Activate Packages

Activate organizes its packages by type. The wiki page name of each package is prefixed by a 1- or 2-character code indicating the package type, as defined in the Data Fusion Model:

| Prefix | Package Type | Description |
| N/A | Activate Base | Activate content used by all other packages |
| T | Activate Templates | Activate package templates for creating and exporting packages |
| C | Core Packages | Content for monitoring Activate, the ArcSight environment, and your security infrastructure |
| L1 | Indicators and Warnings | Activate content to detect and report on events that may indicate malicious activity |
| L2 | Situational Awareness | Activate content to contextualize events based on the various internal ArcSight models, including the network model, threat model, actor model, asset model, etc. |
| L3 | Threat Impact and Assessment | Activate content to contextualize events based on previous events and current state |
| L4 | Process Refinement | Activate content to track metrics and to identify deficiencies and gaps in existing processes, as well as missing processes |
| P | Product Packages | Packages pertaining to a specific log source |
| W | Workflow | Packages that enhance the workflow process, supplementing Activate Base |
Within this wiki, each package type has its own page, which is the parent to the individual packages of that type.

Packages and Package Installation

The ArcSight Marketplace provides the zip files that contain the content and updates for the Activate Framework. For the packages that have been updated to the new installation methodology, the zip file contains multiple files. The expected content bundle (the .arb file) is one of them; note that a bundle may contain more than one package. Another file is a Microsoft batch file (.bat). We are working on a Linux/Mac compatible script. There may also be one or more text files with additional information. Here is an example package installation procedure.

The ArcSight Activate Framework uses several different types of packages. Not all of these types of packages are necessary for every case.

Primary Packages

The primary package is the main package for a given bundle. Activate Base is an example of a primary package. It contains most, if not all, of the resources for the use cases, or other purposes, that the package addresses. Primary packages are exported with the package format 'export'. This format causes any active or session list resources contained within the package to be empty (i.e., no data in the lists is exported).

Primary List Packages

Primary list packages exist for bundles whose content requires pre-defined data in order to work properly. These packages should contain only active lists (it doesn't really make sense for session lists, although somebody will probably come up with such a requirement eventually). Primary list packages are exported with the package format 'default', which means that the list data is included in the package. It also means that only active lists with pre-defined entries should be included in the primary list package. Additionally, these lists should be explicitly and individually excluded from the primary package (i.e., exclude the list itself, not the list's parent group).

Update Packages

Update packages are special packages that are used to properly upgrade a package. This may include moving or removing resources. The ArcSight Console does not support packages being used in this way; it is only supported by the command line. This type of package is the secondary reason why we are using scripts, and not the GUI, to import packages.

Customization Packages

Customization packages are designed to preserve the configuration changes you made when you configured the product packages for your installation. When an updated L1 package is imported, it overwrites those configuration changes for all the product packages it supports. The customization package is defined to include the filters that make up the product package configuration, but the package itself is empty, i.e., it carries no actual resource content (the resources have been manually removed). Because of this, the scripts can import the customization package, which then references your current, updated filters. The script then exports the customization package (capturing those filters), imports the primary package (which overwrites the filters), and finally imports the just-exported customization package to restore the product package configuration you made.

How to Create Customization Packages

Instructions on how to build customizations packages are here: HowToBuildCustomizationPackage.

The Installation Scripts

The scripts (or .bat file if you're a die-hard Windows user), perform one or more of the following actions, in this order:
  1. Gather information necessary for the installation/upgrade process.
  2. Import the bundle (contains all the packages).
  3. Install the customizations package.
  4. Delete any old customization packages from the file system where the script is run.
  5. Export the customizations package.
  6. Uninstall the customizations package.
  7. Import the update bundle.
  8. Delete any old update packages from the file system where the script is run.
  9. Export the update bundle.
  10. Uninstall the update bundle.
  11. Install the primary list package, if it exists.
  12. Install the primary package.
  13. Install the customizations package.
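The sequence above, and the customization-package round trip described earlier, as a Bash driver script. This is an added example, not the project's .bat file: ARCSIGHT_BIN, the `arcsight package -action ...` flags, the ESM_LOGIN_ARGS variable and the export file names are assumptions to adapt to your installation. The one addition to the listed steps is a guard that refuses to run step 12 (which overwrites your filters) unless the step-5 export actually exists on disk.

```shell
#!/usr/bin/env bash
# Added example: drives the 13-step Activate install/upgrade sequence listed above.
# Not the project's own .bat script. ARCSIGHT_BIN, the "package -action ..." flags, the
# ESM_LOGIN_ARGS variable and the export file names are assumptions for your installation.
set -euo pipefail

ARCSIGHT_BIN="${ARCSIGHT_BIN:-/opt/arcsight/manager/bin/arcsight}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the plan only, 0 = call the ESM CLI for real
EXPORT_DIR="${EXPORT_DIR:-./exports}"

# Every ESM call goes through one chokepoint so the full sequence can be reviewed first.
esm() {
  if [ "$DRY_RUN" = "1" ]; then printf 'arcsight package %s\n' "$*"; return 0; fi
  # shellcheck disable=SC2086  (login args are word-split on purpose; keep passwords out of argv)
  "$ARCSIGHT_BIN" package "$@" ${ESM_LOGIN_ARGS:-}
}

# Steps 4 and 8: remove stale exports so yesterday's file can never pass for today's backup.
purge_old() {
  if [ "$DRY_RUN" = "1" ]; then printf 'rm -f %s\n' "$1"; else rm -f "$1"; fi
}

# upgrade <bundle.arb> <update.arb> <primary-uri> <customization-uri> <update-uri> [<list-uri>]
upgrade() {
  local bundle="$1" updbundle="$2" primary="$3" custom="$4" update="$5" listpkg="${6:-}"
  local custom_out="$EXPORT_DIR/customizations.arb" update_out="$EXPORT_DIR/update.arb"
  [ "$DRY_RUN" = "1" ] || mkdir -p "$EXPORT_DIR"             # step 1: prerequisites
  esm -action import -f "$bundle"                             # step 2: bundle with all packages
  esm -action install -uri "$custom"                          # step 3: references your live filters
  purge_old "$custom_out"                                     # step 4
  esm -action export -uri "$custom" -f "$custom_out"          # step 5: the backup of your config
  esm -action uninstall -uri "$custom"                        # step 6
  esm -action import -f "$updbundle"                          # step 7
  purge_old "$update_out"                                     # step 8
  esm -action export -uri "$update" -f "$update_out"          # step 9
  esm -action uninstall -uri "$update"                        # step 10
  # Guard not in the original list: step 12 overwrites the filters, so refuse to reach it
  # unless the step-5 backup really landed on disk.
  if [ "$DRY_RUN" != "1" ] && [ ! -s "$custom_out" ]; then
    echo "customization export $custom_out missing or empty; aborting before overwrite" >&2
    return 1
  fi
  [ -z "$listpkg" ] || esm -action install -uri "$listpkg"    # step 11: only if it exists
  esm -action install -uri "$primary"                         # step 12: overwrites the filters
  esm -action import -f "$custom_out"                         # step 13: restore from the export
}

if [ "$#" -ge 5 ]; then upgrade "$@"; fi
```

Run it once with DRY_RUN=1 to review the exact command plan before pointing it at a production Manager.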

The ArcSight Activate Packages

Here is a tree of currently defined package types and packages.

Create a New Package Type

Special Instructions for Editors

Here is a form to create a new package type only. This should be a rare occurrence: only changes to the entire data fusion model should necessitate a new package type. If you want to create a new package, which should be a far more common task, please go to the appropriate package container page and create the new package from there. This will create a new package page using the appropriate template and parent.

If you do in fact need to create a whole new package type, enter the new package type name in the box below as a WikiWord. The form will create a child package type page according to our template, which will then appear in the tree above. Also, please update the table above with the prefix, name and description of your new package type. Finally, please use this form to create new package types; any other topic creation method will bypass the template.

New Package Type Name:

If you have any modifications to the package types template used to create new package type pages, you can find it here

-- GeorgeBoitano - 21 Jan 2016
Topic revision: r13 - 14 Aug 2018, YunPeng