
ArcSight Demo Environment

Deployment

Prepared by:

Moutaz Abdelgawad
Security Solutions Architect - MEA
ArcSight Demo Environment Deployment

Contacts and Document Version History

Author Contact
Moutaz Abdelgawad
Security Solutions Architect - MEA
moutaz.abdel-gawad@microfocus.com

Document Version History

Version | Date | Author | Comments
1.0 | January 17th, 2021 | Moutaz Abdelgawad | Initial Version
1.1 | January 17th, 2021 | Moutaz Abdelgawad | Correction in SOAR allowed IP

Page 2 of 128

© Copyright 2021 Micro Focus International



Table of Contents
1 Introduction ...................................................................................................................... 4
2 Solution Requirements..................................................................................................... 5
2.1 Software Download .................................................................................................. 5
2.1.1 Partner.............................................................................................................. 5
2.1.2 Customer .......................................................................................................... 7
2.2 License Download .................................................................................................. 11
2.3 Hardware Requirements......................................................................................... 11
2.4 Other Requirements ............................................................................................... 12
3 ArcSight ESM (Detect) ................................................................................................... 14
3.1 Linux Installation .................................................................................................... 14
3.2 ArcSight ESM Installation ....................................................................................... 23
3.3 ArcSight ESM Console Installation ......................................................................... 39
4 ArcSight Platform (Single Node) .................................................................................... 47
4.1 Linux Installation .................................................................................................... 47
4.2 ArcSight Platform Preparations .............................................................................. 48
4.3 ArcSight Platform Installation ................................................................................. 52
4.4 ArcSight Intelligence Configuration ......................................................................... 70
4.5 ArcSight Fusion ...................................................................................................... 71
4.6 ArcSight Transformation Hub ................................................................................. 80
4.7 Send Test Events to ArcSight ................................................................................. 83
4.8 Send Test Events to ArcSight Intelligence .............................................................. 87
4.9 ArcSight SOAR ...................................................................................................... 93
5 Troubleshooting ........................................................................................................... 125
5.1 Chrony is not Synchronized .................................................................................. 125
5.2 POD-CIDR network overlap ................................................................................. 125
5.3 Error Bad Message 431 ....................................................................................... 126
5.4 Troubleshooting Commands ................................................................................ 126
6 APPENDIX .................................................................................................................. 128


1 Introduction
This document gives full step-by-step details for deploying an ArcSight demo environment. It can be used for practicing ArcSight installation and configuration, and for deploying an ArcSight environment for POC purposes.
The document will be updated over time with further information and sections in upcoming versions.


2 Solution Requirements
2.1 Software Download
If you are a partner or a customer who needs to deploy an ArcSight demo environment, the first preparation step is to download the software binaries needed for installation

2.1.1 Partner
- Only authorized partners have access to the Eval/Demo portal. If you do not have access to the partner portal, contact your Micro Focus Channel Manager, who can provide this access, or send an email to software.partner@microfocus.com

- Authorized partners will only see the licenses they are contractually permitted to download

- Visit the partner software portal https://softwarepartner.microfocus.com and sign in with your Software Passport

- Select Knowledge tab

- Select Eval/Demo Licenses

- Select the link Evaluation & Demo License Download Portal to be transferred to the portal

- Select Software Evaluation/Demo Licenses


- Select the required software to download from the following three ArcSight software categories; make sure to download the latest version in the list for any software you need

a) Data Platform
- Security ArcSight SmartConnectors Parser (Includes connector parser updates)
- Security ArcSight SmartConnectors Framework (Includes connector framework software)
- Security ArcSight Logger Software (Includes ArcSight Logger software)
- Security ArcSight Data Platform Software (Includes ArcSight Logger, Transformation Hub, ArcSight Platform installer metadata and CDF)


- Security ArcSight Management Center Software

b) Security Analytics
- Micro Focus Security ArcSight User Behavior Analytics Software (Includes ArcSight Intelligence, formerly ArcSight Interset)
- ArcSight Recon Standard Edition (Includes ArcSight Recon)

c) SIEM
- Security ArcSight Enterprise Security Manager Software (Includes ArcSight ESM, Fusion, Layered Analytics and SOAR)
- Security ArcSight Reputation Security Monitor Plus Connector and Content

- Enter the quantity required for any desired software
- Provide the partner information
- Read and accept the software license terms
- Click the Next button

2.1.2 Customer
The customer receives the electronic license by email from Micro Focus, sent directly to the customer contact placed on the order. The license and software can be activated and downloaded using the link in the email (Access your software), similar to the print screen below

The customer is required to register on the Micro Focus entitlement portal using a work email address:
https://entitlement.microfocus.com/
After logging in to the portal, the customer can request access to the entitlement number or order number received: Manage Access


Then, Request Access

Then search using the entitlement number, SAID number or order number received with the order information


After getting access to the order or entitlement you can search for it as follows

Then search using the entitlement number or order number

Then, to manage the entitlement and activate the software needed, go to Manage Entitlements


Then select the software that needs to be activated, with the required quantity, using Activate, then download the activated software


Specify the host on which you will activate the license and the software version needed

To know the different ArcSight software packages and their location among the available products, see the partner section above

2.2 License Download


After activating the software from the entitlement portal as described in the previous section, you will receive an email about the license activation, with the license attached or with instructions to access it in the portal

2.3 Hardware Requirements


The hardware sizing depends on which ArcSight components need to be installed, which in turn depends on the license entitlement and on the capabilities that need to be shown in the demo or POC.
Below are the minimum requirements for every component; they can differ from case to case.
- The Mandatory column specifies whether the component is mandatory or not
- Check the documentation for the requirements of updated versions
- All components can be deployed on a virtual environment or on physical servers
- Requirements can differ based on POC use cases and the scope of integrations

Component | CPU | RAM | Disk | OS | Mandatory level
Connector server | 4 cores | 8 GB | 100 GB | Windows Server 2016-2019, RHEL or CentOS | Mandatory for any environment
ArcSight ESM | 8 cores | 16 GB | 400 GB | RHEL/CentOS 7.8 - 8.1 | Mandatory for the majority of environments, as the correlation engine
ArcSight Logger | 8 cores | 16 GB | 300 GB | RHEL/CentOS 7.8 - 8.1 | Not mandatory; needed only if there are specific requirements for event retention and log management
ArcMC | 4 cores | 8 GB | 250 GB | RHEL/CentOS 7.8 - 8.1 | Not mandatory; needed only if there is a requirement to monitor connector operation and event collection
ArcSight Platform (ArcSight Fusion, ArcSight SOAR, ArcSight THub, ArcSight Intelligence, ArcSight Recon, CDF Master, ArcSight DB) | 16 cores (more is better for performance) | 128 GB (more is better for performance) | 750 GB | RHEL/CentOS 7.8 | Recommended to show the features of the unified interface, SOAR and UEBA

2.4 Other Requirements


Requirement (mark each one as Available/Configured)
- IP address assignment for the nodes
- Hostname for the nodes
- DNS record for the nodes, in case of having an ArcSight Platform node
- Reverse DNS record for the nodes, in case of having an ArcSight Platform node
- Linux installed based on the instructions and disk partitioning for each component
- Root account and password for each node
- SSH access to the different Linux machines, or Remote Desktop to the Windows machine
- SFTP/SCP connection from the administrator machine to the different machines to copy the software binaries
- Internet connectivity for the machines to download missing packages
- Binary files needed for installation downloaded and available to be copied to the machines
- License activation and availability
- Firewall connectivity based on the firewall requirements in the Appendix
- Tools available on the administrator machine (SSH client, SFTP/SCP tool); examples are WinSCP and MobaXterm (https://mobaxterm.mobatek.net/download.html)
- Event source configuration requirements for event collection
- Point of contact for the administrator of each event source


3 ArcSight ESM (Detect)


3.1 Linux Installation
The first step of deploying ArcSight ESM is to install the CentOS Linux operating system on the server or virtual machine assigned to ArcSight ESM (Detect)
On a virtual environment, download the CentOS ISO file, upload it to the datastore of the virtual host, and configure the machine to boot from this ISO file
Consider the supported operating system version to be used; check the supported operating system versions in the ArcSight documentation (ESM Technical Requirements)
Following is the link to the technical requirements for ESM 7.4:
https://www.microfocus.com/documentation/arcsight/arcsight-esm-
7.4/ESM_TechReq_HTML5/#ESM%20Support%20Matrix/ESM_7_0.htm%3FTocPath%3DMicro%2520Fo
cus%2520ArcSight%2520Enterprise%2520Security%2520Management%2520Technical%2520Requirem
ents%7C_____2
Download the ISO file from the following link or any other mirror from the CentOS mirror list, and verify it against the CHECKSUM file published alongside it before booting from it:
http://mirrors.oit.uci.edu/centos/8.2.2004/isos/x86_64/
After booting from the ISO, install CentOS Linux 8


Select Language and Country

Select Custom Storage Configuration


Choose the LVM partitioning scheme and click to create the partitions automatically

The partitions will be created; however, we need to change the sizes and add new partitions


Click + and add a new partition /var, set it to 20G

Define the storage space for each partition as follows (/home 15G, /var 20G, /boot 512M, swap 8G, / gets the remaining space)


Accept changes

In network configuration, with type Manual, configure the IP address – Gateway – DNS - Hostname


Disable KDUMP – Set Time/Date/Time zone – Software selection (Server with GUI)

Configure the root password


Configure a new user (eg. arcsight), mark it as administrator, require password, set the password


The installation will take some time to finish, then reboot

After the reboot you need to accept the license


Make sure the server is reachable and accessible; now the server is ready for the ArcSight ESM installation


3.2 ArcSight ESM Installation


The following process installs the ArcSight ESM (Detect) application on the CentOS operating system
Install the packages (zip, libaio, ncurses-compat-libs, tzdata) using the command:
# yum install zip libaio ncurses-compat-libs tzdata


You can confirm the packages are installed using the following commands; the versions do not make a difference

Disable the firewall service, or configure it based on need. For a demo on an isolated network disabling it is the quick option; for anything reachable from other hosts, keep firewalld running and open only the ports ESM needs (TCP/8443 for the Console, ACC and SmartConnectors; check the ESM documentation for the full list)
# systemctl stop firewalld
# systemctl disable firewalld

Copy the ArcSight installer file (ArcSightESMSuite-7.x.x.tar) to the ESM server; as an example you can copy it to the /tmp directory
Untar the install file: # tar xvf ArcSightESMSuite-7.4.0.2463.0.tar
Under the Tools directory (one of the extracted directories) run the command: # /tmp/Tools/prepare_system.sh


A reboot will be required

After the machine reboots, check that the output of the following command matches the limits set by prepare_system.sh: # ulimit -a

Change the ownership of the directory (ESMComponents) and the file (ArcSightESMSuite.bin) to the arcsight user; the installer itself must be run as this non-root user, not as root

# chown -R arcsight ESMComponents/
# chown arcsight ArcSightESMSuite.bin


Change the file ArcSightESMSuite.bin to be executable

# chmod +x ArcSightESMSuite.bin

Switch to the arcsight user (su - arcsight) and start the installation with the command: # /tmp/ArcSightESMSuite.bin -i console


After the installation finishes, launch the first boot setup by running the command:
# /opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft
Note that this command runs as a GUI installation like the steps below; it can also be run in console command-line mode by adding (-i console) to the command


In this deployment we will deploy ESM in compact mode


Set the CORR-Engine password

Leave default configuration or change it based on request


Set the error notification email address and the sender address these error emails will come from

Provide the license file


Set the ESM hostname and the admin username and password that will be used for ESM login

Set the GEID with any number, for example 1; this needs to be unique across the ArcSight components in the setup, because it is used to generate globally unique event IDs across the whole ArcSight deployment


For now we can skip the THub integration and configure it later if needed

The Recon integration can also be skipped now and configured later when Recon is up


Select Security Threat Monitoring and Threat Intelligence Platform; these packages include many out-of-the-box use cases, including MITRE ATT&CK framework content


Installation will start

Now, ArcSight ESM should be installed, configure ArcSight services with command:
# /opt/arcsight/manager/bin/setup_services.sh


Check arcsight ESM services to make sure all services are available, you can use either of the following
commands:
# /etc/init.d/arcsight_services status
# service arcsight_services status

3.3 ArcSight ESM Console Installation


The ArcSight ESM Console is needed for ESM configuration; for analyst work, the ArcSight Command Center (ACC) web interface alone is sufficient

Install the ArcSight ESM Console using the installer file for the operating system of the machine (Windows, Linux, ...)


Select the directory where to install the ArcSight Console

Page 40 of 128

© Copyright 2021 Micro Focus International


ArcSight Demo Environment Deployment

Start installation


Specify the hostname of the ESM server and use port TCP/8443; note that the hostname needs to be resolvable via DNS or added to the local hosts file


Use direct connection or proxy in case there is a proxy to browse through

Select password based authentication


Select console to be installed for this user only or all users on this machine


After installation finished, start ArcSight Console from start menu or desktop
Use the administrator username and password provided during installation


The Console opens, which means ESM is running and the connection from the Console to ESM is OK

You can also open the ArcSight ESM ACC web interface using the URL: https://esm:8443
Replace (esm) with the ESM hostname you used


4 ArcSight Platform (Single Node)


Below are the installation steps for the ArcSight Platform. The different components can be installed in a multi-master, multi-worker deployment; however, for simplicity and demo purposes we will install all components on one node (single-node installation)
This node will host:
- ArcSight Container Deployment Framework (CDF) Master
- ArcSight Fusion (ArcSight Unified Interface)
- ArcSight Recon (Threat Hunting)
- ArcSight Intelligence (Analytics and UEBA)
- ArcSight SOAR
- ArcSight Transformation Hub
- ArcSight Database (Big data unified storage)

4.1 Linux Installation


Use the same steps used to install CentOS for ArcSight ESM to install CentOS on the ArcSight Platform machine
Always check the supported operating system requirements for the ArcSight Platform. In our case, where one server hosts all components, the ArcSight Database supports CentOS 7.8 at most, so it is critical NOT to install CentOS 7.9, 8, 8.1 or 8.2
Use the following link to download the CentOS 7.8 ISO:
http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-2003.iso
In the disk partitioning step, use the following layout:
/home: 50 G
/boot: 1024 M
/var: 20 G
swap: 32 G
/: 640 G
The total space should be 750 GB; it can be less, but it is better to allocate 750 GB so that the demo environment does not run out of space and later platform updates have room


4.2 ArcSight Platform Preparations


Make sure that the hostname of the ArcSight Platform node resolves in DNS, and that a reverse DNS (PTR) record exists for its IP
Note that this is MANDATORY: you cannot rely on the local hosts file on the server itself. See the Appendix for how to set up a BIND DNS server, or use a Windows DNS server
Before the installation, make sure you get the following results:
Considering that the hostname is srg.moutazlab.local, the IP is 172.16.100.111 and the DNS server is 172.16.100.118

o hostname
srg

o hostname -s
srg

o hostname -f
srg.moutazlab.local

o hostname -d
moutazlab.local

o nslookup srg.moutazlab.local
Server: 172.16.100.118
Address: 172.16.100.118#53
Name: srg.moutazlab.local
Address: 172.16.100.111

o nslookup srg
Server: 172.16.100.118
Address: 172.16.100.118#53
Name: srg.moutazlab.local
Address: 172.16.100.111

o nslookup 172.16.100.111
Server: 172.16.100.118
Address: 172.16.100.118#53
111.100.16.172.in-addr.arpa name = srg.moutazlab.local.
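The checks above can be scripted so the node is validated before the installer is run. The following is an added example, not part of the original guide or of the ArcSight product: check_dns_consistency() encodes the three rules the outputs above illustrate (short name is the first label of the FQDN, FQDN and short name both resolve to the node IP, the PTR record of the IP points back at the FQDN) and takes resolver answers as plain arguments so it can be exercised offline; run_live_check() feeds it answers from the system resolver via the socket module. The hostnames and IPs are the lab values from this guide; the GOOD_ANSWERS dictionary is constructed to mirror the nslookup output above.

```python
"""Forward/reverse DNS consistency check for the ArcSight Platform node.

Added example, not part of the original guide. The installer requires that
the FQDN resolves to the node IP, that the short hostname resolves to the
same IP (search domain), and that the PTR record of the IP points back at
the FQDN. Lab values (srg.moutazlab.local / 172.16.100.111) come from the guide.
"""
import socket


def check_dns_consistency(short_name, fqdn, ip, fqdn_answers, short_answers, ptr_answers):
    """Return a list of problems; an empty list means the node passes.

    fqdn_answers  -- IPs the resolver returned for the FQDN
    short_answers -- IPs the resolver returned for the short hostname
    ptr_answers   -- names the resolver returned for the PTR lookup of ip
    """
    problems = []
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] != short_name.lower():
        problems.append(f"short name '{short_name}' is not the first label of '{fqdn}'")
    if len(labels) < 2:
        problems.append(f"'{fqdn}' has no domain part; hostname -d would be empty")
    if ip not in fqdn_answers:
        problems.append(f"forward lookup of {fqdn} returned {fqdn_answers or 'nothing'}, expected {ip}")
    if ip not in short_answers:
        problems.append(f"forward lookup of short name {short_name} returned "
                        f"{short_answers or 'nothing'}, expected {ip} (check the resolv.conf search domain)")
    # nslookup prints PTR targets with a trailing dot; normalise before comparing
    ptr_names = {name.lower().rstrip(".") for name in ptr_answers}
    if fqdn.lower().rstrip(".") not in ptr_names:
        problems.append(f"PTR for {ip} returned {sorted(ptr_names) or 'nothing'}, expected {fqdn}")
    return problems


def run_live_check(short_name, fqdn, ip):
    """Resolve with the system resolver (what the installer will use) and check."""
    def forward(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []
    try:
        canonical, aliases, _ = socket.gethostbyaddr(ip)
        ptr = [canonical] + list(aliases)
    except (socket.herror, socket.gaierror):
        ptr = []
    return check_dns_consistency(short_name, fqdn, ip, forward(fqdn), forward(short_name), ptr)


# Constructed answers mirroring the nslookup output in the guide (lab values)
LAB_SHORT, LAB_FQDN, LAB_IP = "srg", "srg.moutazlab.local", "172.16.100.111"
GOOD_ANSWERS = dict(fqdn_answers=[LAB_IP], short_answers=[LAB_IP],
                    ptr_answers=["srg.moutazlab.local."])

if __name__ == "__main__":
    for problem in check_dns_consistency(LAB_SHORT, LAB_FQDN, LAB_IP, **GOOD_ANSWERS):
        print("FAIL:", problem)
    print("offline sample check done; run_live_check(short, fqdn, ip) uses the real resolver")
```

Run run_live_check() on the platform node itself rather than from the administrator workstation: the installer uses the node's own /etc/resolv.conf, and a search domain that exists on the workstation but not on the node is exactly the kind of mismatch the short-name rule catches.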

Add the following line to the file /etc/sysctl.conf and apply it with sysctl -p (it is also applied on the next reboot):

vm.max_map_count=262144

Enable and start rpcbind and nfs-server with the following commands:

# systemctl enable rpcbind
# systemctl start rpcbind
# systemctl enable nfs-server
# systemctl start nfs-server

Add the group (arcsight) with id 1999 with the command: # groupadd -g 1999 arcsight
If the group already exists because the arcsight user was created during the OS installation, change its id instead: # groupmod -g 1999 arcsight

Change the (arcsight) user id to 1999 and make arcsight its primary group with the command: # usermod -u 1999 -g 1999 arcsight


Confirm that the user (arcsight) belongs to the group (arcsight) with ids 1999/1999 using either command:
# id arcsight
# grep arcsight /etc/passwd /etc/group

Create a directory to copy the required binary and image files into, for example /tmp/arcsight-installers
# mkdir /tmp/arcsight-installers
Copy all required installer files and images to that directory, then change the ownership of the directory and all files in it to the arcsight user
# chown -R arcsight:arcsight /tmp/arcsight-installers

Confirm the following files are in this directory, based on which components you need to install

File | Required for
cdf-x.x.zip | The main installer for CDF, required for all installations
arcsight-installer-metadata-x.tar | Metadata, required for all installations
esm-x.tar | Required for the ESM command center pod
fusion-x.tar | Required for Fusion
intelligence-x.tar | Required for ArcSight Intelligence (Interset)
layered-analytics-x.tar | Required for Fusion widgets
recon-x.tar | Required for Recon
transformationhub-x.tar | Required for Transformation Hub
soar-x.tar | Required for the SOAR pod

Unzip the file cdf-x.zip using the command:

# unzip cdf-2020.08.00153-20.11.0.5.zip


Move the metadata file to the directory /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/metadata
# mv /tmp/arcsight-installers/arcsight-installer-metadata-20.11.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/metadata/

Move the image files to the directory /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images
# mv /tmp/arcsight-installers/esm-7.4.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
# mv /tmp/arcsight-installers/fusion-1.2.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
# mv /tmp/arcsight-installers/intelligence-6.2.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
# mv /tmp/arcsight-installers/layered-analytics-1.1.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
# mv /tmp/arcsight-installers/recon-1.1.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
# mv /tmp/arcsight-installers/transformationhub-3.4.0.16.tar /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight/images/
If SOAR is in the products list, move its soar-x.tar image to the same images directory in the same way

Install chrony package using command:


# yum install chrony
# systemctl start chronyd
# systemctl enable chronyd
Confirm leap status is Normal using command: # chronyc tracking


4.3 ArcSight Platform Installation


In the following steps we start the installation of the ArcSight Platform. We will use the automated script installation, where we only need to configure a YAML configuration file that includes all requirements and configuration, then run the installation script. The installation is done in three phases: pre-installation, installation and post-installation.
The YAML file is included in the Appendix; below is the YAML file used to install all components on one single node, including the ArcSight DB.
cluster:
  default-node-size: medium
  allow-worker-on-master: true
  pod-cidr: 10.0.0.0/16
  service-cidr: 10.30.78.0/24
  master-nodes:
    - hostname: srg.moutazlab.local
      username: root
      labels: [zk, kafka, th-processing, th-platform, fusion, interset, interset-spark, interset-datanode, interset-namenode]

suite:
  products: [transformationhub, fusion, intelligence, recon, soar, esm, layered-analytics]
  config-params:
    th-schema-registry-count: 1
    th-schema-registry-min-kafka-count: 1
    transform-processor-replicas: 1
    routing-processor1-replicas: 0
    th-kafka-count: 1
    th-zookeeper-count: 1
    th-init-kafkaOffsetsTopicReplicationFactor: 1
    th-init-topicReplicationFactor: 1
    # th-init-kafkaRetentionBytesForVertica: will automatically be calculated by the install tool for this single node scenario
    # th-init-kafkaRetentionBytes: will automatically be calculated by the install tool for this single node scenario
    th-init-noOfTopicPartitions: 6
    th-kafka-allow-plaintext: true
    th-init-client-auth: true
    interset-elasticsearch-data-instances: 1
    interset-logstash-instances: 1
    interset-hdfs-namenode: srg.moutazlab.local
    interset-root-user: moutaz@moutazlab.com
    interset-h2-password: changeme
    interset-h2-keystore-password: changeit
    interset-elasticsearch-index-shards-count: 1
    interset-logstash-event-buffering: persisted
    recon-enable: true

database:
  type: new
  ssl-enabled: false
  ssl-client-auth-enabled: false
  hardware:
    cpu: 8
    memory: 32
    disk: 200
  nodes:
    - hostname: srg.moutazlab.local
      username: root


pod-cidr: 10.0.0.0/16 ----- required only if the IP address of the machine is in the subnet 172.16.0.0/16; the pod range must not overlap the node's own subnet or the service range
service-cidr: 10.30.78.0/24 ----- required only if the IP address of the machine is in the subnet 172.17.17.0/24
- hostname: srg.moutazlab.local ----- change it to the hostname used for the ArcSight Platform machine (it appears under both master-nodes and database nodes)
products: [transformationhub, fusion, intelligence, recon, soar, esm, layered-analytics] ----- the products to be installed are defined here
interset-hdfs-namenode: srg.moutazlab.local ----- change it to your hostname
interset-root-user: moutaz@moutazlab.com ----- change it to your required email
th-kafka-allow-plaintext: true, ssl-enabled: false, ssl-client-auth-enabled: false ----- these allow plaintext Kafka traffic and disable TLS on the database connection; acceptable only for an isolated demo network, not for a POC that receives real customer events
interset-h2-password: changeme, interset-h2-keystore-password: changeit ----- placeholder secrets; replace them before installing, and restrict access to the YAML file itself, since it holds credentials and the root username the installer uses
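The pod-cidr and service-cidr conditions above are easy to get wrong, and an overlap is only reported once preinstall fails (see the troubleshooting section on POD-CIDR overlap). The following is an added example, not part of the original guide or of the CDF installer: it reads the two CIDR keys out of the cluster block with a small regex (so it does not need PyYAML) and checks them against the node's own subnet and against each other. The IMPLIED_DEFAULTS ranges are an assumption derived from the annotations above (the ranges in use when the keys are omitted); SAMPLE_CONFIG is a constructed copy of this guide's cluster block.

```python
"""Check the CDF pod-cidr / service-cidr against the node's own network.

Added example, not part of the original guide. The pod and service ranges
must not overlap each other or the subnet the platform node sits on.
"""
import ipaddress
import re

# Assumed installer defaults, derived from the guide's annotations: override
# pod-cidr if the host is in 172.16.0.0/16, service-cidr if it is in 172.17.17.0/24
IMPLIED_DEFAULTS = {
    "pod-cidr": ipaddress.ip_network("172.16.0.0/16"),
    "service-cidr": ipaddress.ip_network("172.17.17.0/24"),
}

# Constructed copy of the guide's cluster block
SAMPLE_CONFIG = """cluster:
  default-node-size: medium
  allow-worker-on-master: true
  pod-cidr: 10.0.0.0/16
  service-cidr: 10.30.78.0/24
  master-nodes:
    - hostname: srg.moutazlab.local
      username: root
"""


def extract_cidrs(yaml_text):
    """Return {key: ip_network} for the CIDR keys present in the config."""
    found = {}
    for key in IMPLIED_DEFAULTS:
        match = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)\s*$", yaml_text, re.MULTILINE)
        if match:
            # strict=True rejects a value such as 10.0.0.1/16 whose host bits are set
            found[key] = ipaddress.ip_network(match.group(1), strict=True)
    return found


def check_cidr_overlap(host_interface, yaml_text):
    """host_interface is the node's IP with prefix, e.g. '172.16.100.111/24'.

    Returns a list of problems; an empty list means the ranges are usable.
    """
    host_net = ipaddress.ip_interface(host_interface).network
    cidrs = dict(IMPLIED_DEFAULTS)
    cidrs.update(extract_cidrs(yaml_text))       # explicit keys win over defaults
    problems = []
    for key, net in cidrs.items():
        if net.overlaps(host_net):
            problems.append(f"{key} {net} overlaps the node network {host_net}")
    if cidrs["pod-cidr"].overlaps(cidrs["service-cidr"]):
        problems.append(f"pod-cidr {cidrs['pod-cidr']} overlaps service-cidr {cidrs['service-cidr']}")
    return problems


if __name__ == "__main__":
    # The lab node from the guide (172.16.100.111) is inside 172.16.0.0/16,
    # which is why the guide overrides pod-cidr; without the override it fails.
    for host in ("172.16.100.111/24", "10.0.5.20/24"):
        print(host, "->", check_cidr_overlap(host, SAMPLE_CONFIG) or "OK")
    print("defaults only ->", check_cidr_overlap("172.16.100.111/24", "cluster:\n") or "OK")
```

Run it against the real install-config YAML with the node's address as shown by ip addr (including the prefix length); the second sample host shows that the guide's 10.0.0.0/16 override is itself wrong for a node that lives in 10.0.x.x, so the values have to be chosen per environment rather than copied.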

Start the installation by running preinstall with the command:

# /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight-install -c /opt/install-config-moutaz.yaml -cmd preinstall
Considering the YAML file is in the /opt directory and named install-config-moutaz.yaml
Log the SSH session (for example with the session logging feature of your SSH client), so that any errors are captured for troubleshooting


It runs automatically; when you see "Setting node prerequisites succeeded", everything is fine so far


The first script phase finishes with a message that NFS was successfully installed on (the ArcSight Platform hostname)

If it finished successfully without errors, start the next phase of the installation

# /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight-install -c /opt/install-config-moutaz.yaml -cmd install
Considering the YAML file is in the /opt directory and named install-config-moutaz.yaml
Accept the agreement and provide the DB admin passwords; note them down, as they will be needed to connect to the DB


Script runs automatically, Just accept the agreement


Set the admin user password for CDF, consider the password requirements, Note down the password
entered


You will receive a notification that the installation is done; if there are errors, the install script exits with errors.
Give it some time (based on the server specs) for the pods to come up.
Check the running pods using either of the following commands:
# kubectl get pods -A
# kubectl get pods --all-namespaces
You should find everything Running or Completed,
except for interset-api, searchmanager-api and searchmanager-engine; it is OK for those to be pending for now
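The "everything Running or Completed except those three" rule is worth automating, since the pod list is long and a single CrashLoopBackOff is easy to miss before moving on to post-installation. The following is an added example, not part of the original guide or of the CDF tooling: it parses the table printed by kubectl get pods -A and lists the pods that should block postinstall, treating a Running pod whose containers are not all ready as blocking too. SAMPLE_OUTPUT is constructed; apart from the three exception names taken from the guide, the pod names in it are illustrative and not from a real cluster.

```python
"""Gate the postinstall step on the state of the cluster's pods.

Added example, not part of the original guide. Blocking pods are those not
Running/Completed, or Running with containers not ready, except the three
the guide says may stay pending until Intelligence is configured.
"""
import subprocess

EXPECTED_PENDING = ("interset-api", "searchmanager-api", "searchmanager-engine")
OK_STATES = {"Running", "Completed", "Succeeded"}

# Constructed sample of `kubectl get pods -A`; pod names are illustrative
SAMPLE_OUTPUT = """NAMESPACE    NAME                              READY   STATUS      RESTARTS   AGE
core         cdf-apiserver-7d9f8b6c5-abcde     1/1     Running     0          30m
core         kube-registry-xyz12               1/1     Running     0          30m
arcsight-1   th-kafka-0                        1/1     Running     0          20m
arcsight-1   fusion-db-migration-4fh2k         0/1     Completed   0          18m
arcsight-1   interset-api-6c8d7-ab12c          0/1     Pending     0          15m
arcsight-1   searchmanager-api-5b7c9-xyz99     0/1     Init:0/1    0          15m
arcsight-1   searchmanager-engine-0            0/1     Pending     0          15m
"""


def parse_pod_table(text):
    """Turn kubectl's whitespace-aligned table into a list of dicts."""
    pods = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        namespace, name, ready, status = parts[:4]
        # newer kubectl prints RESTARTS as e.g. "3 (5m ago)"; keep just the count
        restarts = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else 0
        pods.append({"namespace": namespace, "name": name, "ready": ready,
                     "status": status, "restarts": restarts})
    return pods


def is_expected_pending(name):
    """The guide allows these pods to stay pending until Intelligence is configured."""
    return any(name.startswith(prefix) for prefix in EXPECTED_PENDING)


def blocking_pods(pods):
    """Pods whose state should block postinstall."""
    blocking = []
    for pod in pods:
        if pod["status"] == "Running":
            ready, total = pod["ready"].split("/")
            if ready != total:                      # Running but a container is not ready
                blocking.append(pod)
            continue
        if pod["status"] in OK_STATES or is_expected_pending(pod["name"]):
            continue
        blocking.append(pod)
    return blocking


def ready_for_postinstall(text):
    return not blocking_pods(parse_pod_table(text))


def live_pod_table():
    """Read the real table from kubectl (needs the CDF kubeconfig on the node)."""
    return subprocess.run(["kubectl", "get", "pods", "-A"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for pod in blocking_pods(parse_pod_table(SAMPLE_OUTPUT)):
        print(f"BLOCKING {pod['namespace']}/{pod['name']}: {pod['status']} ({pod['ready']})")
    print("ready for postinstall:", ready_for_postinstall(SAMPLE_OUTPUT))
```

On the node, replace SAMPLE_OUTPUT with live_pod_table() and loop until ready_for_postinstall() is true before running the post-installation phase; a pod that keeps restarting will show up here long before the installer reports it.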


Wait for the pods to be Running or Completed as above, then run the post-installation script as follows,
ignoring interest-api, searchmanager-api and searchmanager-engine for now:
# /tmp/arcsight-installers/cdf-2020.08.00153-20.11.0.5/arcsight-install -c /opt/install-config-moutaz.yaml --cmd postinstall
This assumes the YAML file is in the /opt directory and is named install-config-moutaz.yaml.
Confirm with y.


You will receive the message (Post-install finished).

This means the installation completed successfully.


Now, log in to the ArcSight platform: https://arcsight_platform_hostname:5443

Use the user admin and the password provided during installation.

When you log in you will find the node as follows:


Define the labels that need to run on this node. Type the labels: transformationhub:yes,
fusion:yes, intelligence:yes, recon:yes, soar:yes, esm:yes, layered-analytics:yes, zk:yes, kafka:yes,
th-platform:yes, th-processing:yes, interest-datanode:yes, interest-namenode:yes, interest-spark:yes

Now, you can install the different solution licenses. You can get the evaluation or final licenses from the
entitlement portal; go to Application > Licenses in the CDF admin portal.


Add the license files one after another.

You can then see the license usage.


4.4 ArcSight Intelligence Configuration


You need to configure the port connection for ArcSight Intelligence; check the ports as follows:
# export NS=$(kubectl get namespaces |grep arcsight|cut -d ' ' -f1)
# kubectl -n $NS get svc |grep hdfs-namenode

You will find two ports.

Edit the file /etc/Hadoop/conf/core-site.xml and confirm that the port used matches the command
output.
Also edit the /etc/Hadoop/conf/hdfs-site.xml file as below.

Confirm the ArcSight Intelligence schema as follows:


- Change to the directory: # cd /opt/vertica/bin/
- Change to the user dbadmin, using the password provided during installation: # su dbadmin

- Log in to the Vertica SQL shell: # vsql


- SELECT VERIFY_HADOOP_CONF_DIR();
- SELECT node_name, node_address, export_address FROM nodes;

You should see output similar to the one below (Validation Success).

4.5 ArcSight Fusion


Now, log in to ArcSight Fusion (https://arcsight-platform/mgmt) for the first time to set the password;
use the same email that was used in the YAML file for the Interset DB.
Use your arcsight-platform hostname.

Then, log in with the email and password. Note that the Fusion login is the email.


The following steps configure users in ArcSight ESM and import them into Fusion, and configure
ArcSight ESM single sign-on with Fusion for seamless access to the ArcSight ESM ACC from Fusion.
Create a user from the ArcSight Console under the Users section; for example, if it needs to be an administrator
user, create it under the Administrators group. You need to specify the same email and External User ID as
the email that will be used in Fusion, so that SSO works correctly.

You can also create another user; you have to provide an Email and External User ID that are the same as those that
will be used in Fusion.


Now, in the Fusion interface, import the users.

Specify the ESM hostname, use port 8443, specify the admin user and password to connect to ESM, and select
which roles will be assigned to the imported users.


You will see the users imported into Fusion.

Now, on the ArcSight ESM machine, you need to reconfigure it to use SSO in order to have seamless access to
the ArcSight ESM ACC from Fusion. On the ESM machine:
# /opt/arcsight/manager/bin/arcsight managersetup -i console
You can also use the GUI configuration by removing -i console from the above command.


Accept the defaults or existing configuration until you reach the authentication method; change it to (OSP
Client Only Authentication).
Set the OSP server to the hostname of the ArcSight platform machine and port 8443.
Set the tenant name: default

After the ESM configuration ends, you need to restart the manager service:


# service arcsight_services stop


# service arcsight_services start


Make sure that all services are now available using the command: # service arcsight_services status

Now, on the ArcSight Platform interface, click the three dots beside the deployment node, and choose
Reconfigure.

Go to the FUSION section and scroll down.


Configure the ESM part with the ESM hostname and port 8443.

Restart the Kubernetes services:


# /opt/arcsight/kubernetes/bin/kube-stop.sh


Then start it: # /opt/arcsight/kubernetes/bin/kube-start.sh


Also check that all pods are Running or Completed: # kubectl get pods -A

Now, log in to ArcSight Fusion again (https://arcsight-platform/mgmt) and check whether access to the ESM
Command Center works as single sign-on, without being asked for the password again.


4.6 ArcSight Transformation Hub


ArcSight Transformation Hub (THub) is one of the components installed on the single-node platform,
where it is required by ArcSight Recon and ArcSight Intelligence. It should be running after installation,
which can be verified with # kubectl get pods -A

In the ArcSight platform CDF interface, reconfigure the deployment.

Under the Transformation Hub section, set CEF-to-Avro to 1 and Group 1 routing stream processor
instances to 1.

If you have ArcSight Management Center (ArcMC) in your environment, you can manage and monitor
THub with ArcMC.
In the ArcMC interface: Administration > Security > SSL Server Certificate, then View Certificate.


Under ArcSight platform > Reconfigure > Transformation Hub section, scroll down to the Management
Center Configuration part.
Type the ArcMC username and password and the ArcMC hostname, and paste the ArcMC certificate.

On the ArcSight platform server, export the certificate using the command:


# /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh
Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----


In the ArcMC interface: Node Management > Host > Add Host

Set the hostname to the ArcSight platform hostname that has the THub component, set the port to 32080 and the
cluster port to 443, provide the admin user and password of the ArcSight platform, and finally paste the
certificate that you got from cdf-updateRE.sh.

Now you should see the Transformation Hub in the Topology view and the Deployment view.


4.7 Send Test Events to ArcSight


Install an ArcSight connector on any machine, or on the ArcSight ESM server for demo purposes.
Select the type: Test Alert.
Assuming the connector is installed in the directory /opt/arcsight/connector, copy the sample event
files (*.events) to the connector directory /opt/arcsight/connector/reply/current.
The sample events are in the Appendix section.
You can configure the connector to send events to ArcSight ESM, and also to send events to Transformation Hub,
as follows:
# /opt/arcsight/connector/reply/current/bin/runagentsetup.sh

Modify connector


Add, modify, or remove destination

Add destination


Select Transformation Hub

Configure THub hostname (hostname:0992), send events to topic th-cef


After finishing the configuration, you can run the connector to start sending events using the command:
# /opt/arcsight/connector/reply/current/bin/arcsight agents

Then, select the event file that you need to send to the ArcSight deployment.


Now, you can see the events under (Search) in the ArcSight Fusion interface, which uses ArcSight Recon for
event searching.

4.8 Send Test Events to ArcSight Intelligence


Because ArcSight Intelligence depends on behavioral analytics, there are two sets of sample events, for
Active Directory and Proxy, that you can use to demonstrate ArcSight Intelligence.
We will use two ArcSight Flex connectors to send the AD and Proxy sample events to ArcSight Intelligence.
The Appendix includes the parser files of the AD and Proxy Flex connectors.
Please contact anyone from the Presales team to share the AD and Proxy sample logs with you.
Start installing the ArcSight connector.


Select any directory, or /opt/arcsight/connector/AD

Set the connector parameters.


Set the connector type to (ArcSight FlexConnector File).

Specify the log file location on the server.


Set the configuration file name to the name of the parser configuration file.
Copy the parser file (in the Appendix) to the connector directory:
/opt/arcsight/connector/AD/current/user/agent/flexagent


Send events to Transformation Hub following the same steps used to send events to Transformation Hub from the Test
connector; the same THub port 9092 will be used as the destination for all events from all connectors.

After finishing the installation of the Flex connector, modify the
/opt/arcsight/connector/AD/current/user/agent/agent.properties file so that the following parameter
changes from true to false:

agents[0].startatend=false

Then, run the connector using the command:


/opt/arcsight/connector/AD/current/bin/arcsight connectors
Repeat the same steps for another Flex connector for the proxy events.
After running the Flex connectors, ArcSight Intelligence by default runs the analytics engine at 2 AM
every day; you can trigger the analytics engine to run now by doing the following:

A) Open the CDF Management Portal

Choose "Reconfigure" for the deployment


Under the Intelligence section, change "Analytics Data Retention Period" from 90 to 360, as the sample
events have old timestamps, then Save.

By default, the analytics job will run at 2 AM every day. To manually start the analytics job, do the following:

On the ArcSight Platform node:

cd /opt/arcsight-nfs/arcsight-volume/interset/analytics
rm *.mk
rm blackhawk_down

The analytics process will then start. To monitor the analytics process:

kubectl -n ArcSight_Namespace logs -f Interset_Analytics_Pod_Name -c interset-analytics

For example:
kubectl -n arcsight-installer-m4dbl logs -f interset-analytics-5f745b5866-pt9pb -c interset-analytics

Note: use "kubectl get pods -A" to find out the names of the namespace and pod.

The analytics process will run until the logs from the above command repeat the following:
Analytics for TID 0 was completed. Will run again tommorrow
It is after 02:00:00, continuing


Log in to the ArcSight Platform and select (Entities at Risk) to access ArcSight Intelligence.

Select the Default Tenant (0) and select Attach User.

Type the user's email, then Attach User.


Log out from the ArcSight platform interface, log in again and open (Entities at Risk). Now you should
start to see analytics results.

4.9 ArcSight SOAR


The first step in configuring ArcSight SOAR is to configure forwarding of correlated events from ArcSight
ESM to ArcSight SOAR.
Create a forwarding user on ArcSight ESM with user type (Forwarding Connector); create this user
under the Forwarding Connector Group, after creating that group under Custom User Group.


Create a new Filter

Specify the filter to match Type = Correlation


Configure Forwarding Connector Group>Edit Access Control


Select Filter Resource and select the created filter that matches the correlated events.


Create a new web user on ArcSight ESM, which will be used by the SOAR-to-ESM integration.


Create a new Active List, which will hold the names of the correlated events that need to be forwarded to
ArcSight SOAR.


Change the TTL values to 0 so that the entries are permanent, then select the field (Name).

Create a pre-persistence rule that will set the forwarding parameters in the forwarded events.


Set the condition to match Type = Correlation, Name in the created active list, and Old File Hash is NULL.

Configure the action On Every Event: Set Event Field.


Set Old File ID to be 12345678


Deploy the created rule in Real Time so that it takes effect immediately.


Now you should see the created rule under the Real Time Rules.

Now install the Forwarding connector (SuperConnector): create a directory and install the Forwarding
connector after making the installer executable:
# chmod +x ArcSight-9.0.0.8323.0-SuperConnector64-Linux64.bin


Select Type to be ArcSight Forwarding Connector

Define source to be ArcSight ESM hostname and port 8443


Import ESM certificate

Set destination type CEF Syslog


Set the destination IP to the hostname that has SOAR (the ArcSight platform hostname in case of a single-node
install), and the port to 32200.
Protocol: Raw TCP

Now access Respond under the ArcSight Fusion interface, then Configuration > Create Credential.


As an Internal Credential, set the username and password created on ArcSight ESM for the SOAR integration.

Note down the IP addresses from the following commands; they will be used in the next configuration step:
# kubectl get pods -A -o wide | grep nginx
# ip a | grep cni0
# kubectl get service --all-namespaces | grep soar


In SOAR, Configuration > Alert Source > create alert source configuration.

Select the type (Micro Focus ArcSight ESM), set the address to (https://esm:8443), where esm is the hostname
of ArcSight ESM, set the key to 12345678, and set the allowed IP addresses to the ESM IP and the two IP addresses
from the previous steps (nginx and cni0).
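As an added example (not from the original guide), a shell helper that assembles the allowed-IP list from the ESM IP and the two command outputs above, and refuses to produce a list if any of the three addresses is missing. The addresses, pod names and namespace in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: build the allowed IP address
# list for the SOAR alert source from the values the guide says to note down
# (ESM IP, nginx pod IP, cni0 IP). All addresses and names below are
# constructed for the demo.
# On the platform node:
#   soar_allowed_ips "$ESM_IP" "$(kubectl get pods -A -o wide | grep nginx)" "$(ip a | grep cni0)"

# Constructed sample of "kubectl get pods -A -o wide | grep nginx"; with -o wide
# the pod IP is the 7th column.
SAMPLE_NGINX='arcsight-installer-m4dbl   nginx-ingress-controller-abc12   1/1   Running   0   3h   172.17.17.5   arcsight-platform   <none>   <none>'

# Constructed sample of "ip a | grep cni0"; the address is on the "inet" line.
SAMPLE_CNI0='5: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    inet 172.17.17.1/24 brd 172.17.17.255 scope global cni0'

# $1 = ESM IP, $2 = nginx pod line(s), $3 = cni0 line(s).
# Prints the allow-list one address per line, in order and without duplicates.
# Returns 1 if any of the three addresses is missing: an empty entry would
# leave the alert source either broken or wider than intended.
soar_allowed_ips() {
    esm_ip=$1
    nginx_ip=$(printf '%s\n' "$2" | awk 'NR == 1 { print $7 }')
    cni0_ip=$(printf '%s\n' "$3" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }')
    for ip in "$esm_ip" "$nginx_ip" "$cni0_ip"; do
        if [ -z "$ip" ]; then
            echo "could not determine all three addresses" >&2
            return 1
        fi
    done
    printf '%s\n' "$esm_ip" "$nginx_ip" "$cni0_ip" | awk '!seen[$0]++'
}

# Constructed ESM address for the demo.
soar_allowed_ips 10.0.0.20 "$SAMPLE_NGINX" "$SAMPLE_CNI0"
```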


Select the credential previously created and select Trust invalid SSL certificate, then Test.

The result should be tested successfully.


Under Configuration > Parameters, edit ArcSightListenerEnable and ArcSightAutoEnrichEnable.


Click the Value to enable each of them.


Now, you can add entries to the previously created Active List to include the correlated events that
you need to forward to SOAR.

Under SOAR, Playbook > rule name filter > create alert source rule name.

You can create an alert source rule for each correlated event, with the source ArcSight ESM and Ignore mode: create
alerts; SOAR will automatically create an Alert Source rule for the received incidents.


You can create a threat intelligence integration between SOAR and VirusTotal. You first need to register
on the VirusTotal website using the link: https://www.virustotal.com

Then, after logging in to your account, find the API key that will be used for the integration.

Under SOAR, Configuration > Credential > Create Credential, type Internal Credential, give it a name,


and paste the VirusTotal API key.


Configuration > Integration > Create Integration, give it a name, select the type (Virus Total), set the address
to https://www.virustotal.com, and select the created credential.

Test the integration; you should find it online.

Now, you can use the VirusTotal integration under Incident investigation or Playbook, for example:
Enrich > launch enrichment plugin > threat intelligence > Virus Total

Create a new incident status: Configuration > Incidents > Statuses > Create Status


Create a new status (False Positive).

Also create another status (Resolved).

Edit the incident types: Configuration > Incidents > Types > edit incident


Edit Statuses to include the newly created statuses (False Positive, Resolved).

In Configuration > Parameters, change RESTAPISessionTimeout to 3600.


To integrate SOAR with Active Directory so that it can initiate actions on Active Directory, you need to create a user
in AD.


Add this user to group (Account Operators)


Create a new credential for Active Directory: Configuration > Credential > New credential


Specify it as an Internal Credential, give it a name, and specify the domain user created and its password.

Create the AD integration under Configuration > Integration > New integration, then specify the type to be


Microsoft Active Directory, set the domain IP, select the credential created, and mark Trust invalid
certificate.
You need to change the LDAP configuration as per the example.
Note that for this integration to work, AD should support LDAP over SSL, with the connection on port
TCP/636. You can use the following links to guide the infrastructure team in enabling this:
https://pdhewaju.com.np/2016/04/08/installation-and-configuration-of-active-directory-certificate-services/
https://pdhewaju.com.np/2017/03/02/configuring-secure-ldap-connection-server-2016/


Then, test the AD connection.

Now you can start creating the first workflow playbook: go to Playbooks > create Workflow Playbook.

In the Workflow Playbook Editor > Start from here


Give the playbook step a name, then New > Alert Source Rule Name.

Choose Matches regular expression, then paste the same name as the correlated event received in SOAR.


You can add an action to lock the AD user through the Active Directory integration, and choose whether this action
is permanent or rolled back after a specific time.

The playbook below will set the incident to Critical, assign it to a specific SOC analyst, lock the Active
Directory account of the offender, then close the case as resolved.

After creating the playbook, it needs to be enabled.

The last step is to add the SOAR widgets, so that you can have multiple widgets in the ArcSight Fusion
Dashboard. Copy the soar-widgets tar file to the directory /opt/arcsight-nfs/arcsight-volume/fusion/widget-store/


Decompress the tar file with the command: # tar xvf soar-widgets-1.2.0.2.tar

Then, in the Fusion Dashboard page, you can add a new dashboard or edit any of the existing ones.

Add widget

Select any of the SOAR widgets, like Top Playbooks Executed.


5 Troubleshooting
Below are some cases that you may face during the installation:

5.1 Chrony is not Synchronized


Always make sure that chronyc tracking is normal; this affects time synchronization, which in turn affects
SSO access to the different ArcSight components, especially when trying to access the ESM ACC
from Fusion.
Make sure it is enabled, running and in the normal state as below. If it is not able to synchronize, make sure
that your machine can resolve the CentOS NTP server domains through the DNS used.
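As an added example (not from the original guide), a shell check that reads chronyc tracking output and fails unless the leap status is Normal and the clock is within a few seconds of NTP time; the 5-second tolerance and the two sample outputs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: check "chronyc tracking" output
# for the state the guide expects (Leap status Normal and a clock close to NTP
# time). Values below are constructed samples, not captured from a real host.
# On the live node: chronyc tracking | chrony_ok

# Largest tolerated offset from NTP time in seconds. This is an assumption for
# the demo, not a value from the guide; OSP/SSO tokens between Fusion and ESM
# are time-bound, so drift of more than a few seconds is worth investigating.
MAX_OFFSET_SECONDS=5

# Reads "chronyc tracking" output on stdin. Returns 0 when Leap status is
# Normal and the System time offset is within MAX_OFFSET_SECONDS; otherwise
# prints why it failed and returns 1. A missing Leap status line also fails.
chrony_ok() {
    awk -v max="$MAX_OFFSET_SECONDS" '
        /^Leap status/ { sub(/^[^:]*: */, ""); leap = $0 }
        /^System time/ { sub(/^[^:]*: */, ""); offset = $1 + 0 }
        END {
            ok = 1
            if (leap != "Normal") { print "leap status is \"" leap "\""; ok = 0 }
            if (offset > max) { print "clock is " offset "s away from NTP time"; ok = 0 }
            exit ok ? 0 : 1
        }
    '
}

# Constructed sample of a synchronized host.
SAMPLE_SYNCED='Reference ID    : C0A80101 (ntp.example.internal)
Stratum         : 3
Ref time (UTC)  : Sun Jan 17 10:00:00 2021
System time     : 0.000123456 seconds fast of NTP time
Last offset     : -0.000010000 seconds
RMS offset      : 0.000050000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.100 ppm
Root delay      : 0.010000000 seconds
Root dispersion : 0.002000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal'

# Constructed sample of a host that cannot reach any NTP server.
SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised'

check_synced()   { printf '%s\n' "$SAMPLE_SYNCED"   | chrony_ok; }
check_unsynced() { printf '%s\n' "$SAMPLE_UNSYNCED" | chrony_ok; }

check_synced && echo "sample 1: chrony OK"
check_unsynced || echo "sample 2: chrony NOT OK, fix time sync before testing SSO"
```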

5.2 POD-CIDR network overlap


If the installation fails as below, where one of the failed steps is the PODS_CIDR overlap, this means that
you are using subnet 172.16.0.0/16 for your ArcSight platform and you are not specifying PODS_CIDR in the
YAML configuration file.
You need to specify a different subnet for POD-CIDR and SERVICE-CIDR, as in the example in the ArcSight
Platform Installation section.


5.3 Error Bad Message 431


If you face the error below when trying to open Fusion or any tab in Fusion, try clearing the browser
cache and cookies.

Bad Message 431


reason: Request Header Fields Too Large

5.4 Troubleshooting Commands


- To know the status of the pods; all should be in the Running or Completed state:
# kubectl get pods -A

- To know the IP and port used by the services:


# kubectl get service --all-namespaces

- To troubleshoot a specific pod; replace soar-web-app-svc with the pod you need to
check and replace arcsight-installer-91bin with the namespace shown in the first
column of the kubectl get pods -A command:
# kubectl describe pod soar-web-app-svc -n arcsight-installer-91bin


- To get the logs of the running ArcSight Intelligence analytics; replace arcsight-installer-91bin with
your namespace and replace interset-analytics-765c58cc4f-psfxs with the analytics pod name:
# kubectl -n arcsight-installer-91bin logs -f interset-analytics-765c58cc4f-psfxs -c interset-analytics

- To gracefully shut down the ArcSight platform:


# /opt/arcsight/kubernetes/bin/kube-stop.sh
# /opt/arcsight/kubernetes/bin/kubelet-umount-action.sh
Wait until all pods are stopped according to # /opt/arcsight/kubernetes/bin/kube-status.sh and
# mount | grep nfs shows no NFS mount, then:
# /opt/arcsight-database/kafka_scheduler stop
# /opt/arcsight-database/db_installer stop
Check that the DB is stopped using # /opt/arcsight-database/db_installer status

Then it is ready to shut down.

- To run the ArcSight platform:


# /opt/arcsight-database/db_installer start
# /opt/arcsight-database/kafka_scheduler start
Check that the DB is running using # /opt/arcsight-database/db_installer status
Start the pods using the command:
# /opt/arcsight/kubernetes/bin/kube-start.sh
Check that all pods are running using the command:
# /opt/arcsight/kubernetes/bin/kube-status.sh


6 APPENDIX
1- How to set up a DNS server on a CentOS Linux machine

Setting up BIND for ArcSight Platform 20.11.pdf

2- Single-node all-components YAML file

3- ArcSight sample events

Save the file, then change its extension to .rar

4- ArcSight Intelligence Flex connector parser files

5- Micro Focus Support and open-cases procedure

Support Case procedures

6- Training Content
SOAR training is available at the Training link: https://microfocus-external.sabacloud.com/Saba/Web_spf/NA2PRD0006/common/leclassview/dowbt-0000009843

7- Documentation
All documentation is available on the page:
https://www.microfocus.com/documentation/arcsight/
