Idea ID: 2879618

Adapt additional data mapping for TH architecture

Status: Needs Clarification

That would be great to adapt additional data mapping from ESM on other than ESM destination, as this one is used only for AUP updates with events filtered out when ArcsightPlatform Transformation Hub does the event transport.

  • Hello Prentice - to clarify:
    If connectors are connected directly to ESM, you can map additional data directly from ESM - as you can see in the picture.
    If you put TransformationHub between connector and ESM, you need another connector destination directly to ESM for connector content updates (e.g. zones) ...and to avoid duplicities, you need to switch on FilterOutAllEvents for this destination.
    But then, if you try to use additiona data mapping as before, it will push the addditionaldata mapping file to ESM destination, not to TH-one.
    ...but all the event transport occurs NOT on ESM destination, but TH destination - so on ESM destination is nothing to be mapped, but there is how to...and from TH destinations are streaming events, but there is no informationa about how-to-map-additional-data.

    so in short - additional data mapping from ESM works only if connectors are connected directly to ESM, if you put TH between those two, it breaks the function.

    Reagrds

    Jan

  • Hello Jan,

    I don't quite understand the scenario you are describing, "as this one is used only for AUP updates with events filtered out when ArcsightPlatform Transformation Hub does the event transport." What is "this one"? If events are filtered out, can there be any additional data?

    Please clarify what you are trying to do.

    Thank you,

    --
    Prentice S. Hayes
    Principal Product Manager | Cybersecurity Enterprise, Security Analytics
    OpenText Cybersecurity

    LinkedIn: https://www.linkedin.com/in/prenticeshayes/ 

    Website: https://www.opentext.com/