ArcSight FlexConnector Configuration

ArcSight FlexConnector ConfigurationASFCCMFOpenTextMF-ASFCC7.6<p>On completion of this course, participants should be able to:</p> <ul> <li>Install ArcSight Connector software, configure a functional FlexConnector, and test with an ESM Active Channel</li><li>Use the FlexConnector Wizard to create fixed delimited configuration files</li><li>Use the Regex Tester tool to create common and sub-message parsing and token-to-event mapping</li><li>Create a tailored Categorization file for a parent FlexConnector and test its function in an active channel</li><li>Navigate the connector configuration file hierarchy to locate, display and edit</li></ul><p>To be successful in this course, you should have the following prerequisites or knowledge:</p> <ul> <li>Successful completion of ArcSight ESM Admin and Analyst course</li><li>Successful completion of ArcSight ESM Advanced Administrator course</li><li>Working knowledge of Regular Expressions</li></ul><p>Security administrators, content authors/architects, and IT integrators, who build and install custom connectors to provide critical event data feeds to ArcSight ESM or Logger, Senior analysts for networks, security systems, enterprise applications and databases</p><h5>Module 1: Introduction to FlexConnector</h5><ul> <li>Define SmartConnectors and their functions</li><li>Follow device deployment and the event flow processing</li><li>Describe FlexConnectors types</li><li>Install a Connector</li></ul><h5>Module 2: Using ArcSight Schema</h5><ul> <li>Gather event requirements prior to developing your FlexConnector</li><li>Normalize and map events</li><li>Differentiate special cases</li><li>List the different schema groups</li></ul><h5>Module 3: Basic Configuration File and Categorization</h5><ul> <li>Locate FlexConnector files</li><li>Define the configuration procedure</li><li>Apply the four steps to create a FlexConnector configuration file <ul> <li>Parser configuration</li><li>Token declaration</li><li>Event mapping</li><li>Severity mapping</li></ul></li><li>Use the FlexConnector wizard to install a configuration file</li><li>Utilize Categorization to profile an event <ul> <li>Six criteria are used: Object, Behavior, Outcome, Technique, Device Group, and Significance</li></ul></li></ul><h5>Module 4: Regex FlexConnectors</h5><ul> <li>Install the Regex File Reader FlexConnector</li><li>Create common Regex</li><li>Define SubMessages</li><li>Use the Regex Tester Introduction into the concept of Teams</li></ul><h5>Module 5: Installing ESM Syslog Connectors with Custom Parsers</h5><ul> <li>Identify the syslog Connectors</li><li>Describe the syslog FlexConnector components</li><li>Create the syslog FlexConnector configuration file</li></ul><h5>Module 6: JSON Folder Follower Connector</h5><ul> <li>Identify the properties of basic JSON objects</li><li>Define Token and Mappings declarations for a JSON Folder Follower FlexConnector</li><li>Perform installation and testing of a JSON Folder Follower FlexConnector in console mode</li></ul><h5>Module 7: Advanced Topics</h5><ul> <li>Describe the purposes of multi-line Regex configuration parameters: <ul> <li>Concatenate lines belonging to a single event</li><li>Identify the start and/or end of each event</li></ul></li><li>Describe parser linking when two or more FlexConnector types may be needed to parse the same data</li><li>Define and create conditional mapping configurations</li><li>Illustrate the LogFu tool which reads and parses ArcSight logs and generates interactive visual presentations of them</li></ul>On completion of this course, participants should be able to: - Install ArcSight Connector software, configure a functional FlexConnector, and test with an ESM Active Channel - Use the FlexConnector Wizard to create fixed delimited configuration files - Use the Regex Tester tool to create common and sub-message parsing and token-to-event mapping - Create a tailored Categorization file for a parent FlexConnector and test its function in an active channel - Navigate the connector configuration file hierarchy to locate, display and editTo be successful in this course, you should have the following prerequisites or knowledge: - Successful completion of ArcSight ESM Admin and Analyst course - Successful completion of ArcSight ESM Advanced Administrator course - Working knowledge of Regular ExpressionsSecurity administrators, content authors/architects, and IT integrators, who build and install custom connectors to provide critical event data feeds to ArcSight ESM or Logger, Senior analysts for networks, security systems, enterprise applications and databasesModule 1: Introduction to FlexConnector - Define SmartConnectors and their functions - Follow device deployment and the event flow processing - Describe FlexConnectors types - Install a Connector Module 2: Using ArcSight Schema - Gather event requirements prior to developing your FlexConnector - Normalize and map events - Differentiate special cases - List the different schema groups Module 3: Basic Configuration File and Categorization - Locate FlexConnector files - Define the configuration procedure - Apply the four steps to create a FlexConnector configuration file - Parser configuration - Token declaration - Event mapping - Severity mapping - Use the FlexConnector wizard to install a configuration file - Utilize Categorization to profile an event - Six criteria are used: Object, Behavior, Outcome, Technique, Device Group, and Significance Module 4: Regex FlexConnectors - Install the Regex File Reader FlexConnector - Create common Regex - Define SubMessages - Use the Regex Tester Introduction into the concept of Teams Module 5: Installing ESM Syslog Connectors with Custom Parsers - Identify the syslog Connectors - Describe the syslog FlexConnector components - Create the syslog FlexConnector configuration file Module 6: JSON Folder Follower Connector - Identify the properties of basic JSON objects - Define Token and Mappings declarations for a JSON Folder Follower FlexConnector - Perform installation and testing of a JSON Folder Follower FlexConnector in console mode Module 7: Advanced Topics - Describe the purposes of multi-line Regex configuration parameters: - Concatenate lines belonging to a single event - Identify the start and/or end of each event - Describe parser linking when two or more FlexConnector types may be needed to parse the same data - Define and create conditional mapping configurations - Illustrate the LogFu tool which reads and parses ArcSight logs and generates interactive visual presentations of them3 days2400.00