ArcSight Express 4.0 Release Notes

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

This document provides a summary of the Express40 Virtual Machine release notes, detailing its specifications, compatibility requirements, hardware demands, networking configuration, internet access capabilities, security settings, and specific setup instructions for ArcSight Express 4.0. The VM is designed to run on various VMware platforms including Workstation 7.0, Player 3.0, Workstation 6.5-7, and Server 2.0 but not Server 1.0. It requires at least an 8 GB RAM allocation for optimal performance and a 64-bit processor with Intel Virtualization Technology enabled in BIOS. The OS is Red Hat Enterprise Linux 5.5 (64-bit), featuring default user credentials arcsight/arcsight and root/arcsight. Networking uses NAT with static IP address settings, and the VM can access the internet via its host connection. No security hardening measures are applied to the virtual machine's operating system. Additional setup instructions include configuring up to 4 CPU cores as needed, setting up network configurations including an eth0 adapter for a static IP (172.16.100.111/24) and an initially disabled eth1 adapter with DHCP, and managing internet access through NAT if the host is connected.

Details:

Express40 Virtual Machine Release Notes Summary:

1. **Image Size**: The virtual machine zipfile expands to 13 GB and requires additional free disk space when running the VM, potentially growing up to 20 GB.
2. **Memory Usage**: By default, the VM is configured for 8 GB RAM; however, it can operate with a minimum of 6.5 GB RAM.
3. **Compatibility**: Compatible with VMware Workstation 7.0, Player 3.0, Workstation 6.5-7, and Server 2.0 but not Server 1.0. VMware ESX users need to convert the VM before use.
4. **Hardware Requirements**: Requires a 64-bit processor with Intel Virtualization Technology enabled in BIOS and at least 8 GB of free space on the host hard drive when running the VM.
5. **Operating System and Login**: The OS is Red Hat Enterprise Linux 5.5, 64-bit, with default login credentials arcsight/arcsight for the normal user and root/arcsight for root.
6. **Networking Configuration**: Uses NAT with a gateway address of 172.16.100.2 and VMnet8 set to 172.16.100.1. The VM has two adapters: eth0 (static IP 172.16.100.111/24) and eth1 (DHCP, initially disabled). Hostname is express30.
7. **Internet Access**: The VM can access the internet through NAT if the host has connectivity.
8. **Security**: No hardening applied to the virtual machine OS.
9. **VM Configuration**: Can be configured with 4 CPU cores; the count can be adjusted up or down as needed.

ArcSight Express Setup: version 4.0 is installed on a virtualized 7400 appliance, with all default content plus additional solutions such as RepSM, AppSM, IDView (with Actors), IT Gov, SOX, PCI, ArcSight Express, and NERC. The storage engine is CORR-E instead of Oracle, eliminating the need for Oracle services. The web Administrative Console can be accessed via https://express40:8443.

To ingest demo events, double-click the “Demo Connector” icon on the VM's desktop, select the Replay tab, choose a scenario file, and control the event rate with the slider bar.

For external console access, install the Express 4.0 console on another machine, add the host express40 to its hosts file, transfer consolefiles.zip from the VM, unzip it to the ArcSight Console directory, and start using it.

To update the license key, copy the new key into the VM and apply it via the provided icon in the ArcSight Services folder.

IdentityView relies on the Active List /All Active Lists/ArcSight System/Actor Data Support/Account Authenticators being populated with entries of the VM's IP address (default 172.16.100.111), which is automatically updated by a correlation rule for IDView 2.0. The Populate Authenticators List rule is enabled in the VM. If the VM's IP address stays at 172.16.100.111, you can turn this rule off because it won't affect any operations. If the IP address changes, keep the rule on and resend IDView events through a demo connector to update the Account Authenticators list in ESM (Enterprise Security Manager) with the new VM IP. The purpose of this feature is to keep track of all authentications performed by users accessing the system. If Actor attribution for events doesn't work correctly, check this list first. Over time, disabling this rule can also help reduce unnecessary system load and improve efficiency.
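The external-console step depends on the name express40 resolving to the VM, and the IdentityView note covers the case where the VM's IP changes. The following is an added example, not part of the release notes, that keeps exactly one correct hosts-file mapping and removes a stale one; the function name, its return codes and a Unix-like console machine using /etc/hosts are assumptions (on Windows the file is C:\Windows\System32\drivers\etc\hosts).

```shell
#!/bin/sh
# Added example, not part of the release notes. Hostname and IP are the values
# quoted on this page; the function name and return codes are assumptions.
#
# ensure_hosts_entry FILE IP NAME
#   0  NAME already maps to IP (file untouched)
#   10 mapping was missing and has been appended
#   11 a stale mapping (NAME -> another IP) was removed, correct one ensured
#   2  bad arguments
ensure_hosts_entry() {
  eh_file=$1; eh_ip=$2; eh_name=$3
  [ -f "$eh_file" ] || return 2
  # Accept only a dotted-quad shape and a plain hostname, nothing with spaces.
  printf '%s\n' "$eh_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
  printf '%s\n' "$eh_name" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$' || return 2
  eh_tmp=$(mktemp) || return 2
  eh_rc=0
  awk -v ip="$eh_ip" -v name="$eh_name" '
    NF == 0 || $1 ~ /^#/ { print; next }   # blank and comment lines pass through
    {
      hit = 0; rest = ""
      for (i = 2; i <= NF && $i !~ /^#/; i++) {
        if ($i == name) hit = 1
        else rest = rest " " $i
      }
      if (!hit)     { print; next }
      if ($1 == ip) { ok = 1; print; next }
      stale = 1                             # NAME points at another address
      if (rest != "") print $1 rest         # keep the other names on that line
    }
    END { exit ok + 2 * stale }             # bit 0: correct entry, bit 1: stale entry
  ' "$eh_file" > "$eh_tmp" || eh_rc=$?
  if [ "$eh_rc" -eq 1 ]; then rm -f "$eh_tmp"; return 0; fi
  [ $((eh_rc & 1)) -eq 1 ] || printf '%s\t%s\n' "$eh_ip" "$eh_name" >> "$eh_tmp"
  cat "$eh_tmp" > "$eh_file"                # cat keeps the file owner and mode
  rm -f "$eh_tmp"
  [ $((eh_rc & 2)) -eq 0 ] && return 10
  return 11
}

# Usage on the console machine (as root), with the defaults from this page:
#   ensure_hosts_entry /etc/hosts 172.16.100.111 express40
```

A return code of 11 means the console machine was still pointing at an old VM address, which is the same situation in which the Account Authenticators list needs refreshing.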

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
