Quick shout to and since any credit deserved here is theirs. All I did was try not to get in the way any more than I had to.

All, thanks for the arb, this is very timely and and really great that Activate is getting traction.

Is there a wiki page or other doc for end device configuration?

DOH:

"Installation instructions are provided within the wiki under the Security Technology Monitoring section."

But I am missing end device configuration. Need some help from a few experts!

Sent from my iPhone

Here's a doc to help if you dont have it already:

Error while installing Malware dependency package :

Could Not Find C:\arcsight\Console\current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\L

1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

Any help?

Hey,

So, my guess, and this seems to be a common problem, is that you didn't put all the contents of the zip file into your console's current directory. If you used 7zip or native Windows extraction, it may have put them in a sub-directory. If so, move the contents up a level, and that should fix it when you run the .bat file again.

Hope this helps,

--

Prentice

Hey Mary,

Yes, you are correct, this is done from your console directory, not from ESM.

The screenshot you added has everything you need. The L1-Malware_Monitoring... bundle contains all the other bundles. The .bat file (script) imports this bundle onto the manager, which includes the other .arb files.

The screenshot also has this path:

C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 1.0.0.5

This means you have:

C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 1.0.0.5\DO NOT IMPORT VIA CONSOLE.txt, etc.

Move the .bat and .arb files up one directory, then run the .bat file again. It will work.

ok...now this (apologies for the noobie questions):

'bin\arcsight' is not recognized as an internal or external command,

operable program or batch file.

Could Not Find C:\arcsight\Console\current\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warn

ings_-_Customizations_*.arb

For anyone else that might be having issues below is the resolution:

1. I am using several console versions to connect to several versions of ESM
2. Extracted file contents need to be copied into the *\current directory of the console version/installation for the corresponding ESM destination of the package (oh yeah, of course, totally makes sense!)

Thanks for the call, WebEx, and 2nd pair of eyes Prentice! 

Hi Prentice,

Another issue, in the installation guide for the McAfee ePO package there are instructions from the wiki for the package configuration that outlines "hooking" four filters into the L1 Malware package.  In the screenshots it shows just the McAfee filter.  However, in my package there is a broken filter resource present called "/All Filters/ArcSight Activate/Core/Common/Events/No Events". 

Do I need to address this or should I delete that dependency?

-Mary

Oy!

Yeah, just delete it. I'll fix it in the next update! It should be "false", not a reference to a filter...

Thanks for pointing that out!

--

Prentice

Just a clarification point, if I may.

The filters that we hook product package filters into should have a default value of false. This should be deleted and replaced with the appropriate product filter.

This allows us to install the packages and keep them from randomly firing off of the wrong events before we can configure the product packages. It makes all of our lives easier!

Thanks & fyi,

--

Prentice