Activate Framework Installation and Configuration


The Activate Framework is NOT just content. It is an end-to-end framework for getting the most out of your security tools. The framework is designed with these factors in mind:
  • A (security) device is useless if it is improperly configured. This means it should be configured to operate using the best practices for that device AND its auditing should be configured to log the things necessary to detect the actions that the device is designed to perform.
  • The ArcSight connectors should be configured and tuned to get the relevant information into ArcSight ESM. This includes validation that the device logs are properly normalized (parsed), with the data mapped to the proper ArcSight Security Event Schema fields, and properly categorized.
  • The ArcSight ESM content (the Activate Content) needs to follow content development best practices, but more importantly, identify the events from the devices it needs in order to address the use cases it was written to support.
  • The ESM content also needs to assist security analysts in determining what is immediately important and actionable. For this, we have the Activate Workflow, which is based of the HPE ArcSight SIOC workflow.
  • Part of the Activate Framework's workflow is process refinement. Tuning rules, updating the Network Model, updating the Asset Model, and regularly reviewing the entries in the Suppression Lists is part of this. Identifying gaps in security coverage, new use cases, retiring old use cases (i.e., your content should fall under a Software Development Life Cycle), is also important.


Most people make the mistake of installing all the content, all at once, then wondering why nothing is working. The most common complaint is "I installed L1-X, and all the rules point to filters that are blank, and nothing works!" This is, of course, the way the system is designed. The L1 packages are dependent upon the Product packages. The Product packages have configuration steps that tell you how to update the proper L1 filters so that the content will work.

This, along with the points in the introduction, means that you should not just blindly start installing content! If anyone ever tells you that all you need to do is plug their device into your network and it automagically will start finding bad guys, they're nave, or they're just trying to make a sale. You spent a lot of time designing and implementing your network, then a lot more time designing and implementing your security program. Plug and Play isn't suddenly going to work, in spite of our goal to make it as easy as possible. We're security people, paranoia is an occupational requirement, if not hazard. Trust, but verify!


include instructions (which will change) on downloading the framework


Testing and QA

A few simple tests to make sure it works

Next Steps

-- GeorgeBoitano - 21 Jan 2016
Topic attachments
I Attachment Action Size Date Who Comment
CIF_FlexConnector.docxdocx CIF_FlexConnector.docx manage 577.3 K 25 Apr 2016 - 01:12 AdaiKumarappan CIF_FlexConnector
models.pngpng models.png manage 13.5 K 18 Apr 2016 - 17:36 MaryCordova  
Edit | Attach | Print version | History: r6 | r4 < r3 < r2 < r1 | Backlinks | View wiki text | Edit WikiText | More topic actions...
Topic revision: r3 - 30 Jan 2017, PrenticeHayes


Activate Wiki

This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback