Detailed Course Outline
Module 1: Introduction to FlexConnector
- Define SmartConnectors and their functions
- Follow device deployment and the event flow processing
- Describe FlexConnector types
- Install a Connector
Module 2: Using ArcSight Schema
- Gather event requirements prior to developing your FlexConnector
- Normalize and map events
- Differentiate special cases
- List the different schema groups
Module 3: Basic Configuration File and Categorization
- Locate FlexConnector files
- Define the configuration procedure
- Apply the four steps to create a FlexConnector configuration file:
  - Parser configuration
  - Token declaration
  - Event mapping
  - Severity mapping
- Use the FlexConnector wizard to install a configuration file
- Utilize Categorization to profile an event
  - Six criteria are used: Object, Behavior, Outcome, Technique, Device Group, and Significance
Module 4: Regex FlexConnectors
- Install the Regex File Reader FlexConnector
- Create common Regex
- Define SubMessages
- Use the Regex Tester
- Introduction to the concept of Teams
Module 5: Installing ESM Syslog Connectors with Custom Parsers
- Identify the syslog Connectors
- Describe the syslog FlexConnector components
- Create the syslog FlexConnector configuration file
Module 6: JSON Folder Follower Connector
- Identify the properties of basic JSON objects
- Define Token and Mappings declarations for a JSON Folder Follower FlexConnector
- Perform installation and testing of a JSON Folder Follower FlexConnector in console mode
Module 7: Advanced Topics
- Describe the purposes of multi-line Regex configuration parameters:
  - Concatenate lines belonging to a single event
  - Identify the start and/or end of each event
- Describe parser linking when two or more FlexConnector types may be needed to parse the same data
- Define and create conditional mapping configurations
- Illustrate the LogFu tool, which reads and parses ArcSight logs and generates interactive visual presentations of them