ArcSight Smart Connectors
Student Guide
Use of this material to deliver training without prior written permission from Micro Focus is prohibited.
SmartConnectors
Objectives
Upon successful completion of the module you will be able to recognize that:
- ArcSight Connectors normalize and forward collected events from many different types of devices to the ArcSight Manager over TCP port 8443
- Performance impact of the ArcSight Connector depends on the type of ArcSight Connector
- Usually multiple Connectors are installed on a single server
- ArcSight Connectors need not have the same release version as the ArcSight Manager
- A SmartConnector can have one Failover Destination
- Multiple Connectors can be installed on a single server or be installed and managed by the ArcSight Management Center or Connector Appliance
- Upgrade can be managed remotely or from the local ESM Console using a Connector .aup file
Micro Focus Education 4-1 ESM200-70
© Copyright 2019 Micro Focus
Module 4 - SmartConnectors
What is a connector?
▪ Interface to objects on the network
▪ Generate event data
▪ Normalize data
▪ SmartConnectors can also
- Execute commands, such as telling a scanner to run a scan
- Look up IP addresses and host names
What is normalization?
▪ Parse data to pull out values from events
▪ Populate fields in schema
Date       Time      Event_Name                    Src_IP     Src_Port  Tgt_IP     Tgt_Port  Device_Type
22-Nov-17  12:10:29  Accept                        192.0.2.0  1355      192.0.2.1  80        CheckPoint
22-Nov-17  12:10:27  List 102 permitted tcp        192.0.2.0  1355      192.0.2.1  80        Cisco Router
22-Nov-17  12:10:29  WEB-IIS ISAPI printer access  192.0.2.0  1355      192.0.2.1  80        Snort
What is the network model?
▪ How many phone numbers do you know from memory?
▪ You add a contact name when entering a phone number; the network model does the same for addresses
▪ The network model represents nodes as:
- Assets: individual nodes, such as servers, routers, and laptops
- Asset Ranges: contiguous block of IP addresses/nodes
- Zones: contiguous block of addresses
- Networks: a way to differentiate private address spaces
- Customers: represent cost centers or separate BUs
SmartConnector functions
▪ Collect data from source device
▪ Filter out data not needed
▪ Parse individual events
▪ Normalize into common schema
▪ Aggregate events
▪ Categorize events
▪ Pass events to ESM Manager after processing
▪ Can issue commands to devices
300+ SmartConnectors Overview
[Diagram: CounterAct, Asset Import, Vulnerability, Firewall Events, Syslog and Database SmartConnectors at the San Francisco, New York and London sites forward events to the ArcSight ESM Manager & CORR-Engine; an ESM Console at each site]
SmartConnector Functions
1. Collects
- Active - polling
- Passive - listener
2. Normalizes – parses and maps raw events into the Common Event Format (CEF)
- Zone Tagging – adds a Zone Name for each IP address
- Categorization – adds Category field values, based on the Device Event Class ID
- Translates device time zones to GMT
- Maps Device Severity to Agent Severity for the Threat Priority Calculation
- Customer (optional) – added for each record
- Other Options – Filter, Aggregate, Turbo Mode, DSM
3. Forwards or Caches/Forwards – 70 / 30 Cache Flush
- Cache – used when events cannot be sent to a destination – one cache per destination
- Multiple Destinations – two or more in parallel
- Failover Destination – one only
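As an added example (not from the course material), the following Python models what the normalization step does with the three raw events in the table above: one parser per device type populates the same schema fields, tags source and target zones from an assumed network model, translates the device's local time to GMT, maps the event to an assumed agent severity, and renders the result as a CEF line. The raw log lines, zones, device time zone and severity map are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed raw lines in the style of the three devices on the slide (not real captures).
RAW_EVENTS = [
    ("CheckPoint", "22-Nov-17 12:10:29 accept src 192.0.2.0 s_port 1355 dst 192.0.2.1 service 80"),
    ("Cisco Router", "22-Nov-17 12:10:27 list 102 permitted tcp 192.0.2.0(1355) -> 192.0.2.1(80)"),
    ("Snort", "22-Nov-17 12:10:29 [1:971:8] WEB-IIS ISAPI printer access 192.0.2.0:1355 -> 192.0.2.1:80"),
]
# One regex per device type: different raw layouts, the same named groups (the schema fields).
PARSERS = {
    "CheckPoint": re.compile(r"^(?P<ts>\S+ \S+) (?P<name>\w+) src (?P<src>[\d.]+) s_port (?P<spt>\d+)"
                             r" dst (?P<dst>[\d.]+) service (?P<dpt>\d+)$"),
    "Cisco Router": re.compile(r"^(?P<ts>\S+ \S+) (?P<name>list \d+ \w+ \w+) (?P<src>[\d.]+)\((?P<spt>\d+)\)"
                               r" -> (?P<dst>[\d.]+)\((?P<dpt>\d+)\)$"),
    "Snort": re.compile(r"^(?P<ts>\S+ \S+) \[[\d:]+\] (?P<name>.+?) (?P<src>[\d.]+):(?P<spt>\d+)"
                        r" -> (?P<dst>[\d.]+):(?P<dpt>\d+)$"),
}
# Assumed network model (zone tagging), device-to-agent severity map, and device time zone.
ZONES = [(ip_network("192.0.2.0/25"), "DMZ"), (ip_network("192.0.2.128/25"), "Web Servers")]
AGENT_SEVERITY = {"accept": 3, "permitted": 3, "access": 7}  # keyed on a word of the event name
DEVICE_TZ = timezone(timedelta(hours=-8))                     # devices stamp events in local time

def zone_for(ip):
    return next((name for net, name in ZONES if ip_address(ip) in net), "Unknown")

def normalize(device, raw):
    """Parse one raw line into the common schema; return None when the line does not parse."""
    m = PARSERS[device].match(raw)
    if not m:
        return None
    f = m.groupdict()
    local = datetime.strptime(f["ts"], "%d-%b-%y %H:%M:%S").replace(tzinfo=DEVICE_TZ)
    return {
        "device_type": device, "event_name": f["name"],
        "src_ip": f["src"], "src_port": int(f["spt"]), "tgt_ip": f["dst"], "tgt_port": int(f["dpt"]),
        "src_zone": zone_for(f["src"]), "tgt_zone": zone_for(f["dst"]),
        "time_gmt": local.astimezone(timezone.utc).isoformat(),  # device local time translated to GMT
        "agent_severity": next((s for w, s in AGENT_SEVERITY.items() if w in f["name"].split()), 5),
    }

def to_cef(e):
    """Render a normalized event as one CEF line (escape | in the header, = in the extension)."""
    esc = lambda s, ch: str(s).replace("\\", "\\\\").replace(ch, "\\" + ch)
    header = (e["device_type"], e["device_type"], "1.0", e["event_name"], e["event_name"], e["agent_severity"])
    ext = {"src": e["src_ip"], "spt": e["src_port"], "dst": e["tgt_ip"], "dpt": e["tgt_port"],
           "cs1Label": "srcZone", "cs1": e["src_zone"], "cs2Label": "dstZone", "cs2": e["tgt_zone"]}
    return "CEF:0|" + "|".join(esc(h, "|") for h in header) + "|" + " ".join(f"{k}={esc(v, '=')}" for k, v in ext.items())
```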
SmartConnectors by Task
▪ Event Log Connectors
- Retrieve security log events from devices and applications
- (Cisco Pix, Checkpoint NG (OPSEC), Cisco IDS, McAfee EPO…)
▪ Scanner Connectors
- Vulnerability data - Scanner devices
- (Nessus, foundscan, NCircle, Internet Scanner)
- Assets Import – SmartConnector and FlexConnector
- Identity Import – Identity View
- (Microsoft Active Directory …)
▪ CounterACT Connectors
- Execute commands on the device to retrieve, modify or analyze its configuration
- (Cisco Pix Shell, Checkpoint NG(SAM), Solsoft, NCM, NRM)
SmartConnector Data Sources
▪ Log Files or Folders of Log Files (Folder Follower)
- Fixed Delimited
- REGEX
▪ Database Reader (ODBC, JDBC)
- Time Based
- ID Based
- Multi-Database
▪ Syslog – listener (port) or flat file concentrator
▪ SNMP (Simple Network Management Protocol) – listener “Trap” events
▪ XML (Extensible Markup Language) – Folder Log File Reader
▪ API (Application Programming Interface) – device or application-specific API used to pull events
SmartConnector - Configuration Options
▪ *Default configuration fields
- Aggregation
- Filtering
- Batching
- Processing
- Time Correction
- Caching
- Device Time Auto-correction
- Setting Special Severity Levels
- Alternate Configurations
- Time Checking
- Networking
- Payload Sampling (when available)
- Device Status Monitoring
▪ *Turbo mode - accelerates the transfer of sensor information through SmartConnectors by choosing:
1. Fastest - recommended for simpler devices like firewalls
2. Faster - Manager default
3. Complete - SmartConnector default
*These will be detailed in a following module.
SmartConnectors – Active Collection (Polling)
Connectors can also pull events from the security devices using protocols like RDEP, JDBC/ODBC, OPSEC, eStreamer…
[Diagram: Third Party Device (IDS, Firewall, Router, OS, Antivirus, etc.) -> SmartConnector (events are normalized) -> ArcSight Manager (events are sent to the Destination)]
SmartConnectors – Passive Collection (Listener)
The Connector receives events from the third party device.
[Diagram: Third Party Device (IDS, Firewall, Router, OS, Antivirus, etc.) -> SmartConnector (events are normalized) -> ArcSight Manager (events are sent to the Destination)]
SmartConnector Cache Scenarios (1 and 2)
Activated for any of the following conditions:
1. Destination cannot be reached
[Diagram: Third Party Device -> SmartConnector (Cache) -> ArcSight Manager]
2. Burst of events that the destination must throttle
[Diagram: Third Party Device -> SmartConnector (Cache: events that must be throttled) -> ArcSight Manager]
SmartConnector Cache Scenarios (3 and 4)
3. Transport configured to cache – paused or scheduled delivery, or bandwidth limits
4. Manager cannot process events – spike to Manager or DB
[Diagram: Third Party Device -> SmartConnector (Cache) -> ArcSight Manager]
Cache Concepts:
– All events in cache - already filtered and/or aggregated
– One Cache per transport destination
– Cache Flush - 70% live events and 30% cached events
– Cache Overflow – maximum exceeded
– First In First Out (FIFO) - drops 20MB of events at a time
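An added example, not part of the course material, modelling the cache rules just listed (one cache per destination, 70/30 flush of live versus cached events, FIFO overflow dropping 20 MB at a time) with an assumed event size and an assumed per-cycle destination capacity, so the scenarios can be traced on sample event ids.

```python
from collections import deque
MB = 1024 * 1024

class DestinationCache:
    """Per-destination cache following the slide's rules; event sizes are assumed, in bytes."""
    DROP_CHUNK = 20 * MB   # on overflow, drop 20 MB of the oldest events at a time (FIFO)

    def __init__(self, max_bytes):
        self.max_bytes, self.bytes, self.dropped = max_bytes, 0, 0
        self.queue = deque()   # (event_id, size), oldest first

    def push(self, event_id, size):
        self.queue.append((event_id, size))
        self.bytes += size
        if self.bytes > self.max_bytes:          # maximum exceeded: FIFO drop of one chunk
            freed = 0
            while self.queue and freed < self.DROP_CHUNK:
                freed += self.queue.popleft()[1]
                self.dropped += 1
            self.bytes -= freed

    def pop(self):
        event_id, size = self.queue.popleft()
        self.bytes -= size
        return event_id

class Connector:
    def __init__(self, destinations, max_cache_bytes):
        self.caches = {d: DestinationCache(max_cache_bytes) for d in destinations}  # one cache per destination
        self.sent = {d: [] for d in destinations}

    def send_cycle(self, live_events, reachable, event_size, capacity):
        """One delivery cycle. 'capacity' is the number of events a destination accepts this
        cycle (throttling). Unreachable: everything is cached. Reachable with a backlog: the
        slots are split 70% live / 30% cached; live events beyond the budget are cached."""
        for dest, cache in self.caches.items():
            live = deque(live_events)
            if not reachable[dest]:
                for event_id in live:
                    cache.push(event_id, event_size)
                continue
            cached_slots = round(capacity * 0.3) if cache.queue else 0
            live_slots = capacity - cached_slots
            for _ in range(min(live_slots, len(live))):
                self.sent[dest].append(live.popleft())
            for _ in range(min(cached_slots, len(cache.queue))):
                self.sent[dest].append(cache.pop())
            for event_id in live:                 # burst beyond capacity must be throttled
                cache.push(event_id, event_size)
```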
Estimating Storage Requirements
▪ Many factors dictate your storage requirements for SmartConnectors
▪ When deploying Connectors throughout your organization, consider the following, or contact HP ArcSight Support:
- How many events are generated during an average day
- Aggregation applied
- Filters applied
- Turbo Mode of the SmartConnectors
SmartConnector Platforms
SmartConnectors – Installation Archive Files
Platform              File
Linux                 ArcSight-w.x.y.nnnn.z-Connector-Linux.bin
                      ArcSight-w.x.y.nnnn.z-Connector-Linux64.bin
Microsoft Windows     ArcSight-w.x.y.nnnn.z-Connector-Win.exe
                      ArcSight-w.x.y.nnnn.z-Connector-Win64.exe
Solaris               ArcSight-w.x.y.nnnn.z-Connector-Solaris.bin
                      ArcSight-w.x.y.nnnn.z-Connector-SolarisIA.bin
AIX                   ArcSight-w.x.y.nnnn.z-Connector-AIX.bin
ArcSight Update Pack  ArcSight-w.x.y.nnnn.z-Connectors.aup
                      ArcSight-w.x.y.nnnn.z-opensource.tgz
Configuration Guides  SmartConnectorConfigGuides-w.x.y.nnnn.zip
Release Notes         SmartConnectorReleaseNotes-w.x.y.nnnn.pdf
SmartConnector Installation Check List
❑ Type of SSL certificate
❑ Manager Host Name/IP Address/Port used
❑ ArcSight Username/Password of a user able to install Connectors
❑ Required parameters
❑ Connector to install
❑ Connector Name – as it appears in the Console
❑ Connector Location – group folder in the Console
❑ Device Location and Comment – not required, but a Best Practice
❑ Run Connector as a service or not (testing)
SmartConnector Installation - GUI mode
▪ Run the self-extracting binary – extraction and configuration run as one continuous set of panels
- Microsoft Windows
- ArcSight-w.x.y.nnnn.z-Connector-Win.exe
- Unix/Linux with X11
- ./ArcSight-w.x.y.nnnn.z-Connector-Linux.bin
SmartConnector Installation - Command Line/Console Mode
▪ CLI Console mode - two step process
1. Extraction – run the self-extracting binary
- ./ArcSight-w.x.y.nnnn.z-Connector-Linux.bin
- ArcSight-w.x.y.nnnn.z-Connector-Win.exe -i console (forces CLI)
2. Configuration - run runagentsetup from <ARCSIGHT_HOME>/bin
- ./runagentsetup.sh
- runagentsetup.bat
SmartConnector Installation - Silent Mode
For deploying a large number of identical Connectors
▪ 1st install
- Run – extraction only – CLI or GUI mode
- ArcSight-w.x.y.nnnn.z-Connector-Win.exe
- ./ArcSight-w.x.y.nnnn.z-Connector-Linux.bin
- Run – configuration setup from …/bin, recording a properties file
- runagentsetup -i recorderui
▪ Subsequent multiple installs –
- Run with the edited recorded properties file
- runagentsetup -i silent -f <recorded/edited properties file>
SmartConnector – ArcSight Command Scripts
Function                     Command
                             ./arcsight connectorsetup
Manual Startup               ./arcsight connectors
Status                       ./arcsight connectorup
Install as Windows Service   ./arcsight connectorsvc -i
Modify any parameters        ./runagentsetup
Analyze Logs                 ./arcsight agent logfu -a
SSL Certificates             ./arcsight agent tempca -i
Edit SSL Trust Store         ./arcsight agent keytool | keytoolgui
Upgrading SmartConnectors - Overview
▪ Connector upgrade file
- ArcSight-w.x.y.nnnn.z-Connectors.aup
▪ Connector Appliance/ArcSight Management Center AUP Repository
- Maintains a number of connector AUP files
- Supports multiple version upgrade/rollback capability
▪ ESM Console
- Uses secure connections
- Launch, manage and review the status of upgrades
- Copy the .aup file to /opt/arcsight/manager/updates
- Remotely Update - to a newer version
- Remotely Rollback – to the previous version
Upgrade and Rollback Processes
▪ Administrative permission required
▪ Individually select and launch upgrade
▪ Upgrade, restart, and send results
- If successful, the SmartConnector starts and reports successful status
- If failed, the original SmartConnector restarts with the last known good configuration and reports failed status
Module Summary
In this module, you learned that:
- ArcSight Connectors normalize and forward collected events from many different types of devices to the ArcSight Manager over TCP port 8443
- Performance impact of the ArcSight Connector depends on the type of ArcSight Connector
- Usually multiple Connectors are installed on a single server
- ArcSight Connectors need not have the same release version as the ArcSight Manager
- A SmartConnector can have one Failover Destination
- Multiple Connectors can be installed on a single server or be installed and managed by the ArcSight Management Center or Connector Appliance
- Upgrade can be managed remotely or from the local ESM Console using a Connector .aup file
Learning Check
1. To invoke the ArcSight SmartConnector Configuration Wizard, run which command from the Connector directory:
a. arcsight wizardsetup -w
b. arcsight setup -i
c. arcsight connector -w
d. arcsight connectorsetup -w
2. True or False. Upgrading Connectors can be accomplished through the ESM Console.
3. True or False. Connectors can be configured to have multiple destinations.
4. True or False. Connectors can have only a single Failover Destination.
5. True or False. If there is not a vendor-specific SmartConnector available, the device cannot be connected to ArcSight ESM.
Learning Check
6. ______ files provide a way to collect a set of files together and update ArcSight resources as well as distribute parsers to SmartConnectors.
a. .zip
b. .aup
c. .lic
d. .bin
7. True or False. The AUP Master Destination flag should be set to “true” for only one ESM destination at a time.
Learning Check
8. Match the Connector Function to the command:
1. Manual Startup
2. Status
3. Install as Windows Service
4. Modify any parameters
5. Analyze Logs
6. SSL Certificates
7. Edit SSL Trust Store
a. ./arcsight agent keytool | keytoolgui
b. ./arcsight agent logfu -a
c. ./arcsight connectors
d. ./arcsight connectorup
e. ./arcsight agent tempca -i
f. ./runagentsetup
g. ./arcsight connectorsvc -i
Appendix A – Lab Guide Questions and Answers
Module 5 Learning Check -5
9. When deploying Connectors throughout your organization, consider the following (select all that apply):
a. Daily generated Events
b. Applied configuration options
c. Turbo Mode setting
d. Amount of connector cache available
10. True or False. Deploying ArcSight Management Center in an ESM environment centralizes SmartConnector upgrade, log management, and other component configuration tasks.