UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.
Micro Focus Expert
Micro Focus Expert

Now Available: ArcSight 2020.3 - Including SOAR, Intelligence SaaS, ESM 7.4, Recon 1.1, and more...

General Availability – ArcSight 2020.3

We are excited to announce the general availability of ArcSight 2020.3! This year, ArcSight has made incredible strides to help security teams like yours reduce their threat exposure and establish a cyber resilient SOC. The 2020.3 release delivers more resilient, faster, and broader end-to-end detection and response to threats across cloud, on-premises, and SaaS deployments.

ArcSight's 2020.3 release represents another leap forward in the proven and mature ArcSight SecOps platform.  It continues ArcSight’s simplification and modernization journey, focusing on threat detection and response, simplified administration and significant improvement of Connector throughput, hunt/search query performance, and speed of report generation. 

The acquisition and integration of SOAR into the ArcSight family fills a key role in ArcSight’s end-to-end security operations offering, adding orchestration, automation and response capabilities to ArcSight’s powerful layered analytics. With this release, SOAR has been added as a native component to both ESM and Recon, at no additional charge.

Also key to this release is the introduction of ArcSight’s first SaaS solution, announced on October 30, 2020.  Micro Focus launched ArcSight Intelligence (previously known as ArcSight Interset) as a Service to simplify adoption and management of behavioral analytics, with minimal barriers to entry. ArcSight Intelligence as a Service works closely with ArcSight ESM and provides SIEM customers with an easy way to pair behavioral analytics with real-time correlation.

Importantly, this release greatly simplifies ArcSight installation and deployment. A new silent install for containerized deployments installs and configures OS, storage and other prerequisites. It supports both simple single node and highly-available multi-node deployment of ArcSight Intelligence, ArcSight Recon, ArcSight Fusion, and Transformation Hub, based on simple, easy to understand deployment templates.

ArcSight 2020.3 features the releases of ArcSight SOAR 3.0, ArcSight Intelligence SaaS and 6.2, ArcSight ESM 7.4, ArcSight Fusion 1.2, ArcSight Recon 1.1, Transformation Hub 3.4, ArcMC 2.9.6, ArcSight SmartConnectors 8.1, and ArcSight Logger 7.1.1.  The key features and improvements of our third ArcSight 2020 release are listed below. Please refer to the individual release notes for more complete information.

Platform Highlights

  • Automate responses to recognized threats in real-time via native SOAR capabilities offered with ArcSight ESM and ArcSight Recon
  • Deploy ArcSight components in the cloud natively, leveraging native Amazon Web Services and Microsoft Azure services enabling you to reduce TCO and optimize infrastructure footprint
  • Monitor cloud-based services and applications like Amazon S3, AWS Security Hub, Azure Event Hubs and Azure Security Center using cloud-native Connectors
  • Gain enhanced insights with new integrations that pair ArcSight Intelligence’s (aka Interset’s) behavioral analytics with ArcSight ESM's real-time correlation
  • Deploy ArcSight with greater ease using the new silent installer for ArcSight’s containerized products. Supporting both simple single-node deployment, and highly available multi-node deployment of ArcSight Intelligence, ArcSight Recon, ArcSight Fusion, and Transformation Hub, it performs pre- and post-deployment checks and remediates prerequisites.
  • Upgrade ArcSight with no downtime by performing rolling upgrades through the Master and Worker nodes in clusters of containerized products.  Clusters deployed in highly available configurations continue to process events throughout the upgrade.
  • Access information more easily with new online documentation that supplements the traditional PDF guides and enables searching for relevant topics.  Installation, configuration and administration of all containerized products is now covered by the new Administrator's Guide for the ArcSight Platform.
  • Save resources with smaller deployment footprints. Avro-formatted event data is now supported across all ArcSight components, eliminating disk storage duplication, and reducing network transfer and compute overhead. 
  • Navigate the UI more seamlessly with continued integration of the recently introduced ArcSight unified interface, called Fusion, by ArcSight components such as ESM, SOAR, Intelligence and Recon.    
  • Benefit from up-to-date and secure underlying components. The platform has been certified on Red Hat Enterprise Linux 8.2, CentOS 8.2, with current releases of Java runtime, Kubernetes, Docker, CDF, PostgreSQL, Apache Kafka Client, Apache Tomcat, and the Confluent platform (which includes Apache Kafka, Schema Registry and ZooKeeper). Component libraries include current vulnerability compliance, and ciphers are up-to-date.

Component Highlights

ArcSight SOAR 3.0


ArcSight SOAR brings native security orchestration automation and response capabilities to the ArcSight family for faster security operations and enhanced operational efficiency. ArcSight SOAR is available free of charge to both new and existing customers of ArcSight ESM and ArcSight Recon. It is fully programmable and adaptable to meet your team’s unique needs, and enables multiple forms of automation, analyst augmentation, collaborative investigation and response through an intuitive interface.  

ArcSight SOAR connects people, processes, and technology to help security engineers run day-to-day security operations efficiently.  By providing tactical automation and orchestration through a single pane of glass, it enables SecOps teams to ramp up their output despite a growing cybersecurity skills gap and an increasing volume of complex attacks and alerts. 

  • Unified look and feel with ArcSight and single sign-on through Fusion.
  • Full and semi automation of incident creation, triage, investigation, response activities orchestrate all the machine and human elements in SecOps from an easy-to-use interface. Analyst decisions, analyst tasks and end user decisions can be introduced into the loop whenever human supervision is needed with semi automation.
  • Scenario and playbook automation can be customized to efficiently address your SOC’s unique needs with workflows and automation bits written in Python language.
  • Incident Management Service Desk provides collaborative incident response in SecOps, speeds up incident response, and increases analyst efficiency while closing the communication gap.
  • Customizable case management of incident fields, severity, classification, and UI.
  • 110+ integration plugins from 70+ vendors for centralized investigation and response activities from a single pane of glass. No more switching between multiple different tools.
  • Task delegation allows delegation of sensitive tasks to less experienced team members without disruption risks, and engages security analysts from various levels around certain cases while controlling precisely who can do what.
  • Detailed incident timeline records and visualizes incidents while promoting accountability and collaboration in SecOps in an easy-to-digest visualization. 
  • KPI monitoring records SLAs, workloads, analyst activities and automated operations, and reports them in ArcSight's shared Fusion interface. 

ArcSight Intelligence SaaS

ArcSight Intelligence (previously known as ArcSight Interset) evolves to meet your enterprise’s growing threat needs by simplifying adoption of behavioral analytics via a SaaS deployment model. This release reduces and optimizes resource requirements from prior releases. With multiple integration points into ArcSight, gain ingest flexibility for seamless integration and threat coverage. The ArcSight Intelligence SaaS offering provides a simplified service initiative to minimize exposure by reducing your enterprise’s attack surface.

  • Avoid heavy resource requirements typically associated with SaaS analytics implementations.
  • Quicker time to value with seamless integration points into existing ArcSight solutions.
  • Broad event source coverage provided by well-known SmartConnectors.
  • Detect threats in real-time through seamless integration with ArcSight’s real-time correlation engine and auto-populated Active Lists with analytics results.
  • Threat-based risk scores rank entity-specific threats using configurable rules.

ArcSight Intelligence 6.2 (Previously known as ArcSight Interset)

  • Support for additional Connectors allowing analytics to be performed on events from additional VPNs and introducing support for repositories.
  • Integration with Fusion UI eases navigation between Fusion and Intelligence UIs leading to improved analyst experience.

ArcSight ESM 7.4

  • ArcSight SOAR now a native solution within ESM, pairing real-time detection with automated threat response.
  • New MITRE ATT&CK dashboard visualizes your organization’s ability to detect MITRE ATT&CK techniques, to more clearly convey where your organization is covered and, more importantly, where it’s not.
  • Web-based Command Center expands Active List visibility beyond the ArcSight Console, allowing your security team to more easily monitor users and/or systems flagged by ArcSight’s correlation engine.
  • Event Throughput dashboard now includes Pre-Aggregation EPS details.
  • Performance improvements to lists, including enhanced diagnostics, optimization choices, and more.

ArcSight Recon 1.1

  • Improved event details include unique sharable event URLs, export options, integration with “nslookup” and “whois”, and the ability to select field values to search for similar events.
  • New User preferences for search parameters, display formats and limits.
  • Independent retention periods per Storage Group, with support for up to 10 groups, allows sets of logs to be retained for different periods and improves search performance.

Transformation Hub 3.4

  • Cloud-native deployment and configuration of Transformation Hub in an Amazon Web Services environment leveraging AWS services and capabilities.
  • A new stream processor and new Kafka Topics supporting Avro-formatted events are now available.  ArcSight Management Center (ArcMC) and Transformation Hub now enable routing of Avro streams and consumption of Avro events forwarded from ESM or Logger.

ArcSight Management Center 2.9.6

  • New Host Status Exceptions dashboard shows host systems in an exception status (FATAL, CRITICAL, or WARNING).  Pertinent information like the container and rule that was breached is displayed.  It is periodically refreshed like other dashboards.
  • New Device Status export option can now use recent and locally cached status data from the last refresh to quickly generate the device status report. 
  • Transformation Hub AWS and Azure configuration now support cloud-native deployment models.

ArcSight SmartConnectors 8.1

  • Significant SmartConnector performance and stability improvements increase throughput for all event formats, with improvements of up to 1,000% versus SmartConnectors v8.0. As a result of these improvements, this release is also more stable and reliable. 
  • SmartConnectors now emit Avro-formatted event streams for ingestion throughout ArcSight and by non-ArcSight components capable of processing Avro formats.
  • Enhanced support for AWS and Azure cloud services, including:  Azure Security Center and bi-directional SASL Plain Authentication, AWS Security Hub, S3 and CloudTrail, Microsoft 365 Defender and Microsoft Threat Protection.
  • New SmartConnector supporting Okta Identity Management and updated parsers for popular vendors like:  Cisco, Fortigate, Zeek and Juniper.
  • Load Balancer stability improvements

ArcSight Logger 7.1.1

  • Maintenance release addressing security vulnerabilities and issues found in Logger 7.1.


Documentation can be found as follows:


We recommend attending our upcoming ArcSight Expert Days on December 14th and 15th. Our experts will be discussing the 2020.3 release and will be eager to answer any questions you may have!

Finally, we recommend checking out our recent webinar Wrapping up ArcSight 2020as well as our SecOps Unplugged YouTube channel (including our ArcSight 2020.3 video update, which covers the highlights of this release). 

Thank you,

ArcSight Product Team

3 Replies
Micro Focus Contributor
Micro Focus Contributor

Excellent news!


Hi team! Is there any step by step procedure to install a SOAR in a single node architecture?

For an instance, wIth Recon 1.0 there were a recon-installer- package with a "install-single-node.sh" script that did everything automatically, but we are not seeing nothing similar with the new version... As I'm seeing Recon 1.1 does not included it, and neither SOAR.

The procedure to install CDF and their dependecies is so complex, it will be great if Microfocus builds an Ansible or a Shell script to do everything automatically... or at least, an easy step by step procedure.


Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Recon 1.1 has a combined installer for single node and multi node. The steps are described in the docs (link below). Basically, you download the ArcSight Platform Installer, installation packages(Recon, THub, SOAR, etc), create a yaml file based on the examples provided and run the installation (preinstall, install and postinstall).


Thank you

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.