mding Absent Member.

Arcsight Recommended Naming convention

A new customer is asking what the ArcSight recommended naming convention format is for the following:

1. Connector  2. Rule  3. Report 4. Asset  5. Zone  6. Resource  7. Case

Do we have some doc for this?

Thanks.

3 Replies
Vini Acclaimed Contributor.

Re: Arcsight Recommended Naming convention

Even if ArcSight has a document for this I still see it as a very personal thing.  I would follow the internal naming conventions of the enterprise in case.
esantiago Absent Member.

Re: Arcsight Recommended Naming convention

ArcSight doesn’t have a recommended naming convention for any of the resources. This will all have to be customer specific in the sense that they need to make sure they pick a naming convention that makes sense to them.

Connector names can be a combination of location and function. Rules can have the organization’s ticker symbol or name appended in order to identify it as a custom rule. Cases can have target information, event/rule name, or time. It all really depends on the organization.

I will say that whatever they choose, it needs to be documented and communicated with whoever is responsible for content creation so that there can be consistency. Grouping of resources logically will also help identify pieces that can be leveraged more than once and will reduce the duplication of effort overall.

spark8888 Absent Member.

Re: Arcsight Recommended Naming convention

Hey there,

Indeed it is very customer specific, but if they don't have any sort of template, here is some of the stuff that I suggest to them:

General

For each of the resources in the tree I create a new folder called "customer name". E.g. under filters I create a group called /All Filters/customer. Then I will create all the content under there. Whatever new directories I create under the original folder I will replicate to all other resources.

I try to keep the sub-directories generic. So for example for content based around authentication, I would create a high level group called Authentication Monitoring, and then break it down further say perhaps for Windows or Unix.

When I create a new resource I always add the description to the description field. I also add a note. I use the notes as version tracking. So if we make a change to a resource I will add in the change details, why it was done and CR number if applicable.

Connector Naming

What I use is the machine name followed by the connector type, e.g. server01_syslog_file, server02_syslog_daemon, server03_syslog_file. I then name the folder they are located in as the connector type as well. So for example server01 and server03 would be found under "Syslog File". The reason that I do this is that if I have misplaced a connector (when I installed it) it is easy to see that it's not in the right place. Also if the connector goes down, then I know which box it's on straight away (if a rule hasn't told you already ;-).

It's also worthwhile to use the Comments field when you install a connector to keep installer information such as "Installed by XXXX". This is useful if you have more than 1 admin, as you can track who installed the connector should you have any questions. You can see the value in a few places, but the easiest is if you do "get status".

Queries

For queries I will append a "- report", "- trend" or a "- queryv" to the end of the name. The reason for this is when I create a trend, report or qv, I know which query I should associate with it.

Just some of the stuff that I use, hope it's helpful.

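An added example, not part of the posts above and not ArcSight tooling: a small check for the connector convention described in the last reply (machine name followed by connector type, filed in a folder named after the type). The inventory shape, the lowercase-only name pattern and the function names are assumptions made for illustration.

```python
import re

# Convention from the post: <machine name>_<connector type>, e.g.
# server01_syslog_file, kept in a folder named after the type ("Syslog File").
# Assumption: names are lowercase and the machine name has no underscore.
NAME_RE = re.compile(r"^(?P<host>[a-z0-9-]+)_(?P<ctype>[a-z0-9]+(?:_[a-z0-9]+)*)$")


def expected_folder(ctype):
    """Map a connector type to its folder name: syslog_file -> 'Syslog File'."""
    return " ".join(part.capitalize() for part in ctype.split("_"))


def audit_connectors(inventory):
    """Return (name, problem) pairs for entries that break the convention.

    inventory: iterable of (folder, connector_name) pairs. This shape is
    hypothetical, e.g. typed up from the console's connector tree.
    """
    findings = []
    seen = set()
    for folder, name in inventory:
        match = NAME_RE.match(name)
        if not match:
            findings.append((name, "name is not <machine>_<connector type>"))
            continue
        if name in seen:
            findings.append((name, "duplicate connector name"))
        seen.add(name)
        want = expected_folder(match.group("ctype"))
        if folder != want:
            findings.append((name, f"in folder '{folder}', expected '{want}'"))
    return findings


# Constructed sample inventory (not real data).
SAMPLE = [
    ("Syslog File", "server01_syslog_file"),
    ("Syslog Daemon", "server02_syslog_daemon"),
    ("Syslog Daemon", "server03_syslog_file"),  # misplaced at install time
    ("Syslog File", "Server04 Syslog"),         # does not follow the pattern
]

if __name__ == "__main__":
    for name, problem in audit_connectors(SAMPLE):
        print(f"{name}: {problem}")
```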