RepSMModelImportConn Config Guide 5.2.5.6432.0

Summary:

The "Configuration Guide for Model Import Connector for RepSM" is a document designed to assist in setting up and configuring the HP ArcSight Model Import Connector for Reputation Security Monitor (RepSM). Key aspects covered include product overview, features & functional summary, supported platforms, prerequisites, installation instructions, running connectors, administrative tasks using the ArcSight Console, and optional data transfer optimization. The connector is used to retrieve internet reputation data from the HP DVLabs-powered RepSM threat intelligence service and forward it to the HP ArcSight Enterprise Security Manager (ESM). It supports multiple platforms including Windows Server 2008 R2 SP1, Windows Server 2012, Red Hat Enterprise Linux (RHEL) 6.x/7.x, and Ubuntu Linux 14.04/16.04. Prerequisites for installation include administrative access to both the RepSM server and ArcSight ESM manager machine, with certain configurations required on these machines for communication. Installation involves downloading the installer from HP's website onto both the RepSM server and the ArcSight ESM manager machine. Post-installation setup includes configuring IP addresses and ports for secure communication, setting up authentication methods (e.g., Kerberos or basic authentication), and configuring connector settings in the ArcSight Console. Administrative tasks include setting up a model import user in ESM for configuration tasks such as configuring connector settings and monitoring status through the ArcSight Console. Optional data transfer optimization can be achieved by adjusting memory allocation and modifying properties in the `agent.properties` file if required.

Details:

The "Configuration Guide for Model Import Connector for RepSM" is a document that provides instructions on how to install and configure the HP ArcSight Model Import Connector for Reputation Security Monitor (RepSM). This guide covers several key aspects including product overview, features & functional summary, supported platforms, prerequisites, installing the connector, running connectors, administrative tasks using the ArcSight Console, and optional optimization of data transfer. **Product Overview:** The document explains that the HP ArcSight Reputation Security Monitor (RepSM) solution uses internet reputation data to detect advanced persistent threats, zero-day attacks, and provide context to security events by identifying bad behavior from nodes or networks via their network address or DNS name. This information is used in conjunction with the Reputation Security RepSM content package for malware detection, zero-day attack prevention, and dangerous browsing avoidance. **Features & Functional Summary:** The connector retrieves reputation data from the RepSM threat intelligence service (powered by HP DVLabs) and forwards it to HP ArcSight Enterprise Security Manager (ESM). It supports one ESM destination and retains the last version of processed data between restarts. **Supported Platforms:** The guide specifies that the connector is supported on various platforms, including Windows Server 2008 R2 SP1, Windows Server 2012, Red Hat Enterprise Linux (RHEL) 6.x/7.x, and Ubuntu Linux 14.04/16.04. **Prerequisites:** To install the connector, one must have administrative access to both the RepSM server and the ArcSight ESM manager machine. Additionally, certain configurations are required on both machines, such as enabling Windows Remote Management (WinRM) or SSH for communication between platforms. **Installing the Connector:** The installation involves downloading the installer from HP's website onto both the RepSM server and the ArcSight ESM manager machine. Detailed steps include executing the installer, accepting terms and conditions, configuring IP addresses and ports for secure communication, and setting up authentication methods like Kerberos or basic authentication depending on the platform. **Running Connectors:** This section covers starting and stopping connectors, as well as reloading RepSM data to ensure continuous operation and updated data processing. **Administrative Tasks - RepSM Configuration using the ArcSight Console:** The guide explains how to set up a model import user in ESM for configuration tasks like configuring connector settings and monitoring status through the ArcSight Console. This document is intended for those responsible for security infrastructure setup and maintenance, providing detailed steps on integrating external threat intelligence into HP's ArcSight ecosystem for enhanced security operations. The Model Import Connector for RepSM is designed to retrieve and update reputation data from the Reputation Security Monitor (RepSM) service at regular intervals, using only delta information since the last retrieval. If no delta is available, it will perform a full update, potentially causing existing entries in the ESM active list to be replaced with new ones. The connector supports various platforms including Windows Server 2003 R2, 2008 R2, and Red Hat Enterprise Linux (RHEL) 5.x AS, all running on 64-bit systems. To install the connector, users must ensure they have a RepSM subscription and license activation key, as well as prerequisites for local administrator access to the installation machine and internet connectivity over port 443. The connector can be installed via an executable downloaded from HP after receiving a confirmation email containing a link or order number. Post-installation setup includes configuring parameters such as service activation key, update frequency, and proxy settings if required. This document provides a detailed guide on how to configure and set up the Model Import Connector for RepSM, which is an HP ArcSight SmartConnector used for importing data from various sources into Event Management (ESM). The setup process involves several steps including entering proxy settings, configuring manager details, setting connector properties, memory allocation, starting/stopping the import function, and user configuration. Key points include:

• Entering a proxy password if required by the proxy server.

• Configuring ArcSight Manager with host name, port, and authentication credentials.

• Naming the connector and providing additional environment information.

• Adjusting memory settings for optimal performance, which should be set to at least 2GB, with a maximum range of 4GB to 6GB depending on available system memory.

• Starting and stopping the connector's import function manually via the ArcSight Console.

• Setting up an admin user in ESM specifically for this connector’s import operations.

This guide ensures that all configurations are correctly applied to allow seamless integration of data from RepSM into the ArcSight platform. To reload RepSM data and optionally optimize data transfer using a timer, follow these steps: 1. **Stop the connector**: If it is active, stop the connector in the ArcSight Console. 2. **Remove files**: Remove all files at the specified paths:

• Linux: `~/ARCSIGHT_HOME/current/user/agent/agentdata`

• Windows: `$\ARCSIGHT_HOME\current\user\agent\agentdata`

• Linux: `~/ARCSIGHT_HOME/current/user/agent/mic/repdv`

• Windows: `$\ARCSIGHT_HOME\current\user\agent\mic\repdv`

3. **Clear active lists**: At the ArcSight Console, clear all entries in the Malicious Domains and Malicious IP Addresses Active Lists by:

• Selecting each Active List and right-clicking.

• Selecting "Clear Entries."

4. **Restart the connector**. 5. **Optional optimization**: To change the time interval for data transfer (default is 1 minute), edit the `agent.properties` file at `$ARCSIGHT_HOME\current\user\agent`:

• Add the property `agent.component<35>.buildmodeldelay=10000`. This sets the interval to 10 seconds.

By following these steps, you can reload RepSM data efficiently and optionally adjust the timing for data transfer between the connector and ESM (if applicable).