Investigate 1.1 Demo Virtual Machine
- Pavan Raja

- Apr 8, 2025
Summary:
This document summarizes a demo virtual machine (VM) for ArcSight Investigate 1.1 created by Chuck Grochowski on August 11, 2017. The VM includes ArcSight Investigate, Event Broker (EB), and Vertica database version 8.0.5-1. Key changes in this version include:
1. Agent receipt and device receipt times now match in demo events due to the use of device receipt time for event timing.
2. The uncompressed VM requires a larger disk space, increasing from 25 GB to 30 GB, likely because Vertica stores more demo events in this version. Further investigation is needed to understand this increase.
3. A bug that caused pods to break after 6 hours of downtime has been resolved, allowing the removal of the vault-regen workaround script from the VM.
4. The VM's requirements include at least 12 GB RAM and 4 CPU cores with a potential need for more resources depending on available capacity. It expands to 30 GB on disk but does not require an SSD.
5. Usage notes are provided in the description section of the VM when viewed in VMware Workstation, specifying memory and CPU requirements as well as storage expansion needs.
Additionally, there is a modified demo script for ArcSight Investigate version 1.10 due to changes in the event broker and features. This script can be downloaded from the iROCK document under "ArcSight Edition." Users need Event Broker 2.02, included with the VM, to demonstrate or utilize connectors sending custom events into the database.
Details:
This document provides information about a demo virtual machine (VM) for ArcSight Investigate 1.1, created by Chuck Grochowski on August 11, 2017. The VM includes features such as ArcSight Investigate, Event Broker (EB), and Vertica database version 8.0.5-1. Key changes in this version include:
1. Agent receipt and device receipt times now match in demo events due to the use of device receipt time for event timing.
2. The uncompressed VM requires a larger disk space, increasing from 25 GB to 30 GB, likely because Vertica stores more demo events in this version. Further investigation is needed to understand this increase.
3. A bug that caused pods to break after 6 hours of downtime has been resolved, allowing the removal of the vault-regen workaround script from the VM.
4. The VM's requirements include at least 12 GB RAM and 4 CPU cores with a potential need for more resources depending on available capacity. It expands to 30 GB on disk but does not require an SSD.
5. Usage notes are provided in the description section of the VM when viewed in VMware Workstation, specifying memory and CPU requirements as well as storage expansion needs.
The document outlines that ArcSight Investigate version 1.10 includes a modified demo script due to changes in the event broker and features of Investigate. This script is available for download from the iROCK document, specifically under "ArcSight Edition." If users wish to demonstrate or utilize connectors to send custom events into the VM's database, they need to deploy Event Broker 2.02, which is included with the VM.
The modified demo script is attached as "Investigate_1.10_Demo_Script.pdf," which users can download from the specified location under ArcSight Edition on the iROCK document page. The attachment is 467.2 KB in size, and according to Jive Software's content management system, it was last modified on Aug 11, 2017, 2:49 PM.
The content is tagged "demo virtual machine" and "investigate 1.1." The changes in version and features are said to affect visibility related to ArcSight Investigate, but the document gives no further detail on how they affect metrics.
