ArcSight SmartConnector
Release 4.7.4.5335
July 10, 2009
ArcSight Confidential
Release Notes
Copyright 2009 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight
Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern
Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight,
Inc. All other brands, products and company names used herein may be trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements:
http://www.arcsight.com/company/copyright/.
This document is ArcSight Confidential.
Contents
SmartConnector Release 4.7.4.5335 ... 1
  Important Note for Versions of ArcSight Manager Prior to 3.5 SP3 ... 1
  To Apply This Release ... 1
New Connectors ... 1
Connectors with New Device Versions Supported ... 1
SmartConnector Enhancements ... 2
Connector End-of-Life Notices ... 2
Issues Closed ... 3
Available Beta Support ... 4
  Beta SmartConnectors ... 4
  Scanner FlexConnectors ... 5
Known Issues or Limitations ... 5
New and Updated SmartConnector Documentation ... 7
New Connectors
SmartConnector for: McAfee FoundScan DB
Version entries from this table (connector names missing from the extracted text): 10, R70, 4.1 5.0, 6.7, 5.1, 6.5.118-1
SmartConnector Enhancements
In each SmartConnector release, updates and enhancements are made to the field mappings for individual
SmartConnectors. If you use any of the SmartConnectors listed in the "Issues Closed" section of these release
notes, be aware that installing the updated SmartConnector can impact your created content.
ArcSight advises you to verify your content before deploying the SmartConnector into your production
environment.
FIPS Compliance
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce
approves standards and guidelines that are developed by the National Institute of Standards and Technology
(NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal
Information Processing Standards (FIPS) for government-wide use.
ArcSight has added support for SmartConnector installation in FIPS-compliant mode. See the connectors under
New and Updated SmartConnector Documentation for a list of connectors with this new support.
McAfee ePolicy Orchestrator DB
Added support for HIPS, Rogue System Detection, and MA events. See the SmartConnector Configuration
Guide for specific products and versions now supported.
Microsoft DHCP File
Added support for processing of multiple log files.
Symantec Endpoint Protection DB
Added support for Network Access Control events.
Issues Closed

All SmartConnectors
  58006: Entries in the name resolver cache normally are refreshed after the Time To Live (TTL), but if that refresh is substantially delayed, the normal algorithm disregards the cached value after double the TTL. There is a new property (name.resolver.cache.no.ttl) that can be set in agent.properties. When this property is set to true, the name resolver cache entries will continue to be used indefinitely.

All SmartConnectors
  56959, 55963, 56915: Previous problems with URL and URI field resolution have been fixed.

  29167: Updated severity mappings for the Check Point AD connector. See the SmartConnector for Check Point FW-1/VPN-1 OPSEC NG Configuration Guide for detailed mapping information.

  56813, 57333, 45363: The connector no longer creates assets with blank Host Name fields.

  51709: The parser has been updated to fix problems that previously caused a fatal exception at connector startup.

McAfee ePolicy Orchestrator DB, McAfee HIPS DB, McAfee HIPS Multiple DB
  57190: When running connectors for both McAfee ePO DB and McAfee HIPS DB that pull events from the same database, some event duplication previously occurred. The McAfee HIPS DB connectors no longer collect anti-virus events. The McAfee ePolicy Orchestrator DB connector now collects HIPS events. See the SmartConnector Configuration Guides for more information.

MessageGate Syslog
  56767: Previously, the connector set the Device Receipt Time year to 1970 for MessageGate events without a date | time. This problem has been fixed.

  53335: SID translation for security events 538, 540, and 576 previously did not occur. This problem has been fixed.

  54480
  56002: The connector now continues to map correctly, even when the 'Reason' field is missing from the raw event for security event 529.

  56254, 57249, 57157

NIKSUN NetDetector Syslog
  56811

Oracle Audit DB
  58319, 58363, 57004

Symantec Endpoint Protection DB
Symantec Endpoint Protection Syslog
  57393, 50148
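The name resolver cache behaviour described under issue 58006 above, as an added example that is not ArcSight code: a cache that refreshes after its TTL, serves a stale entry until double the TTL when the refresh fails, and with the no-TTL setting keeps serving it indefinitely (so a host that has since been renamed or re-addressed keeps its old name on events). The IP address, host name, resolver callback and timestamps are constructed for the example.

```python
"""Name resolver cache modelling the TTL behaviour described for issue 58006.
Added example, not ArcSight code. An entry is due for refresh after its TTL;
if the refresh fails, the stale name is still served until double the TTL and
then discarded, unless no_ttl (modelling name.resolver.cache.no.ttl=true) keeps
serving it indefinitely. IP, host name, resolver and timestamps are constructed."""
from typing import Callable, Dict, List, Optional, Tuple


class NameResolverCache:
    def __init__(self, resolve: Callable[[str], Optional[str]],
                 ttl: float, no_ttl: bool = False) -> None:
        self.resolve = resolve      # reverse lookup; returns None on failure
        self.ttl = ttl              # seconds before an entry is due for refresh
        self.no_ttl = no_ttl        # True: never discard a stale entry
        self._entries: Dict[str, Tuple[str, float]] = {}  # ip -> (name, stored_at)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        cached = self._entries.get(ip)
        if cached is None:
            return self._refresh(ip, now)
        name, stored_at = cached
        age = now - stored_at
        if age < self.ttl:
            return name                         # still fresh
        fresh = self._refresh(ip, now)          # past TTL: try to refresh
        if fresh is not None:
            return fresh
        if self.no_ttl or age < 2 * self.ttl:   # refresh failed: serve stale value
            return name
        del self._entries[ip]                   # past 2*TTL without no_ttl: drop it
        return None

    def _refresh(self, ip: str, now: float) -> Optional[str]:
        fresh = self.resolve(ip)
        if fresh is not None:
            self._entries[ip] = (fresh, now)
        return fresh


def demo(no_ttl: bool) -> List[Optional[str]]:
    """Look up one IP at t=0, 30, 90, 150 s with ttl=60; only the first
    resolve succeeds, later ones fail (constructed scenario)."""
    calls = {"n": 0}
    def resolve(ip: str) -> Optional[str]:
        calls["n"] += 1
        return "db01.example.test" if calls["n"] == 1 and ip == "10.0.0.5" else None

    cache = NameResolverCache(resolve, ttl=60, no_ttl=no_ttl)
    return [cache.lookup("10.0.0.5", now=t) for t in (0, 30, 90, 150)]
```

With the default behaviour the fourth lookup (150 s, past double the 60 s TTL) returns None; with no_ttl the stale name is still returned.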
Beta SmartConnectors
SmartConnector for Lancope SMC Web Services
This SmartConnector obtains flows, probes, and host snapshots from Lancope StealthWatch Management
Console (SMC) and can, optionally, generate ArcSight events. Lancope SMC version 5.8 is supported.
Scanner FlexConnectors
See the ArcSight FlexConnector Developer's Guide for complete information on Scanner FlexConnector beta support
for the following:
1. In the ARCSIGHT_HOME/jre6/lib directory, create a sub-directory called endorsed with read, write, and
   execute permissions.
2. Copy the ARCSIGHT_HOME/lib/agent/saaj.jar file to the sub-directory called endorsed, which you
   created in step 1.
On Windows:
1. In the ARCSIGHT_HOME\jre6\lib directory, create a sub-directory called endorsed with read, write, and
   execute permissions.
2. Copy the ARCSIGHT_HOME\lib\agent\saaj.jar file to the sub-directory called endorsed, which you
   created in step 1.
In some cases, the description of specific Windows events may not be captured into individual ArcSight
event fields. When this happens, the missing information is captured in the Raw Event field and the agent
log displays a warning that it has received an unmatched number of keys and values for a particular
Windows event ID. This can be addressed by a parser fix. See the "Troubleshooting" section for an
example of how to resolve these key values.
SID translation is supported on a best-effort basis, but there may be a few instances when SIDs cannot be
successfully translated: network issues may prevent the lookup, the host may be busy and not respond, or the
SID may be unresolvable, in any of which cases the connector is unable to translate the SID.
The connector attempts to translate all the SIDs by default. If the first translation attempt fails, the connector
retries three times. If translation still fails, SID translation can be enabled in multi-threaded mode by setting
the parameter sidguidtranslationmultithreaded to true. See "Troubleshooting" or "Advanced Common
Configuration Parameters for SID Translation" for more configuration information.