Tech Note: Exploring Unobfuscated Parser and Categorization Files
- Pavan Raja
- Apr 9
- 3 min read
Summary:
This document from Hewlett-Packard (HP) outlines the process for accessing specific files related to their SmartConnector parser, categorization, and recorded events. It includes guidance on how to find these files on the ENGIBRIX file server using iRock credentials. The document also states that all information is confidential and not to be shared outside the evaluation team without explicit authorization from HP. The content of this technical note serves educational purposes and does not imply any partnership or contractual obligations.
The SmartConnector release folder structure includes directories for parsers, categorization, and more, with files such as .properties parser files, mapping files, agent upgrade files, alert mappings, registry properties, scanner properties, and categorizer directory files like AgentInfoAdder1 maps, AgentInfoAdder1.properties, defaultzones.csv, os.mappings.csv, etc. Categorization is managed within a Categorization folder with vendor-specific directories for mapping application protocols to destination ports and categorizing device types based on vendor and product. The "SampleEvents" folder contains specific events and data from which parsers were created to help identify patterns or behaviors in system usage.
Details:
This document from Hewlett-Packard (HP) provides guidance on how to find specific files related to their SmartConnector parser, categorization, and recorded events. It also includes an important confidentiality notice stating that all information within the document is confidential and should not be shared outside of the evaluation team without explicit authorization from HP. The document mentions that it may contain details about current HP products, sales, and service programs, which could change at HP's discretion. HP does not guarantee the accuracy or completeness of the information provided in this document; any use of the information is at the recipient's own risk, with no liability for HP if the information proves to be incorrect or irrelevant.
This technical note outlines the process for obtaining unobfuscated parser and categorization files used by SmartConnectors, which are essential for troubleshooting event processing and for building FlexConnectors or parser overrides. The ENGIBRIX file server serves as the central location where Connector Team members can access these files. To reach it, users log into "Remote Access to HP" with their iRock credentials and the domain "arcsight", then navigate to the path: \\engibrix.arst.usa.hp.com\Support\SupportFolders\Arcsight_Team_Folders\Connector_Team. The content of this document is provided for educational purposes and does not imply any formal partnership or contractual obligations between parties. Pricing estimates are valid for 30 days from the proposal submission date, and HP's proposals are submitted in electronic formats including native file formats and PDF.
The SmartConnector release folder structure includes several directories and files, primarily focused on parsers and categorization. Parsers are contained within a Parsers directory, where specific vendor directories house .properties parser files and mapping files. The agent.upgradefiles.properties file aids in the upgrade process by mapping old to upgraded installations. Alert mappings are defined in alerttosecurityevent.map.properties, while registry.properties provides ArcSight Agent Registry details for that version. Scanner properties handle event handling specifics.
Categorization is managed within a Categorization folder, which includes directories and files such as the categorizer directory, the AgentInfoAdder1 maps (AgentInfoAdder1.map.0.csv, AgentInfoAdder1.map.1.csv, AgentInfoAdder1.map.2.csv), AgentInfoAdder1.properties, defaultzones.csv, and os.mappings.csv. AgentInfoAdder1.map.0.csv maps application protocols to destination ports, AgentInfoAdder1.map.1.csv maps destination ports back to application protocols, AgentInfoAdder1.map.2.csv categorizes device types based on vendor and product, and defaultzones.csv contains the default network zones.
The categorization tree also contains directories for OS and version categorizations, split into two main subdirectories: "current" and "v2x". Inside the "current" directory, vendor-specific folders hold the files used to categorize things like behaviors and techniques. The "v2x" folder also has vendor-specific folders, but these carry the information for setting a simpler category called "arcsightCategory". Lastly, a "SampleEvents" folder stores the specific events and data from which the parsers were created, which helps identify patterns or behaviors in system usage.
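Because map.0 and map.1 are described as inverse mappings, a practitioner who edits them for a parser override will want to confirm the two files still agree. The script below is an added example, not code from the tech note or from HP; it builds a small constructed Categorization folder in a temporary directory, checks that every map.0 entry has its mirror in map.1 and vice versa, and resolves a device category from map.2. The CSV column names (applicationProtocol, destinationPort, deviceVendor, deviceProduct, categoryDeviceType) are assumptions, since the note only states what each file maps, not its layout.

```python
"""Added example: cross-check a SmartConnector-style Categorization folder.

Assumed, not taken from the tech note: the column layouts of the three
AgentInfoAdder1 map files. Only the file names and their purpose come from
the note; the headers and rows below are constructed sample data.
"""
import csv
import os
import tempfile

# Constructed sample files (hypothetical columns, hypothetical rows).
SAMPLE_FILES = {
    "AgentInfoAdder1.map.0.csv": (
        "applicationProtocol,destinationPort\n"
        "http,80\n"
        "https,443\n"
        "ssh,22\n"
    ),
    "AgentInfoAdder1.map.1.csv": (
        "destinationPort,applicationProtocol\n"
        "80,http\n"
        "443,https\n"
        "22,ssh\n"
        "23,telnet\n"  # deliberately absent from map.0 so the check reports it
    ),
    "AgentInfoAdder1.map.2.csv": (
        "deviceVendor,deviceProduct,categoryDeviceType\n"
        "Cisco,ASA,Firewall\n"
        "Snort,Snort,IDS\n"
    ),
}


def write_sample_categorization(root):
    """Create Categorization/categorizer under root and write the sample maps."""
    cat_dir = os.path.join(root, "Categorization", "categorizer")
    os.makedirs(cat_dir, exist_ok=True)
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(cat_dir, name), "w", newline="") as fh:
            fh.write(body)
    return cat_dir


def load_map(path):
    """Read one map file into a list of row dictionaries keyed by header."""
    with open(path, newline="") as fh:
        return list(csv.DictReader(fh))


def check_inverse_maps(cat_dir):
    """Return (proto->port, port->proto, mismatches) for map.0 and map.1.

    A mismatch is any entry in one file whose mirror is missing or points
    elsewhere in the other file.
    """
    map0 = load_map(os.path.join(cat_dir, "AgentInfoAdder1.map.0.csv"))
    map1 = load_map(os.path.join(cat_dir, "AgentInfoAdder1.map.1.csv"))
    proto_to_port = {r["applicationProtocol"]: r["destinationPort"] for r in map0}
    port_to_proto = {r["destinationPort"]: r["applicationProtocol"] for r in map1}

    mismatches = []
    for proto, port in proto_to_port.items():
        if port_to_proto.get(port) != proto:
            mismatches.append(f"map.0 {proto}->{port} has no matching map.1 entry")
    for port, proto in port_to_proto.items():
        if proto_to_port.get(proto) != port:
            mismatches.append(f"map.1 {port}->{proto} has no matching map.0 entry")
    return proto_to_port, port_to_proto, mismatches


def device_category(cat_dir, vendor, product):
    """Resolve the device type for a vendor/product pair from map.2 (case-insensitive)."""
    for row in load_map(os.path.join(cat_dir, "AgentInfoAdder1.map.2.csv")):
        if (row["deviceVendor"].lower() == vendor.lower()
                and row["deviceProduct"].lower() == product.lower()):
            return row["categoryDeviceType"]
    return None


def run_demo():
    """Build the sample folder, run both checks, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cat_dir = write_sample_categorization(tmp)
        _, _, mismatches = check_inverse_maps(cat_dir)
        category = device_category(cat_dir, "cisco", "asa")
    return {"mismatches": mismatches, "category": category}


if __name__ == "__main__":
    for line in run_demo()["mismatches"]:
        print(line)
    print("Cisco/ASA category:", run_demo()["category"])
```

Pointing `check_inverse_maps` at a real categorizer directory instead of the temporary one is the intended use; the mismatch list is empty when the two files are consistent, so any output is a change worth reviewing before the override ships.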