Multiple Customers on One SmartConnector MSSP Environment

Summary:

The article "ArcSight How-To: Multiple Customers on One SmartConnector (MSSP Environment)" addresses the challenge of separating unique customer data within multi-source, multi-sink (MSSP) environments using ArcSight SmartConnectors. To achieve this, separate console resources for each customer are created with non-overlapping address spaces, and these zones are assigned to the MSSP network. Map files on the connector collecting events are configured to identify customers uniquely based on attributes like hostname or deviceAddress. The map files include key-value pairs where the key is an attribute (e.g., `deviceHostName`, `deviceAddress`) and the value is the customer URI. Examples of these configurations using `deviceHostName`, `deviceAddress`, and ranges are provided. To activate this configuration, it is recommended to restart the SmartConnector service, which will populate the `Customer URI` field with corresponding data based on the map file entries.

Details:

The article "ArcSight How-To: Multiple Customers on One SmartConnector (MSSP Environment)" discusses a challenge faced by ArcSight users operating in multi-source, multi-sink (MSSP) environments. The main issue is how to separate unique customer data received through a single ArcSight SmartConnector. The solution involves creating console resources for multiple customers with non-overlapping address spaces, assigning these zones to the common MSSP network, and configuring map files on the connector collecting events. This ensures that each customer's data is segregated effectively without interference between different customer networks. The text discusses configuring map files for a connector to identify customers uniquely based on attributes such as hostname or deviceAddress. It provides examples of how to set up these maps using `deviceHostName`, `deviceAddress`, and `deviceAddress` ranges. The map files are stored in `$ARCSIGHT_HOME/user/agent/map/map.X.properties` and include key-value pairs where the key is an attribute like `deviceHostName`, `deviceAddress`, or a range, and the value is the customer URI. For example: 1. Using `deviceHostName`: ``` event.deviceHostName, set.event.customerURI IDS-ABC, All Customers/ABC Corp IDS-XYZ, /All Customers/XYZ Corp ``` 2. Using `deviceAddress`: ``` event.deviceAddress, set.event.customerURI 192.168.242.2/, All Customers/XYZ Corp 172.168.242.2/, /All Customers/ABC Corp ``` 3. Using `deviceAddress` range: ``` range.event.deviceAddress, set.event.customerURI 192.168.1.0-192.168.1.255/, All Customers/XYZ Corp 172.16.242.0-172.16.242.255/, /All Customers/ABC Corp ``` To activate this configuration, it is recommended to restart the SmartConnector service. Once activated, each time the connector receives an event from a device address listed in the properties file, the `Customer URI` field will be populated with the corresponding data based on the map file entries.