Demo Creation Best Practices ESM & Express
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
The document outlines best practices for creating demonstrations using ESM (Event Stream Management) and Express tools, providing a structured approach with scripts, training materials, use cases, and more. Key elements include content replication, demo creation process, use of specific tools, general guidelines, and detailed procedures for managing various aspects like Replay Connector, Archived Reports, Cases and Notifications, Data Monitors, and archive settings. Additionally, it emphasizes the importance of updating operating systems, performing virus scans, optimizing VM size, ensuring proper network settings, maintaining system performance, and program management during image creation for a comprehensive deliverable setup.
Details:
The provided text outlines best practices for creating demonstrations (demos) using two tools: ESM (Event Stream Management) & Express. These are part of a series titled "Demo Creation Best Practices" which includes various resources such as scripts, training materials, use cases, and more to help in demonstrating these tools effectively. The document is structured around several key elements:

1. **Content Replication Script for Unix**: This script is used to replicate content from one system to another, as is needed when setting up a demo environment using ESM & Express. The script involves managing assets, asset categories, rules, and actors carefully, ensuring that modifications do not disrupt other demos.
2. **Demo Creation Process**: The process includes steps like identifying resources (rules, dashboards) that support the scenario, matching events to existing scenarios or creating new ones by modifying field values in Excel, and using tools like Arcsight Agent CSVConvert to create event files for simulations.
3. **Use of Tools**: Specifically mentions "ESM & Express" as part of the demo creation process, implying these are key components that need to be set up correctly for a successful demonstration.
4. **General Guidelines**: Provides general instructions about setting up both the Console and Replay Connector on Solaris systems, which is essential for replicating the environments used in demonstrations.

This document serves as a guide or manual for creating effective demos using specific tools like ESM & Express, emphasizing careful preparation and attention to detail to ensure smooth execution and realism of the demonstration scenarios. It also outlines several steps and tips for improving the performance of a hard drive, specifically mentioning the use of a replay connector and updating its release if possible.
It also provides instructions on network configurations such as removing local networks and adding ArcNet networks with specific URIs. For IdentityView settings, it suggests enabling uppercase user names and configuring them to be "Enabled (orig to ID)". Regarding agent properties, there is guidance to ensure that the connector does not continuously replay event files by setting "agents[0].continuous=false". The document also covers aspects of exporting events from the Console, including handling messages about skipped alerts and creating custom field sets for export. Lastly, it instructs on using specific commands like "arcsight agent csvconvert" to convert exported CSV files into .events format, which is important for event modification and analysis in the ArcSight system.
This summary outlines several procedures related to using a Replay Connector on a host laptop, managing Archived Reports, handling Cases and Notifications, backing up and exporting content from the Manager, and configuring Data Monitors.
For using a Replay Connector, it is recommended to remain consistent in using the same version of the Connector for both creating and replaying .events files due to differences in event schema between versions. If different versions are used, issues like serializer errors may occur. The destination directory for the created .events file cannot be specified and will always be placed in "replayagent".
Regarding Archived Reports, if the "Save Output" option is not selected, reports default to an expiration of 1 day. It advises editing report names and aliases to remove date and time information from the generated report name.
In managing Cases and Notifications, before publishing a final VM, all related Cases and Notifications should be deleted. This includes checking under the \All Cases\ArcSight Solutions tree for any such cases.
When backing up or exporting content from the Manager, it is advised to export in smaller chunks by resource type (e.g., creating separate packages for Reports and Rules) to avoid including unwanted resources due to default package resource dependency options.
Regarding Trends, all should be disabled before installing a new patch or service pack. After such updates, check whether any previously disabled trends have been re-enabled; trends left in an odd state may need to be enabled and disabled again.
Data Monitors should also be set to run for 2 hours when needed. Consistency is key in creating content, so it is advised to place it in the same directory off the \ArcNet Group as other content created previously. Finally, event files and attachments are mentioned but no specific actions are outlined for them beyond their attachment to events or notifications.
This summary outlines the process for archiving and cleaning up ArcSight partitions, including deleting unnecessary cases, notifications, packages, connectors, and performing database cleanup. The steps include setting properties to disable event time correction in both Manager and Connector agents, running an installation events script, and adjusting archive settings as needed throughout the process. It concludes with finalizing the image for distribution by returning to standard archive settings and cleaning up old partitions through scheduled tasks.
The provided text outlines various steps and recommendations for creating an image that includes detailed deliverables such as Image, Release Notes, MD5 Checksums, Script, Screenshots, PowerPoint with Script Flow, JPEGs, Reports, Event Files, Viewlet, Performance tips, and Attachments. It emphasizes the importance of updating operating systems, performing virus scans, optimizing VM size using VMware tools, ensuring proper network settings, and maintaining system performance through tasks like defragmenting drives and adjusting paging file sizes. The text also highlights essential program management during image creation to optimize resources.