database (based on Oracle; ESM 5.6)
• ArcSight Command Center (ESM 6.8 and later)
• ArcSight Web (ESM 5.6 and 6.8)

Definitions
This document uses the following terms.

End of Product Support Notices
Refer to this site for updated information on end-of-life schedules for all ArcSight products, including ESM: ArcSight product life cycle information

ESM 7.0
GA date: April 27, 2018
Latest patch: None
OS for software version:
  Fresh install: RHEL/CentOS 7.3; RHEL/CentOS 6.9
  Distributed Correlation cluster coherence: all server-side services must
  • be on the same OS version
  • be in the same time zone
  • have the same network preference: IPv6, Dual, or IPv4
  Upgrade from 6.11.0, with or without Patch 1: RHEL/CentOS 6.8 to RHEL/CentOS 6.9
  JRE version: JRE 1.8.0_141
  TZData: tzdata-2017c-1.el7.noarch.rpm
Upgrade path from:
  • ESM 6.11.0, with or without Patch 1
  • ESM Appliance (E7600 Gen9): SW upgrade from ESM 6.11, with or without Patch 1
  • ESM Express (B7500 Gen8): SW upgrade from ESM 6.11, with or without Patch 1
  • ESM Express (B7600 Gen9): SW upgrade from ESM 6.11, with or without Patch 1
Appliance model/OS:
  Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
  OS, G9: fresh install on RHEL 7.3; upgrade to RHEL 7.3
  OS, G8: upgrade to RHEL 6.9; with Patch 1, upgrade to RHEL 6.9
Forwarding Connector: 7.7.0.8046.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
  • Edge on Windows 10, IE 11
  • The latest version of Chrome on Windows
  • Firefox ESR 52.7.2 (64-bit) on Mac OS 10.12 Sierra, RHEL/CentOS, and Windows
  • Safari 11.x on Mac OS 10.12 Sierra
FIPS 140-2: Notes: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode." See "ArcSight Console 7.0" below for related information regarding Windows 10.
Suite B: 128-bit and 192-bit. Note: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode."
Common access card (CAC): Yes
90Meter: See "ESM 7.0 Support for 90Meter SCM".

ArcSight Console 7.0
Operating System:
  • RHEL Workstation/CentOS 6.9, 64-bit
  • RHEL Workstation/CentOS 7.3, 64-bit
  • Windows Server 2016, 64-bit
  • Windows Server 2012 R2, 64-bit
  • Windows 8.1, 64-bit
  • Windows 10, 64-bit
  • macOS Sierra (10.12), 64-bit
  FIPS mode is not supported for Mac Console.
JRE: 1.8.0_141-b15

ESM 7.0 Support of Other ArcSight Products/Components
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
Distributed (Peer) Searches: ESM 7.0; Logger 6.4 and 6.5. The only search that supports IPv6 connectivity and data is among ESM 7.0 and 6.11.0 peers.
Web Services Layer API: Core Services 1.2; Manager-Client Services 1.1
Active Directory (Actor) Model Import Connector: Connector version 7.7.0.8047.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.9 or 7.3, 64-bit
Asset Model Import FlexConnector: Connector version 7.7.0.8048.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.9 or 7.3, 64-bit
ESM 7.0 High Availability Module:
  Software:
  • Install on RHEL 7.3 with Spectre/Meltdown patches
  • Install on RHEL/CentOS 6.9 with Spectre/Meltdown patches
  • Upgrade from RHEL/CentOS 6.8 to RHEL/CentOS 6.9 with Spectre/Meltdown patches
  • Upgrade to RHEL 7.3 with Spectre/Meltdown patches
  G9 B7600 appliance:
  • Fresh install: RHEL 7.3 with Spectre/Meltdown patches
  • Upgrade from ESM 6.11.0, with or without Patch 1, with Spectre/Meltdown patches
  • Upgrade to RHEL 7.3 with Spectre/Meltdown patches
ArcSight Data Platform Event Broker: See the latest ArcSight Data Platform Support Matrix in Protect724.
ArcSight Investigate: See the latest ArcSight Investigate Deployment Guide.

ESM 7.0 Support for ActivClient

ESM 7.0 Support for 90Meter SCM

ESM 7.0 Support - Third Party
Hadoop: Hadoop version 2.8 is supported.
ServiceNow® IT Service Management (ITSM): Jakarta [Rest-API version 2] is supported.

ESM 6.11.0
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: May 15, 2018
Latest patch: 2
Upgrade path from:
  • ESM 6.9.1c, with or without patch 1, 2, 3 or 4, software version
  • ESM Appliance (E7600 Gen9): SW upgrade from ESM 6.9.1c
  • ESM Express (B7500 Gen8): SW upgrade from ESM 6.9.1c
  • ESM Express (B7600 Gen9): SW upgrade from ESM 6.9.1c
Appliance model/OS:
  Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
  OS, G9: fresh install on RHEL 7.3; upgrade to RHEL 7.3
  OS, G8: upgrade to RHEL 6.8; with Patch 1, upgrade to RHEL 6.9
OS for software version:
  Fresh install: RHEL/CentOS 6.8; RHEL/CentOS 7.3
  6.11.0 Patch 2: RHEL 7.4 or CentOS 7.4
  6.11.0 Patch 1: RHEL 6.9 or CentOS 6.9
  Upgrade from 6.9.1: RHEL/CentOS 6.7 to RHEL/CentOS 6.8; RHEL/CentOS 7.1 to RHEL/CentOS 7.3
  Upgrade from 6.9.1 P1, P2, P3 or P4: RHEL/CentOS 6.7 to RHEL/CentOS 6.8; RHEL/CentOS 7.1, 7.2 to RHEL/CentOS 7.3
Forwarding Connector: 7.5.0.7986.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
  • Edge on Windows, IE 11
  • The latest version of Chrome on Windows
  • Firefox 52.7.4 (64-bit) ESR on RHEL, CentOS, or Windows
  • Safari 11.X on macOS Sierra
FIPS 140-2: Note: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode."
Suite B: 128- and 192-bit. Note: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode."
Common access card (CAC): Yes
90Meter: See "ESM 6.11.0 Support for 90Meter SCM".

ArcSight Console 6.11.0
Operating System:
  • RHEL Workstation/CentOS 7.4, 64-bit; JRE 8, 64-bit (with P2)
  • RHEL Workstation/CentOS 6.9, 64-bit; JRE 8, 64-bit (with P1)
  • RHEL Workstation/CentOS 6.8, 64-bit; JRE 8, 64-bit
  • RHEL Workstation/CentOS 7.3, 64-bit; JRE 8, 64-bit
  • Windows Server 2012 R2, 64-bit; JRE 8, 32-bit
  • Windows 8.1, 64-bit; JRE 8, 32-bit
  • Windows 10, 64-bit; JRE 8, 32-bit
  • macOS Sierra 10.12, 64-bit; JRE 8, 64-bit
JVM: 32-bit; 64-bit on Linux

ESM 6.11.0 Support of Other ArcSight Products/Components
Distributed (Peer) Searches: ESM 6.8c, 6.9.1c, and 6.11.0; Logger 6.2 Patch 1, 6.3. The only search that supports IPv6 connectivity and data is among ESM 6.11.0 peers.
Web Services Layer API: Core Services 1.2; Manager-Client Services 1.1
Active Directory (Actor) Model Import Connector: Connector version 7.5.0.7988.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.8 or 7.3, 64-bit
Asset Model Import FlexConnector: Connector version 7.5.0.7987.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.8 or 7.3, 64-bit
ESM 6.11.0 High Availability Module:
  Software:
  • Install on RHEL/CentOS 6.8
  • Install on RHEL/CentOS 7.3
  • Upgrade from RHEL/CentOS 7.1 to 7.3
  • Upgrade from RHEL/CentOS 6.7 to 6.8
  G9 B7600 appliance:
  • Fresh install: RHEL 7.3
  • Upgrade to RHEL 7.3 (with or without ESM 6.9.1 P1, P2, or P3)
ArcSight Data Platform Event Broker: See the latest ArcSight Data Platform Support Matrix in Protect724.
ArcSight Investigate: See the latest ArcSight Investigate Deployment Guide.

ESM 6.11.0 Support for ActivClient

ESM 6.11.0 Support for 90Meter SCM

ESM 6.9.1c
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: July 15, 2017
Latest patch: 4
Upgrade path from:
  • ESM 6.8c, ESM 6.5c SP1 (with latest patch), but not from SuSE Linux
  • AE 4.0 P1 B7500 + RHEL 6.x
  • ESM Express: from 6.9.0c
Appliance model/OS:
  Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
  OS: install on RHEL 7.1; upgrade to RHEL 7.2 (with P1); upgrade to RHEL 6.8 (with P2)
  OS, G9: RHEL 7.3 (with P4)
  OS, G8: RHEL 6.9 (with P4)
OS for software version:
  • P4: RHEL 6.7, 6.8, 6.9, 7.1, 7.2, 7.3; CentOS 6.7, 6.8, 6.9, 7.1, 7.2, 7.3
  • P3: RHEL 6.7, 6.8, 7.1, or 7.2; CentOS 6.7, 6.8, 7.1, or 7.2
  • P2: RHEL 6.7, 6.8, 7.1, or 7.2; CentOS 6.7, 6.8, 7.1, or 7.2
  • P1: RHEL 6.7, 7.1, or 7.2; CentOS 6.7, 7.1, or 7.2
  • GA: RHEL 6.7 or 7.1; CentOS 6.7 or 7.1
Forwarding Connector: 7.1.7.7602.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
  • IE 11 on Windows
  • Safari 8.x on Mac OS X
  • Firefox 38 ESR (Linux, Windows, Mac OS X)
  • The latest version of Chrome on Windows
FIPS: Yes. Note: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode."
Suite B: Yes. Note: For FIPS and Suite B also see the ESM Installation Guide section, "Installing ESM in FIPS Mode."
Common access card (CAC): Yes
90Meter: Yes. See "ESM 6.9.1c Support for 90Meter SCM".

ArcSight Console 6.9.1c
Operating System:
  • RHEL Workstation/CentOS 6.8, 64-bit, with P2 or later
  • RHEL Workstation/CentOS 6.7, 64-bit
  • RHEL Workstation/CentOS 7.1, 64-bit
  • RHEL Workstation/CentOS 7.2, 64-bit, with P1 or later
  • Windows Server 2012 R2, 64-bit
  • Windows 7 and 8.1, 64-bit
  • Mac OS X 10.10, 64-bit (except FIPS)
JVM: 32-bit; 64-bit

ESM 6.9.1c Support of Other ArcSight Products/Components
Active Directory (Actor) Model Import Connector: Connector version 7.1.7.7605.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.6, 64-bit; RHEL 7.1, 64-bit
Asset Model Import FlexConnector: Connector version 7.1.7.7604.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.6, 64-bit; RHEL 7.1, 64-bit
ESM 6.9.1c High Availability Module: Software: RHEL 7.1, CentOS 7.1 (and RHEL and CentOS 6.7 if upgrading). With P1, you can upgrade the OS (and HA) to RHEL or CentOS 7.2. With P2, RHEL/CentOS 6.8 if upgraded from ESM 6.8c. With P2, you can upgrade the OS (and HA) to RHEL or CentOS 7.2.

ESM 6.9.1c Support for ActivClient
  ESM 6.9.1c Patch 2 and Patch 3
  ESM 6.9.1c Patch 1
  ESM 6.9.1c
  ESM 6.9.1c, continued

ESM 6.9.1c Support for 90Meter SCM

ESM 6.8c
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: September 28, 2016
Latest patch: 4
Upgrade path from:
  • ESM 6.0c to ESM 6.8c
  • ESM 6.5c SP1 to ESM 6.8c
  • Resource migration from ESM 5.x (see Release Notes for details)
  • E7400 (upgrade only)
OS:
  • P4: RHEL 6.8 and CentOS 6.8
  • P3: RHEL 6.6, 6.7, and CentOS 6.7
  • P2: RHEL 6.6
  • RHEL 6.4 & 6.5, CentOS 6.5, and SuSE Enterprise Linux 11 SP3, 64-bit
Forwarding Connector: 7.0.7.7286.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
  • IE 11 on Windows
  • Safari 7.06 on Mac OS X
  • Firefox 31 ESR (Linux, Windows, Mac OS X)
  • Chrome (latest) on Windows
FIPS: No
Suite B: No
CAC: Yes

ArcSight Console 6.8c
General availability release date: September 28, 2016
Patch: 4
Operating System:
  • RHEL or CentOS 6.8 Workstation, 64-bit (starting with P4)
  • RHEL 6.7 Workstation, 64-bit (starting with P3)
  • RHEL 6.6 Workstation, 64-bit (starting with P2)
  • RHEL 6.4 & 6.5 Workstation, 64-bit
  • CentOS 6.7, 64-bit (starting with P3)
  • CentOS 6.5, 64-bit
  • SuSE 11 SP3, 64-bit
  • Windows Server 2012 R2, 64-bit
  • Windows Server 2012, 64-bit
  • Windows 7, 8, 8.1, 64-bit
  • Mac OS X 10.7, 64-bit (not supported for P1 or later)
  • Mac OS X 10.9, 64-bit (supported for P1 or later)
  Console on Mac does not support FIPS.
JVM: 32-bit

ESM 6.8c Support of Other ArcSight Products/Components
ESM Web Services Layer API: API 1.0
Asset Model Import Connector: Connector version 7.1.2.7395.0. OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; Red Hat Enterprise Linux (RHEL) 6.6, 64-bit; Red Hat Enterprise Linux (RHEL) 7.0, 64-bit
Risk Insight 1.0: RHEL 6.5
Risk Insight 1.2: RHEL 6.5 and RHEL 6.6 for ESM 6.8c P2
ESM Event Data Transfer Tool 1.2: Apache Hadoop 2.7.2
ESM High Availability Module 1.0:
  • P3: RHEL 6.6, 6.7 and CentOS 6.7
  • P2: RHEL 6.5, 6.6 and CentOS 6.5
  • RHEL 6.5, CentOS 6.5

ESM 6.8c Patch 3 Support for ActivClient
ActivClient is certified on ESM 6.8c Patch 3 only.

ESM 5.6
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: September 10, 2015
Latest patch: None
Upgrade path from: ESM 5.5 P2 to ESM 5.6
Appliance Model/OS: None
OS, software version:
  • RHEL 6.6, 7.0, and 7.1, 64-bit
  • Windows Server 2012 R2, 64-bit
  • Windows Server 2008 R2 SP1, 64-bit
  • SuSE Linux 11 SP3 Ent. Server, 64-bit
Forwarding Connector: 7.1.3.7495.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
  • IE 9, 10, 11
  • Firefox 31.1.6 ESR (Linux, Windows, Mac OS X)
  • Safari 7.0.6
  • Chrome (latest)
FIPS: Yes
Suite B: Yes
CAC: Yes

ArcSight Console 5.6
Operating System:
  • RHEL Workstation 7.1 (not Korean/TC/SC/JP locales)
  • RHEL Workstation 6.6
  • CentOS 7.1 (not Korean/TC/SC/JP locales)
  • CentOS 6.6
  • Windows Server 2012 R2
  • Windows Client 7 SP1, 64-bit
  • Windows Client 8.1, 64-bit
  • Mac OS X 10.9, 64-bit (except FIPS)
JVM: 32-bit

ESM 5.6 Support for Oracle Database
Oracle Database version: Oracle 11.2.0.4
OS/Platform:
  • RHEL 6.6, 7.0, and 7.1, 64-bit
  • SuSE Linux 11 SP3 Ent. Server, 64-bit
  • Windows Server 2012 R2, 64-bit
  • Windows Server 2008 R2 SP1, 64-bit

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line:
Feedback on ESM Support Matrix (ESM)
Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to ***************. We appreciate your feedback!
ArcSight ESM Product Manual (slide excerpts)

www.arcsight.com
© 2008 ArcSight Confidential

How ArcSight ESM Enriches Events
Step 1: Adding a Customer

Overview: What is the Threat Level Formula?
• Each event is evaluated against the Threat Level Formula to determine its relative importance, or priority, to the network
• The following slides will lead you through all the steps!

Walkthrough: How ArcSight ESM Enriches Events
• ArcSight ESM uses Connectors to collect information from data sources

Overview: What is the Threat Level Formula?
• Relevance, which will be calculated on the following information
ArcSight Express Upgrade Guide

Upgrading ArcSight™ Express to v5.0 Patch 1

Document Status
This technical note describes the steps required to upgrade the software components on ArcSight Express from v4.5 SP2 Patch 2 or v4.5 SP3 to v5.0 Patch 1.

Summary
This document covers the following topics:
• "Upgrading to v5.0 Patch 1"
• "Handling Upgrade Failures"
• "Upgrading the Console"

Upgrading to v5.0 Patch 1
To upgrade the components on your ArcSight Express Appliance:

Caution:
• If you are upgrading from an older version of ESM, you are required to upgrade to v4.5 SP2 Patch 2 or v4.5 SP3 before upgrading to v5.0 Patch 1.
• If you are on v4.5 SP2, make sure that you have v4.5 SP2 Patch 2 installed before upgrading to v5.0 Patch 1.
• You will not be able to do two consecutive upgrades on the same day. For example, upgrading from v4.5 SP2 to v4.5 SP3, then upgrading to v5.0 Patch 1, cannot be done on the same day. After doing one upgrade, wait until the execution of the next scheduled Partition Manager job before doing the next upgrade. This allows Partition Manager to create a new partition, which allows the system to be recognized as upgraded to an intermediate version. Execution of the Partition Manager scheduled job can be ensured by letting the Manager from the first upgrade run for a day (24 hours). Do the next upgrade after a day.
• Although the upgrade program does not prevent you from doing so, upgrading directly from v4.5 SP1 Patch 2 to v5.0 Patch 1 is not supported. If you are on v4.5 SP1 Patch 2 and would like to upgrade to v5.0 Patch 1, make sure you first upgrade to v4.5 SP2 Patch 2 before upgrading to v5.0 Patch 1.

Verify that you have enough space (approximately 2 GB) available before you begin to install the patch.

1. Important: Obtain the build number of your ArcSight Express Appliance and make a note of it. If in future you need to contact ArcSight Customer Support or roll back this upgrade, you need to have your build number handy.
   To check the software build number on your ArcSight Express appliance, run the following from a command prompt:
   rpm -q arcsight-express-manager
   For v4.5 SP2 Patch 2, you see the following output:
   arcsight-express-manager-4.5-2.M6100
   For v4.5 SP3, you see:
   arcsight-express-manager-4.5-3.M6126
   In either case, follow the upgrade path outlined in the caution above before proceeding any further.
2. Download the self-extracting upgrade file, aeupdate-5.0.0.xxxx.1.pl, from the ArcSight Customer Support web site. The xxxx in the file name stands for the build number.
3. If you downloaded the file(s) to a system other than the ArcSight Express appliance that you want to upgrade, move the file(s) over to the ArcSight Express appliance using the scp command. For example, from your local machine where the file(s) are located, run:
   scp aeupdate-5.0.0.xxxx.1.pl root@<hostname>.<domain>:/root
4. You can perform the rest of the steps either directly on the ArcSight Express machine or remotely using ssh. To use ssh, open a shell window by running:
   ssh root@<hostname>.<domain>
   Using an ssh -X session to upgrade ArcSight Express causes errors. Instead of using ssh -X, run the upgrade in a simple ssh connection to the appliance.
5. Verify the integrity of the update file you have downloaded:
   a. Open a browser and go to the ArcSight Download Center.
   b. Click the 'Estimated Times and Details' link in the box from which you downloaded your executable file.
   c. In the Download Details window, verify the MD5 Signature.
6. We recommend that you copy the following file to a secure location before installing the patch:
   /opt/arcsight/db.preUpgradeBackup/arcsight.dmp
   Any previous upgrade would have created an arcsight.dmp file (containing your base ESM installation) in the /opt/arcsight/db.preUpgradeBackup directory. If, for any reason, you have to roll back to your previous installation after or during an upgrade, ArcSight recommends that you first copy the arcsight.dmp file to a secure location. This allows you to restore your original content, if needed. The arcsight.dmp file is overwritten with all subsequent upgrades.
   If you do multiple upgrades, the preUpgradeBackup files get overwritten each time you do an upgrade. For example, if you are on v4.5 SP2 and upgrade to v4.5 SP3, backup files get created for the v4.5 SP2 installation. But if you further upgrade from v4.5 SP3 to v5.0 Patch 1, the v4.5 SP2 backup files get overwritten with the v4.5 SP3 backup files and you lose the backup files for v4.5 SP2. Consequently, you will not be able to roll back to the v4.5 SP2 version because you would have lost its backup files.
7. Run the self-extracting upgrade file:
   perl aeupdate-5.0.0.xxxx.1.pl
   The upgrade is done in silent mode and transfers configurations, upgrades the schema, upgrades the content, and generates an upgrade report for the Manager upgrade.
   Before the upgrade process begins, the existing software components are backed up into the following locations:
   • /opt/arcsight/db.preUpgradeBackup
   • /opt/arcsight/manager.preUpgradeBackup
   • /opt/arcsight/web.preUpgradeBackup
   The aeupdate-5.0.0.xxxx.1.pl file extracts itself into a subdirectory within the /opt/updates directory and automatically upgrades the existing RPMs. The following log files for the upgrade are placed in the /opt/updates directory:
   • *.res - shows the result of the operation, such as success, error, or reboot
   • *.log - records the details of the upgrade process
   where * stands for the name of the self-extracting perl file.
   Before the components get upgraded, a check is performed on the database of your previous installation to make sure that it is ready for the upgrade; the logs for this check are placed in the /opt/arcsight/db/logs/dbcheck directory. The system tables are exported as arcsight.dmp and placed in the /opt/arcsight/db.preUpgradeBackup directory. The ResourceCountV4.0.htm file contains the names of all resources. However, the names of new resources do not appear in the file.
   Make sure to copy any Case customizations that you may have made to the Manager's and Web's <ARCSIGHT_HOME>\i18n\common\label_strings.properties and <ARCSIGHT_HOME>\i18n\common\resource_strings.properties files from the backup of your previous installation (the *.preUpgradeBackup folders). When you install the patch, configuration files are not merged from your previous installation.

To confirm that the upgrade succeeded
You can check the upgrade summary report and logs to find out if the Manager upgraded successfully. The upgrade summary report is applicable to the Manager only.
To make sure that your upgrade completed, run:
rpm -qa | grep arcsight | sort
You should see the following packages listed:
arcsight-3ware-cli-x.xx.xx.xxxraidx-x
arcsight-connector-5.0.2.xxxx.x-x
arcsight-deltarpm-x.x-x
arcsight-express-db-5.0-Mxxxx
arcsight-express-manager-5.0-Mxxxx
arcsight-express-web-5.0-Mxxxx
arcsight-logos-x.x-x
arcsight-megaraid-cli-x.xx.xx-x
arcsight-oracle-10.2.0.4-Mxxxx.0
arcsight-oracle-cpuxxxxxx-xxxxx.xxxxxxx.x-Mxxxx.x **
arcsight-oracle-cpuxxxxxx-xxxxx.xxxxxxx.x-Mxxxx.x **
arcsight-oracle-cpuxxxxxx-xxxxx.xxxxxxx.x-Mxxxx.x **
arcsight-platform-setup-x.x-xxxxxxxx_xxxx
arcsight-smartmontools-x.xx-x
The x in these package names represents a number in the package's version number.
** Depending on the number of Oracle Critical Patch Updates (CPUs) installed on your system, you may see multiple oracle cpu packages, one package per CPU installed.
An incomplete or aborted upgrade will show some of the packages with the upgraded version number, but others will have the original (pre-upgrade) version number, depending upon where the component upgrade halted.
You have upgraded to ArcSight Express v5.0 Patch 1.
Make sure that you have obtained the new license file from ArcSight Customer Support and updated your appliance with it.
Make sure to upgrade your existing Console. See "Upgrading the Console".

Handling Upgrade Failures
The ArcSight Express upgrade involves upgrading the event schema to v5.0. Your upgrade process could fail before the event schema upgrade takes place, or during or after the event schema upgrade. If your upgrade fails before the event schema upgrade, ArcSight Customer Support can help you roll back to the previous version of ESM that was on your machine before you started the upgrade. If the upgrade fails after the event schema has been upgraded, you will not be able to roll back to the previous version. Therefore, if you run into issues when upgrading, regardless of when the upgrade failed, ArcSight recommends that you contact ArcSight Customer Support to help you decide on the next course of action. File an ArcSight Customer Support ticket and provide the installation logs.

Upgrading the Console
To upgrade the Console to v5.0 Patch 1, you must first upgrade the Console to v5.0 GA, then apply the v5.0 GA Patch 1.

Upgrading the Console to v5.0 GA
Your ArcSight Console should be installed on a machine other than the ArcSight Express. Make sure to perform the steps below on the machine on which you have ArcSight Console installed.
Perform the following steps to upgrade one of your ArcSight Consoles:
1. Stop ArcSight Console if it is running.
2. If you downloaded the v5.0 GA Console installation file to a different machine, transfer it to your Console machine.
3. Run the installation file.
4. Step through the Installation Wizard screens. Specifically, enter values as described below for the following Wizard screens:
   • Choose Installation Folder: Enter an ARCSIGHT_HOME path that is different from where the existing v4.5 SP2/SP3 Console is installed. Do NOT install the v5.0 GA Console in the same location as the existing Console. Installing in a different location prevents the installation program from overwriting your existing configuration, thus enabling you to migrate settings from it.
   • Choose Shortcut Folder (on Windows) / Choose Link Folder (on UNIX): Specify or select where the ArcSight Console icon will be created; for example, in an existing Program Files Group or on the Desktop on Windows.
   • Pre-Installation Summary: Review the settings and click Next.
   After you have stepped through the Installation Wizard, it automatically starts the Configuration Wizard.
5. The Console installation program detects a previous installation and provides you an option to copy your existing settings to the new Console: settings such as connection information, including the Manager host name and port number, and authentication information, including authentication type. Copying existing settings is optional.
6. You will be prompted to enter the location of your previous Console installation. Make sure that you point to the current directory of the previous Console installation, for example, C:\arcsight\console\
7. Running Console in FIPS mode is not supported in this release. In the following screen, make sure that Run console in default mode is selected and click Next.
8. See the ArcSight ESM Installation and Configuration Guide for details on the remaining screens for installing a Console using the installation wizard.
9. Start the ArcSight Console. A What's New Quick Start screen is displayed automatically. This screen summarizes the new features in ESM v5.0.
10. After you have upgraded a Console to v5.0 Patch 1, if no event viewers appear initially in the Console, select the All Active Channels/ArcSight System/Core/Live channel to view real-time events.

Applying the v5.0 Patch 1
Refer to the ArcSight ESM Release Notes for instructions on how to apply v5.0 Patch 1.

Copyright © 2010 ArcSight, Inc. All rights reserved. Last Updated: 10/20/10. Keywords: upgrade, database, manager, web.
This technical note contains confidential information proprietary to ArcSight, Inc. Any party accepting this document agrees to hold its contents confidential, except for the purposes for which it was intended. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.
Micro Focus Security ArcSight ESM for AWS Software Version 7.0
Micro Focus Security ArcSight ESM for AWS
Software Version: 7.0.0.1
Setup Guide
Document Release Date: October 5, 2018
Software Release Date: October 5, 2018

Legal Notices
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2018 Micro Focus or one of its affiliates.
Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.
Support and Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https:///support-contact-information
Support Web Site: https:///
ArcSight Product Documentation: https:///t5/ArcSight-Product-Documentation/ct-p/productdocs

Contents
ESM on Amazon Web Services
  How to launch Micro Focus ArcSight ESM on AWS
  How to Configure ESM
  Limitations of Cloud Deployment
  Acronyms
Send Documentation Feedback

ESM on Amazon Web Services
Micro Focus ArcSight ESM is available as an Amazon Machine Image (AMI) on AWS Marketplace. It contains an operating system with ESM pre-installed. You can launch an instance of this AMI to create a virtual machine (EC2 instance) in the AWS cloud.

How to launch Micro Focus ArcSight ESM on AWS
This procedure assumes you have obtained your Amazon Web Services account credentials.
1. Go to AWS Marketplace (https:///marketplace) and log in with your AWS account credentials.
2. In the AWS Marketplace section, search for ESM.
3. Click the Select button.
4. On the next screen, in the Filter by drop-downs, select Memory optimized and All generations.
5. Select the desired instance size. We recommend r4.2xlarge.
6. Click Next: Configure Instance Details. You may customize the instance for your environment on the Instance Details screen. No additional modifications are necessary for ESM to run out of the box.
7. Click Next: Add Storage. There is no need to modify any setting on the Add Storage screen. If you decide to change the size of the secondary storage (EBS volume) in order to increase capacity, follow the Amazon procedure to extend the EBS volume once the instance is launched. Refer to the AWS User's Guide topic on expanding the storage space of an EBS volume on Linux.
8. Click Next: Tag Instance.
9. Click Add Tag. In the Key field enter "Name"; in the Value field enter a descriptive name for the instance.
10. Click Next: Configure Security Group.
11. Configure the security group. Add custom rules if required for your environment.
12. Open port 22 (SSH) and port 8443 (ArcSight Command Center). Restrict the source of both rules to the address ranges your administrators connect from rather than leaving them open to all addresses (0.0.0.0/0).
13. Click Review and Launch. This gives you a screen that shows the configuration selections you made. Review them. You can click Previous to go back, or Launch.
14. After you click Launch, on the next screen create a new key pair or use an existing one, and click Download Key Pair. Follow the instructions on screen. Make sure you download the key pair; it is used for connecting to the instance remotely. Note: if you use an existing key pair, it should also be used for the same AMI type.
15. After downloading the key pair, click Launch Instances. The ArcSight ESM Elastic Compute Cloud (EC2) instance should be ready in a few minutes. You can monitor the progress by visiting the EC2 dashboard and clicking the Instances link in the left panel. Once the instance is in the running state, you can continue with the configuration of ArcSight ESM.

How to Configure ESM
Make sure you have the following two things available:
- ArcSight license file: the setup requires that you supply the path to this file.
- Public hostname of the instance (which resolves to the public IP address or Elastic IP address of the instance): you can find the public hostname in the instance data under Public DNS (IPv4).
  - To keep the same hostname across stops and starts, use an Elastic IP address.
  - To obtain an Elastic IP address, click Elastic IPs under NETWORK & SECURITY in the left panel. Click Allocate New Address and write down the IP address created. Associate the Elastic IP address with the instance you just created. For more information, see the AWS User's Guide.

Use the following steps to configure ESM:
1. Connect to the EC2 console using the key file downloaded during instance creation. There are different ways of connecting to EC2 instances; refer to the AWS User's Guide topic on connecting to your Linux instance.
2. Once you are connected to the EC2 instance, the ArcSight ESM configuration setup starts automatically.
3. Type in the time zone information and press Enter. The ESM First Boot Wizard starts. Refer to the ESM Installation Guide, "Chapter 2: Installing on an Appliance." When prompted for the "Manager Host name", enter the public hostname of the instance you obtained at the beginning of this procedure. Do not use an IP address.

Limitations of Cloud Deployment
The following features are not supported for a cloud deployment:
- ESM High Availability Module
- FIPS
- Auto-Import of Connectors does not work. Export the Manager certificate on the AWS instance and import it into the connector (agent) manually:
    Export certificate from the destination on the AWS instance:
      arcsight keytool -store managerkeys -exportcerts -file <certificate>
    Import the certificate into the agent:
      arcsight keytool -store clientcerts -importcert -file <certfile>

Acronyms
AMI   Amazon Machine Image: an operating system image with the Micro Focus ArcSight product preinstalled on it and ready to deploy on a virtual machine (an "instance").
AWS   Amazon Web Services: the general term for Amazon's cloud offering of virtual machine images, virtual private clouds and the Elastic Compute Cloud platform.
EBS   Elastic Block Storage: an Amazon block storage device that can be attached to Amazon EC2 instances. Volumes can be formatted with a file system and mounted. Volumes can be up to 1 TB.
EC2   Elastic Compute Cloud: the mainstay of Amazon's cloud-computing platform.
ECU   Elastic Compute Unit: Amazon's relative measure of the CPU capacity of an instance type.
VPC   Virtual Private Cloud: a logically isolated section of the AWS cloud where AWS resources can be launched in a virtual predefined network.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line: Feedback on Setup Guide (ESM for AWS 7.0.0.1). Just add your feedback to the email and click Send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to ***************************. We appreciate your feedback!
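The security group configured in steps 10 to 12 of the launch procedure is the only network control the guide asks you to set, so it is worth verifying the result after launch. The following Python script is an added example, not part of the Micro Focus guide. It reads the JSON shape that `aws ec2 describe-security-groups --group-ids <id>` returns and reports whether 22/tcp and 8443/tcp are admitted, whether either is exposed to 0.0.0.0/0 or ::/0, and which other rules exist for review. The group ID, rule descriptions and CIDR ranges in the embedded sample are constructed for illustration.

```python
"""Audit an EC2 security group intended for an ArcSight ESM instance.

Added example (not from the Micro Focus setup guide). Input is the JSON returned by
`aws ec2 describe-security-groups`; SAMPLE_SG_JSON below is a constructed sample.
"""
import json

# The two ports the setup guide asks you to open.
REQUIRED_PORTS = {22: "SSH", 8443: "ArcSight Command Center"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample group: SSH restricted to an admin range, Command Center open to
# everyone (the mistake we want to catch), plus an unrelated rule for 9000/tcp.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",          # placeholder ID
        "GroupName": "esm-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "admin VPN"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    }]
})


def _rule_covers(rule, port):
    """True if an inbound rule admits TCP traffic to `port` ("-1" means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rule_sources(rule):
    """IPv4 and IPv6 CIDR sources named by a rule (security-group sources are ignored)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def audit_security_group(sg_json, required_ports=REQUIRED_PORTS):
    """Audit the first group in sg_json.

    Returns {"missing": [...], "world_open": [...], "extra": [...]}: required ports with
    no inbound rule, required ports reachable from the whole Internet, and rules that
    serve no required port (the guide says to add those only when your environment needs them).
    """
    group = json.loads(sg_json)["SecurityGroups"][0]
    rules = group.get("IpPermissions", [])
    findings = {"missing": [], "world_open": [], "extra": []}

    for port, name in sorted(required_ports.items()):
        matching = [r for r in rules if _rule_covers(r, port)]
        if not matching:
            findings["missing"].append(f"{port}/tcp ({name}) has no inbound rule")
            continue
        for rule in matching:
            bad = [c for c in _rule_sources(rule) if c in WORLD]
            if bad:
                findings["world_open"].append(
                    f"{port}/tcp ({name}) is open to {', '.join(bad)}; restrict to admin ranges")

    for rule in rules:
        if not any(_rule_covers(rule, p) for p in required_ports):
            findings["extra"].append(
                f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')} "
                f"from {', '.join(_rule_sources(rule))}")
    return findings


if __name__ == "__main__":
    for key, items in audit_security_group(SAMPLE_SG_JSON).items():
        for item in items:
            print(f"[{key}] {item}")
```

Run it against real output by replacing SAMPLE_SG_JSON with the file produced by `aws ec2 describe-security-groups --group-ids <id> > sg.json`. A non-empty "world_open" list on 22/tcp or 8443/tcp is what step 12's source restriction is meant to prevent.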
ArcSight Fusion 1.0 Technical Requirements (April 2020)
Legal Notice
© Copyright 2020 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see https:///about/legal/.

About These Technical Requirements
Micro Focus recommends the fully tested and certified platforms described in this document. However, customers running on other platforms or with untested configurations will be supported until the point Micro Focus determines that the root cause is the uncertified platform or configuration. Issues that can be reproduced on the certified platforms will be prioritized and fixed according to standard defect-handling policies.
♦ Chapter 1, "Software Requirements," on page 7
♦ Chapter 2, "Hardware Requirements," on page 9
♦ Chapter 3, "Network File System," on page 11
♦ Chapter 4, "Ports Used," on page 13
For more information about support policies, see Support Policies.
For information about installation, see the Administrator Guide for ArcSight Fusion.

Additional Documentation
The ArcSight Fusion documentation library includes the following resources:
♦ Administrator Guide to Fusion, which provides information about deploying, configuring, and maintaining this product
♦ User Guide to Fusion, which is embedded in the product to provide both contextual Help and conceptual information
♦ Release Notes for ArcSight Enterprise Security Manager
For the most recent version of the system requirements and other ArcSight Fusion documentation resources, visit the documentation for ArcSight Fusion.

Contact Information
We want to hear your comments and suggestions about this book and the other documentation included with this product. You can use the comment on this topic link at the bottom of each page of the online documentation, or send an email to *************************************.
For specific product issues, contact Micro Focus Customer Care at https:///support-and-services/.

Contents
About These Technical Requirements (page 3)
1 Software Requirements (page 7)
  Minimum Software Requirements (page 7)
2 Hardware Requirements (page 9)
  System Sizing (page 9)
  Disk Space (page 9)
3 Network File System (page 11)
  Required File Systems (page 11)
  Minimum Directory Sizes for the NFS (page 11)
4 Ports Used (page 13)
  CDF Management Portal (page 13)
  CDF (page 13)
  Kubernetes (page 14)
  NFS (page 15)

1 Software Requirements
This section lists the minimum software needed to install and run ArcSight Fusion 1.0. Fusion can coexist with ArcSight Investigate, NetIQ Identity Intelligence, and their required components.

Minimum Software Requirements
Operating systems: A minimal installation of one of the following:
  ♦ Red Hat Enterprise Linux 8.1 (x86, x64)
  ♦ Red Hat Enterprise Linux 7.7 or later (x86, x64)
  ♦ CentOS 8.1 (x86, x64)
File systems: One of the following:
  ♦ EXT3
  ♦ EXT4 (recommended)
  ♦ Logical Volume Manager (LVM)
  ♦ XFS
Data collection: See the Release Notes for ArcSight Enterprise Security Manager.
Browser:
  ♦ Google Chrome
  ♦ Mozilla Firefox
  NOTE: Browsers should not use a proxy to access CDF ports 5443 or 3000, because this might result in inaccessible web pages.
Micro Focus ArcSight Enterprise Security Manager: 7.2.1
Micro Focus ArcSight Interset Standard Edition: 6.0

2 Hardware Requirements
These guidelines apply to the requirements for deploying Fusion to a single node. You might have other components deployed to that node, such as ESM, which have additional requirements. The hardware requirements are based on dedicated resource allocations. In virtual environments, where there is a risk of over-subscription of the physical hardware, ensure that the Fusion system meets these hardware requirements to avoid installation and functionality issues.
If you install Fusion on the same node as ESM, you should keep some unused resource capacity on the node. For more information, see "Installing Fusion and ESM on the Same Node" in the Administrator Guide for ArcSight Fusion.
♦ "System Sizing" on page 9
♦ "Disk Space" on page 9

System Sizing
This section provides guidance for node requirements.
Worker nodes: 1
vCores (per node): 8
RAM (per node): 32 GB

Disk Space
This section lists the minimum disk space needed to run Fusion. In some environments, you might deploy Fusion with Micro Focus ArcSight Investigate, which has additional disk space requirements.
Partition   Disk Space
/opt        200 GB
swap        16 GB
/home       50 GB

3 Network File System
Fusion supports several options for a network file system (NFS).
♦ "Required File Systems" on page 11
♦ "Minimum Directory Sizes for the NFS" on page 11

Required File Systems
NFS types:
  ♦ Amazon EFS
  ♦ HPE 3PAR File Persona
  ♦ Linux-based NFS
  ♦ NetApp
NFS server versions:
  ♦ NFSv4
  ♦ NFSv3

Minimum Directory Sizes for the NFS
The following table lists the minimum required size for each of the NFS installation directories.
Directory                                   Minimum Size
{NFS_ROOT_DIRECTORY}/itom_vol               130 GB
{NFS_ROOT_DIRECTORY}/itom_vol/db            Depends, but start with 10 GB
{NFS_ROOT_DIRECTORY}/itom_vol/db_backup     Depends, but start with 10 GB
{NFS_ROOT_DIRECTORY}/itom_vol/logging       Depends, but start with 40 GB
{NFS_ROOT_DIRECTORY}/arcsight               10 GB

4 Ports Used
Fusion uses specific firewall ports.
Therefore, ensure that these ports are available.
♦ "CDF Management Portal" on page 13
♦ "CDF" on page 13
♦ "Kubernetes" on page 14
♦ "NFS" on page 15

CDF Management Portal
All ports use the TCP protocol.
Port   Node     Description
3000   Master   Used only for accessing the CDF Management Portal from a web browser during CDF installation. Web clients must be able to access this port during the installation of CDF. After installation, web clients use port 5443 to access the CDF Management Portal.
5443   Master   Used for accessing the CDF Management Portal from a web browser after CDF deployment. Web clients must be able to access this port for administration and management of CDF.
5444   Master   Used for accessing the CDF Management Portal from a web browser after CDF deployment when using two-way (mutual) SSL authentication. Web clients must be able to access this port for administration and management of CDF when mutual authentication is used.

CDF
All ports use the TCP protocol.
Port   Node     Description
8200   Master   Used by the itom-vault service, which provides a secured configuration store. All cluster nodes should be able to access this port for client connections.
8201   Master   Used by the itom-vault service, which provides a secured configuration store. All cluster nodes should be able to access this port for peer member connections.

Kubernetes
All ports use the TCP protocol unless otherwise noted.
Port    Node        Description
2380    Master      Used by the etcd component, which provides a distributed configuration database. All master nodes should be able to access this port for etcd cluster communication.
4001    Master      Used by the etcd component, which provides a distributed configuration database. All cluster nodes should be able to access this port for client connections.
5000    Master      Used by the kube-registry component, which handles the management of container image delivery. All cluster nodes should be able to access this port to communicate with the local container registry.
7443    Master      (Conditional) Used by the Kubernetes API server when you install with the provided scripts, or install manually on the same node as ESM. All cluster nodes should be able to access this port for internal communication.
8443    Master      (Conditional) Used by the Kubernetes API server when you install manually and not on the same node as ESM. All cluster nodes should be able to access this port for internal communication.
8472    All nodes   UDP. Used by the Flannel service component, which manages the internal cluster networking. All cluster nodes should be able to access this port for internal communication.
10250   All nodes   Used by the Kubelet service, which functions as a local node agent that watches pod specifications through the Kubernetes API server. All cluster nodes should be able to access this port for internal communications and for the worker node Kubelet API (exec and logs).
10251   All nodes   Used by the kube-scheduler component, which watches for any new pod with no assigned node and assigns a node to the pod. All cluster nodes should be able to access this port for internal communication.
10252   All nodes   Used by the kube-controller-manager component, which runs the controller processes that regulate the state of the cluster. All cluster nodes should be able to access this port for internal communication.
10256   All nodes   Used by the kube-proxy component, a network proxy that runs on each node to expose the services on each node. All cluster nodes should be able to access this port for internal communication.

NFS
All ports use the TCP protocol.
Port    Node         Description
111     NFS server   Used by the portmapper service. All cluster nodes should be able to access this port.
2049    NFS server   Used by the nfsd daemon. All cluster nodes should be able to access this port. NOTE: This port must be open even in a single-node deployment.
20048   NFS server   Used by the mountd daemon. All cluster nodes should be able to access this port.
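A blocked port in the tables above usually surfaces only as a failed installation or a component that cannot reach its peer, so a reachability probe from each cluster node before and after deployment saves time. The following Python script is an added example and not part of the Micro Focus document. Its port lists are taken from the tables above; the hostnames in the main block are placeholder assumptions for your cluster; it probes TCP ports only, since 8472/udp (Flannel) cannot be verified with a plain connect(); and the Kubernetes API port is chosen from 7443 or 8443 according to the installation method described in the Kubernetes table.

```python
"""Probe the TCP ports ArcSight Fusion requires, per node role.

Added example (not from the Micro Focus technical requirements). Port numbers come from
the document's "Ports Used" chapter; hostnames are placeholders.
"""
import socket

# TCP ports by role. The Kubernetes API port (7443 or 8443) is conditional and is added
# by role_ports(). A node holding several roles needs the union of its roles' ports.
ROLE_TCP = {
    "master": [3000, 5443, 5444, 8200, 8201, 2380, 4001, 5000, 10250, 10251, 10252, 10256],
    "worker": [10250, 10251, 10252, 10256],
    "nfs": [111, 2049, 20048],
}
UDP_NOT_PROBED = [8472]  # Flannel overlay; a connect() probe cannot verify UDP


def role_ports(role, scripted_or_with_esm=True):
    """Ports a node of `role` must expose.

    The API server listens on 7443 when Fusion is installed with the provided scripts or
    manually on the same node as ESM, and on 8443 for a manual install on a separate node.
    """
    ports = list(ROLE_TCP[role])
    if role == "master":
        ports.append(7443 if scripted_or_with_esm else 8443)
    return ports


def check_ports(host, ports, timeout=1.0):
    """Return {port: bool}; True when a TCP connect() to host:port succeeds within timeout."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = s.connect_ex((host, port)) == 0
    return results


def unreachable(host, role, scripted_or_with_esm=True, timeout=1.0):
    """Ports required for `role` that did not answer on `host`, in table order."""
    wanted = role_ports(role, scripted_or_with_esm)
    status = check_ports(host, wanted, timeout)
    return [p for p in wanted if not status[p]]


def open_local_listener():
    """Bind a throwaway listener on 127.0.0.1:<ephemeral> so the probe can be exercised
    offline. Returns (socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def self_check():
    """Offline sanity check of check_ports(): (live_listener_reachable, closed_port_reachable)."""
    srv, port = open_local_listener()
    try:
        live = check_ports("127.0.0.1", [port])[port]
    finally:
        srv.close()
    closed = check_ports("127.0.0.1", [port], timeout=0.5)[port]
    return live, closed


if __name__ == "__main__":
    # Placeholder hostnames (assumption); replace with your cluster's nodes and roles.
    cluster = {"fusion-master.example.internal": "master",
               "fusion-nfs.example.internal": "nfs"}
    for host, role in cluster.items():
        missing = unreachable(host, role)
        verdict = "all TCP ports reachable" if not missing else f"unreachable: {missing}"
        print(f"{host} ({role}): {verdict}")
    print(f"not probed (UDP): {UDP_NOT_PROBED}")
```

Run the script from a cluster node, not from an administrator workstation: the tables say which ports must be reachable from other cluster nodes, and a firewall rule that admits your workstation but not the peer nodes would pass from the wrong vantage point. Before installation, a closed port is expected where nothing listens yet; the useful comparison is the same probe after deployment.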
Micro Focus Security ArcSight ESM 7.0 Patch 2 ESM Support Matrix
Micro Focus Security ArcSight ESM
Software Version: 7.0 Patch 2
ESM Support Matrix
Document Release Date: February 22, 2019
Software Release Date: February 22, 2019

Legal Notices
Warranty
The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2019 Micro Focus or one of its affiliates.
Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated. Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.
Support and Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https:///support-contact-information
Support Web Site: https:///
ArcSight Product Documentation: https:///t5/ArcSight-Product-Documentation/ct-p/productdocs

Contents
ArcSight Enterprise Security Management (ESM) Support Matrix
  Definitions
  End of Product Support Notices
ESM 7.0 Patch 1
  ArcSight Console 7.0 Patch 1
  ESM 7.0 Patch 1 Support of Other ArcSight Products/Components
  ESM 7.0 Patch 1 Support for ActivClient
  ESM 7.0 Patch 1 Support for 90Meter SCM
  ESM 7.0 Patch 1 Support - Third Party
ESM 6.11.0
  ArcSight Console 6.11.0
  ESM 6.11.0 Support of Other ArcSight Products/Components
  ESM 6.11.0 Support for ActivClient
  ESM 6.11.0 Support for 90Meter SCM
ESM 6.9.1c
  ArcSight Console 6.9.1c
  ESM 6.9.1c Support of Other ArcSight Products/Components
  ESM 6.9.1c Support for ActivClient
  ESM 6.9.1c Support for 90Meter SCM
ESM 6.8c
  ArcSight Console 6.8c
  ESM 6.8c Support of Other ArcSight Products/Components
  ESM 6.8c Patch 3 Support for ActivClient
ESM 5.6
  ArcSight Console 5.6
  ESM 5.6 Support for Oracle Database
Send Documentation Feedback

ArcSight Enterprise Security Management (ESM) Support Matrix
This document describes current platform support for ArcSight Enterprise Security Management (ESM) and its components. The components include:
- ArcSight Manager
- ArcSight Console
- Correlation Optimized Retrieval and Retention Engine (CORR-E) (ESM 6.8 or later)
- ArcSight Database (based on Oracle; ESM 5.6)
- ArcSight Command Center (ESM 6.8 and later)
- ArcSight Web (ESM 5.6 and 6.8)

Definitions
This document uses the following terms.

End of Product Support Notices
Refer to this site for updated information on end-of-life schedules for all ArcSight products, including ESM: ArcSight product life cycle information

ESM 7.0 Patch 1
(This section covers ESM 7.0, 7.0 Patch 1 and 7.0 Patch 2.)
GA date:
- January 25, 2019 (ESM 7.0 P2)
- August 10, 2018 (ESM 7.0 P1)
- April 27, 2018 (ESM 7.0)
Latest patch: 2
OS for software version (fresh install):
- GA ESM 7.0: RHEL/CentOS 7.3; RHEL/CentOS 6.9
- 7.0 Patch 1: RHEL/CentOS 7.4; RHEL/CentOS 6.9
- 7.0 Patch 2: RHEL/CentOS 7.5; RHEL/CentOS 7.4; RHEL/CentOS 7.3; RHEL/CentOS 6.9
Distributed Correlation cluster coherence: all server-side services must
- be on the same OS version
- be in the same time zone
- have the same network preference: IPv6, Dual, or IPv4
Supported OS upgrades when upgrading from 6.11, 6.11 P1, 6.11 P2, 6.11 P3, 7.0 or 7.0 P1 to 7.0 P2:
- RHEL/CentOS 6.8 to RHEL/CentOS 6.9
- RHEL/CentOS 7.3 to RHEL/CentOS 7.4 with P1
- RHEL/CentOS 7.3 to RHEL/CentOS 7.5 with P2
Upgrade path from:
- ESM 6.11.0, with or without Patch 1, Patch 2 or Patch 3
- ESM Appliance (B7600 Gen9): software upgrade from ESM 6.11, with or without Patch 1, Patch 2 or Patch 3
- ESM Express (B7500 Gen8): software upgrade from ESM 6.11, with or without Patch 1
- ESM Express (B7600 Gen9): software upgrade from ESM 6.11, with or without Patch 1
Appliance model/OS:
- Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
- OS, G9: fresh install on RHEL 7.4; upgrade to RHEL 7.4
- OS, G8: upgrade to RHEL 6.9
Forwarding Connector: 7.9.0.8087.0 (7.0 P1); 7.7.0.8046.0 (7.0). The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
- Edge on Windows 10, IE11
- The latest version of Chrome on Windows
- Firefox ESR 52.9.0 (64-bit) on Mac OS 10.12 Sierra, RHEL/CentOS, and Windows
- Safari 12.x on macOS 10.12 Sierra
FIPS 140-2: Yes. Notes: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode." See ArcSight Console 7.0 Patch 1 for related information regarding Windows 10.
Suite B: 128-bit and 192-bit. Note: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode."
Common Access Card (CAC): Yes
90Meter: See "ESM 7.0 Patch 1 Support for 90Meter SCM."

ArcSight Console 7.0 Patch 1
Operating System:
- RHEL Workstation/CentOS 6.9 and RHEL Workstation/CentOS 7.4, 64-bit (ESM 7.0 P1)
- 7.0 Patch 2: RHEL Workstation/CentOS 6.9 and RHEL Workstation/CentOS 7.5, 64-bit
- Windows Server 2016, 64-bit
- Windows Server 2012 R2, 64-bit
- Windows 8.1, 64-bit
- Windows 10, 64-bit
- macOS Sierra (10.12), 64-bit. FIPS mode is not supported for the Mac Console.

ESM 7.0 Patch 1 Support of Other ArcSight Products/Components
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
Distributed (Peer) Searches:
- ESM 7.0 Patch 1
- Logger 6.4 and 6.5
- The only search that supports IPv6 connectivity and data is among ESM 7.0 Patch 2 and 6.11.0 peers.
Web Services Layer API:
- Core Services 1.2
- Manager-Client Services 1.1
Active Directory (Actor) Model Import Connector:
- Connector version: 7.9.0.8085.0 (7.0 P1, 7.0 P2); 7.7.0.8047.0 (7.0)
- OS, 7.0: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.9 or 7.3, 64-bit
- OS, 7.0 Patch 1: RHEL 7.4 or CentOS 7.4
- OS, 7.0 Patch 2: RHEL 7.4 or CentOS 7.4
Asset Model Import FlexConnector:
- Connector version: 7.9.0.8086.0 (7.0 P1, 7.0 P2); 7.7.0.8048.0 (7.0)
- OS, 7.0: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.9 or 7.3, 64-bit
- OS, 7.0 Patch 1: RHEL 7.4 or CentOS 7.4
- OS, 7.0 Patch 2: RHEL 7.4 or CentOS 7.4
ESM 7.0 High Availability Module:
- Software: install on RHEL 7.4; upgrade to RHEL 7.5
- G9 B7600 appliance: fresh install on RHEL 7.3 with Spectre/Meltdown patches; upgrade from ESM 6.11.0, with or without Patch 1 and Patch 2, with Spectre/Meltdown patches
- 7.0 Patch 1: upgrade to RHEL 7.4 with Spectre/Meltdown patches
- 7.0 Patch 2: upgrade to RHEL 7.4; upgrade to RHEL 7.5
ArcSight Data Platform Event Broker: see the latest ArcSight Data Platform Support Matrix in the Micro Focus Community.
ArcSight Investigate: see the latest ArcSight Investigate Deployment Guide.

ESM 7.0 Patch 1 Support for ActivClient

ESM 7.0 Patch 1 Support for 90Meter SCM

ESM 7.0 Patch 1 Support - Third Party
Hadoop: Hadoop version 2.8 is supported.
ServiceNow® IT Service Management (ITSM): Jakarta [REST API version 2] is supported.

ESM 6.11.0
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: September 30, 2018
Latest patch: 3
Upgrade path from:
- ESM 6.9.1c, with or without Patch 1, 2, 3 or 4
- ESM Appliance (B7600 Gen9): software upgrade from ESM 6.9.1c
- ESM Express (B7500 Gen8): software upgrade from ESM 6.9.1c
- ESM Express (B7600 Gen9): software upgrade from ESM 6.9.1c
Appliance model/OS:
- Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
- OS, G9: fresh install on RHEL 7.3; with Patch 2, upgrade to RHEL 7.4; with Patch 3, upgrade to RHEL 7.5
- OS, G8: upgrade to RHEL 6.8; with Patch 1, upgrade to RHEL 6.9
OS for software version:
- Fresh install: RHEL/CentOS 6.8; RHEL/CentOS 7.3
- 6.11.0 Patch 3: RHEL 7.5 or CentOS 7.5
- 6.11.0 Patch 2: RHEL 7.4 or CentOS 7.4
- 6.11.0 Patch 1: RHEL 6.9 or CentOS 6.9
- Upgrade from 6.9.1: RHEL/CentOS 6.7 to RHEL/CentOS 6.8; RHEL/CentOS 7.1 to RHEL/CentOS 7.3
- Upgrade from 6.9.1 P1, P2, P3 or P4: RHEL/CentOS 6.7 to RHEL/CentOS 6.8; RHEL/CentOS 7.1 or 7.2 to RHEL/CentOS 7.3
Forwarding Connector: 7.5.0.7986.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
- Edge on Windows, IE11
- The latest version of Chrome on Windows
- Firefox 52.9.0 ESR (64-bit) on RHEL, CentOS, or Windows
- Safari 11.x on macOS Sierra
FIPS 140-2: Yes. Note: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode."
Suite B: 128- and 192-bit. Note: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode."
Common Access Card (CAC): Yes
90Meter: See "ESM 6.11.0 Support for 90Meter SCM."

ArcSight Console 6.11.0
Operating System:
- RHEL Workstation/CentOS 7.5, 64-bit; JRE 8, 64-bit (with P3)
- RHEL Workstation/CentOS 7.4, 64-bit; JRE 8, 64-bit (with P2)
- RHEL Workstation/CentOS 6.9, 64-bit; JRE 8, 64-bit (with P1)
- RHEL Workstation/CentOS 6.8, 64-bit; JRE 8, 64-bit
- RHEL Workstation/CentOS 7.3, 64-bit; JRE 8, 64-bit
- Windows Server 2012 R2, 64-bit; JRE 8, 32-bit
- Windows 8.1, 64-bit; JRE 8, 32-bit
- Windows 10, 64-bit; JRE 8, 32-bit
- macOS Sierra 10.12, 64-bit; JRE 8, 64-bit
JVM: 32-bit; 64-bit on Linux

ESM 6.11.0 Support of Other ArcSight Products/Components
Distributed (Peer) Searches:
- ESM 6.8c, 6.9.1c, and 6.11.0
- Logger 6.2 Patch 1, 6.3
- The only search that supports IPv6 connectivity and data is among ESM 6.11.0 peers.
Web Services Layer API:
- Core Services 1.2
- Manager-Client Services 1.1
Active Directory (Actor) Model Import Connector:
- Connector version: 7.5.0.7988.0
- OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.8 or 7.3, 64-bit
Asset Model Import FlexConnector:
- Connector version: 7.5.0.7987.0
- OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.8 or 7.3, 64-bit
ESM 6.11.0 High Availability Module:
- Software: install on RHEL/CentOS 6.8; install on RHEL/CentOS 7.3; upgrade from RHEL/CentOS 7.1 to 7.3; upgrade from RHEL/CentOS 6.7 to 6.8
- G9 B7600 appliance: fresh install on RHEL 7.3; upgrade to RHEL 7.3 (with or without ESM 6.9.1 P1, P2, or P3); 6.11.0 Patch 2: RHEL 7.4; 6.11.0 Patch 3: RHEL 7.5
ArcSight Data Platform Event Broker: see the latest ArcSight Data Platform Support Matrix in the Micro Focus Community.
ArcSight Investigate: see the latest ArcSight Investigate Deployment Guide.

ESM 6.11.0 Support for ActivClient

ESM 6.11.0 Support for 90Meter SCM

ESM 6.9.1c
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: July 15, 2017
Latest patch: 4
Upgrade path from:
- ESM 6.8c; ESM 6.5c SP1 (with latest patch), but not from SuSE Linux
- AE 4.0 P1 B7500 + RHEL 6.x
- ESM Express: from 6.9.0c
Appliance model/OS:
- Appliance: Gen9 for fresh install and upgrade; Gen8 for upgrade
- OS: install on RHEL 7.1; upgrade to RHEL 7.2 (with P1); upgrade to RHEL 6.8 (with P2)
- OS, G9: RHEL 7.3 (with P4)
- OS, G8: RHEL 6.9 (with P4)
OS for software version:
- P4: RHEL 6.7, 6.8, 6.9, 7.1, 7.2, 7.3; CentOS 6.7, 6.8, 6.9, 7.1, 7.2, 7.3
- P3: RHEL 6.7, 6.8, 7.1, or 7.2; CentOS 6.7, 6.8, 7.1, or 7.2
- P2: RHEL 6.7, 6.8, 7.1, or 7.2; CentOS 6.7, 6.8, 7.1, or 7.2
- P1: RHEL 6.7, 7.1, or 7.2; CentOS 6.7, 7.1, or 7.2
- GA: RHEL 6.7 or 7.1; CentOS 6.7 or 7.1
Forwarding Connector: 7.1.7.7602.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
- IE11 on Windows
- Safari 8.x on Mac OS X
- Firefox 38 ESR (Linux, Windows, Mac OS X)
- The latest version of Chrome on Windows
FIPS: Yes. Note: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode."
Suite B: Yes. Note: for FIPS and Suite B, also see the ESM Installation Guide section "Installing ESM in FIPS Mode."
Common Access Card (CAC): Yes
90Meter: Yes. See "ESM 6.9.1c Support for 90Meter SCM."

ArcSight Console 6.9.1c
Operating System:
- RHEL Workstation/CentOS 6.8, 64-bit (with P2 or later)
- RHEL Workstation/CentOS 6.7, 64-bit
- RHEL Workstation/CentOS 7.1, 64-bit
- RHEL Workstation/CentOS 7.2, 64-bit (with P1 or later)
- Windows Server 2012 R2, 64-bit
- Windows 7 and 8.1, 64-bit
- Mac OS X 10.10, 64-bit (except FIPS)
JVM: 32-bit; 64-bit

ESM 6.9.1c Support of Other ArcSight Products/Components
Active Directory (Actor) Model Import Connector:
- Connector version: 7.1.7.7605.0
- OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.6, 64-bit; RHEL 7.1, 64-bit
Asset Model Import FlexConnector:
- Connector version: 7.1.7.7604.0
- OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; RHEL 6.6, 64-bit; RHEL 7.1, 64-bit
ESM 6.9.1c High Availability Module:
- Software: RHEL 7.1, CentOS 7.1 (and RHEL and CentOS 6.7 if upgrading)
- With P1, you can upgrade the OS (and HA) to RHEL or CentOS 7.2
- With P2, RHEL/CentOS 6.8 if upgraded from ESM 6.8c
- With P2, you can upgrade the OS (and HA) to RHEL or CentOS 7.2

ESM 6.9.1c Support for ActivClient
ESM 6.9.1c Patch 2 and Patch 3
ESM 6.9.1c Patch 1
ESM 6.9.1c

ESM 6.9.1c Support for 90Meter SCM

ESM 6.8c
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: September 28, 2016
Latest patch: 4
Upgrade path from:
- ESM 6.0c to ESM 6.8c
- ESM 6.5c SP1 to ESM 6.8c
- Resource migration from ESM 5.x (see Release Notes for details)
- E7400 (upgrade only)
OS:
- P4: RHEL 6.8 and CentOS 6.8
- P3: RHEL 6.6, 6.7, and CentOS 6.7
- P2: RHEL 6.6
- GA: RHEL 6.4 and 6.5, CentOS 6.5, and SuSE Enterprise Linux 11 SP3, 64-bit
Forwarding Connector: 7.0.7.7286.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
- IE11 on Windows
- Safari 7.0.6 on Mac OS X
- Firefox 31 ESR (Linux, Windows, Mac OS X)
- Chrome (latest) on Windows
FIPS: No
Suite B: No
CAC: Yes

ArcSight Console 6.8c
General availability release date: September 28, 2016
Patch: 4
Operating System:
- RHEL or CentOS 6.8 Workstation, 64-bit (starting with P4)
- RHEL 6.7 Workstation, 64-bit (starting with P3)
- RHEL 6.6 Workstation, 64-bit (starting with P2)
- RHEL 6.4 and 6.5 Workstation, 64-bit
- CentOS 6.7, 64-bit (starting with P3)
- CentOS 6.5, 64-bit
- SuSE 11 SP3, 64-bit
- Windows Server 2012 R2, 64-bit
- Windows Server 2012, 64-bit
- Windows 7, 8, 8.1, 64-bit
- Mac OS X 10.7, 64-bit (not supported for P1 or later)
- Mac OS X 10.9, 64-bit (supported for P1 or later)
The Console on Mac does not support FIPS.
JVM: 32-bit

ESM 6.8c Support of Other ArcSight Products/Components
ESM Web Services Layer API: 1.0
Asset Model Import Connector:
- Connector version: 7.1.2.7395.0
- OS: Microsoft Windows Server 2008 R2, 64-bit; Microsoft Windows Server 2012 R2, 64-bit; Red Hat Enterprise Linux (RHEL) 6.6, 64-bit; Red Hat Enterprise Linux (RHEL) 7.0, 64-bit
Risk Insight 1.0: RHEL 6.5
Risk Insight 1.2: RHEL 6.5 and RHEL 6.6 for ESM 6.8c P2
ESM Event Data Transfer Tool 1.2: Apache Hadoop 2.7.2
ESM High Availability Module 1.0:
- P3: RHEL 6.6, 6.7 and CentOS 6.7
- P2: RHEL 6.5, 6.6 and CentOS 6.5
- GA: RHEL 6.5, CentOS 6.5

ESM 6.8c Patch 3 Support for ActivClient
ActivClient is certified on ESM 6.8c Patch 3 only.

ESM 5.6
For related information, see also the Solutions Support Matrix for Compliance Insight Packages and other external solutions that work with specific ESM releases.
GA date: September 10, 2015
Latest patch: None
Upgrade path from: ESM 5.5 P2 to ESM 5.6
Appliance model/OS: None
OS, software version:
- RHEL 6.6, 7.0, and 7.1, 64-bit
- Windows Server 2012 R2, 64-bit
- Windows Server 2008 R2 SP1, 64-bit
- SuSE Linux 11 SP3 Enterprise Server, 64-bit
Forwarding Connector: 7.1.3.7495.0. The ArcSight Forwarding Connector can be installed on any of the OS platforms supported by the ESM Manager with which it is released.
Browser:
- IE 9, 10, 11
- Firefox 31.1.6 ESR (Linux, Windows, Mac OS X)
- Safari 7.0.6
- Chrome (latest)
FIPS: Yes
Suite B: Yes
CAC: Yes

ArcSight Console 5.6
Operating System:
- RHEL Workstation 7.1 (not Korean/TC/SC/JP locales)
- RHEL Workstation 6.6
- CentOS 7.1 (not Korean/TC/SC/JP locales)
- CentOS 6.6
- Windows Server 2012 R2
- Windows Client 7 SP1, 64-bit
- Windows Client 8.1, 64-bit
- Mac OS X 10.9, 64-bit (except FIPS)
JVM: 32-bit

ESM 5.6 Support for Oracle Database
Oracle Database version: Oracle 11.2.0.4
OS/Platform:
- RHEL 6.6, 7.0, and 7.1, 64-bit
- SuSE Linux 11 SP3 Enterprise Server, 64-bit
- Windows Server 2012 R2, 64-bit
- Windows Server 2008 R2 SP1, 64-bit

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line: Feedback on ESM Support Matrix (ESM 7.0 Patch 2). Just add your feedback to the email and click Send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to ***************************. We appreciate your feedback!
ArcSight
Configuration Guide
ArcSight™ Logger Forwarding Connector for HP Network Node Manager i
June, 2012

SmartConnector™ Guide for ArcSight™ Logger Forwarding Connector for HP Network Node Manager i

Copyright © 2012 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Follow this link to see a complete statement of copyrights and acknowledgements: /copyrightnotice

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

This document is confidential.

Revision History
Release Notes template version: 2.1.0

Date        Product Version   Description
06/30/2012  5.2.1.6206.0      Added support for HP NNMi 9.20. Added support for selected Cisco Router sub-messages.
11/15/2011  5.1.7.6081.0      Added support for JRE 1.6.0_26.
06/15/2011                    First release of Logger Forwarding Connector for HP NNMi documentation.

Contact Information
Phone: 1-866-535-3285 (North America), +44 (0)870 141 7487 (EMEA)
Support Web Site
Protect 724 Community: https://

Contents
Configuration Guide for Logger Forwarding Connector for HP NNMi ... 5
About ArcSight Logger and HP NNMi ... 5
Sending Events From Logger to NNMi ... 6
Installing the Connector ... 6
Logger Forwarders ... 9
Creating a Forwarder to Forward Events ... 10
Appendix A: Supported Cisco Router Sub-Messages ... 11
Cisco Router Sub-messages ... 11

Configuration Guide for Logger Forwarding Connector for HP NNMi

This guide provides information on installing and configuring the Logger Forwarding Connector for NNMi. This Logger Forwarding Connector software supports Logger versions 5.1 and 5.2, and NNMi 9.20. See Appendix A, Supported Cisco Router Sub-Messages, on page 11 for details on supported Cisco Router sub-messages.

About ArcSight Logger and HP NNMi

ArcSight Logger is a log management solution that is optimized for extremely high event throughput, efficient long-term storage, and rapid data analysis. Logger receives and stores events; supports search, retrieval, and reporting; and can forward selected events. The ArcSight Logger Forwarding Connector allows you to send these event logs from Logger to HP Network Node Manager i (HP NNMi).

HP Network Node Manager i (NNMi) provides continual network discovery using unified fault, availability, and performance monitoring.
HP NNMi enables network management teams to detect, locate, and diagnose faults and performance degradations of the network quickly, analyze the business and service impact of outages, and increase network staff efficiency and productivity. Using the ArcSight Logger Forwarding Connector and the HP/ARC NNMi install, network staff can view syslog messages from Logger in the NNMi console.

See:
- "About ArcSight Logger and HP NNMi" on page 5
- "Sending Events From Logger to NNMi" on page 6
- "Installing the Connector" on page 6
- "Logger Forwarders" on page 9

You must upgrade to HP NNMi 9.20 to be able to use the current Logger Forwarding Connector for HP NNMi. If you have a previous version of HP NNMi installed, the current Logger Forwarding Connector for HP NNMi will not function.

Sending Events From Logger to NNMi

ArcSight Logger sends events to the Logger Forwarding Connector using CEF Syslog; the connector then forwards the events to NNMi via SNMP. A Logger forwarder must be created to send these events. For instructions on how to create a forwarder to send the events, see "Creating a Forwarder to Forward Events" on page 10.

Installing the Connector

Before you install the connector, make sure that the ArcSight products with which the connectors will communicate have already been installed correctly (the ArcSight Logger, for example) and you have assigned appropriate privileges.

1. Download the HP ArcSight executable for your operating system from My Updates on the HP SSO site.
2. Start the ArcSight Installer by running the executable. Follow the installation wizard through the following folder selection tasks and installation of the core connector software:
   - Introduction
   - Choose Install Folder
   - Choose Install Set
   - Choose Shortcut Folder
   - Pre-Installation Summary
   - Installing...
3. The following destination window is displayed; click Next to continue.
4. Fill in the parameter information required for connector configuration, then click Next.

   Parameter: Description
   Host: Enter the host name or IP address of the NNMi device.
   Port: Enter the port to be used by the adaptor to forward events. The default port is 162. To determine whether the trap port monitored by NNMi is other than the default, use the NNMi command: $NnmInstallDir/bin/nnmtrapconfig.ovpl -showProp. See the HP Network Node Manager i Software Deployment Reference Guide, ArcSight Logger chapter, for details on HP NNMi and ArcSight Logger integration.
   Version: Accept the default value of SNMP_VERSION_2.
   SNMP_VERSION_3 is not available at this time.
   Read Community (v2): Enter the SNMP Read Community name.
   Write Community (v2): Enter the SNMP Write Community name.
   Authentication Username (v3), Authentication Password (v3), Security Level (v3), Authentication Scheme (v3), Privacy Password (v3), Context Engine Id (v3), Context name (v3): For use with SNMP v3; not available at this time.

5. Click Logger to NNMi, then click Next.
6. Enter the Logger information, then click Next.

   Parameter: Description
   Network Port: 514 or another port that matches the Receiver (the port to which the forwarding connector sends events).
   IP Address: IP or host name of the Logger.
   Protocol: UDP or Raw TCP. Note: Whichever protocol you choose, it must match that of the forwarder type chosen during Logger Forwarder configuration.

7. Enter a name for the connector and provide other information identifying the connector's use in your environment. Click Next.
8. Read the installation summary and click Next. If the summary is incorrect, click Previous to make changes.
9. When the connector completes its configuration, click Next. The Wizard now prompts you to choose whether you want to run the connector as a process or as a service. If you choose to run the connector as a service, the Wizard prompts you to define service parameters for the connector.
10. After making your selections, click Next. The Wizard displays a dialog confirming the connector's setup and service configuration.
11. Click Finish.
12. Click Done.

Logger Forwarders

Logger Forwarders allow you to send all events, or events which match a particular filter, to another destination, in this instance to the HP NNMi Logger Forwarding Connector.
For more detailed information on Logger Forwarders, see the HP ArcSight Logger Administrator's Guide.

Logger forwarding uses several forwarder types, but the Logger Forwarding Connector operates with UDP and TCP forwarder types only.
- UDP Forwarders forward events as User Datagram Protocol messages, such as Syslog format datagrams.
- TCP Forwarders forward events as Transmission Control Protocol messages.

You cannot configure a Logger Forwarder to send data to a destination on the same system.

Creating a Forwarder to Forward Events

In order to successfully forward events from Logger to NNMi, a forwarder must be created. To do so, complete the following steps within the ArcSight Logger web application.

1. Click Configuration from the top-level menu bar.
2. Click Event Input/Output in the left panel.
3. Click the Forwarder tab, then click Add. The Add Forwarder page appears.
4. Enter a name for the new forwarder and choose either "UDP Forwarder" or "TCP Forwarder".
5. Click Next.
6. The Edit Forwarder page appears.
7. Within the Query field, create a query to filter the events sent to NNMi, or leave the default, NONE, to send all events.
8. Continue to fill in the remaining parameters, ensuring that the Ip/Host field contains the correct Logger Forwarding Connector IP address and that the Port number matches that of the connector.
9. Click Save. The following page appears.
10. New forwarders are initially disabled, so click the disabled icon to enable the new forwarder. The forwarder is now enabled.

For more detailed information on Logger forwarders, see the ArcSight Logger Administrator's Guide.

Whichever forwarder type you choose, it must match that of the SmartConnector protocol and port chosen during installation.

To create a specific filter for NNMi, refer to the NNMi Deployment Reference Guide.

Wait a few minutes after enabling a forwarder before disabling it. Likewise, wait before enabling a forwarder that has just been disabled. Background tasks initiated by enabling or disabling a forwarder can produce unexpected results if they are interrupted.

Appendix A: Supported Cisco Router Sub-Messages

This appendix lists Cisco Router sub-messages for which additional mappings are provided. The Cisco Router Syslog SmartConnector parser supports mappings of mnemonic, networkTopologyType, and networkTopologyValue for SNMP traps for NNMi for the Cisco Router, and supports the subset of sub-messages listed in this appendix.

Cisco Router Sub-messages

These are the Cisco Router sub-messages for which the mappings are provided:
- BGP-5-ADJCHANGE
- CDP-4-DUPLEX_MISMATCH
- DTP-3-NONTRUNKPORTFAIL
- DTP-3-TRUNKPORTFAIL
- DTP-5-NONTRUNKPORTON
- DTP-5-TRUNKPORTCHG
- DTP-5-TRUNKPORTON
- FR-5-DLCICHANGE
- LINEPROTO-5-UPDOWN
- LINK-3-UPDOWN
- STANDBY-3-DUPADDR
- LINK-4-ERROR
- PAGP-5-PORTFROMSTP
- PAGP-5-PORTTOSTP
- PORT_SECURITY-2-PSECURE_VIOLATION_VLAN
- SNMP-5-MODULETRAP
- SPANTREE-5-PORTLISTEN
- SPANTREE-5-ROOTCHANGE
- SPANTREE-6-PORTFWD
- SPANTREE-6-PORTLISTEN
- STACKMGR-6-MASTER_ELECTED
- STACKMGR-6-MASTER_READY
- STACKMGR-6-STACK_LINK_CHANGE
- STANDBY-6-STATECHANGE
- SYS-3-MOD_CFGMISMATCH1
- SYS-3-MOD_CFGMISMATCH2
- SYS-3-MOD_CFGMISMATCH3
- SYS-3-MOD_CFGMISMATCH4
- SYS-3-PKTBUFBAD
- SYS-3-PORT_COLL
- SYS-3-PORT_COLLDIS
- SYS-3-PORT_IN_ERRORS
- SYS-3-PORT_RUNTS
- SYS-4-SYS_LCPERR4
- SYS-5-MOD_INSERT
- SYS-5-MOD_OK
- SYS-5-MOD_REMOVE
- SYS-5-MOD_RESET
- SYS-5-RELOAD
- SYS-5-RESTART
- SYS-5-SYS_LCPERR5
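Appendix A lists which Cisco Router sub-messages the parser maps for NNMi. The following is an added example, not the connector's own parser: it reads a CEF syslog line of the kind a Logger forwarder emits, extracts the Cisco FACILITY-SEVERITY-MNEMONIC from the msg extension, and reports whether that sub-message is in the Appendix A subset. The CEF sample lines and the "Interface ..."/"port ..." pattern used to pick out the affected interface are constructed assumptions, not the product's mapping rules.

```python
import re
from typing import Dict, List

# The Appendix A subset, copied from the page (FACILITY-SEVERITY-MNEMONIC).
SUPPORTED_SUBMESSAGES = frozenset("""
BGP-5-ADJCHANGE CDP-4-DUPLEX_MISMATCH DTP-3-NONTRUNKPORTFAIL DTP-3-TRUNKPORTFAIL
DTP-5-NONTRUNKPORTON DTP-5-TRUNKPORTCHG DTP-5-TRUNKPORTON FR-5-DLCICHANGE
LINEPROTO-5-UPDOWN LINK-3-UPDOWN STANDBY-3-DUPADDR LINK-4-ERROR
PAGP-5-PORTFROMSTP PAGP-5-PORTTOSTP PORT_SECURITY-2-PSECURE_VIOLATION_VLAN
SNMP-5-MODULETRAP SPANTREE-5-PORTLISTEN SPANTREE-5-ROOTCHANGE SPANTREE-6-PORTFWD
SPANTREE-6-PORTLISTEN STACKMGR-6-MASTER_ELECTED STACKMGR-6-MASTER_READY
STACKMGR-6-STACK_LINK_CHANGE STANDBY-6-STATECHANGE SYS-3-MOD_CFGMISMATCH1
SYS-3-MOD_CFGMISMATCH2 SYS-3-MOD_CFGMISMATCH3 SYS-3-MOD_CFGMISMATCH4
SYS-3-PKTBUFBAD SYS-3-PORT_COLL SYS-3-PORT_COLLDIS SYS-3-PORT_IN_ERRORS
SYS-3-PORT_RUNTS SYS-4-SYS_LCPERR4 SYS-5-MOD_INSERT SYS-5-MOD_OK SYS-5-MOD_REMOVE
SYS-5-MOD_RESET SYS-5-RELOAD SYS-5-RESTART SYS-5-SYS_LCPERR5
""".split())

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text ('%' and ':' optional
# so a bare signature id such as "LINK-3-UPDOWN" is also recognised).
CISCO_MSG_RE = re.compile(
    r"%?(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<text>.*)")
# Assumed pattern for the interface a message is about (not the product's mapping rule).
INTERFACE_RE = re.compile(r"\b(?:Interface|port)\s+(?P<ifname>[A-Za-z][A-Za-z-]*\d[0-9/.:]*)")
# CEF extension key=value pairs; an escaped '\=' inside a value does not end it.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def split_cef_header(text: str) -> List[str]:
    """Split 'CEF:0|...|' on unescaped pipes: 7 header fields plus the raw extension."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if len(parts) == 7:                  # after the 7th pipe: extension, kept raw
            parts.append(text[i:])
            return parts
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # '\|' and '\\' are literal in the header
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_extension(ext: str) -> Dict[str, str]:
    def unescape(value: str) -> str:
        return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)
    return {m.group("key"): unescape(m.group("value")) for m in EXT_RE.finditer(ext)}


def parse_cef(line: str) -> Dict[str, object]:
    """Parse a syslog line carrying a CEF record (syslog PRI/timestamp prefix is skipped)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF syslog line")
    fields = split_cef_header(line[start:])
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    return {
        "version": fields[0][len("CEF:"):],
        "vendor": fields[1], "product": fields[2], "device_version": fields[3],
        "signature_id": fields[4], "name": fields[5], "severity": fields[6],
        "extensions": parse_extension(fields[7]) if len(fields) > 7 else {},
    }


def classify(line: str) -> Dict[str, object]:
    """Identify the Cisco sub-message in a forwarded CEF line and whether Appendix A covers it."""
    cef = parse_cef(line)
    ext = cef["extensions"]
    text = ext.get("msg") or str(cef["signature_id"])
    m = CISCO_MSG_RE.search(text)
    if not m:
        return {"submessage": None, "supported": False, "interface": None, "device": ext.get("dvc")}
    sub = f"{m.group('facility')}-{m.group('severity')}-{m.group('mnemonic')}"
    ifm = INTERFACE_RE.search(m.group("text"))
    return {
        "submessage": sub,
        "supported": sub in SUPPORTED_SUBMESSAGES,
        "interface": ifm.group("ifname") if ifm else None,
        "device": ext.get("dvc") or ext.get("src"),
    }


# Constructed sample lines (not captured from a real Logger or router).
SAMPLE_LINES = [
    "<134>Feb 15 10:23:45 logger CEF:0|Cisco|IOS|12.4|LINK-3-UPDOWN|Link state change|3|"
    "src=10.1.1.1 dvc=10.1.1.1 msg=%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<134>Feb 15 10:23:46 logger CEF:0|Cisco|IOS|12.4|SEC-6-IPACCESSLOGP|ACL log|2|"
    "src=10.1.1.1 msg=%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 10.0.0.9(22), 1 packet",
    "<134>Feb 15 10:23:47 logger CEF:0|Cisco|IOS|12.4|PORT_SECURITY-2-PSECURE_VIOLATION_VLAN|Port security|7|"
    "dvc=10.1.1.2 msg=%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port Gi0/5 on VLAN 10",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
```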
HPE Security ArcSight Model Import Connector for RepSM Plus
Software Version: 7.3.0.7954.0
Configuration Guide
November 7, 2016

Legal Notices

Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.

This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2016 Hewlett Packard Enterprise Development, LP

Follow this link to see a complete statement of copyrights and acknowledgements: https:///docs/DOC-13026

Contact Information
Support Phone: A list of phone numbers is available on the HPE Security ArcSight Technical Support Page: https:///documents/10180/14684/esp-support-contact-list
Support Web Site: https://
Protect 724 Community: https://

Contents
Model Import Connector for RepSM Plus ... 4
Features and Functional Summary ... 4
Installing the Connector ... 5
Model Import Connector Installation ... 5
Running Connectors ... 7
Connector Upgrade ... 8
Administrative Tasks - RepSM Plus Configuration Using the ArcSight Console ... 8
Setting up the Model Import User in ESM ... 8
Starting and Stopping Data Import ... 9
Optional - Reloading RepSM Plus Data ... 9
Optional - Optimization of Data Transfer Using a Timer ... 9
Send Documentation Feedback ... 11

Model Import Connector for RepSM Plus

This guide describes installing the Model Import Connector for HPE Security ArcSight Reputation Security Monitor Plus (RepSM Plus) and configuring the device for data collection.

The HPE RepSM Plus solution uses internet reputation data to provide a list of known bad or harmful domains or IP addresses, to provide context to security events. The Model Import Connector for RepSM Plus is a component of RepSM Plus which retrieves reputation data from the RepSM Plus threat intelligence service, processes this data, and forwards it to ArcSight ESM. The threat intelligence includes reputation information about internet nodes which are known to exhibit bad behavior. The ill-reputed nodes are identified by their network address or Domain Name System (DNS) name. This data is used by the accompanying RepSM Plus content package to detect malware-infected machines, zero-day attacks, and dangerous browsing. The user can also use the data to implement custom ESM solutions. For further details on this solution, see the HPE Reputation Security Monitor Solution Guide.

Features and Functional Summary

The Model Import Connector for RepSM Plus retrieves the reputation data and forwards it to ESM. This connector supports one ESM destination. The connector only sends the delta information from the last retrieved data to the ESM. These entries are:
- IPv4 addresses
- Host and domain names

For each entry these reputation attributes are retrieved:
- Reputation Score
- Exploit Type

The initial import happens when the connector is started for the first time and the initial import command is issued from the ESM console. Following the initial load of the entries, the connector checks for updates, by default, every two hours. With the data from this query, the connector processes the deltas to add or delete entries or update the threat scores as required, and sends this information to the ESM.

Installing the Connector

Before installing the connector, verify that ESM (the product with which the connector will communicate) and Console have already been installed correctly. It is recommended that the connector not be installed on the same machine as ESM.

Also, be sure the following are available:
- Additional 2 GB memory if the connector is run in standalone mode.
- Local administrator access to the machine on which the connector will be installed.
- The machine on which the connector will be installed has external access over the Internet to any system over port 443, and connectivity to the ESM machine over port 8443 (default) or the configured port if the default was not used.
- ESM IP address, port, administrator user name, and password.

Model Import Connector Installation

This section provides instructions on how to install the Model Import Connector for RepSM Plus.

To install the Model Import Connector for RepSM Plus:
1. Download the Model Import Connector for RepSM Plus installation executable using the link provided in the e-mail sent to you by HPE.
2. Start the connector installer by running the executable. Follow the installation wizard through the following folder selection tasks and installation of the core connector software:
   - Introduction
   - Choose Install Folder
   - Choose Shortcut Folder
   - Pre-Installation Summary
   - Installing...
3. Select Add a Connector.
4. Model Import Connector for RepSM Plus is already selected. Click Next.
5. Enter the required parameters to configure the connector, then click Next.
6. ArcSight Manager (encrypted) is selected. Click Next.
7. Enter destination parameters, including the host and port information, and click Next.
8. Enter a Name for the connector and provide other information identifying the connector's use in your environment. Click Next.
9. Select whether to import a certificate.
10. Review the Add connector Summary and click Next. If the summary is incorrect, click Previous to make changes.
11. The wizard now prompts you to choose whether you want to run the connector as a stand-alone process or as a service. Choose either Install as a service or Leave as a standalone application. Click Next.
12. To close the installation wizard, choose Exit and click Next. There are further installation steps after you close the wizard. Be sure to continue with the subsequent installation steps.
13. If the connector is run in standalone mode, the default heap size is 256 MB. For proper operation of the connector, HPE recommends that you modify the heap size setting to 2 GB. There is no need to modify memory if the connector is run as a service; if the connector is configured to run as a service, the heap size is set to 2 GB by default. Increase the memory for the connector by doing the following (in the following example commands, ARCSIGHT_HOME represents the name of the directory where the connector is installed):
   - For Linux, create the following shell script and be sure it is executable:
     ~/ARCSIGHT_HOME/current/user/agent/setmem.sh
     with the following content:
     ARCSIGHT_MEMORY_OPTIONS="-Xms1024m -Xmx2048m"
   - For Windows, create the following batch file:
     $ARCSIGHT_HOME\current\user\agent\setmem.bat
     with the following content:
     SET ARCSIGHT_MEMORY_OPTIONS="-Xms1024m -Xmx2048m"
   Be sure to use regular double quote characters in the file content in either the shell script or the batch file.
14. Verify that the connector is running. You can check the ArcSight Console Navigator in the Resources tab, under Connectors. If the connector is running, you will see <connector_name> (running) listed. See "Running Connectors" below.
15. Set up the Model Import user in ESM. See "Setting up the Model Import User in ESM" on the next page.
16. Start the data import. See "Starting and Stopping Data Import" on page 9.
Running Connectors

Connectors can be installed and run in standalone mode, on Windows platforms as a Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On Windows platforms, connectors can also be run using shortcuts and optional Start menu entries.

If installed standalone, the connector must be started manually, and is not automatically active when a host is restarted. If installed as a service or daemon, the connector runs automatically when the host is restarted. For information about connectors running as services or daemons, see the ArcSight SmartConnector User's Guide, Chapter 3, Installing SmartConnectors, in the section "Running SmartConnectors".

For connectors installed standalone, to run all installed connectors on a particular host, open a command window, go to $ARCSIGHT_HOME\current\bin and run:
./arcsight agents

To view the connector log, read the file:
- For Windows: $ARCSIGHT_HOME\current\logs\agent.log
- For Linux: ~/ARCSIGHT_HOME/current/logs/agent.log

To stop all connectors, enter Ctrl+C in the command window.

Connector Upgrade

To upgrade the Model Import Connector for RepSM Plus, you must uninstall the current version of the connector and then install the latest version. For information about uninstalling connectors, see the ArcSight SmartConnector User's Guide.

Administrative Tasks - RepSM Plus Configuration Using the ArcSight Console

There are mandatory and optional administrative tasks. "Setting up the Model Import User in ESM" below and "Starting and Stopping Data Import" on the next page are mandatory steps for connector installation, and are mentioned as part of the installation procedure. See "Installing the Connector" on page 5 for details. You might also find that you need to perform these tasks outside of the context of the installation procedure. The tasks "Optional - Reloading RepSM Plus Data" on the next page and "Optional - Optimization of Data Transfer Using a Timer" on the next page can be performed as needed.

Setting up the Model Import User in ESM

After installing, configuring, and starting the connector, from the ArcSight Console set the Model Import User for the connector (this must be a user with Console administrative privileges). Setting the user links the user to the assets, and that user is then treated as the "creator" of the assets. The connector is then run on that user's behalf.

1. From the ArcSight Console, go to the Navigator panel and choose the Resources tab.
2. Under Resources, choose the Connectors resource.
3. Under All Connectors, navigate to your Model Import Connector for RepSM Plus.
4. Right-click on the connector and select Configure.
5. On the Inspect/Edit panel, choose the Connector tab.
6. Under the Connector tab, go to Model Import User and select a user from the Administrators group.
7. Click OK.

Starting and Stopping Data Import

By default the connector's data import capability is not started. You must start the import manually in the ArcSight Console.

To start and stop import for the Model Import Connector for RepSM Plus:
1. Select the Model Import Connector for RepSM Plus and right-click.
2. Select Send Command > Model Import Connector > Start or Stop.

Optional - Reloading RepSM Plus Data

To reload RepSM Plus data:
1. If active, stop the connector.
2. Remove all files at:
   - Linux: ~/ARCSIGHT_HOME/current/user/agent/agentdata
   - Windows: $ARCSIGHT_HOME\current\user\agent\agentdata
3. Remove all folders and XML files (if any) at:
   - Linux: ~/ARCSIGHT_HOME/current/user/agent/mic/repsm
   - Windows: $ARCSIGHT_HOME\current\user\agent\mic\repsm
4. At the ArcSight Console, clear all entries in the Malicious Domains and Malicious IP Addresses Active Lists. For each Active List:
   a. Under Reputation Security Monitor, select the Malicious Domains and/or the Malicious IP Addresses Active List and right-click.
   b. Select Clear Entries.
5. Restart the connector.

Optional - Optimization of Data Transfer Using a Timer

The time interval between archives sent by the connector to ESM can be controlled by the buildmodeldelay property. The default value is 1 minute. To increase or decrease this time interval, you can add the buildmodeldelay property to the file agent.properties (located at $ARCSIGHT_HOME\current\user\agent). The property buildmodeldelay is expressed in milliseconds. For example, the following property sets the time interval to 10 seconds:
component[35].buildmodeldelay=10000

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email, with the subject line "Feedback on Configuration Guide (Model Import Connector for RepSM Plus 7.3.0.7954.0)".
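The "Features and Functional Summary" section above says the connector sends only the delta between the last retrieved data and the current query (adds, deletes, and score updates), and the reload procedure rebuilds the lists from scratch. The following added example, which is not the connector's own code, works that add/delete/update step through on a constructed snapshot format; the line format, the entry-kind check, and the sample entries are assumptions, and the real RepSM Plus feed format and the ESM-side Active List calls are not on this page.

```python
import re
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address
from typing import Dict, List

# Host/domain names: labels of 1-63 chars, alphabetic TLD, 253 chars total (assumed check).
DNS_NAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


@dataclass(frozen=True)
class Reputation:
    score: int          # Reputation Score
    exploit_type: str   # Exploit Type


@dataclass
class Delta:
    added: Dict[str, Reputation]
    deleted: List[str]
    updated: Dict[str, Reputation]


def entry_kind(entry: str) -> str:
    """Classify an entry as one of the two kinds the connector imports: 'ipv4' or 'dns'."""
    try:
        IPv4Address(entry)
        return "ipv4"
    except AddressValueError:
        if DNS_NAME_RE.fullmatch(entry.lower()):
            return "dns"
    raise ValueError(f"entry is neither an IPv4 address nor a DNS name: {entry!r}")


def parse_snapshot(text: str) -> Dict[str, Reputation]:
    """Constructed snapshot format: entry,score,exploit_type ('#' starts a comment)."""
    snapshot: Dict[str, Reputation] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry, score, exploit_type = (p.strip() for p in line.split(",", 2))
        kind = entry_kind(entry)                 # reject junk before it reaches ESM
        key = entry.lower() if kind == "dns" else entry
        snapshot[key] = Reputation(int(score), exploit_type)
    return snapshot


def compute_delta(previous: Dict[str, Reputation], current: Dict[str, Reputation]) -> Delta:
    """Add/delete/update set between the last retrieved data and the new query."""
    added = {k: v for k, v in current.items() if k not in previous}
    deleted = sorted(k for k in previous if k not in current)
    updated = {k: v for k, v in current.items() if k in previous and previous[k] != v}
    return Delta(added, deleted, updated)


def apply_delta(active_list: Dict[str, Reputation], delta: Delta) -> Dict[str, Reputation]:
    """Mirror of the ESM-side list after the delta. A full reload (the 'Reloading RepSM
    Plus Data' procedure: clear the lists, then re-import) is apply_delta({}, compute_delta({}, current))."""
    result = dict(active_list)
    for key in delta.deleted:
        result.pop(key, None)
    result.update(delta.added)
    result.update(delta.updated)
    return result


# Constructed sample snapshots (not RepSM Plus data).
PREVIOUS_SNAPSHOT = """\
# entry,score,exploit_type
198.51.100.7,90,Botnet
203.0.113.9,60,Phishing
bad.example.com,85,Malware
"""
CURRENT_SNAPSHOT = """\
198.51.100.7,95,Botnet
BAD.example.com,85,Malware
evil.example.net,70,Malware
"""

if __name__ == "__main__":
    delta = compute_delta(parse_snapshot(PREVIOUS_SNAPSHOT), parse_snapshot(CURRENT_SNAPSHOT))
    print("added:", sorted(delta.added), "deleted:", delta.deleted, "updated:", sorted(delta.updated))
```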
HPE Security ArcSight Connectors
SmartConnector for QoSient ARGUS (Legacy)
Configuration Guide
February 15, 2017

Copyright © 2003 – 2017 Hewlett Packard Enterprise Development LP

Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise Development LP shall not be liable for technical or editorial omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. Hewlett Packard Enterprise Development LP products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise Development LP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Follow this link to see a complete statement of Hewlett Packard Enterprise Development LP copyrights, trademarks and acknowledgements: https:///docs/DOC-13026.

Revision History
Date        Description
02/15/2017  Marked connector as legacy.
11/30/2016  Updated installation procedure for setting preferred IP address mode.
05/15/2012  Added new installation procedure.
03/30/2011  Added note that connector should be installed on same machine as Argus client.
05/26/2010  Added configuration parameter for the ra.conf file.
02/11/2010  Added support for FIPS Suite B and CEF File transport.
06/30/2009  Global update to installation procedure for FIPS support.

Configuration Guide: SmartConnector for QoSient ARGUS (Legacy)

This guide provides information for installing the SmartConnector for QoSient ARGUS (Audit Record Generation and Utilization System) and configuring the device for event collection. This SmartConnector is supported for installation on Linux platforms. QoSient ARGUS versions 2 and 3 are supported.

Product Overview

QoSient ARGUS is a fixed-model, real-time flow monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics on a per-transaction basis. It monitors network traffic while maintaining connection state information.
Argus can be used to analyze and report on the contents of packet capture files, or it can run as a continuous monitor, examining data from a live interface and generating an audit log of all the network activity seen in the packet stream.

The SmartConnector invokes an ra command, which reads Argus data from an Argus server and imports the events generated by Argus into the ArcSight ESM System. For complete information about compiling, installing, configuring, and running Argus, see /argus/.

Configuration

If you are configuring the connector for Argus version 3.x:
1. Open the Argus configuration file ra.conf and add the following properties to the file:
   RA_TIME_FORMAT="%y-%m-%d %T"
   RA_FIELD_DELIMITER=','
2. Save and close the file.

Install the SmartConnector

The following sections provide instructions for installing and configuring your selected SmartConnector.

The connector must be installed on the same machine as the Argus client; it will not work properly when installed remotely.

Prepare to Install Connector

Before you install any SmartConnectors, make sure that the ArcSight products with which the connectors will communicate have already been installed correctly (such as ArcSight ESM or ArcSight Logger).

For complete product information, read the Administrator's Guide as well as the Installation and Configuration guide for your ArcSight product before installing a new SmartConnector. If you are adding a connector to the ArcSight Management Center, see the ArcSight Management Center Administrator's Guide for instructions, and start the installation procedure at "Set Global Parameters (optional)" or "Select Connector and Add Parameter Information."

Before installing the SmartConnector, be sure the following are available:
- Local access to the machine where the SmartConnector is to be installed
- Administrator passwords

Install Core Software

Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on all ArcSight supported platforms; for the complete list, see the SmartConnector Product and Platform Support document, available from the HPE SSO and Protect 724 sites.

1. Download the SmartConnector executable for your operating system from the HPE SSO site.
2. Start the SmartConnector installation and configuration wizard by running the executable. Follow the wizard through the following folder selection tasks and installation of the core connector software:
   - Introduction
   - Choose Install Folder
   - Choose Shortcut Folder
   - Pre-Installation Summary
   - Installing...
3. When the installation of SmartConnector core component software is finished, the following window is displayed:

Set Global Parameters (optional)

If you choose to perform any of the operations shown in the following table, do so before adding your connector. After installing core software, you can set the following parameters:

Global Parameter: Setting
Set FIPS mode: Set to 'Enable' to enable FIPS compliant mode. To enable FIPS Suite B Mode, see the SmartConnector User Guide under "Modifying Connector Parameters" for instructions. Initially, this value is set to 'Disable'.
Set Remote Management: Set to 'Enable' to enable remote management from ArcSight Management Center. When queried by the remote management device, the values you specify here for enabling remote management and the port number will be used. Initially, this value is set to 'Disable'.
Remote management listener port: The remote management device will listen to the port specified in this field. The default port number is 9001.
Preferred IP Version: If both IPv4 and IPv6 IP addresses are available for the local host (the machine on which the connector is installed), you can choose which version is preferred. Otherwise, you will see only one selection. When both values are present, the initial setting is IPv4.

After making your selections, click Next. A summary screen is displayed. Review the summary of your selections and click Next. Click Continue to return to the "Add a Connector" window. Continue the installation procedure with "Select Connector and Add Parameter Information."

Select Connector and Add Parameter Information

1. Select Add a Connector and click Next. If applicable, you can enable FIPS mode and enable remote management later in the wizard after SmartConnector configuration.
2. Select QoSient ARGUS and click Next.
3. Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.

   Parameter: Description
   Argus Version: Select the product version from the drop-down list. Version 2.x is selected by default.
   Full path to Argus executable 'ra': Enter the full path to the location of the 'ra' executable. The default value is '/usr/bin'.
   Full path to Argus configuration file 'ra.conf': Enter the full path to the location of the 'ra.conf' file. The default value is '/etc'. This parameter is required only when you have selected Argus version 3.x.
   Argus Server: Enter the host name or IP address of the Argus Server. Note that 'localhost' cannot be used as the server if traffic is received from a remote Argus Server.
   Argus Port: Enter the port number to be used for SmartConnector communications with Argus. The default value is '561'.
   Cisco NetFlow Server: Enter the host name or IP address of the Cisco NetFlow Server.
   Cisco NetFlow Port: Enter the port number to be used for Cisco NetFlow communications. The default value is '9995'.

   During connector installation in interactive mode, if you cannot enter null values or blank values for the parameters, you can leave the values in their default state so that the connector will ignore them. The connector will ignore the values for the Argus Server, Argus Port, Cisco NetFlow Server, and Cisco NetFlow Port parameters if they contain the prefix '<' and suffix '>'. Also, for the command line options used for the Argus versions 2 and 3 ra command, see "Device Event Mapping to ArcSight Data Fields."

Select a Destination

1. The next window asks for the destination type; select a destination and click Next. For information about the destinations listed, see the ArcSight SmartConnector User Guide.
2. Enter values for the destination. For the ArcSight Manager destination, the values you enter for User and Password should be the same ArcSight user name and password you created during the ArcSight Manager installation. Click Next.
3. Enter a name for the SmartConnector and provide other information identifying the connector's use in your environment. Click Next. The connector starts the registration process.
4. If you have selected ArcSight Manager as the destination, the certificate import window for the ArcSight Manager is displayed. Select Import the certificate to the connector from destination and click Next. (If you select Do not import the certificate to connector from destination, the connector installation will end.) The certificate is imported and the Add connector Summary window is displayed.

Complete Installation and Configuration

1. Review the Add Connector Summary and click Next. If the summary is incorrect, click Previous to make changes.
2. The wizard now prompts you to choose whether you want to run the SmartConnector as a stand-alone process or as a service.
If you choose to run the connector as a stand-alone process, select Leave as a standalone application, click Next, and continue with step 5.3If you chose to run the connector as a service, with Install as a service selected, click Next. The wizard prompts you to define service parameters. Enter values for Service Internal Name andService Display Name and select Yes or No for Start the service automatically. The InstallService Summary window is displayed when you click Next.4Click Next on the summary window.5To complete the installation, choose Exit and Click Next.For some SmartConnectors, a system restart is required before the configuration settings you made take effect. If a System Restart window is displayed, read the information and initiate the system restart operation.Save any work on your computer or desktop and shut down any other running applications (including theArcSight Console, if it is running), then shut down the system.For instructions about upgrading the connector or modifying parameters, see the SmartConnector User Guide.Run the SmartConnectorSmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. OnWindows platforms, SmartConnectors also can be run using shortcuts and optional Start menu entries.If the connector is installed in stand-alone mode, it must be started manually and is not automatically active when a host is restarted. If installed as a service or daemon, the connector runs automatically when the host is restarted. 
For information about connectors running as services or daemons, see the ArcSight SmartConnector User Guide.SmartConnector for QoSient ARGUS (Legacy)To run all SmartConnectors installed in stand-alone mode on a particular host, open a commandwindow, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectorsTo view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to stop all SmartConnectors, enter Ctrl+C in the command window.Device Event Mapping to ArcSight FieldsFor version 2, the following command line options for the ra executable are used:ra -S <Argus Server>:<Argus Port> -C <Cisco NetFlow Server>:<CiscoNetFlow Port> -n -s lasttime dur ind proto mac saddr sport dir dstiddaddr dport bytes pkts statusFor version 3, the following command line options for the ra executable are used:ra -F <Argus Configuration File Path>/ra.conf -S <Argus Server>:<ArgusPort> -C <Cisco NetFlow Server>:<Cisco NetFlow Port> -n -s stime ltimedur flgs proto smac dmac saddr sport dir daddr dport sbytes dbytes spkts dpkts stateQosient Argus v3 Mappings to ArcSight ESM FieldsArcSight ESM Field Device-Specific FieldBytes In Source BytesBytes Out Destination BytesDestination Address Destination AddressDestination Mac Address Destination Mac AddressDestination Port Destination PortDevice Action StateDevice Custom Number 1 Source PacketsDevice Custom Number 2 Destination PacketsDevice Custom String 1 FlagDevice Custom String 2 DirectionDevice Custom String 3 DurationDevice Custom String 4 Destination Mac AddressDevice Custom String 5 Source AddressDevice Custom String 6 Destination AddressDevice Product 'Argus'Device Receipt Time End TimeDevice Vendor 'QoSient'Device Version '3.x'End Time End TimeSource Address Source AddressSource Mac Address Source Mac AddressSource Port Source PortStart Time Start TimeConfiguration GuideArcSight ESM Field Device-Specific FieldTransport Protocol ProtocolQosient Argus v2 Mappings to ArcSight ESM FieldsArcSight ESM Field 
Device-Specific FieldApplication Protocol Application ProtocolBytes In Bytes InBytes Out Bytes OutDestination Address Destination AddressDestination Mac Address Dest MacDestination Port Destination PortDevice Action StatusDevice Custom Number 1 Packets InDevice Custom Number 2 Packets OutDevice Custom Number 3 DurationDevice Custom String 1 FlagDevice Custom String 2 DirectionDevice Custom String 4 Destination Mac AddressDevice Event Class Id FlagDevice Product 'Argus'Device Receipt Time Detect TimeDevice Vendor 'QoSient'Device Version '2.x'End Time Detect TimeSource Address Source AddressSource Mac Address Source MacSource Port Source PortTransport Protocol Protocol。
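The following Python is an added example, not code from the SmartConnector guide or from the Argus project. It builds the version 3 ra command line with the '<...>' placeholder rule from "Select Connector and Add Parameter Information" and maps one constructed line of comma-delimited ra output (RA_FIELD_DELIMITER=',') onto the ESM fields of the v3 mapping table; the field order follows the guide's ra -s list, and the sample output line is constructed for this example.

```python
"""Build the Argus v3 'ra' command the connector runs and map its CSV output
onto ArcSight ESM fields. Added example; assumptions are noted in comments."""
from datetime import datetime
from typing import Dict, List, Optional

# The -s field list from the version 3 ra command line in the guide.
RA_FIELDS_V3: List[str] = [
    "stime", "ltime", "dur", "flgs", "proto", "smac", "dmac", "saddr",
    "sport", "dir", "daddr", "dport", "sbytes", "dbytes", "spkts", "dpkts",
    "state",
]

# RA_TIME_FORMAT="%y-%m-%d %T" from ra.conf; Python's strptime has no %T,
# so the equivalent %H:%M:%S is used here.
RA_TIME_FORMAT = "%y-%m-%d %H:%M:%S"

# ArcSight ESM field -> ra field, transcribed from the v3 mapping table.
V3_MAPPING: Dict[str, str] = {
    "Bytes In": "sbytes", "Bytes Out": "dbytes",
    "Destination Address": "daddr", "Destination Mac Address": "dmac",
    "Destination Port": "dport", "Device Action": "state",
    "Device Custom Number 1": "spkts", "Device Custom Number 2": "dpkts",
    "Device Custom String 1": "flgs", "Device Custom String 2": "dir",
    "Device Custom String 3": "dur", "Device Custom String 4": "dmac",
    "Device Custom String 5": "saddr", "Device Custom String 6": "daddr",
    "Device Receipt Time": "ltime", "End Time": "ltime", "Start Time": "stime",
    "Source Address": "saddr", "Source Mac Address": "smac",
    "Source Port": "sport", "Transport Protocol": "proto",
}
# Literal values from the same table.
V3_CONSTANTS = {"Device Product": "Argus", "Device Vendor": "QoSient",
                "Device Version": "3.x"}
INT_FIELDS = ("Bytes In", "Bytes Out", "Device Custom Number 1",
              "Device Custom Number 2", "Source Port", "Destination Port")
TIME_FIELDS = ("Start Time", "End Time", "Device Receipt Time")


def is_placeholder(value: str) -> bool:
    """The connector ignores a parameter left with prefix '<' and suffix '>'."""
    v = value.strip()
    return len(v) >= 2 and v.startswith("<") and v.endswith(">")


def build_ra_v3_command(ra_path: str, conf_dir: str, argus_server: str,
                        argus_port: str, netflow_server: str,
                        netflow_port: str) -> List[str]:
    """Assemble the version 3 ra argv; -S / -C are dropped when either half
    of the server:port pair is still a '<...>' placeholder."""
    cmd = [f"{ra_path.rstrip('/')}/ra", "-F", f"{conf_dir.rstrip('/')}/ra.conf"]
    if not (is_placeholder(argus_server) or is_placeholder(argus_port)):
        cmd += ["-S", f"{argus_server}:{argus_port}"]
    if not (is_placeholder(netflow_server) or is_placeholder(netflow_port)):
        cmd += ["-C", f"{netflow_server}:{netflow_port}"]
    return cmd + ["-n", "-s", *RA_FIELDS_V3]


def _to_int(value: str) -> Optional[int]:
    """Blank or non-numeric values (no port for some protocols) become None."""
    value = value.strip()
    return int(value) if value.isdigit() else None


def parse_ra_v3_line(line: str, delimiter: str = ",") -> Dict[str, object]:
    """Split one ra output line and populate the ESM fields of the v3 table."""
    values = [v.strip() for v in line.rstrip("\n").split(delimiter)]
    if len(values) != len(RA_FIELDS_V3):
        raise ValueError(f"expected {len(RA_FIELDS_V3)} fields, got {len(values)}")
    raw = dict(zip(RA_FIELDS_V3, values))
    event: Dict[str, object] = dict(V3_CONSTANTS)
    for esm_field, ra_field in V3_MAPPING.items():
        event[esm_field] = raw[ra_field]
    for field in INT_FIELDS:
        event[field] = _to_int(str(event[field]))
    for field in TIME_FIELDS:
        event[field] = datetime.strptime(str(event[field]), RA_TIME_FORMAT)
    return event


# Constructed sample line (not real Argus output), in RA_FIELDS_V3 order.
SAMPLE_LINE = ("21-05-03 10:15:01,21-05-03 10:15:04,3.000214,e s,tcp,"
               "00:11:22:33:44:55,66:77:88:99:aa:bb,10.0.0.5,51234,->,"
               "192.0.2.10,443,1420,9876,12,11,FIN")

if __name__ == "__main__":
    print(" ".join(build_ra_v3_command("/usr/bin", "/etc", "argus.example",
                                       "561", "<Cisco NetFlow Server>",
                                       "<Cisco NetFlow Port>")))
    for k, v in parse_ra_v3_line(SAMPLE_LINE).items():
        print(f"{k:28s} {v}")
```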
ArcSight ESM

Enterprise Security Management (ESM) for Security, Compliance and Insider Threat

We Live in Challenging Times.

Corporate computer networks are continuously under siege by hackers and malicious insiders eager to exploit any and every vulnerability. The number of attacks on systems continues to rise exponentially. In 1988, the CERT Coordination Center recorded only six attacks against Internet-connected systems. By 2005, that number skyrocketed to an estimated 200,000 attacks.

These attacks are not only increasing in frequency, but in complexity and severity as well. The time to exploitation of today's most sophisticated worms and viruses has shrunk from years to months to days, and in some cases, to a matter of hours. Defending against these attacks is becoming more difficult by the minute.

It is not just external attacks we must defend against, but malicious insiders who aim to steal confidential customer and business data and sell it for financial gain. Some 35% of the top 100 financial institutions were victims of insider attacks in 2004, compared to only 14% the year before, according to a study from Deloitte Touche. Meanwhile, government regulations like Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and FISMA have raised the stakes when it comes to protecting confidential data. Businesses are often compelled to report weaknesses in financial controls, database breaches and information loss. Failure to protect sensitive data and meet regulatory requirements can destroy customer trust, damage stock prices, invite class-action lawsuits and spur government and industry fines. The detrimental consequences of a security breach are extremely far reaching.

ArcSight ESM Solution for Compliance

Audit, compliance and IT governance are major requirements for all enterprises. The need to centrally collect, monitor, respond and report on security event data is more important than ever. ArcSight automates time-consuming processes related to proving compliance to regulations such as Sarbanes-Oxley, GLBA, FISMA, HIPAA and PCI. Our multi-award winning security information management solution delivers cost-effective, flexible and intelligent aggregation, correlation, monitoring and reporting to immediately fulfill and enable many important compliance requirements.

ArcSight ESM allows you to:
• Centrally collect, store and monitor security event data
• Easily deliver one-click compliance reporting that provides relevant data in a relevant format
• Demonstrate the ability to monitor, respond and mitigate risk
• Separately monitor and report on events that involve regulated systems
• Easily increase protection while eliminating manual processes
• Save valuable security analyst resources from tedious, manual audit tasks
• Drive accountability and awareness for all stakeholders

Crippling Complexity

Organizations have attempted to protect themselves by implementing best-of-breed security solutions like antivirus gateways, firewalls and intrusion prevention systems. These technologies are valuable, but this has led to a new problem: crippling complexity.

Today, companies are overwhelmed by scores of security devices and systems from many different vendors. These disparate devices generate a huge flood of data. Whereas three years ago, the typical organization had hundreds of security devices generating 50,000 events per day, enterprises today have tens of thousands of security devices emitting billions of events that need to be monitored, logged, analyzed and correlated every day.

Some of these events are false alarms that can overwhelm operations and waste countless hours by leading security analysts on a fruitless hunt for random incidents. Effectively managing and auditing these security events has become a Herculean task.

What is required is a single, integrated solution that enables enterprises to collect, correlate and manage massive amounts of security data from heterogeneous sources for real-time monitoring and response. What is required is a solution that can easily adapt to growing and changing environments. What is required is ArcSight ESM™.

A True Understanding of Security Threats.

With ArcSight ESM, you don't have to limit the information you collect. You don't have to decide up front what is important and what is not. And you no longer have to miss potential threats due to data overload. ArcSight ESM ties all security data together in an intelligent system that allows security teams to manage regulatory compliance requirements, communicate the status of security to a broader audience and gain visibility into insider threats, all while ensuring protection at the perimeter. For the very first time, organizations can see the true nature of security threats in their environments.

ArcSight ESM: Protecting Your Business

ArcSight ESM was designed to work in concert with security analysts, operators and managers as they strive to protect your business. The system includes a host of tools, features and functions to:
• Seamlessly collect information from any log source
• Intelligently correlate information to derive meaningful information from a sea of data
• Monitor relevance to organizational risk
• Drastically reduce response time, minimizing damage
• Efficiently store and retrieve information leveraging enterprise database capabilities
• Quickly investigate and determine root cause of security issues and breaches
• Flexibly and automatically derive role relevant reports for every security and compliance stakeholder in the enterprise
• Obtain a high-availability, scalable architecture for this mission critical application
• Efficiently manage and customize the system to maintain high performance

Key Components

At the heart of the system is the ArcSight Manager. This component drives ArcSight's analyses and workflow. The ArcSight Manager is portable across a wide variety of operating systems and hardware platforms, and intelligently correlates output from a wide variety of security and security-relevant systems.

ArcSight SmartAgents intelligently collect, pre-process and manage the transmission of event data to ensure high performance and complete information processing. Data is intelligently filtered and aggregated, allowing the agents to boil down millions of security events to the meaningful few that need to be investigated.

The ArcSight Console is designed specifically for security analysts, and provides the utmost in flexibility for intuitive administration, rich graphical views and in-depth investigation capabilities.

ArcSight Web brings role-relevant security situational awareness to every level in the organization. This secure web-based interface provides dashboard viewing, customized and configurable information views and investigation capability to securely deliver broad user access throughout the distributed enterprise.

ArcSight Database is the enterprise, relational database repository used to capture events and store all security management configuration information such as users, groups, permissions, rules, zones, assets, reports, displays and preferences.

Together, these components deliver the most complete and flexible enterprise security management solution on the market.

Figure: ArcSight ESM components and capabilities (Flexible Collection, Intelligent Processing, Efficient Storage, Archive and Retrieval, Intuitive Administration, Broad User Access; ArcSight Console™, ArcSight Manager™, SmartAgent, ArcSight Web™, Database, Agentless, FlexAgent). Caption: ArcSight ESM delivers flexible collection, intelligent processing, efficient storage with easy and intuitive access for security analysts, operators and management.

ArcSight Data Collection: Complete, Intelligent Collection for a Strong Security and Compliance Management Foundation

The ability to capture and normalize all relevant information is essential for a security management solution to deliver true value. ArcSight SmartAgents offer the most advanced collection capabilities available, as well as the broadest device support on the market to ensure all data is effectively collected. ArcSight SmartAgents currently provide out-of-the-box support for over 120 products, more than any other vendor.

You can also create agents unique to your environment with ArcSight FlexAgents. ArcSight's intuitive and proven FlexAgent kit allows for easily customized, high performance integration with non-traditional devices such as physical security systems and proprietary applications.

ArcSight's ability to collect and normalize 100% of event data ensures that rich, process-ready information is securely and efficiently captured and made available for real-time and historical analysis.

Key SmartAgent Features Include:
• Flexible agent placement delivers multiple deployment options
• Continuous connectivity and integrity checks combined with customizable caching capability ensure that all data is received by the ArcSight Manager and that chain of custody is preserved
• Configurable filtering and aggregation at the agent eliminate irrelevant data and combine duplicate device logs
• Strong data compression at the agent saves valuable bandwidth
• Customizable transmission options based on time-of-day, priority of event and available bandwidth
• Automatic population of vulnerability assessment data to asset profiles

ArcSight ESM: A Comprehensive Solution

"We run millions of security events per day through ArcSight and are automatically presented with the critical items that require attention. When responding to incidents, instead of the phone, Excel and email madness, we centrally track all progress using ArcSight ESM."
CIO of a major financial institution

ArcSight Correlation: Identifying and Prioritizing True Threats

ArcSight ESM delivers the most intelligent and flexible correlation capabilities available to fulfill use cases for security log data, including insider threat, perimeter threat and regulatory compliance. ArcSight correlation allows for accurate and automated prioritization and identification of true threats and compliance issues in a business relevant context. Leveraging intelligently collected data and ArcSight's multi-analytic functions, enterprises gain a long lifetime of value.

ArcSight Correlation Capabilities Include:
• Elimination of false positives through proven vulnerability to event correlation
• Automatic, accurate prioritization based on asset criticality, event severity and vulnerability status allow analysts to respond to the most pressing issues
• Extensible asset categorization provides the ability to associate correlation rules with organizational policy and risk management objectives
• Over 100 accurate and enterprise proven standard correlation rules provide immediate out-of-the box value
• Real-time, in-memory correlation ensures high-performance processing
• Intuitive authoring system allows users to leverage robust host of analytics for maximum flexibility
• Device independent correlation rules based on the ArcSight extensible categorization language

ArcSight ESM Solution Streamlines Security

Protecting security at the perimeter is critical to controlling access to the largely unprotected internal network. The protective measures that have been implemented to accomplish this important task emit millions of events. ArcSight ESM focuses its powerful analytic capability to eliminate false positives, validate and prioritize security threats and deliver additional context through providing a central point of information for all related security data.

With ArcSight, businesses have found:
• Greater rate of true threat identification
• Vastly increased communication and efficiency
• Response times reduced from hours to minutes
• The ability to address 10x threats with no additional headcount

ArcSight Monitoring: Immediate Situational Awareness for a Broad User Base

ArcSight ESM allows organizations to continuously maintain a state of situational awareness via real-time consolidated, risk-relevant views. Effective, efficient and graphically rich monitoring capabilities provide flexible displays to satisfy every role in the organization.

Whether the enterprise has a 24x7 security operations center, or leverages ArcSight ESM as an automated virtual SOC, the system's flexible access, automation and customization capabilities ensure that security status is continually evaluated and critical issues get the attention they require.

Key Monitoring Capabilities Include:
• Simultaneous access to real-time and historical views via the ArcSight Console or secure anytime, anywhere access via ArcSight Web
• Strong leverage of ArcSight standard content through automated business and technical filtering
• Customizable graphical dashboards with drill down capabilities deliver business, geographic and technical role based views
• Over 40 ready-to-use and customizable graphical dashboards leverage over 150 task specific data monitors
• Threat radar provides a single view of organizational security status based on validated attacks and business risk
• Event graphs draw a concrete and intuitive picture of organizational security
• Geographic and network map views allow users to maintain awareness of high risk areas
• Centralized asset and network modeling allows administrators to push a complete asset and network model to ArcSight SmartAgents

ArcSight ESM provides immediate situational awareness through dynamic reports and customizable dashboards.

ArcSight Investigation and Response: Dramatically Shrinking the Window of Vulnerability

When seconds mean the difference between a successful or thwarted attack, obtaining the data analysts require for decision support is critical. After an incident, the ability to quickly perform forensics allows the organization to prevent a similar attack from recurring.

ArcSight further shrinks the window of vulnerability through key capabilities in workflow, investigation and incident response, including:
• Native case management system provides improved auditability of case management and the ability to launch investigation tools directly from the case
• Available integration with third party trouble-ticketing systems
• Integrated knowledgebase to consolidate and extend organizational security practices and experience
• Real-time collaboration to quickly address the most pressing threats
• Risk relevant notification levels ensure the most critical threats are addressed
• Right click execution of investigation tools including Ping, TraceRoute and customizable scripts
• Simultaneous operation for both real-time monitoring and historical investigations
• Multiple focal levels available using the ArcSight filtering system
• Instant drill down into base events provides immediate context
• Full system search features immediately deliver information that is relevant to the task at hand
• CounterAct technology allows users to send commands to CounterAct supported third party devices, either automatically or on-demand
• Roll-up and individual user case resolution metrics allow organizations to demonstrate processes for compliance and analyze operational effectiveness
• Outbound integration with payload analysis tools provides users with one-click export of payload for fast analysis

ArcSight SmartStorage: Cost-Effective, Long-Term Security Storage

Retaining pertinent event data enables enterprises to identify long-term trends, investigate attack patterns and manage the increasing pressures created by legal and regulatory requirements. For all these reasons, today's companies must capture and store significantly larger volumes of security information. To reduce the high costs of both online and long-term storage while maintaining necessary access to the data, ArcSight offers ArcSight SmartStorage™, a compression and archiving solution that combines the inherent reliability and performance of enterprise databases with innovative archiving and retrieval management capabilities.

ArcSight SmartStorage drastically reduces storage requirements by automatically managing massive amounts of security data.

Figure: ArcSight SmartStorage tiers (Hot; Cold, 90% savings; Long Term, 100% savings)
Online Storage: Hot data is frequently accessed. Warm data is compressed, saving over 30% in each DB partition.
Near-Line Storage: Data is further compressed, saving more than 90% in DB space. Data easily retrieved via the ArcSight Console.
Long-Term Off-Line Storage/Archive: Compressed data stored offline, freeing up DB resources. Upon remounting, data is easily reactivated.

ArcSight Reporting: Effectively Communicate with Every Stakeholder

ArcSight ESM delivers automated comprehensive security and compliance reporting to effectively communicate both business and technical level security status and satisfy regulatory reporting requirements. ArcSight Reporting melds the richly collected and correlated information into comprehensive views that enable stakeholders to identify areas of risk, communicate the value and effectiveness of security operations, and easily answer key audit points for security log management, monitoring, systems activity review and incident response.

ArcSight Reporting Features Include:
• 350+ standard report templates immediately address reporting requirements
• Additional rule, report and dashboard templates to increase out-of-the box capabilities
• Easy-to-author business-level reports for compliance status, business risk and user profiling
• Automated report scheduling and distribution
• Intuitive and flexible report authoring system
• Multiple charts and views provide role-relevant information to every security stakeholder
• Business context reports apprise executives of security status across the enterprise
• Automated filtering of reports provides multiple focal levels to address enterprise reporting needs

ArcSight ESM Solution for Insider Threat

ArcSight ESM serves as a central point of truth for user activity. Through the collection of operating system, application, database and other logs, ArcSight can monitor for violations and behaviors that indicate suspicious activity or a breach to acceptable use policy.

ArcSight features an enhanced ability to detect malicious insiders and inappropriate system usage through new data models and analytic functionality such as Operational Time Analysis. This feature allows organizations to define normal times of use for activity for applications and systems based on business roles. ArcSight leverages this operational time profile to automatically pinpoint suspicious behavior based on activity levels, the business role of the application and the time of day of the activity relative to normal operations.

ArcSight ESM allows you to:
• Integrate application usage to trend employee interaction with sensitive data and immediately alert the security team to anomalies
• Track system changes and portable storage device plug-ins within ArcSight
• Identify and profile at-risk employee behavior
• Create an audit trail for privilege changes on their critical servers

ArcSight ESM delivers automated comprehensive security and compliance reporting to effectively communicate with both business and technical levels.

ArcSight Management and Administration: Self-Monitoring for 24x7 Operations

Enterprise security teams have more important things to worry about than the state of their security information management solution. Self-monitoring and self-tuning capabilities help ensure seamless, high performance, 24x7 operations of ArcSight ESM and lighten the SIM management burden with:
• Strong self-monitoring and troubleshooting capabilities, system level alerts, dashboards and performance reporting
• Centralized SmartAgent management and configuration
• Intuitive, easy to use authoring system for rules, reports and dashboards
• Granular access controls to distribute information on a need-to-know basis
• The ability to create and assign role-based views

Seamless Support for the ArcSight Discovery Family of Analytics

ArcSight Discovery is a family of optional, add-on solutions that further enhances the capabilities of ArcSight ESM. ArcSight Discovery provides businesses with a means of discovering unknown threats and delivering that intelligence directly back into the ArcSight ESM system for continuous monitoring. The Discovery family includes:

ArcSight™ Interactive Discovery
A powerful visual analytics application that accelerates discovery of hard to find, suspicious events and presents compelling visual summaries.

ArcSight™ Pattern Discovery
Advanced statistical algorithms are used to mine behaviors from billions of data points, allowing users to find emerging worms, root-kits and other malicious code and automatically author rules for future detection in real time.

ArcSight Architecture: Scaling to the Largest, Most Security-Conscious Networks in the World

More than ever, ArcSight ESM is the nerve center for 24x7 enterprise-wide security operations. The system is designed for high performance and scalability and has been battle tested in the most demanding customer environments.

ArcSight ESM not only scales in monolithic deployments, but also in hierarchical and peer-to-peer deployments. As a result, you can deploy the technology in the way that best suits your security organization, whether you operate one security operations center (SOC) or you have numerous SOCs spread across multiple geographical locations that must constantly share information with each other. ArcSight ESM also offers high availability features to ensure seamless continuous operation. The system's multi-threaded architecture is optimized for highly efficient performance.

ArcSight ESM automatically collects and transforms a sea of random security data into prioritized, meaningful security and compliance information.

About ArcSight

ArcSight, the recognized leader in Enterprise Security Management (ESM), provides real-time threat management and compliance reporting yielding actionable insights into your security data. By comprehensively collecting, analyzing and managing security data, ArcSight ESM™ enables enterprises, government organizations and managed security service providers to centrally manage information risk more efficiently. ArcSight's customer base includes leading worldwide companies across all verticals, and more than 20 of the top 30 U.S. federal agencies.

For More Information

To find out how ArcSight can help you with your enterprise security management needs, contact ArcSight at info@, call 408 864 2600 or visit us online at .

© 2005 ArcSight, Inc. All rights reserved. ArcSight, ArcSight ESM and ArcSight Pattern Discovery are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners. 10/05

Supported Platforms and Browsers

ArcSight provides the broadest array of supported platforms to ensure that enterprises can adhere to their corporate standards and easily manage the ArcSight ESM solution.