ArcSight FlexConnector Configuration V(ILT)

ArcSight FlexConnector Configuration provides you with an overview of the ArcSight SmartConnectors components and explains the ArcSight ESM Schema. It teaches you how to construct and manipulate FlexConnector configuration and property files and use various parsing methods including fixed delimited, regular expressions, syslog, and JSON. Examples from standard connectors are used to illustrate device-specific methodologies. Advanced configuration options such as multi-line Regex, parser linking and conditional mapping are also covered. Software version used in labs: ESM 7.3, FlexConnector 8.008408.

Obsah školení

Introduction to FlexConnector

 Define SmartConnectors and their functions
 Follow device deployment and the event flow processing
 Describe FlexConnectors types
 Install a Connector

Using the ArcSight Schema

 Gather event requirements prior to developing your FlexConnector
 Normalize and map events
 Differentiate special cases
 List the different schema groups

Basic Configuration File and Categorization

 Locate FlexConnector files
 Define the configuration procedure
 Apply the four steps to create a FlexConnector configuration file
o Parser configuration
o Token declaration
o Event mapping
o Severity mapping
 Use the FlexConnector wizard to install a configuration file
 Utilize Categorization to profile an event
o Six criteria are used: Object, Behavior, Outcome,Technique, Device Group, and Significance

Regex FlexConnectors

 Install the Regex File Reader FlexConnector
 Create common Regex
 Define SubMessages
 Use the Regex Tester

Installing ESM Syslog Connectors with Custom Parsers

 Identify the syslog Connectors
 Describe the syslog FlexConnector components
 Create the syslog FlexConnector configuration file

JSON Folder Follower Connector

 Identify the properties of basic JSON objects
 Define Token and Mappings declarations for a JSON Folder
Follower FlexConnector
 Perform installation and testing of a JSON Folder Follower FlexConnector in console mode

Advanced Topics

 Describe the purposes of multi-line Regex configuration parameters:
o Concatenate lines belonging to a single event
o Identify the start and/or end of each event
 Describe parser linking when two or more FlexConnector
types may be needed to parse the same data
 Define and create conditional mapping configurations
 Illustrate the LogFu tool which reads and parses ArcSight logs and generates interactive visual presentations of them