Prepared by:
Moutaz Abdelgawad
Security Solutions Architect - MEA
ArcSight Demo Environment Deployment
Author Contact
Moutaz Abdelgawad
Security Solutions Architect - MEA
moutaz.abdel-gawad@microfocus.com
Revision history:
1.0 January 17th, 2021 Moutaz Abdelgawad Initial Version
1.1 January 17th, 2021 Moutaz Abdelgawad Correction in SOAR allowed IP
Table of Contents
1 Introduction (page 4)
2 Solution Requirements (page 5)
2.1 Software Download (page 5)
2.1.1 Partner (page 5)
2.1.2 Customer (page 7)
2.2 License Download (page 11)
2.3 Hardware Requirements (page 11)
2.4 Other Requirements (page 12)
3 ArcSight ESM (Detect) (page 14)
3.1 Linux Installation (page 14)
3.2 ArcSight ESM Installation (page 23)
3.3 ArcSight ESM Console Installation (page 39)
4 ArcSight Platform (Single Node) (page 47)
4.1 Linux Installation (page 47)
4.2 ArcSight Platform Preparations (page 48)
4.3 ArcSight Platform Installation (page 52)
4.4 ArcSight Intelligence Configuration (page 70)
4.5 ArcSight Fusion (page 71)
4.6 ArcSight Transformation Hub (page 80)
4.7 Send Test Events to ArcSight (page 83)
4.8 Send Test Events to ArcSight Intelligence (page 87)
4.9 ArcSight SOAR (page 93)
5 Troubleshooting (page 125)
5.1 Chrony is not Synchronized (page 125)
5.2 POD-CIDR network overlap (page 125)
5.3 Error Bad Message 431 (page 126)
5.4 Troubleshooting Commands (page 126)
6 APPENDIX (page 128)
1 Introduction
This document gives full step-by-step details for deploying an ArcSight demo environment. It can be used for practicing ArcSight installation and configuration, and also to deploy an ArcSight environment for POC purposes.
The document will be updated over time to include further information and sections in upcoming versions.
2 Solution Requirements
2.1 Software Download
Whether you are a partner or a customer who needs to deploy the ArcSight demo environment, the first preparation step is to download the software binaries needed for the installation.
2.1.1 Partner
- Only authorized partners have access to the Eval/Demo portal. If you do not have access to the partner portal, contact your MicroFocus Channel manager, who can provide this access, or send an email to software.partner@microfocus.com
- Authorized partners will have access and will only see licenses which they are contractually permitted to download
- Select the link Evaluation & Demo License Download Portal to be transferred to the portal
- Select the required software to download from the following three ArcSight software groups; make sure to download the latest version in the list for any software you need
a) Data Platform
- Security ArcSight SmartConnectors Parser (Includes connector parser updates)
- Security ArcSight SmartConnectors Framework (Includes connector framework software)
- Security ArcSight Logger Software (Includes ArcSight Logger software)
- Security ArcSight Data Platform Software (Includes ArcSight Logger – Transformation Hub – ArcSight platform installer metadata – CDF)
b) Security Analytics
- Micro Focus Security ArcSight User Behavior Analytics Software (Includes ArcSight Intelligence,
formerly ArcSight Interset)
- ArcSight Recon Standard Edition (Includes ArcSight Recon)
c) SIEM
- Security ArcSight Enterprise Security Manager Software (Includes ArcSight ESM – Fusion – Layered analytics – SOAR)
- Security ArcSight Reputation Security Monitor Plus Connector and Content
- Enter quantity required for any desired software
- Provide partner information
- Read and accept software license terms
- Click Next button
2.1.2 Customer
The customer will receive the electronic license by email from MicroFocus, sent directly to the customer contact placed on the order. The license and software can be activated and downloaded using the link in the email (Access your software), similar to the print screen below.
The customer will be required to register using their work email on the MicroFocus portal
https://entitlement.microfocus.com/
After logging in to the portal, the customer can request access to the entitlement number or order number received, under Manage Access
Then, search using the entitlement number/SAID number or order number received with the order information
After gaining access to the order or entitlement, you can search for it as follows
Then, to manage the entitlement and activate the software needed, go to Manage Entitlements
Then select the software that needs to be activated, with the quantity needed, using Activate, and then download the software that has been activated
Specify the host on which you will activate the license and the software version needed
To know the different ArcSight software packages and where each is located among the available products, see the previous partner section
environments as a correlation engine
Component | CPU | RAM | Disk | OS | Notes
ArcSight Logger | 8 Cores | 16 G | 300 G | RHEL/CentOS 7.8 – 8.1 | Not mandatory - needed only if there are specific requirements for event retention and log management
ArcMC | 4 Cores | 8 G | 250 G | RHEL/CentOS 7.8 – 8.1 | Not mandatory – needed only if there are requirements to monitor connector operation and event collection
ArcSight Platform (ArcSight Fusion – ArcSight SOAR – ArcSight THub – ArcSight Intelligence – ArcSight Recon – CDF Master – ArcSight DB) | 16 Cores (the more the better for performance) | 128 G (the more the better for performance) | 750 G | RHEL/CentOS 7.8 | Recommended to show the features of the unified interface – SOAR – UEBA
The partitions will be created; however, we need to change the sizes and add new partitions
Define the storage space for each partition as follows (/home 15G - /var 20G - /boot 512M – swap 8G - / to have the remaining space)
Accept changes
In network configuration, with type Manual, configure the IP address – Gateway – DNS - Hostname
Disable KDUMP – Set Time/Date/Time zone – Software selection (Server with GUI)
Configure a new user (eg. arcsight), mark it as administrator, require password, set the password
Make sure the server is reachable and accessible. Now the server is ready for the ArcSight ESM installation
You can confirm the installed packages using the following commands; the versions do not make a difference
Disable the firewall service, or configure it based on need; revise the documentation if you need to open only the required ports on the ArcSight ESM server
# systemctl stop firewalld
# systemctl disable firewalld
Copy the ArcSight installer file (ArcSightESMSuite-7.x.x.tar) to the ESM server; as an example you can copy it to the /tmp directory
Untar the install file: # tar xvf ArcSightESMSuite-7.4.0.2463.0.tar
Under the Tools directory (one of the decompressed files) run the command: # /tmp/Tools/prepare_system.sh
After the machine reboots, check that the output of the following command is the same as shown: # ulimit -a
After the installation finishes, launch the First Boot setup by running the command:
# /opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft
Note that this command runs as a GUI installation, as in the steps below; alternatively, it can be run in console command-line mode by adding (-i console) to the command
Set the error notification email address and the address from which these error emails will be sent
Set the ESM hostname, and the admin username and password that will be used for ESM login
Set the GEID to any number, for example 1; this needs to be unique across the ArcSight components setup, as it is used to generate unique global event IDs across the whole ArcSight setup
For now we can ignore the THub integration and configure it later if needed
The Recon integration can also be ignored now and configured later when Recon is up
Select Security Threat Monitoring & Threat Intelligence Platform; these packages include many out-of-the-box use cases and include MITRE ATT&CK framework content
Now ArcSight ESM should be installed; configure the ArcSight services with the command:
# /opt/arcsight/manager/bin/setup_services.sh
Check the ArcSight ESM services to make sure all services are available; you can use either of the following commands:
# /etc/init.d/arcsight_services status
# service arcsight_services status
Install the ArcSight ESM Console using the installer file for the machine's operating system (Windows – Linux - …)
Start installation
Specify the hostname of the ESM server and use port TCP/8443; note that the hostname needs to be resolvable via DNS or be added to the local hosts file
Select console to be installed for this user only or all users on this machine
After installation finished, start ArcSight Console from start menu or desktop
Use the administrator username and password provided during installation
The Console opens, which means ESM is running and the connection from the Console to ESM is OK
You can also open the ArcSight ESM Command Center (ACC) web interface using the URL: https://esm:8443
Replace (esm) with your ESM hostname
# hostname
srg
# hostname -s
srg
# hostname -f
srg.moutazlab.local
# hostname -d
moutazlab.local
# nslookup srg.moutazlab.local
Server: 172.16.100.118
Address: 172.16.100.118#53
Name: srg.moutazlab.local
Address: 172.16.100.111
# nslookup srg
Server: 172.16.100.118
Address: 172.16.100.118#53
Name: srg.moutazlab.local
Address: 172.16.100.111
# nslookup 172.16.100.111
Server: 172.16.100.118
Address: 172.16.100.118#53
111.100.16.172.in-addr.arpa name = srg.moutazlab.local.
Add the group (arcsight) with id 1999 with the command: # groupadd -g 1999 arcsight
Change the (arcsight) user id to 1999 using the command: # usermod -u 1999 arcsight
Confirm that the user (arcsight) belongs to the group (arcsight) with ids 1999:1999 using the command:
# grep arcsight /etc/passwd
Create a directory to copy the required binary and image files into, for example /tmp/arcsight-installers
# mkdir /tmp/arcsight-installers
Copy all required installer files and images to that directory, then change the ownership of the directory and all files to the arcsight user
# chown arcsight /tmp/arcsight-installers
# chown arcsight /tmp/arcsight-installers/*
Confirm the following files are in this directory, depending on which components you need to install
suite:
database:
  type: new
  ssl-enabled: false
  ssl-client-auth-enabled: false
hardware:
  cpu: 8
  memory: 32
  disk: 200
nodes:
  - hostname: srg.moutazlab.local
    username: root
pod-cidr: 10.0.0.0/16        # required only if the machine's IP address is in subnet 172.16.0.0/16
service-cidr: 10.30.78.0/24  # required only if the machine's IP address is in subnet 172.17.17.0/24
  - hostname: srg.moutazlab.local   # change it to the hostname used for the ArcSight platform machine
products: [transformationhub, fusion, intelligence, recon, soar, esm, layered-analytics]   # the products to be installed are defined here
interset-hdfs-namenode: srg.moutazlab.local   # change it to your hostname
interset-root-user: moutaz@moutazlab.com      # change it to your required email
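The pod-cidr and service-cidr comments above describe the overlap case that section 5.2 troubleshoots. The following is an added example, not part of this guide or of the ArcSight installer, that checks a node's own subnet against the two cluster ranges before the yaml is written; it assumes 172.16.0.0/16 and 172.17.17.0/24 are the ranges used when the keys are omitted, as the comments above imply.

```python
"""Check the CDF pod/service CIDRs against the platform node's own subnet.

Added example (not from the deployment guide or the ArcSight installer).
Assumption: when pod-cidr / service-cidr are left out of install-config.yaml,
the cluster uses 172.16.0.0/16 and 172.17.17.0/24, which is why the guide
says to set them explicitly when the host already lives in those subnets.
"""
import ipaddress

DEFAULT_POD_CIDR = ipaddress.ip_network("172.16.0.0/16")     # assumed default
DEFAULT_SERVICE_CIDR = ipaddress.ip_network("172.17.17.0/24")  # assumed default


def choose_cidrs(host_ip, host_prefixlen, pod_cidr=None, service_cidr=None):
    """Return (pod_cidr, service_cidr, warnings) as strings.

    host_ip/host_prefixlen describe the interface the platform node uses
    (e.g. 172.16.100.111/24). Explicit pod_cidr/service_cidr replace the
    defaults. Any range that overlaps the host subnet, or the other range,
    is reported so it can be changed in install-config.yaml before running
    arcsight-install.
    """
    host_net = ipaddress.ip_network(f"{host_ip}/{host_prefixlen}", strict=False)
    pod = ipaddress.ip_network(pod_cidr) if pod_cidr else DEFAULT_POD_CIDR
    svc = ipaddress.ip_network(service_cidr) if service_cidr else DEFAULT_SERVICE_CIDR
    warnings = []
    if host_net.overlaps(pod):
        warnings.append(f"pod-cidr {pod} overlaps host subnet {host_net}: set pod-cidr explicitly")
    if host_net.overlaps(svc):
        warnings.append(f"service-cidr {svc} overlaps host subnet {host_net}: set service-cidr explicitly")
    if pod.overlaps(svc):
        warnings.append(f"pod-cidr {pod} and service-cidr {svc} overlap each other")
    return str(pod), str(svc), warnings


def yaml_lines(host_ip, host_prefixlen, pod_cidr=None, service_cidr=None):
    """Render the install-config.yaml keys that differ from the assumed defaults."""
    pod, svc, _ = choose_cidrs(host_ip, host_prefixlen, pod_cidr, service_cidr)
    lines = []
    if ipaddress.ip_network(pod) != DEFAULT_POD_CIDR:
        lines.append(f"pod-cidr: {pod}")
    if ipaddress.ip_network(svc) != DEFAULT_SERVICE_CIDR:
        lines.append(f"service-cidr: {svc}")
    return lines


if __name__ == "__main__":
    # The lab host from the guide: srg.moutazlab.local = 172.16.100.111 (a /24 is assumed)
    cases = [
        ("172.16.100.111", 24),                                    # defaults collide with the host subnet
        ("172.16.100.111", 24, "10.0.0.0/16", "10.30.78.0/24"),    # the guide's chosen ranges
    ]
    for args in cases:
        pod, svc, warns = choose_cidrs(*args)
        print(args, "->", pod, svc, warns or "OK")
        print("  yaml:", yaml_lines(*args) or "(keys can be omitted)")
```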
It will run automatically; you will find Setting node prerequisites succeeded, which confirms that everything is fine so far
The first part of the run script will finish, and NFS is successfully installed on (arcsight platform hostname)
Set the admin user password for CDF, considering the password requirements; note down the password entered
You will receive a notification that the installation is done; if there are errors, the install script will exit with errors.
Give it some time (based on the server specs) for the pods to be running.
Check the running pods using either of the following commands:
# kubectl get pods -A
# kubectl get pods --all-namespaces
You should find everything Running or Completed
Except for interset-api, searchmanager-api and searchmanager-engine, which is OK for now
Wait for the pods to be Running or Completed as above, then run the post-installation script as follows, ignoring interset-api, searchmanager-api and searchmanager-engine for now
# /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight-install -c /opt/install-config-moutaz.yaml --cmd preinstall
This assumes the yaml file is in the /opt directory and is named install-config-moutaz.yaml
Confirm with y
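The readiness check described above (everything Running or Completed, with the three pods that may still be pending tolerated) is easy to get wrong by eye on a long pod list. The following added example, not part of this guide or of the ArcSight installer, parses `kubectl get pods -A` output and lists what still blocks the preinstall step; the sample output is constructed, and a Running pod whose READY count is not full is also treated as not ready.

```python
"""Gate the 'arcsight-install --cmd preinstall' step on the state of the CDF pods.

Added example, not part of the guide or the ArcSight installer. It parses
`kubectl get pods -A` output and reports pods that are neither Running (with
all containers ready) nor Completed, skipping the pods the guide says may
still be pending at this point.
"""
import subprocess
import sys

# Pod name prefixes the guide says are fine to ignore before the preinstall step
TOLERATED = ("interset-api", "searchmanager-api", "searchmanager-engine")

# Constructed sample of `kubectl get pods -A` output (not a real capture)
SAMPLE_OUTPUT = """\
NAMESPACE                  NAME                                  READY   STATUS             RESTARTS   AGE
core                       idm-7d9f8b6c5-abcde                   1/1     Running            0          35m
core                       cdf-apiserver-0                       2/2     Running            0          35m
arcsight-installer-m4dbl   interset-api-6c8f5d9b7-qwert          0/1     Pending            0          20m
arcsight-installer-m4dbl   searchmanager-engine-0                0/1     Init:0/1           0          20m
arcsight-installer-m4dbl   th-kafka-0                            1/1     Running            0          20m
arcsight-installer-m4dbl   fusion-db-init-xyz12                  0/1     Completed          0          22m
arcsight-installer-m4dbl   th-web-service-0                      0/1     Running            0          20m
arcsight-installer-m4dbl   soar-web-app-svc-5b7d6-zxcvb          0/1     CrashLoopBackOff   4          20m
"""


def parse_pods(output):
    """Parse `kubectl get pods -A` text into dicts with namespace, name, ready and status."""
    lines = output.strip().splitlines()
    if not lines or not lines[0].startswith("NAMESPACE"):
        raise ValueError("expected the kubectl header line starting with NAMESPACE")
    pods = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) < 4:
            continue
        pods.append({"namespace": cols[0], "name": cols[1], "ready": cols[2], "status": cols[3]})
    return pods


def is_tolerated(pod_name):
    """True for the pods the guide allows to stay pending (prefix followed by a hash or ordinal)."""
    return any(pod_name.startswith(prefix + "-") for prefix in TOLERATED)


def pod_ok(pod):
    """Completed jobs are fine; Running pods only count when every container is ready."""
    if pod["status"] == "Completed":
        return True
    if pod["status"] == "Running":
        ready, total = pod["ready"].split("/")
        return ready == total
    return False


def blocking_pods(output):
    """Return (namespace, name, status, ready) for pods that must be fixed before preinstall."""
    return [
        (p["namespace"], p["name"], p["status"], p["ready"])
        for p in parse_pods(output)
        if not pod_ok(p) and not is_tolerated(p["name"])
    ]


def live_output():
    """Run the real command on the platform node; only used with --live."""
    return subprocess.run(["kubectl", "get", "pods", "-A"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_output() if "--live" in sys.argv else SAMPLE_OUTPUT
    problems = blocking_pods(text)
    for ns, name, status, ready in problems:
        print(f"NOT READY  {ns}/{name}  {status} {ready}  -> kubectl describe pod {name} -n {ns}")
    print("ready for preinstall" if not problems else f"{len(problems)} pod(s) blocking")
```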
Define the labels that need to run on this node; type the labels: transformationhub:yes, fusion:yes, intelligence:yes, recon:yes, soar:yes, esm:yes, layered-analytics:yes, zk:yes, kafka:yes, th-platform:yes, th-processing:yes, interset-datanode:yes, interset-namenode:yes, interset-spark:yes
Now you can install the different solution licenses; you can get the evaluation or final licenses from the entitlement portal. Go to Application > Licenses in the CDF admin portal
Edit the file /etc/hadoop/conf/core-site.xml and confirm the port used matches the command output
Also edit the /etc/hadoop/conf/hdfs-site.xml file as below
Then, log in with the email and password; note that the Fusion login is the email
The following steps configure users in ArcSight ESM and import them into Fusion, and also configure ArcSight ESM single sign-on with Fusion, to have seamless access to the ArcSight ESM ACC from Fusion
Create a user from the ArcSight Console under the Users section; for example, if it needs to be an administrator user, create it under the Administrators group. You need to specify the same Email and External User ID as the email that will be used in Fusion, to have correct SSO
You can also create another user; you have to provide the Email and External User ID to be the same as those used in Fusion.
Specify the ESM hostname, use port 8443, specify the admin user and password to connect to ESM, and select which roles will be assigned to the imported users
Now, on the ArcSight ESM machine, you need to reconfigure it to use SSO, to have seamless access to the ArcSight ESM ACC from Fusion; on the ESM machine:
# /opt/arcsight/manager/bin/arcsight managersetup -i console
You can also use the GUI configuration by removing -i console from the above command
Accept the defaults or the existing configuration until the authentication method step; change it to (OSP Client Only Authentication)
Set the OSP server to the hostname of the ArcSight platform machine and port 8443
Set Tenant name: default
Now, in the ArcSight Platform interface, click the three dots beside the deployment node, and select Reconfigure
Now, log in to ArcSight Fusion again (https://arcsight-platform/mgmt) and check whether access to the ESM Command Center works as single sign-on, without providing the password again
Under the Transformation Hub section, set CEF-to-Avro to 1 and Group 1 routing stream processor instances to 1
If you have ArcSight Management Center (ArcMC) in your environment, you can manage and monitor THub with ArcMC.
In the ArcMC interface: Administration > Security > SSL Server Certificate ---- View Certificate
Under ArcSight platform > Reconfigure > Transformation Hub section, scroll down to the Management Center Configuration part
Type the ArcMC username and password and the ArcMC hostname, and paste the ArcMC certificate
Set the hostname to the ArcSight platform hostname that has the THub component, set the port to 32080 and the Cluster port to 443, provide the admin user and password of the ArcSight platform, and finally paste the certificate that you got from cdf-updateRE.sh
Now you should see the Transformation Hub in the Topology view and the Deployment view
Modify connector
Add destination
After finishing the configuration, you can run the connector to start sending events using the command:
# /opt/arcsight/connector/reply/current/bin/arcsight agents
Then, select the event file that you need to send to the ArcSight deployment
Now you can see the events under (Search) in the ArcSight Fusion interface, which uses ArcSight Recon for event searching
Send events to Transformation Hub in the same way as the steps used to send events to Transformation Hub from the Test connector; the same THub port 9092 will be used as the destination for all events from all connectors
agents[0].startatend=false
Under the Intelligence section, change "Analytics Data Retention Period" from 90 to 360, as the sample events are old events, then Save
By default, the analytics job runs at 2AM every day. To manually start the analytics job, do the following:
cd /opt/arcsight-nfs/arcsight-volume/interset/analytics
rm *.mk
rm blackhawk_down
Then follow the logs of the analytics pod, for example:
kubectl -n arcsight-installer-m4dbl logs -f interset-analytics-5f745b5866-pt9pb -c interset-analytics
Note: use "kubectl get pods -A" to find out the namespace and pod names.
The analytics process will run until the logs from the above command repeat the following:
Analytics for TID 0 was completed. Will run again tommorrow
It is after 02:00:00, continuing
Login to ArcSight Platform and Select (Entities at Risk) to access ArcSight Intelligence
Log out from the ArcSight platform interface, log in again and open (Entities at Risk); now you should start to see the analytics results
Select Filter Resource and select the created Filter which match the correlated events
Create a new web user on ArcSight ESM which will be used for the SOAR-to-ESM integration
Create a new Active List which will hold the correlated event names that need to be forwarded to ArcSight SOAR
Change the TTL values to 0 to make the entries permanent, then select the Field (Name)
Create a pre-persistence rule that will specify the forwarding parameters in the forwarded events
Set the condition to match: Type=Correlation, in the created active list, Old File Hash is NULL
Now you should see the created rule under the Real Time Rules
Now install the Forwarding connector (SuperConnector): create a directory and install the Forwarding connector after making the installer executable
# chmod +x ArcSight-9.0.0.8323.0-SuperConnector64-Linux64.bin
The destination IP should be the hostname that has SOAR (the ArcSight platform hostname in case of a single-node install), and the port should be 32200
Protocol: Raw TCP
Now access Respond under the ArcSight Fusion interface, then Configuration > Create Credential
As an internal Credential, set the username and password created on ArcSight ESM for the SOAR integration
Note down the IP addresses from the following commands, which will be used in the next configuration:
# kubectl get pods -A -o wide | grep nginx
# ip a | grep cni0
# kubectl get service --all-namespaces | grep soar
Select type (Micro Focus ArcSight ESM), set the address to (https://esm:8443) where esm is the hostname of ArcSight ESM, set the key to 12345678, and set the allowed IP addresses to the ESM IP and the two IP addresses from the previous steps (nginx – cni0)
Select the credential created previously, select Trust invalid SSL certificate, then Test
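The allowed-IP list above (the item corrected in revision 1.1) is assembled by hand from three command outputs, so a copy mistake leaves the ESM integration test failing. The following added example, not part of this guide or of the SOAR product, parses constructed samples of the `kubectl get pods -A -o wide | grep nginx` and `ip a | grep cni0` outputs, builds the list, and flags any cluster-side address that falls outside the pod-cidr from install-config.yaml; the ESM IP 172.16.100.112 and all sample lines are made up.

```python
"""Build the SOAR 'allowed IP addresses' list for the ESM integration.

Added example, not from the guide or the product. It parses constructed
samples of two of the three commands the guide lists and checks the
cluster-side addresses against the pod-cidr from install-config.yaml.
"""
import ipaddress
import re

# Constructed sample of: kubectl get pods -A -o wide | grep nginx (not a real capture)
NGINX_LINES = """\
core   nginx-ingress-controller-7c9b4d5f8-k2x9p   1/1   Running   0   40m   10.0.1.23   srg.moutazlab.local   <none>   <none>
"""

# Constructed sample of: ip a | grep cni0 (not a real capture)
CNI0_LINES = """\
5: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    inet 10.0.1.1/24 brd 10.0.1.255 scope global cni0
    inet6 fe80::1/64 scope link
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def nginx_pod_ips(text):
    """With -o wide the pod IP is the 7th column (NAMESPACE NAME READY STATUS RESTARTS AGE IP ...)."""
    ips = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 7 and "nginx" in cols[1] and IPV4.fullmatch(cols[6]):
            ips.append(cols[6])
    return ips


def cni0_ip(text):
    """The bridge address is on the 'inet a.b.c.d/len ... cni0' line; strip the prefix length."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0] == "inet" and cols[-1] == "cni0":
            return cols[1].split("/")[0]
    return None


def allowed_ips(esm_ip, nginx_text, cni0_text, pod_cidr="10.0.0.0/16"):
    """Return (allowed_list, warnings).

    pod_cidr defaults to the guide's install-config value. Cluster-side
    addresses outside it are still included but flagged, so the operator
    can confirm they are intended rather than a line copied by mistake.
    """
    ipaddress.ip_address(esm_ip)  # raises ValueError if a hostname was pasted instead of an IP
    pod_net = ipaddress.ip_network(pod_cidr)
    allowed = [esm_ip]
    warnings = []
    cluster = nginx_pod_ips(nginx_text)
    bridge = cni0_ip(cni0_text)
    if bridge:
        cluster.append(bridge)
    else:
        warnings.append("no cni0 address found in 'ip a' output")
    if not nginx_pod_ips(nginx_text):
        warnings.append("no nginx pod IP found in kubectl output")
    for ip in cluster:
        if ipaddress.ip_address(ip) not in pod_net:
            warnings.append(f"{ip} is outside pod-cidr {pod_net}: confirm it is intended")
        if ip not in allowed:
            allowed.append(ip)
    return allowed, warnings


if __name__ == "__main__":
    ips, warns = allowed_ips("172.16.100.112", NGINX_LINES, CNI0_LINES)
    print("allowed IP addresses:", ", ".join(ips))
    for w in warns:
        print("WARNING:", w)
```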
Now you can add entries to the previously created Active List to include the correlated events that you need to forward to SOAR
Under SOAR: Playbook > rule name filter > create alert source rule name
You can create an Alert Source for each correlated event, with the source ArcSight ESM and Ignore mode: create alerts; SOAR will automatically create an Alert Source rule for the received incidents
You can create a threat intelligence integration between SOAR and Virus Total; you first need to register on the Virus Total website using the link: https://www.virustotal.com
Then, after logging in to your account, check the API key that will be used for the integration
Configuration > Integration > Create Integration, give it a name, select type (Virus Total), set the address to https://www.virustotal.com, and select the created credential
Now you can use the Virus Total integration under Incident investigation or Playbook, as an example:
Enrich > launch enrichment plugin > threat intelligence > Virus Total
Edit Statuses to include the newly created status (False Positive - Resolved)
To integrate SOAR with Active Directory to initiate actions on Active Directory, you need to create a user in AD
Now you can start creating the first Workflow playbook: go to Playbooks > create Workflow Playbook
Give the playbook step a name, then New > Alert Source Rule Name
Select Matches regular expression, then paste the same name of the correlated event received in SOAR
You can add an action to lock the AD user from the Active Directory integration, and select whether this action is permanent or rolled back after a specific time
The playbook below will set the incident to Critical, assign it to a specific SOC analyst, lock the Active Directory account of the offender, then close the case as resolved
The last step is to add the SOAR widget, so you can have multiple widgets in the ArcSight Fusion Dashboard: copy the soar-widgets tar file to the directory /opt/arcsight-nfs/arcsight-volume/fusion/widget-store/
Then, in the Fusion Dashboard page, you can add a new Dashboard or edit any of the existing ones
Add widget
5 Troubleshooting
Below are some cases that you may face during the installation:
- To troubleshoot a specific pod, replace soar-web-app-svc with the pod you need to check, and replace arcsight-installer-91bin with the namespace name shown in the first column of the kubectl get pods -A output
# kubectl describe pod soar-web-app-svc -n arcsight-installer-91bin
- To get the logs of the running ArcSight Intelligence analytics, replace arcsight-installer-91bin with your namespace name, and replace interset-analytics-765c58cc4f-psfxs with the analytics pod name
# kubectl -n arcsight-installer-91bin logs -f interset-analytics-765c58cc4f-psfxs -c interset-analytics
6 APPENDIX
1- How to set up a DNS server on a CentOS Linux machine
Support Case procedures
6- Training Content
SOAR training is available at the Training link: https://microfocus-external.sabacloud.com/Saba/Web_spf/NA2PRD0006/common/leclassview/dowbt-0000009843
7- Documentation
All documentation is available at:
https://www.microfocus.com/documentation/arcsight/