Another issue: in the installation guide for the McAfee ePO package, there are instructions from the wiki for the package configuration that outline "hooking" four filters into the L1 Malware package. In the screenshots it shows just the McAfee filter. However, in my package there is a broken filter resource present called "/All Filters/ArcSight Activate/Core/Common/Events/No Events".
Do I need to address this or should I delete that dependency?
Yeah, just delete it. I'll fix it in the next update! It should be "false", not a reference to a filter...
Thanks for pointing that out!
Just a clarification point, if I may.
The filters that we hook product package filters into should have a default value of false. This should be deleted and replaced with the appropriate product filter.
This allows us to install the packages and keep them from randomly firing off of the wrong events before we can configure the product packages. It makes all of our lives easier!
Thanks & fyi,
So I believe there is definitely supposed to be a parser override. Below is a screenshot from the wiki documentation:
Also, parsed events don't contain a target or attacker hostname but the raw events have that information in their schema as agenthostname. Raw events also have the username which is not available in parsed events as well as some other pieces of data.