Kerry_Matre Absent Member.

Activate Base Forum

This is the official forum and change lists for Activate Base.

 

The latest update of Activate Base is at Activate Base | HPE Marketplace (https://saas.hpe.com/marketplace/arcsight/activate-base). All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (http://arcsightmarketplace.com or https://saas.hpe.com/marketplace/arcsight).

 

The updated Activate Wiki is now available! See https://marketplace.saas.hpe.com/arcsight/content/activate-framework-wiki for details.

The Activate Base 2.5.2.0 Update is coming soon! (posted here 2017-09-01)

Activate Base 2.5.2.0 Changes

Attention:
There are some modifications to some of the host name Field Manipulation/Convert Case global variables. They should all be converting host names to lower case. Some were converting to upper case. This has been corrected, but may cause some issues when comparing data already in active lists. Please be certain to test this update on your test system with data from your production system to assess the impact. Most likely, some rules may trigger again. We apologize for the inconvenience this will cause.

Modified:

/All Active Channels/ArcSight Activate/Workflow/Investigating Channel
/All Active Channels/ArcSight Activate/Workflow/Main Channel
/All Active Channels/ArcSight Activate/Workflow/Personal Investigating Channel
/All Active Lists/ArcSight Activate/Core/Suppression Lists/Static Suppression Lists/Static (renamed to Static Trusted)
/All Field Sets/ArcSight Activate/Workflow/Investigating Channel
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/atkHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dstHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/srcHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/tgtHostName
/All Filters/ArcSight Activate/Core/Suppression List Filters/All Network Based Suppression Lists
/All Stages/SOC Stages/1: Investigating/Engage External Team
/All Stages/SOC Stages/1: Investigating/Engineer Review
/All Stages/SOC Stages/1: Investigating/Level 1 Investigating
/All Stages/SOC Stages/1: Investigating/Level 2 Review
/All Stages/SOC Stages/2: Final/Added to Case
/All Stages/SOC Stages/2: Final/Case Created
/All Stages/SOC Stages/2: Final/No Further Action Required - Engineer
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 1
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 2
/All Stages/SOC Stages/2: Final/No Further Action Required - Triage
/All Stages/SOC Stages/System/System Monitored
/All Stages/SOC Stages/System/Testing
/All Stages/SOC Stages/System/Triage

Added:

/All Active Channels/ArcSight Activate/Workflow/Engineering Channel
/All Active Channels/ArcSight Activate/Workflow/Personal Engineering Channel
/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Unit/
/All Field Sets/ArcSight Activate/Workflow/Personal Channel
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicDeviceAndActionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicIdsEventIdSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicIdsEventIdWithAttackerTargetAndComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicNameTargetAndPortSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticDeviceAndActionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticIdsEventIdWithAttackerTargetSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticIdsEventIdSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticNameTargetAndPortSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticTrusted
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/System Black Lists/getUntrustedDestination
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/System Black Lists/getUntrustedSource

 

Activate Base 2.5.0.0 Changes (available as of 2017-01-13)

This update is supported on ESM v6.8 and newer.

 

Added:

/All Active Channels/ArcSight Activate/Workflow/Personal Investigating Channel
/All Active Lists/ArcSight Activate/Core/Resource Tracking/Asset Resource Tracking
/All Asset Categories/Site Asset Categories/Address Spaces/High Security/
/All Asset Categories/Site Asset Categories/Role/Business Role/Infrastructure/Computer/Desktop/
/All Asset Categories/Site Asset Categories/Role/Business Role/Security Devices/NIPS/
/All Field Sets/ArcSight Activate/Workflow/Investigating Channel
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dcString1
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcDnsDomain
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcNtDomain
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/agtAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/atkAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/dstAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/dvcAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/srcAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/tgtAssetReference
/All Fields/ArcSight Activate/Core/Field Manipulation/Supporting and Set Event Fields/dstAddress
/All Fields/ArcSight Activate/Core/Field Manipulation/Supporting and Set Event Fields/dvcZone
/All Fields/ArcSight Activate/Core/Resource Tracking/getAssetResourceReference
/All Rules/ArcSight Activate/Core/Resource Tracking/Asset Resource Tracking

 

Updated:

/All Active Channels/ArcSight Activate/Workflow/Investigating Channel
/All Filters/ArcSight Activate/Core/Common/Assets/Device Asset is a NIPS
/All Packages/ArcSight Activate/Activate Base
/All Stages/SOC Stages/1: Investigating/Engage External Team
/All Stages/SOC Stages/1: Investigating/Engineer Review
/All Stages/SOC Stages/1: Investigating/Level 1 Investigating
/All Stages/SOC Stages/1: Investigating/Level 2 Review
/All Stages/SOC Stages/2: Final/Added to Case
/All Stages/SOC Stages/2: Final/Case Created
/All Stages/SOC Stages/2: Final/No Further Action Required - Engineer
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 1
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 2
/All Stages/SOC Stages/2: Final/No Further Action Required - Triage
/All Stages/SOC Stages/System/System Monitored
/All Stages/SOC Stages/System/Testing
/All Stages/SOC Stages/System/Triage

 

Activate Base 2.4.0.0 Changes

Added:

/All Asset Categories/Site Asset Categories/Application/Type/Network Monitoring System

 

Updated:

/All Filters/ArcSight Activate/Core/Suppression List Filters/All Network Based Suppression Lists
/All Active Channels/ArcSight Activate/Workflow/Testing Channel
/All Active Channels/ArcSight Activate/Workflow/Investigating Channel

 

Activate Base 2.3.0.0 Changes

Fixed an issue with the Active Lists package.

 

Activate Base 2.2.0.0 Changes

Added

  • /All Use Cases/ArcSight Activate
  • /All Use Cases/ArcSight Activate/Core
  • /All Use Cases/ArcSight Activate/Core/Product Use Cases
  • /All Use Cases/ArcSight Activate/Development
  • /All Use Cases/ArcSight Activate/Solutions
  • /All Use Cases/ArcSight Activate/Workflow
  • /All Stages/Queued

 

Removed

  • /All Session Lists/ArcSight Activate/Core/User Management
  • /All Session Lists/ArcSight Activate/Core/User Authentication/System Login Tracking

 

Activate Base 2.2.0.0 Notes

Adding the Queued stage was a difficult decision. This is a slightly modified version that allows the SOC Workflow methodology of using the various stages to work (that got broken somehow, or at least became really inconsistent...). The biggest problem with it is that it won't survive an ESM upgrade. We are working on that problem, but there will probably be some workarounds in the meantime.

 

Activate Base Version 2.1.0.0

The latest update of Activate Base is at Activate Base | HPE Marketplace (https://saas.hpe.com/marketplace/arcsight/activate-base). All new and updated Activate Framework packages will be made available on the ArcSight Marketplace (http://arcsightmarketplace.com or https://saas.hpe.com/marketplace/arcsight).

 

  • The updated Activate Wiki will be released soon (hopefully by July 27, 2016)
    • Original FOSwiki format will be supported
    • Centralized Activate documentation is in the works (stay tuned).
  • Activate Base 2.1.0.0 supports ESM v6.8c or newer
    • Apologies to everyone not yet on ESM v6.8c; there were just some changes that wouldn't work on 6.5c SP1.
  • Installer requires Windows (we are working on that).
  • See attached Activate Base Updates.pdf file for list of all resources in Activate Base from version 1.1.0.0 to 2.1.0.0.
  • Complete changes:
    • ActiveList: Cleartext Protocols (moved from L1-Perimeter and Network Monitoring)
    • ActiveList: Suspicious Region - ITAR_OFAC Countries (moved from L1-Perimeter and Network Monitoring)
    • Field: dstDnsDomain
    • Field: dstFqdn
    • Field: dstNtDomain
    • Field: dstProcessName
    • Field: dstUserName
    • Field: srcDnsDomain
    • Field: srcFqdn
    • Field: srcNtDomain
    • Field: srcProcessName
    • Field: srcUserName
    • File: Cleartext Protocols.csv
    • File: Suspicious Region - ITAR_OFAC Countries.csv
    • Filter: Cleartext Protocols

 

Activate Base Version 2.0.0.0

The latest update of Activate Base is now available at Activate Base | HPE Marketplace (https://saas.hpe.com/marketplace/arcsight/activate-base). From this point forward, all new and updated Activate Framework packages will be made available on the ArcSight Marketplace (http://arcsightmarketplace.com or https://saas.hpe.com/marketplace/arcsight).

 

  • Supports ESM v6.5c or newer
  • Installer requires Windows (we are working on that).
  • The updated Activate Wiki will be released soon
    • Original FOSwiki format will be supported
    • Centralized Activate documentation is in the works (stay tuned).
  • Complete changes:
    • ActiveList: ArcSight Suppression List Entry Tracking
    • ActiveList: Dynamic Device and Action with Comments
    • ActiveList: Dynamic IDS Event ID Suppression with Comments
    • ActiveList: Dynamic IDS Event ID with Attacker Target and Comments
    • ActiveList: Dynamic Name Target and Port Suppression with Comments
    • ActiveList: Static Device and Action with Comments
    • ActiveList: Static IDS Event ID Suppression with Comments
    • ActiveList: Static IDS Event ID with Attacker Target Suppression with Comments
    • ActiveList: Static Name Target and Port Suppression with Comments
    • ActiveList: Suppression System Total Count Entry Tracking
    • ActiveList: User Login Tracking
    • ActiveList: User Management
    • AssetCategories: Site Asset Categories/Application/Type/FTP Server/External
    • AssetCategories: Site Asset Categories/Application/Type/FTP Server/Internal
    • AssetCategories: Site Asset Categories/Application/Type/SSH Server
    • AssetCategories: Site Asset Categories/Business Impact Analysis/Business Role/Infrastructure/Computer/Desktop
    • AssetCategories: Site Asset Categories/Business Impact Analysis/Business Role/Security Devices/NIPS
    • Dashboard: Suppression System Stats
    • Field: atkAddress
    • Field: atkAsset
    • Field: atkFqdn
    • Field: dcString3
    • Field: dcString4
    • Field: dcString6
    • Field: dvcAsset
    • Field: evtCustomer
    • Field: evtCustomerName
    • Field: getDeviceIDSType
    • Field: tgtAsset
    • Field: tgtFqdn
    • Field: timeDiffInDays
    • Field: timeDiffInHours
    • Field: timeDiffInMinutes
    • Filter: Active List Entry Added
    • Filter: Active List Entry Deleted
    • Filter: Active List Entry Expired
    • Filter: Active List Entry Updated
    • Filter: Attacker Criticality is High
    • Filter: Attacker Criticality is Very High
    • Filter: Device Asset is a NIDS
    • Filter: Device Asset is a NIPS
    • Filter: Event Locality
    • Filter: Target Criticality is High
    • Filter: Target Criticality is Very High
    • Query: ArcSight Suppression List Entry Tracking
    • Query: ArcSight Suppression Total Entry Count
    • QueryViewer: Suppression List Entry Counts
    • QueryViewer: Suppression System Total Entry Count
    • SessionList: System Login Tracking

 

Activate Base Version 1.1.0.0

  • Supports ESM v6.5c or newer
  • Added Syslog Server Asset Category
  • Added NTP Server Asset Category
  • Added Network Monitoring System Asset Category
  • Corrected issue where filters under development directory were being exported
  • Rearranged the Global Variables (GVs)
  • Replaced the Unit Conversion GVs for bytes in and bytes out
  • Moved and renamed the Labeled Field Viewers (e.g., DNC1 -> dvcCustomNumber1Labeled)
  • Added time stamp GVs suitable for using in case creation with dynamic case names, based on end time
  • Removed the GVs that were only used by the ArcSight System Monitoring 3.0 package
  • Removed the Time Stamp active list that was only used by the ArcSight System Monitoring 3.0 package
  • Created new installation and update procedures

 

See the latest Activate Wiki Content for details.

 

To upgrade:

1 - Download Activate Base 1.1.0.0.zip

2 - Extract it to your Microsoft Windows console installation's current directory (e.g., c:\arcsight\console\current)

3 - Execute ActivateBaseUpdate.bat and follow the instructions

 

DO NOT INSTALL THIS PACKAGE USING THE CONSOLE!!!

 

Note, other Activate packages are also being updated today. If you have any invalid resources, look for the updated package for those resources.

 

Older Version Release Notes

Activate Base Version 1.0.0.5

Added new static suppression lists for network rules

Added new dynamic suppression lists for network rules

Modified Workflow channels to sort by manager receipt time

 

To upgrade, simply import the package and follow the prompts.  You should not be prompted to resolve conflicts unless you have changed the default content.

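The 2.5.2.0 attention note above warns that entries written to active lists by the old upper-casing host-name GVs no longer match lookups by the new lower-casing ones, so rules keyed on those values may trigger again. The following is an added example, not Activate content: a constructed "first seen host" rule and active list in Python that reproduce the re-trigger, give the pre-upgrade check a practitioner would want (how many existing entries change case, and how many collapse into one when lowered), and show the fix of lower-casing the existing entries before applying the update. The field names (srcHostName, dstHostName, tgtHostName) are Activate's; the sample entries, events and the split of which old GVs upper-cased are constructed for illustration.

```python
"""Simulate the Activate Base 2.5.2.0 host-name case change against an active list.

Constructed example, not Activate content: a 'first seen host' style rule that
adds the converted host name to an active list the first time it is seen.
Before 2.5.2.0 some Convert Case GVs upper-cased the host name, after it they
all lower-case it, so entries written by the old GVs stop matching lookups.
"""

# Constructed sample of an active list populated while the old GVs were in use:
# two upper-cased entries, one lower-cased duplicate of an upper-cased one,
# and one that was lower-cased all along.
OLD_ENTRIES = {
    "WEB01.CORP.EXAMPLE",
    "DB02.CORP.EXAMPLE",
    "db02.corp.example",
    "jump01.corp.example",
}

# Constructed sample event stream: (Activate field name, raw host name in the event).
EVENTS = [
    ("srcHostName", "Web01.corp.example"),
    ("dstHostName", "db02.CORP.example"),
    ("tgtHostName", "jump01.corp.example"),
    ("srcHostName", "Web01.corp.example"),
]


def old_convert_case(field, value):
    """Pre-2.5.2.0 behaviour (constructed split): some GVs upper-cased, others lower-cased."""
    return value.upper() if field in ("srcHostName", "dstHostName") else value.lower()


def new_convert_case(field, value):
    """2.5.2.0 behaviour: every host-name GV lower-cases."""
    return value.lower()


def run_rule(active_list, events, convert):
    """'First seen host' rule: fire and add the entry when the converted host is
    not yet in the list. Mutates active_list; returns how many times it fired."""
    fired = 0
    for field, raw in events:
        key = convert(field, raw)
        if key not in active_list:
            active_list.add(key)
            fired += 1
    return fired


def normalize_entries(entries):
    """Pre-upgrade fix and impact check: lower-case the existing entries.
    Returns (normalized_set, entries_that_change_case, entries_that_collapse)."""
    lowered = {e.lower() for e in entries}
    changed = sum(1 for e in entries if e != e.lower())
    collapsed = len(entries) - len(lowered)
    return lowered, changed, collapsed


if __name__ == "__main__":
    print("old GV, existing list  -> fired", run_rule(set(OLD_ENTRIES), EVENTS, old_convert_case))
    print("new GV, existing list  -> fired", run_rule(set(OLD_ENTRIES), EVENTS, new_convert_case))
    fixed, changed, collapsed = normalize_entries(OLD_ENTRIES)
    print(f"{changed} entries change case when lowered, {collapsed} collapse into an existing entry")
    print("new GV, normalized list -> fired", run_rule(fixed, EVENTS, new_convert_case))
```

Run the normalize step against an export of your real list on the test system, as the note asks, before touching production: the "changed" count is the number of entries that will stop matching after the update, and the "collapsed" count is the number of duplicates whose per-entry fields (counts, timestamps, comments) you will have to merge by hand.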
36 Replies
prentice@hpe.co Honored Contributor.

Re: Activate Base Forum

If you have ArcSight System Monitoring 3.0 for Activate (ASM 3.0 for Activate), please uninstall it; things will break. You can install the ASM 3.0 without Activate version to replace it.

Soon, we will publish ASM 4.0 for Activate.

Internetkid New Member.

Re: Activate Base Forum

Do I need Activate_Base_1.0.0.1.arb to be able to install the Activate Base 1.1.0.0.zip? Is it dependent or not?

john.petropoulo1 Absent Member.

Re: Activate Base Forum

Nope! Just run the installer as documented. Prentice went to great lengths to make sure we don't have to do things like this.


simon.simcic@sr Honored Contributor..

Re: Activate Base Forum

Hi,

I am running the update, but I get the following error on step 1. Am I doing something wrong?

Configuration initialized: config\console.defaults.properties; config\console.properties
   ___           _____      __   __
  / _ | ________/ __(_)__ _/ /  / /_
 / __ |/ __/ __/\ \/ / _ `/ _ \/ __/
/_/ |_/_/  \__/___/_/\_, /_//_/\__/
    Package Utility /___/ Version 6.1.0.1933.1 (BE1933_2-18-2015_16:39:17)
Copyright (c) 2001-2015 Hewlett-Packard Development Company, L.P.
All rights reserved.
Logging in to manager 'srcarcex.src.si' with username 'admin'...12.8.2015 16:42:53 com.arcsight.security.util.SSLUtils adjustCiphersuitesToPlatform
INFO: adjustCiphersuitesToPlatform: Excluding cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, it is not supported by this JVM.
12.8.2015 16:42:53 com.arcsight.security.util.SSLUtils adjustCiphersuitesToPlatform
INFO: adjustCiphersuitesToPlatform: Excluding cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, it is not supported by this JVM.
done.
JVM memory allowed: 494.9 MB
System locale: sl_SI
Will now import on the following files:
        C:\arcsight\Console\current\Activate_Base_1.1.0.0.arb
---------------------------------------------------------------------------
com.arcsight.common.archive.c: Invalid archive:Element type "caseSensitiveType" must be declared.
        at helma.xmlrpc.XmlRpcClient$Worker.remoteExceptionFound(Unknown Source)
        at helma.xmlrpc.XmlRpcClient$Worker.getExceptionFromFaultMap(Unknown Source)
        at helma.xmlrpc.XmlRpcClient$Worker.faultFound(Unknown Source)
        at helma.xmlrpc.XmlRpcClient$Worker.execute(Unknown Source)
        at helma.xmlrpc.XmlRpcClient.execute(Unknown Source)
        at com.arcsight.manager.XmlRpcManager.privateExecute(XmlRpcManager.java:480)
        at com.arcsight.manager.XmlRpcManager.execute(XmlRpcManager.java:282)
        at com.arcsight.common.packageresource.bundle.RemoteImportPackageBundle.importPackageBundle(RemoteImportPackageBundle.java:252)
        at com.arcsight.common.persist.remote.RemotePackageResourceBroker.importPackagesForBundle(RemotePackageResourceBroker.java:133)
        at com.arcsight.common.packageresource.PackageUtility.importPackageBundle(PackageUtility.java:2698)
        at com.arcsight.common.packageresource.PackageUtility.main(PackageUtility.java:1161)
Failure During Packaging Process:Invalid archive:Element type "caseSensitiveType" must be declared.
---------------------------------------------------------------------------
Import Failed. Elapsed Packaging Time:1 sec 578 ms

prentice@hpe.co Honored Contributor.

Re: Activate Base Forum

What version of ESM are you using? It's probably not at least ESM v6.5c...

There is a project for porting it for ArcSight Express 4.0, but we aren't really supporting it. I believe we will support the next release of ArcSight Express, but I don't know when that will be released.

StevenvandeBraak Outstanding Contributor.

Re: Activate Base Forum

Add: a base install script for Linux / OS X console users <ActivateBaseUpdate.sh>

#!/bin/bash
# ArcSight Activate Base Install shell script for Linux / OS X
# Steven, Aug 14 2015
# DO NOT IMPORT THE PACKAGE USING THE CONSOLE GUI !
#
# Flow: import the update bundle, install the update package, export it,
# uninstall it, then install the Activate Base package itself.

set -e   # stop at the first failed step instead of continuing against a half-applied update

# ARCSIGHT_HOME (console installation)
arc_home='/Applications/ArcSight/Console/current/'
# ESM FQDN
manager=development-esm.local
# ESM admin user
user=admin
# ESM admin password: taken from the ESM_PASSWORD environment variable if set,
# otherwise prompted for, so it is not stored in the script
if [ -n "$ESM_PASSWORD" ]; then
   pwvar=$ESM_PASSWORD
else
   read -r -s -p "Password for $user@$manager: " pwvar
   echo
fi

cd "$arc_home"

version=1.1.0.0
updateBundle=Activate_Base_${version}.arb
updatePackage="/All Packages/ArcSight Activate/Activate Base Update"
primaryPackage="/All Packages/ArcSight Activate/Activate Base"

echo "Starting ArcSight Activate Base Install"
echo "Version: ${version}"

if [ -f "$updateBundle" ]; then
   echo "Update Bundle '$updateBundle' Exists"
else
   echo "Update Bundle '$updateBundle' Does Not Exist"; exit 1
fi

# Import the update bundle
echo "Importing the update bundle"
bin/arcsight package -q -i -f "${updateBundle}" -m "$manager" -u "$user" -p "$pwvar"

# Install the update package.
echo "Installing the update package."
bin/arcsight package -q -action install -conflict overwrite -package "${updatePackage}" -m "$manager" -u "$user" -p "$pwvar"

# Remove any previous updated package exports (-f: no error when there are none).
echo "Removing any previous updated package exports."
rm -f Activate_Base_Updated_*.arb

# Export the current updated package.
echo "Exporting the current updated package."
bin/arcsight package -q -action export -package "${updatePackage}" -m "$manager" -u "$user" -p "$pwvar" -f "Activate_Base_Updated_$version.arb"

# Uninstall the updated package.
echo "Uninstalling the updated package."
bin/arcsight package -q -action uninstall -package "${updatePackage}" -m "$manager" -u "$user" -p "$pwvar"

# Install the Activate Base content (the primary package, not the update package).
echo "Installing the Activate Base content."
bin/arcsight package -q -action install -package "${primaryPackage}" -m "$manager" -u "$user" -p "$pwvar"

StevenvandeBraak Outstanding Contributor.

Re: Activate Base Forum

In step 5 of the base install manual, the screenshot shows Activate Base is installed and Activate Base Update is not.

Mine show up the other way around:

(screenshot: Screen Shot 2015-08-15 at 01.53.31.png)

Add to manual: you have to install the Activate Base after the script?

simon.simcic@sr Honored Contributor..

Re: Activate Base Forum

I am using Express 4.0.

Will hold on for the Express new version.

alexeynl Honored Contributor.

Re: Activate Base Forum

I've got the same issue on ArcSight Express 4.0.

alexeynl Honored Contributor.

Re: Activate Base Forum

Please add the version supported by the package to the description.

prentice@hpe.co Honored Contributor.

Re: Activate Base Forum

Done.

prentice@hpe.co Honored Contributor.

Re: Activate Base Forum

If you ran the batch file, and everything was properly entered (your account name, the ESM instance name, the password), and everything else worked as usual, this shouldn't happen.

If you ran the script, then it looks like you did enter the proper values. Something else went wrong, like the connection to the manager was lost?

seniorj@bennett Absent Member.

Re: Activate Base Forum

For what it's worth, I was able to get this going on ArcSight Express 4.0 fine.

Open up the ARB files with WinZip/7-Zip, extract the XML, find all instances of 'casesensitivetype' and just comment them out, put them back in the ARB and run the installer.

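The workaround above (unpack the ARB, comment out every caseSensitiveType element, repack) can be scripted so it is repeatable and the number of changed elements is visible. The following is an added example, not from the reply or from ArcSight: a Python script that treats the .arb as a zip archive (an assumption drawn from the reply, which opens it with WinZip/7-Zip), comments out each caseSensitiveType element in every .xml member and writes a new bundle. The element name comes from the import error in the thread; the exact XML shape (a <caseSensitiveType>…</caseSensitiveType> element or a self-closing one) and UTF-8 encoding are assumptions, and the sample bundle is constructed. The caveat a practitioner should keep in mind: the older ESM then simply never sees whatever those elements configured, so check that the installed active lists match on the case you expect, and move to a supported ESM version when you can.

```python
"""Patch an ArcSight .arb bundle so an older ESM import stops rejecting it.

Added example, not the forum poster's or ArcSight's code. Automates the
workaround of commenting out every 'caseSensitiveType' element in the bundle
XML. Assumptions: an .arb is a zip archive whose .xml members are UTF-8, and the
element appears as <caseSensitiveType ...>...</caseSensitiveType> or <caseSensitiveType .../>.
"""
import io
import re
import sys
import zipfile

ELEMENT = "caseSensitiveType"  # element name from the import error on this thread
# Self-closing element, or an element with content (non-greedy, may span lines).
_PATTERN = re.compile(
    rf"<{ELEMENT}\b[^>]*/>|<{ELEMENT}\b[^>]*>.*?</{ELEMENT}>",
    re.DOTALL,
)


def comment_out(xml_text):
    """Wrap every matching element in an XML comment; returns (new_text, count).
    '--' is not allowed inside an XML comment, so such a match is removed instead."""
    count = 0

    def repl(match):
        nonlocal count
        count += 1
        element = match.group(0)
        return "" if "--" in element else f"<!-- {element} -->"

    return _PATTERN.sub(repl, xml_text), count


def patch_arb(arb_bytes):
    """Return (patched_arb_bytes, total_elements_commented) for an .arb given as bytes.
    Only .xml members are rewritten; every other member is copied unchanged."""
    total = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(arb_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.lower().endswith(".xml"):
                text, n = comment_out(data.decode("utf-8"))
                total += n
                data = text.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue(), total


def read_member(arb_bytes, name):
    """Read one member of an .arb (zip) as text; used to inspect the result."""
    with zipfile.ZipFile(io.BytesIO(arb_bytes)) as z:
        return z.read(name).decode("utf-8")


# Constructed sample bundle standing in for Activate_Base_1.1.0.0.arb (not real content).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<archive>
  <ActiveList id="1"><caseSensitiveType>true</caseSensitiveType><name>Static</name></ActiveList>
  <ActiveList id="2"><caseSensitiveType/><name>Dynamic</name></ActiveList>
</archive>
"""


def build_sample_arb():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("resources.xml", SAMPLE_XML)
        z.writestr("manifest.txt", "not xml, left alone")
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python patch_arb.py Activate_Base_1.1.0.0.arb Activate_Base_1.1.0.0-patched.arb
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            patched, n = patch_arb(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
        print(f"commented out {n} <{ELEMENT}> element(s) -> {sys.argv[2]}")
    else:
        patched, n = patch_arb(build_sample_arb())
        print(f"sample bundle: commented out {n} element(s)")
        print(read_member(patched, "resources.xml"))
```

Run it on a copy of the original bundle and keep the unpatched .arb; if the count printed is zero the bundle was not the one the import complained about, and if it is unexpectedly large you are changing more resources than the error suggested.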
simon.simcic@sr Honored Contributor..

Re: Activate Base Forum

Will try it

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.