Micro Focus Expert

Now Available: ArcSight 2020.2 - Including Recon 1.0, Interset 6.1, ESM 7.3, Logger 7.1, and more...

The ArcSight Product Team is pleased to announce ArcSight 2020.2, which introduces a number of upgrades to the ArcSight platform, and premieres our new logging and investigation tool, ArcSight Recon.

General Availability - ArcSight 2020.2

We are excited to announce the general availability of our Micro Focus ArcSight 2020.2 release! After 20 years in the SIEM space, ArcSight has evolved into a single, Intelligent SOC platform that delivers real-time correlation, behavioral analytics, and advanced threat hunting. This release marks a significant accomplishment in our mission to make SecOps more simple, open and intelligent.

ArcSight 2020.2 offers SOCs a simple approach through a holistic SecOps platform benefiting from a shared UI and a unified storage solution. ArcSight Recon, our new threat hunting and log management solution, consolidates the collection and storage of security event data into a single repository that can be used for all your SecOps needs. Recon joins ESM and Interset on Fusion, our new ArcSight UI. Further, Interset’s new release marks its first general availability within the ArcSight family, and fully integrates the Behavioral Analytics solution into the ArcSight architecture.

Our team works tirelessly to provide a solution that is open to your ever-expanding security environment. Cloud integration in particular has been greatly expanded in this release: ArcSight now features cloud-native deployments and enhanced support for Microsoft Azure and AWS.

ArcSight continues to improve the intelligence of its layered analytics by combining machine learning, correlation, and powerful threat hunting. With its intuitive interface and unified platform, ArcSight improves your SOC’s ability to find and react to threats in your organization.

ArcSight 2020.2 features the releases of ArcSight Recon 1.0 (Next generation Logging/Investigate solution), ArcSight Interset 6.1, ArcSight ESM 7.3, ArcSight Fusion 1.1 (our new UI), ArcSight Logger 7.1, Transformation Hub 3.3, ArcMC 2.9.5 and SmartConnectors 8.0. Below are listed the key features and improvements of our second ArcSight 2020 release. Please refer to the ArcSight Documentation pages for each product (cited below) for more complete information. 

ArcSight Recon 1.0 - Logging and Investigation

ArcSight Recon is a comprehensive log management and search solution that eases compliance burdens and accelerates forensic investigation for security professionals. It combines the compliance, storage and reporting needs of log management with the capabilities of big-data search and analysis. Recon is built for security event logs and is therefore more intuitive and accessible for security analysts; it does not require a DBA to operate. It helps hunt and defeat threats by unifying data logs from across organizations, processing billions of events, and quickly making them available for search, visualization and reporting. Recon helps SOC analysts gain a deeper understanding of alerts across their organization and plays an important role in ArcSight’s mission to deliver powerful layered analytics.

  • User friendly search displays grid or message views, time-based histogram, dynamic query suggestions and search time horizons, UI dark theme, and syntax highlighting
  • Raw message view allows analysts to inspect original, unformatted event logs
  • Event detail panel allows detail inspection for selected events
  • Unified Platform updates to enable routing, filtering and storage for all ArcSight products 
  • Reporting content packages to create, edit and publish reports
  • MITRE ATT&CK reports are available as pre-built content
  • Outlier detection visualizes deviations from baseline host behavior metrics 
  • Single ID and password to access all products within the ArcSight suite

ArcSight Interset 6.1 - Behavioral Analytics

This release provides unmatched visibility with a layered analytics approach through ArcSight architecture alignment, including analytical engine, storage, and data movement components. This release gives customers an easier path to adding the complete set of Interset capabilities, which are complementary to ArcSight’s real-time correlation engine. There have been multiple improvements to performance, focused on more efficient results, and simplified deployment through a unified platform.

  • Joining the ArcSight architecture allows Interset to simplify deployment with more efficient and enriched analytics
  • Enhanced use case detection through the exercising of additional models 
  • Reduced footprint by more accurately sizing environments and resources
  • Integration with Recon for a unified user experience 
  • Simplified and intuitive installation through the Micro Focus Container Deployment Framework
  • Improved analytics flexibility through the updated risk engine which sets the stage for enhanced feedback features, investigation and hunting experiences
  • Unified and extensible user experience through personalized dashboards and Jump and Search features which suit different personas and use cases, using ArcSight UI components, in one view
  • Pluggable UX components for a customizable environment both within and outside the product for a more holistic view

ArcSight ESM 7.3 - Real-time Threat Detection

  • Greater ArcSight Fusion adoption including the option for SecOps administrators to access ArcSight Command Center directly from the new Fusion UI for simpler SIEM management
  • Interactive API documentation through Swagger integration supports a standards-based approach to REST APIs
  • Performance improvements to lists, actor data, and list update speeds
  • Avro ingestion from Transformation Hub, in addition to ESM Binary format

ArcSight Fusion 1.1 – New Layered Analytics UI

  • New Fusion widget SDK (Software Development Kit) enables developers to build their own Fusion widgets, and to publish them to the ArcSight Marketplace
  • ArcSight Recon support with new widgets to convey system health of the Recon infrastructure

ArcSight Logger 7.1 – Log Management

  • Enhanced search UI provides a new navbar, exporting, field summary and saved searches
  • Persisted search results that can be loaded on UI for monitoring
  • Definable Logger roles allow administrators to tune Logger resources based on role
  • Logger peer monitoring enables editing of Logger peer status for searches
  • Data forwarding to Transformation Hub and other Kafka-based message buses 
  • Cloud integration allows Logger to forward data to AWS for archiving
  • Updated libraries for PostgreSQL
  • Unified platform updates to enable routing, filtering and storage for all ArcSight products
  • Storage improvements for more data in the same disk space

Security Open Data Platform - Data Collection, Routing, and Distribution

Transformation Hub 3.3

  • Cloud-native deployment available to leverage Azure services and capabilities
  • Unified platform updates to enable routing, filtering and storage for all ArcSight products
  • CDF doctor available for troubleshooting features of CDF 
  • ZSTD compression is supported, performs better than GZIP compression
  • Updated libraries for RHEL and CentOS
  • Connector support for latest release v8.0

ArcSight Management Center 2.9.5

  • Cloud support for Transformation Hub and Connectors in Azure
  • Unified platform updates to enable routing, filtering and storage for all ArcSight products
  • ZSTD compression is supported, performs better than GZIP compression
  • Updated libraries for RHEL and CentOS, PostgreSQL, Azul Java
  • Connector support for latest release v8.0

SmartConnectors 8.0  

  • Cloud-native support for Azure and AWS, including connectors for AWS S3 and Security Hub
  • Un-obfuscated parsers allow access to parser definitions
  • Updated support for newest Micro Focus Security, Risk and Governance products
  • Improved Connector Load Balancer to increase security
  • ZSTD compression is supported, performs better than GZIP compression
  • Customizable roles to tailor memory allocations for Connectors (with Logger)
  • Updated libraries for RHEL and CentOS

Documentation can be found as follows:

Please note that the above documentation pages will be updated throughout the day and may not all be immediately available.

You will be able to access the new software from the software entitlement portal.

If you have any questions, please contact Customer Support.

Finally, we recommend checking out last week’s ArcSight 2020 webinar as well as our SecOps Unplugged YouTube channel (including our ArcSight 2020.2 video update, which covers the highlights of this release).  We also have exciting news about our recent SOAR acquisition available in our security blog.

Thank you,

ArcSight Product Team

12 Replies
Commodore

Hi! I can't find in the documentation how to un-obfuscate parsers on SmartConnector 8.0... has anybody found out how to do it?

Thanks!

Vice Admiral

Look for FCP-8.0.0.zip in connector downloads

Micro Focus Expert

[Screenshot: Unobfuscated Parsers.jpg]

With the 8.0 release you will now see the link to download the parsers from your download pages, as seen in the example above. The naming convention is FCP-8.0.0.zip.

This is a licensed component of the SmartConnectors.

Cadet 1st Class

Unfortunately categorization files are not included in FCP archive.
It would be great to deobfuscate these also.

Knowledge Partner

@pwheiler @COEST  @dalesio @Wayne Dalesio Can you please let us know under which License the unobfuscated files were released? GPL? BSD? Apache?

Micro Focus Expert

Hello,

Thank you for the great question @vitz1 .  The short answer is Micro Focus is NOT releasing the unobfuscated parsers under any Open Source license, because we ARE NOT releasing the parsers as Open Source.  The Connector, and associated parser, remains the property of Micro Focus in full.

For a bit longer answer, what made the release of unobfuscated parsers noteworthy was that it was correcting a historic decision for modern expectations.  For just under twenty years,  ArcSight treated the parser, which is essentially a configuration file for the connector used to dissect an event, as closed intellectual property.  Therefore, if a customer ran into an issue, their only recourse was to contact Micro Focus / ArcSight and either we would issue a fix, or in some cases we would provide the unobfuscated parser on a case-by-case basis.  This was time consuming and frustrating for customers and partners.

Today, modern SIEMs should be Open.  While there is intellectual property that we should aggressively protect, how we dissect an event shouldn't be one of them.  Not when other alternatives exist in the market that allow customers to see the parsing information and correct it on their own.  So we have spent the past year working through the process of providing a means where we could remove the obfuscation and enable customers, who feel qualified to do so, to make their own parser corrections when needed.

We understand parser editing is not for everyone, and if you do not feel comfortable editing the parser, please do not.  We would still rather have you call our Technical Support and let us help you, but for others editing parsers is in their blood, and this is one more example of how this is not the ArcSight of the past and further demonstrates our commitment to being more open, and enabling ArcSight users to get to value quicker than ever.

I hope this helps resolve any confusion.  If not, post a reply and we'll try again.

Respectfully,

Knowledge Partner

Hello @Myxlplyx,

Thanks for your answer. When you say modern SIEMs should be open and that customers should be able to see and edit parsers on their own, wouldn't it make sense to have the parsers in a more or less open git repository, so that enhancements customers make can find their way back into a central point?

KR

A

Vice Admiral

That would be extremely powerful. Also adding parsers found on Community and by the Community then (separate folders)?

A lot of magic happens on GitHub 😉. I think this would be a great next step, in line with the philosophy laid out before (open but not free to use makes sense).

The repo could be set to have a proprietary license 🙂.

Micro Focus Expert

All,

I sincerely appreciate you all taking the time and providing the feedback.  I can tell you that this conversation has come up before.  I appreciate the insight and frankly the affirmation.  At this time in the process, going as far as what you suggest was something we were not able to do for a number of reasons.  However, I will say that your thoughts / reasoning are not something that is off the table for future consideration; it just was not an option right now.  Again, keep the ideas / thoughts flowing.  I love to hear / read them.

Respectfully,

Commodore

Updated Software Logger files available for what I assume is 7.1.  ArcSight-logger-7.1.0.8337.0.bin and logger-sw-8337-remote.enc are available in the download portal.

Micro Focus, please notify customers when this happens.  I would not have known without running into issues and checking the download portal.

Commodore

All, ArcMC 2.9.5 update IS NOT applicable to C6500 appliances.  This is a change from how it was originally released.  Not sure when it was done but my company did not receive notice and had already downloaded the ArcMC documentation and binaries.
