ArcSight Threat Intelligence Feed/Galaxy SmartConnector

ArcSight Threat Intelligence Feed or GTAP suddenly stops sending logs to the ESM server, even though the connector status shows as running. When I check the logs, only the connector statistics are displayed. I attempted to reinstall it, but I couldn't find it listed under the connector types. Can anyone help with this issue?

Note: The installation was basic and it was on a Red Hat server, which is a separate connector server from the ESM server.

  • Verified Answer

    Hello Mulualem, 

    ArcSight Threat Intelligence Feed/Galaxy SmartConnector is one of the special connectors for which only being installed and registered to the destination ESM is not enough.

    There is one step that everyone is missing, most probably because nobody used the steps from the documentation in 99% of the situations (for example, for the latest version of this connector, https://www.microfocus.com/documentation/arcsight/threathub-24.3/pdfdoc/threathub-24.3-admin-guide/threathub-24.3-admin-guide.pdf, pages 25 and 26): the step that refers to assigning a Model Import User (having administrator rights) to be able to push data to ESM.

    On top of that, please check in the release notes of the version that you are using which Content Package version needs to be present on ESM.

    For example, for the recent version (https://www.microfocus.com/documentation/arcsight/threathub-24.3/threathub-24.3-release-notes/#Installing-default-packages.htm?TocPath=_____3), related to “Installing and Upgrading Default Packages”, the requirements are the following:

    For a fresh installation of Content Package 4.4, see Installing Default Content Package.

    If you already have 3.x version of default content, you cannot directly upgrade the package to 4.x. For more information, see Upgrading Default Content Package from Version 3.x to Version 4.x.

    You can however, upgrade from 4.3 to 4.4.

    To summarize: after reinstalling/deploying the connector on the Windows/Linux host, you need to:

    1. Using the ArcSight Console, connect to the ESM where the connector was registered and assign a Model Import User (having administrator rights) to be able to push data to ESM;

    2. Make sure that the arb package of the Content Package is the version supported/requested by the SmartConnector version.

    I hope that what I have provided to you makes sense and will help you to solve the issue.

    Best Regards, 

    Daniel