ArcSight SOAR "from the ground up" Build Guide

April 1, 2022

These guides walk through adding SOAR to an existing ESM deployment. First, we’ll cover ESM content that needs to be configured. Next, we’ll install the ArcSight Platform “from the ground up” with CentOS 7.9 Minimal installed nodes. Then, we’ll configure SOAR using the Fusion interface and install the Forwarding Connector. Finally, we’ll configure SSO with Fusion and ESM. There’s also a troubleshooting section, as well as information on integrating SOAR with MITRE ATT&CK and MISP (Malware Information Sharing Platform).

ArcSight ESM 7.6 now includes the SOAR/ESM content as part of its default content. If you're running ESM 7.6 or upgrade to ESM 7.6, this package is included with the release and you don't need to download the "ArcSight ESM and SOAR Integration Content" from Marketplace. If you're running a version prior to ESM 7.6, a link to the SOAR/ESM content is below.

ArcSight SOAR 3.2 / ESM 7.6

PDF

ArcSight SOAR 3.1 / ESM 7.5

PDF

ArcSight ESM 7.5 and SOAR 3.1 Integration Content

Labels:

How To-Best Practice
Comment List
Anonymous
  • Please contact Support; I've seen this before and they should have a fix for it.

  • I have an issue regarding

    (Login to the ITOM Management Portal using “admin” and the “CDF administrator password” you specified during the “install” phase)

    Whenever I try to log in it says invalid user, and my login is:

    admin: cdf password

    But I cannot log in, and I have been reinstalling and doing it over and over again on both Red Hat and CentOS, but to no avail.

    Please help me.

  • I have attached an updated Build Guide for the 2022.1 release (SOAR 3.2 and ESM 7.6). ESM 7.6 now includes the SOAR/ESM content as a part of default content. If you're running ESM 7.6 or upgrade to ESM 7.6, this package is included as part of that release and you don't need to download the "ArcSight ESM and SOAR Integration Content" from Marketplace.

  • This content is now included with ArcSight ESM 7.6.

  • Steve,

    I know it's not relevant to this guide but for BIND, I would put those files you put in /etc/named into /var/named. I know for SELinux and permissions, it can cause problems to use /etc/named.
