
Device Status Monitoring Pack
Hey guys,
Appreciate that there are some threads that talk about Device Status Monitoring (DSM), but we have released a content pack to help you get started in ensuring that you always get your event logs. This is aimed more at people that are new to ArcSight and just getting started, as I'm sure that the more seasoned of you will already have something set up.
General Description
The success of any SIEM system relies on receiving events from the respective in-scope source devices and servers. Without any events, the SIEM platform effectively becomes useless. Part of setting up a good SIEM system is creating mechanisms to ensure that these events are received, and the most effective approach to do this is by using the Device Status Monitoring (DSM) capability built into the ArcSight platform.
This content pack utilises the DSM capability to track and alert on any event sources that stop sending events, so that you can take the appropriate action to re-establish the event flow. The pack also contains mechanisms to detect servers/devices that have potentially been removed from the network.
Other Information
+ Attached is the user guide, and the complete pack is available from our website http://www.edgeseven.com/resources.html.
+ This also ties into our blog (http://totalsiem.blogspot.com), where we are currently discussing the "Golden Rules of SIEM"
Hope you all find this useful ... please do provide feedback 😉

Hi Mark,
I'm Bob.
Can you please send me the package.
I really need it for my problem solving!
Email: hlog@ahnlab.com
Thank you!

I need the version that will work with ESM 5.0

Superb
A++++++

Dear Mark,
Could you please send me the Device Status Monitoring Pack @ hatem.metwally@mannai.com.qa
BR,
Hatem Metwally

Hi, Mark,
Could you please send me the device status monitoring pack to my email id Tajudeen.Abdulrashid@chemtura.com
Regards
Tajudeen
Mark Johnston wrote:
Hey guys,
Appreciate that there are some threads that talk about Device Status Monitoring (DSM), but we have released a content pack to help you get started in ensuring that you always get your event logs. This is aimed more at people that are new to ArcSight and just getting started, as I'm sure that the more seasoned of you will already have something set up.
General Description
The success of any SIEM system relies on receiving events from the respective in-scope source devices and servers. Without any events, the SIEM platform effectively becomes useless. Part of setting up a good SIEM system is creating mechanisms to ensure that these events are received, and the most effective approach to do this is by using the Device Status Monitoring (DSM) capability built into the ArcSight platform.
This content pack utilises the DSM capability to track and alert on any event sources that stop sending events, so that you can take the appropriate action to re-establish the event flow. The pack also contains mechanisms to detect servers/devices that have potentially been removed from the network.
Other Information
+ Attached is the user guide, and the complete pack is available from our website http://www.edgeseven.com/resources.html.
+ This also ties into our blog (http://totalsiem.blogspot.com), where we are currently discussing the "Golden Rules of SIEM"
Hope you all find this useful ... please do provide feedback 😉

Hello Tajudeen,
The links you provided are not working anymore. Can you share a new one with us?
Solution Security Architect

fyi only
I just got the confirmation from HP support in Ticket ID 4651189492, that Connector DSM events are limited to 1000 entries only...
"/opt/arcsight/ArcSightSmartConnectors/current/bin/arcsight -quiet agentcommand -c status | grep "Device " | wc -l"
Below is the original wording from the ticket:
Andro
###
Hi,
Thanks for the update. I have just confirmed that indeed in the SmartConnector there is a hardcoded maximum limit on the number of devices for which DSM will be logged/sent. The limit is 1000, as you have observed. So if the connector is receiving events from 5000 devices, only the first 1000 will have DSM enabled.
Regards
ArcSight Support
###
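
A check built on the command and the 1000-device cap quoted in the post above, as an added example that is not part of the original thread or of ArcSight's own tooling. It assumes each DSM-tracked device appears as one line containing "Device " in the status output (which is what the posted grep counts); the 90% warning threshold and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report how close a SmartConnector is to the DSM device cap.
# Assumption: one status line containing "Device " per DSM-tracked device.

DSM_CAP=1000       # hardcoded limit quoted from the support ticket
DSM_WARN_PCT=90    # hypothetical warning threshold

# Reads status text on stdin, prints a one-line verdict and returns:
#   0 = below the warning threshold
#   1 = approaching the cap
#   2 = cap reached (any further devices are not DSM-tracked)
#   3 = no device lines at all (command failed or connector down)
dsm_capacity() {
    count=$(grep -c "Device " || true)
    warn_at=$((DSM_CAP * DSM_WARN_PCT / 100))
    if [ "$count" -eq 0 ]; then
        echo "UNKNOWN: no device lines in status output"
        return 3
    elif [ "$count" -ge "$DSM_CAP" ]; then
        echo "CRITICAL: $count devices, DSM cap of $DSM_CAP reached"
        return 2
    elif [ "$count" -ge "$warn_at" ]; then
        echo "WARNING: $count devices, DSM cap is $DSM_CAP"
        return 1
    fi
    echo "OK: $count devices tracked by DSM"
    return 0
}

# Constructed sample input: N placeholder lines, not real connector output.
fake_status() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "Device $i placeholder"
        i=$((i + 1))
    done
}

# Demo on constructed input; prints the WARNING verdict.
fake_status 950 | dsm_capacity || true
```

On a connector host, pipe the output of the `arcsight -quiet agentcommand -c status` command from the post into `dsm_capacity` instead of `fake_status`. A return code of 2 means sources beyond the cap need a separate silence check, for example a rule on the ESM side.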

Andro,
what would be a sufficient number?
~ Ofer


Hello people, I have the same problem as you: I cannot monitor the absence of events from devices on the connectors.
Could you send me the Device Status Monitoring Pack by email?
Thank you for your help.

Hi Ofer, do you have the DSM pack? Kindly email it to me at rajaasilah.hazwani@gmail.com

Take a look at the Activate content:
https://marketplace.saas.hpe.com/arcsight/content/c-security-system-monitoring-connectors
https://marketplace.saas.hpe.com/arcsight/content/activate-c-security-system-monitoring-base
https://marketplace.saas.hpe.com/arcsight/content/activate-c-security-system-monitoring-appliance
You will also need the base content package:
https://marketplace.saas.hpe.com/arcsight/content/activate-base