RepSMModelImportConn Config Guide
- Pavan Raja

- Apr 9, 2025
Summary:
The "Configuration Guide for Model Import Connector for RepSM" is a document designed to assist IT security professionals in installing and configuring the HP ArcSight Model Import Connector for Reputation Security Monitor (RepSM). This connector retrieves reputation data from the RepSM threat intelligence service, processes it, and forwards it to either HP ArcSight Enterprise Security Manager (ESM) or HP ArcSight Express. The guide covers key points such as purpose, features, supported platforms, installation steps, and revision history.
The document outlines detailed steps for installing the connector, including obtaining a license activation key, downloading the appropriate installer based on the operating system, running the installer, configuring parameters like service activation key and update frequency, and entering manager credentials to complete the installation process. It also provides information on heap size, batching configuration, timer optimization, memory settings, user setup, and optional optimizations for changing event archive sizes.
The guide includes troubleshooting tips such as viewing log files and stopping all connectors using specific commands based on the platform (Windows or Linux). Additionally, it covers managing agent logs by identifying their location, removing unnecessary log files to optimize storage space, and clearing entries related to malicious domains and IP addresses in the ArcSight Console. This comprehensive document is essential for effectively deploying and managing connectors in an organization's security infrastructure to improve threat detection accuracy and reduce false positives using reputation data.
Details:
The "Configuration Guide for Model Import Connector for RepSM" is a document provided by Hewlett-Packard (HP) which outlines the steps for installing and configuring the HP ArcSight Model Import Connector for Reputation Security Monitor (RepSM). This connector is used to retrieve reputation data from the RepSM threat intelligence service powered by HP DVLabs, process it, and forward it to either HP ArcSight Enterprise Security Manager (ESM) or HP ArcSight Express.
**Key Points:**
1. **Purpose**: The guide serves as a manual for installing the HP ArcSight Model Import Connector for Reputation Security Monitor (RepSM), facilitating data collection from the threat intelligence service and forwarding it to ESM or Express for enhanced security analysis.
2. **Features and Functional Summary**: It highlights that the connector retrieves reputation data from the RepSM service, processes it, and sends it to either HP ArcSight Enterprise Security Manager (ESM) or HP ArcSight Express. The connector supports one ESM destination at a time.
3. **Supported Platforms and Prerequisites**: The document specifies supported platforms for the connector installation and lists prerequisites such as having an active RepSM subscription with access to the threat intelligence service, appropriate permissions configured in ESM, and basic system requirements like Java Runtime Environment (JRE) version 7 or later.
4. **Installation and Configuration Steps**: It includes detailed steps for installing the connector, setting up a model import user in ESM, and optimizing data transfer using a timer if necessary. The guide also covers how to reload RepSM data after installation or updates.
5. **Revision History**: The guide notes that the document is confidential and provides a link at the end of the document to view copyrights and acknowledgements.
This configuration guide is intended for IT security professionals who are responsible for deploying and managing connectors in their organization's security infrastructure, ensuring effective use of reputation data to improve threat detection accuracy and reduce false positives.
The Model Import Connector for Reputation Security Monitor (RepSM) is designed to import IP addresses and host/domain names into HP ArcSight Enterprise Security Manager (ESM). It retrieves reputation attributes such as Reputation Score and Threat Type, starting with an initial load of entries and then processing deltas for additions, deletions, and updates. The connector checks for data every two hours by default, sends warnings or messages to ESM as HP ArcSight events, and reports the number of processed updates.
Supported platforms include Microsoft Windows Server 2003 R2 (64-bit), 2008 R2 (64-bit), and Red Hat Enterprise Linux (RHEL) 5.x AS (64-bit). Prerequisites include a Reputation Security Monitor Service (RepSM) subscription, license activation key, HP ArcSight ESM 5.2 or later releases installed correctly on separate machines if possible, local access to the installation machine, and internet connectivity with port 443 for external communication and port 8443 (or configured alternative) for ESM communications.
The connector can be installed by following specific steps outlined in the configuration guide, which involve obtaining a license activation key from HP SSO, downloading the appropriate installer based on the operating system, running the installer, configuring parameters such as service activation key and update frequency, and entering manager credentials to complete installation.
This document provides a comprehensive guide for setting up and configuring the Model Import Connector for RepSM, an HP ArcSight SmartConnector that imports data from RepSM (Reputation Security Monitor) into ESM (Enterprise Security Manager). The connector can be configured to run in different modes, such as standalone or as a service, depending on the platform.
Key aspects of configuration include:
- **Heap Size**: The default is 256MB, which should be increased to a minimum of 2GB and up to 4-6GB based on available memory.
- **Batching Configuration**: For RepSM entries, the batch size is controlled by the `maxeventsbeforebuild` property in `agent.properties`. The default is a total of 2500 events and can be adjusted as needed.
- **Timer Optimization**: The elapsed time between batches sent to ESM is controlled by a timer (`buildmodeldelay`), which defaults to 1 minute and is adjustable via that property in `agent.properties`.
- **Memory Settings**: A script must be created on Linux (`setmem.sh`) or Windows (`setmem.bat`) to set memory allocation for the platform. The script should include options like `-Xms1024m` and `-Xmx2048m` for standalone mode, with similar options for service/daemon modes if applicable.
- **User Setup**: An admin user must be added to the Model Import User field in the ArcSight Console after connector installation.
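
A pre-deployment check for the tuning values listed above, as an added example that is not part of the original guide or HP's tooling: it reads a `setmem.sh` and an `agent.properties` and flags a heap below the 2GB minimum, an `-Xms` larger than `-Xmx`, or a non-numeric batching or timer value. The function names, the tolerance for a dotted prefix on property keys, and the sample file contents are assumptions made for illustration.

```shell
# Added example, not HP's code: file and property names are from the page;
# function names and the sample files at the bottom are constructed.
# Convert a JVM size (2048m, 4g, 262144k, or bare bytes) to whole megabytes.
to_mb() {
  n=${1%[kKmMgG]}
  case "$1" in
    *[gG]) echo $((n * 1024)) ;;
    *[mM]) echo "$n" ;;
    *[kK]) echo $((n / 1024)) ;;
    *)     echo $((n / 1048576)) ;;
  esac
}
# Print the last -Xms or -Xmx value in FILE as MB; print nothing if the flag is absent.
heap_mb() {  # usage: heap_mb FILE Xms|Xmx
  v=$(grep -v '^[[:space:]]*#' "$1" | grep -o -e "-$2[0-9][0-9]*[kKmMgG]\{0,1\}" | tail -n 1)
  if [ -n "$v" ]; then to_mb "${v#-"$2"}"; fi
}
# Print the value of the last uncommented property NAME (a "prefix." before it is tolerated).
prop() {  # usage: prop FILE NAME
  sed -n "s/^[[:space:]]*\([^#=]*\.\)\{0,1\}$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# Print one finding per line; succeed only when there are no warnings.
audit_tuning() {  # usage: audit_tuning SETMEM_FILE AGENT_PROPERTIES
  warn=0
  xms=$(heap_mb "$1" Xms); xmx=$(heap_mb "$1" Xmx)
  if [ -z "$xmx" ]; then
    echo "WARN no -Xmx set: heap stays at the default (256MB per the guide)"; warn=1
  elif [ "$xmx" -lt 2048 ]; then
    echo "WARN -Xmx is ${xmx}MB, below the 2GB minimum"; warn=1
  else
    echo "OK   -Xmx is ${xmx}MB"
  fi
  if [ -n "$xms" ] && [ -n "$xmx" ] && [ "$xms" -gt "$xmx" ]; then
    echo "WARN -Xms ${xms}MB exceeds -Xmx ${xmx}MB: the JVM will refuse to start"; warn=1
  fi
  for key in maxeventsbeforebuild buildmodeldelay; do
    val=$(prop "$2" "$key")
    case "$val" in
      '')       echo "INFO $key not set: connector default applies" ;;
      *[!0-9]*) echo "WARN $key='$val' is not a whole number"; warn=1 ;;
      *)        echo "OK   $key=$val" ;;
    esac
  done
  [ "$warn" -eq 0 ]
}
d=$(mktemp -d)
printf '%s\n' 'OPTS_PLACEHOLDER=" -Xms1024m -Xmx2048m "' > "$d/setmem.sh"
printf '%s\n' 'maxeventsbeforebuild=2500' > "$d/agent.properties"
audit_tuning "$d/setmem.sh" "$d/agent.properties" || echo "tuning needs attention"
rm -r "$d"
```

The check only looks for the `-Xms` and `-Xmx` flags, so it does not depend on how the memory script names its variables.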
The document also covers optional optimizations such as changing event archive sizes and reloading RepSM data by stopping the connector and removing relevant files from the agent data directory. General troubleshooting for SmartConnectors includes viewing log files and stopping all connectors using specific commands, based on the platform (Windows or Linux). This configuration guide is crucial for ensuring optimal performance and functionality of the Model Import Connector for RepSM in an ArcSight environment, facilitating efficient import and management of reputation data from RepSM into ESM.

The guide also provides a set of instructions for managing agent logs and clearing specific entries in the ArcSight Console related to malicious domains and IP addresses, all pertaining to RepSM. The steps are:

1. Identify the location where agent log files are stored (on Linux, `~/ARCSIGHT_HOME/current/logs`; on Windows, `$ARCSIGHT_HOME\current\logs`).
2. Remove all `agent.log` files from this directory to manage storage space and avoid clutter.
3. Access the ArcSight Console interface to locate settings related to the Model Import Connector for RepSM.
4. Clear any entries in the Malicious Domains and Malicious IP Address sections of the console, which might include outdated or erroneous data that could affect system performance or reporting.
5. Restart the connector after making these changes to ensure that the modifications are applied correctly and effectively.
6. Refer to specific configuration guides for further details on Model Import Connector for RepSM if needed, noting that there may be multiple guides with confidential information denoted by "" prefix.
