Express 3.0 Partner Release Notes
- Pavan Raja

- Apr 8, 2025
Summary:
The document provides a summary of a virtual machine (VM) named Express30-partner, designed for ArcSight 7400 appliances. Key details include:
1. **System Requirements**: The VM requires approximately 7 GB of disk space when expanded and at least 4 GB RAM. It needs a 64-bit processor with Intel Virtualization Technology enabled in the BIOS.
2. **VM Configuration**: Created using VMware Workstation 7.0 and compatible with several VMware products; ESX users must convert the VM before use. The guest OS is Red Hat Enterprise Linux 5.5 (64-bit), configured for NAT networking with specific IP settings.
3. **Operating System**: Runs on a 64-bit version of Red Hat Enterprise Linux and can be customized with up to 4 CPU cores.
4. **Login Details**: The default login is arcsight with the password arcsight, while the root password is also arcsight.
5. **Networking**: Configures eth0 for a static IP (172.16.100.111/24) and eth1 for DHCP, initially disabled; both use 172.16.100.2 as the gateway address and DNS server.
6. **Connectivity**: The VM can access the internet via NAT if the host has connectivity.
7. **ArcSight Integration**: Includes all default content plus specific ArcSight modules (e.g., IDView, IT Gov, SOX, PCI, ArcSight Express, NERC). It uses a new storage engine (CORR) instead of Oracle and can be accessed remotely via HTTPS://express30:8443 from outside the VM.
8. **Demo Events**: To use demo events, double-click the "Demo Connector" icon, select the Replay tab, pick a scenario file, and control the event rate. Remote access requires additional setup, as detailed in the document.
9. **IDView Functionality**: The rule "Populate Authenticators List" is active while the VM keeps the IP address 172.16.100.111. If the IP address is changed, the rule must remain enabled until the IDView demo events have been replayed, so that the Account Authenticators list is updated with the new VM IP; once that is done, the rule should be disabled, since leaving it on evaluates every incoming event (unnecessary system overhead) and a stale Account Authenticators list leads to inaccurate actor attribution.
The document provides operational guidelines for using the VM in an ArcSight environment, including setup details, connectivity settings, and troubleshooting tips.
Details:
Express30-partner Virtual Machine Release Notes Summary:
1. **System Requirements**: The virtual machine zipfile expands to 7 GB and requires additional free disk space for the hard drive when running the VM, potentially up to 20 GB. It needs at least 4 GB RAM, with a minimum requirement of 4.5 GB RAM. The host computer must have a 64-bit processor supporting Intel Virtualization Technology, enabled in the BIOS.
2. **VM Configuration**: Created using VMware Workstation 7.0 and compatible with VMware Player 3.0, VMware Workstation 6.5-7, and VMware Server 2.0 (excluding version 1.0). ESX users need to convert the VM before use. Kudzu might reconfigure virtual hardware at startup if converted from ESX.
3. **Operating System**: Runs on Red Hat Enterprise Linux 5.5, 64-bit. The default configuration uses 4 CPU cores but can be adjusted.
4. **Login Details**: The OS login is arcsight with a password of arcsight. Root password is also arcsight.
5. **Networking**: Configured for NAT with a gateway address of 172.16.100.2 and the host VMware NAT adapter set at 172.16.100.1. VM has two adapters: eth0 with static IP 172.16.100.111/24 (gateway and DNS both 172.16.100.2), and eth1 set up for DHCP but initially disabled. Hostname is express30.
6. **Connectivity**: The VM can access the internet via NAT if the host has connectivity, though no specific hardening of the OS was mentioned.
7. **Final Note**: If altering the IP address of the VM, consider implications on IDView functionality.
ArcSight Express Setup involves installing version 3.0 on a virtualized 7400 appliance, with ArcSight installed at /opt/arcsight. The demo user is "admin" with password "password". It includes all default content plus IDView (with Actors), IT Gov, SOX, PCI, ArcSight Express, and NERC content and demos. It uses the new ArcSight CORR storage engine instead of Oracle. The web Administrative Console can be accessed at https://express30:8443 from outside the VM.

To flow demo events into ArcSight Express, double-click the "Demo Connector" icon, select the Replay tab, pick a scenario file, and use the slider bar to control the event rate.

For remote access from another machine:
1. Install the console on that machine.
2. Add the host express30 to its hosts file.
3. Transfer the files from /opt/arcsight/installers within the VM and unzip them into the ArcSight Console install directory.
4. Update the license key by copying it into the VM and launching the Update License Key icon in the ArcSight Services folder.

IDView functionality relies on populating Account Authenticators with the correct IP address of the virtual machine for proper attribution of Actors.
The document outlines a rule within the virtual machine (VM) called "Populate Authenticators List." The rule is active while the IP address of the VM remains 172.16.100.111. If the IP address is changed, the rule must remain enabled so that IDView events resent through the demo connector into Event Stream Manager (ESM) update the Account Authenticators list with the new VM IP address.
Leaving the rule enabled permanently adds system overhead, because it evaluates every event entering the system unnecessarily, and it can lead to inaccuracies in actor attribution; if that happens, review the Account Authenticators list. It is therefore recommended to eventually disable this rule unless specific operational requirements necessitate its use.
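As an added illustration (not part of the release notes), the following POSIX shell script checks RHEL-style ifcfg files against the networking defaults described above and reports whether the "Populate Authenticators List" rule still has to stay enabled. It assumes the /etc/sysconfig/network-scripts/ifcfg-* KEY=VALUE format and works on constructed sample files; the changed address 172.16.100.150 is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the release notes. Inspects RHEL-style ifcfg
# files (assumed format: KEY=VALUE lines) and tells whether the VM still
# uses the documented address, which decides how the IDView rule
# "Populate Authenticators List" must be handled.
DEFAULT_VM_IP="172.16.100.111"
DEFAULT_GW="172.16.100.2"

# ifcfg_get FILE KEY: print KEY's value (last occurrence, quotes stripped).
ifcfg_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# authenticators_status FILE: prints "default", "changed <ip>" or "dhcp".
# Exit 0 = documented defaults intact, 1 = IP changed (keep the rule
# enabled until IDView events are replayed), 2 = DHCP (address not fixed).
authenticators_status() {
  case "$(ifcfg_get "$1" BOOTPROTO)" in dhcp) echo "dhcp"; return 2 ;; esac
  ip=$(ifcfg_get "$1" IPADDR)
  if [ "$ip" = "$DEFAULT_VM_IP" ] && [ "$(ifcfg_get "$1" GATEWAY)" = "$DEFAULT_GW" ]; then
    echo "default"; return 0
  fi
  echo "changed $ip"; return 1
}

# iface_disabled FILE: true when the adapter stays down at boot (ONBOOT=no),
# the documented initial state of eth1.
iface_disabled() { [ "$(ifcfg_get "$1" ONBOOT)" = "no" ]; }

# Constructed sample files standing in for the VM's real ifcfg-eth0/eth1.
SAMPLE_DIR=$(mktemp -d)
printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\nIPADDR=%s\nNETMASK=255.255.255.0\nGATEWAY=%s\n' \
  "$DEFAULT_VM_IP" "$DEFAULT_GW" > "$SAMPLE_DIR/ifcfg-eth0.default"
# Made-up changed address, as if an admin had re-addressed the VM.
sed 's/^IPADDR=.*/IPADDR=172.16.100.150/' "$SAMPLE_DIR/ifcfg-eth0.default" > "$SAMPLE_DIR/ifcfg-eth0.changed"
printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nONBOOT=no\n' > "$SAMPLE_DIR/ifcfg-eth1"

for f in "$SAMPLE_DIR/ifcfg-eth0.default" "$SAMPLE_DIR/ifcfg-eth0.changed"; do
  if status=$(authenticators_status "$f"); then
    echo "$f: $status -> defaults intact; the rule can eventually be disabled"
  else
    echo "$f: $status -> keep 'Populate Authenticators List' enabled and replay IDView events"
  fi
done
iface_disabled "$SAMPLE_DIR/ifcfg-eth1" && echo "eth1 is disabled at boot, as documented"
```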