Activate Base


ArcSight Activate is a modular content development method designed to quickly deploy actionable use cases. The framework will unify our development methodology, allowing us to create portable content packages.
3,885 downloads

Description

Activate Base Version 2.5.x.0 is supported on ESM v6.8c

Activate Base Version 2.4.0.0 is supported on ESM v6.8c

Activate Base Version 2.2.0.0 is supported on ESM v6.8c

Activate Base Version 2.0.0.0 is supported on ESM v6.8c

ArcSight Activate is a modular content development method designed to quickly deploy actionable use cases. The framework will unify our development methodology, allowing us to create portable content packages. This moves us away from working on the same old mundane problems and toward expanding our detection capability within our customers' environments. As our detection capability grows, so does our ability to enrich data by tracking attack patterns and system state.

The benefits of following a framework like this are two-fold. For a small or medium customer with limited resources to develop and care for content, we are providing packages that simply work. For more ambitious customers, we are also providing a common development methodology, which gives them continuity as their development team grows and changes over time. With the Activate Framework, both types of customers are able to thrive despite organizational limitations or changes.

This is the base package that provides the Activate Framework resources, including global variables and active channels for the Activate Framework workflow methodology. Install this package first by following the instructions provided in the Activate wiki.

Activate Base falls under the Activate License

Releases

Release: Activate Base 2.5.4.0
Size: 151.9 KB
Date: Aug 16, 2018
Product Compatibility: ESM Version 6.8 · 6.9.1 · 6.11.0; Version 7.0
Release Notes

Added new category - DHCP server.

Micro Focus rebranding changes.

Languages: English

Release: Activate Base 2.5.3.0
Size: 151.9 KB
Date: Jul 26, 2018
Product Compatibility: ESM Version 6.8 · 6.9.1 · 6.11.0; Version 7.0
Release Notes

Fix global variable to convert hostname to lower case.

Languages: English

Release: Activate Base 2.5.2.0
Size: 174.6 KB
Date: Oct 13, 2017
Product Compatibility: ESM Version 7.0; Version 6.8 · 6.11.0
Release Notes

Attention:
Some of the host name Field Manipulation/Convert Case global variables have been modified. They should all convert host names to lower case, but some were converting to upper case. This has been corrected, but it may cause some issues when comparing against data already in active lists. Please be certain to test this update on your test system with data from your production system to assess the impact. Most likely, some rules may trigger again. We apologize for the inconvenience this will cause.

Modified:

/All Active Channels/ArcSight Activate/Workflow/Investigating Channel
/All Active Channels/ArcSight Activate/Workflow/Main Channel
/All Active Channels/ArcSight Activate/Workflow/Personal Investigating Channel
/All Active Lists/ArcSight Activate/Core/Suppression Lists/Static Suppression Lists/Static (renamed to Static Trusted)
/All Field Sets/ArcSight Activate/Workflow/Investigating Channel
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/atkHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dstHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/srcHostName
/All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/tgtHostName
/All Filters/ArcSight Activate/Core/Suppression List Filters/All Network Based Suppression Lists
/All Stages/SOC Stages/1: Investigating/Engage External Team
/All Stages/SOC Stages/1: Investigating/Engineer Review
/All Stages/SOC Stages/1: Investigating/Level 1 Investigating
/All Stages/SOC Stages/1: Investigating/Level 2 Review
/All Stages/SOC Stages/2: Final/Added to Case
/All Stages/SOC Stages/2: Final/Case Created
/All Stages/SOC Stages/2: Final/No Further Action Required - Engineer
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 1
/All Stages/SOC Stages/2: Final/No Further Action Required - Level 2
/All Stages/SOC Stages/2: Final/No Further Action Required - Triage
/All Stages/SOC Stages/System/System Monitored
/All Stages/SOC Stages/System/Testing
/All Stages/SOC Stages/System/Triage

Added:

/All Active Channels/ArcSight Activate/Workflow/Engineering Channel
/All Active Channels/ArcSight Activate/Workflow/Personal Engineering Channel
/All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Unit/
/All Field Sets/ArcSight Activate/Workflow/Personal Channel
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicDeviceAndActionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicIdsEventIdSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicIdsEventIdWithAttackerTargetAndComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getDynamicNameTargetAndPortSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticDeviceAndActionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticIdsEventIdWithAttackerTargetSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticIdsEventIdSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticNameTargetAndPortSuppressionWithComments
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/Suppression List Variables/getStaticTrusted
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/System Black Lists/getUntrustedDestination
/All Fields/ArcSight Activate/Core/Supporting and Set Event Fields/System Black Lists/getUntrustedSource 

Languages: English

Release: Activate Base 2.5.1.0
Size: 138.0 KB
Date: Mar 31, 2017
Product Compatibility: ESM Version 7.0; Version 6.8 · 6.11.0
Release Notes

Bug fixes for global variables

Languages: English

Release: Activate Base 2.5.0.0
Size: 135.5 KB
Date: Jan 13, 2017
Product Compatibility: ESM Version 7.0; Version 6.8 · 6.11.0
Release Notes

Activate Base 2.5.0.0 Changes

Added:

  • /All Active Channels/ArcSight Activate/Workflow/Personal Investigating Channel
  • /All Active Lists/ArcSight Activate/Core/Resource Tracking/Asset Resource Tracking
  • /All Asset Categories/Site Asset Categories/Address Spaces/High Security/
  • /All Asset Categories/Site Asset Categories/Role/Business Role/Infrastructure/Computer/Desktop/
  • /All Asset Categories/Site Asset Categories/Role/Business Role/Security Devices/NIPS/
  • /All Field Sets/ArcSight Activate/Workflow/Investigating Channel
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dcString1
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcDnsDomain
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Case/dvcNtDomain
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/agtAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/atkAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/dstAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/dvcAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/srcAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Convert Type/Assets/tgtAssetReference
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Supporting and Set Event Fields/dstAddress
  • /All Fields/ArcSight Activate/Core/Field Manipulation/Supporting and Set Event Fields/dvcZone
  • /All Fields/ArcSight Activate/Core/Resource Tracking/getAssetResourceReference
  • /All Rules/ArcSight Activate/Core/Resource Tracking/Asset Resource Tracking

Updated:

  • /All Active Channels/ArcSight Activate/Workflow/Investigating Channel
  • /All Filters/ArcSight Activate/Core/Common/Assets/Device Asset is a NIPS
  • /All Packages/ArcSight Activate/Activate Base
  • /All Stages/SOC Stages/1: Investigating/Engage External Team
  • /All Stages/SOC Stages/1: Investigating/Engineer Review
  • /All Stages/SOC Stages/1: Investigating/Level 1 Investigating
  • /All Stages/SOC Stages/1: Investigating/Level 2 Review
  • /All Stages/SOC Stages/2: Final/Added to Case
  • /All Stages/SOC Stages/2: Final/Case Created
  • /All Stages/SOC Stages/2: Final/No Further Action Required - Engineer
  • /All Stages/SOC Stages/2: Final/No Further Action Required - Level 1
  • /All Stages/SOC Stages/2: Final/No Further Action Required - Level 2
  • /All Stages/SOC Stages/2: Final/No Further Action Required - Triage
  • /All Stages/SOC Stages/System/System Monitored
  • /All Stages/SOC Stages/System/Testing
  • /All Stages/SOC Stages/System/Triage

Languages: English
