Hello maresj, 

first, let's clarify what SOAR is and what needs to deploy this capability.

Soar is a capability on top of the ArcSight Platform ( OMT ) and for more clarifications you may consult this link here  https://www.microfocus.com/documentation/arcsight/arcsight-platform-24.2/arcsight-pag-oc-24.2/#platform_intro/cap_options_deploy.htm?TocPath=Introducing%2520ArcSight%2520Platform%257C_____3 

Depending on what version ( ArcSight Platform ( OMT ) / SOAR) you want to deploy, SOAR is part of the Fusion capability or a separate capability.

Starting with 24.2 SOAR is a separate capability and if you wish to deploy it together with ArcSight Platform ( OMT ) you may consider having a look at "example-install-config-soar-recon-and-transformation-hub.yaml" and modifying it to accommodate to install only SOAR. Keep in mind that you need Fusion also for a minimum deployment.

Note: you may proceed to install only Fusion together with ArcSight Platform ( OMT ) and install after the SOAR from the management portal ( 5443 ) by following the documentation ( https://www.microfocus.com/documentation/arcsight/arcsight-platform-24.2/arcsight-pag-oc-24.2/#cluster_add/cluster_deploy.htm?TocPath=Adding%2520Additional%2520Capabilities%2520to%2520an%2520Existing%2520Cluster%257C_____2) 

Below the 24.2 version ( for example 24.1) SOAR is part of Fusion. The configuration that you may use can be "example-install-config-esm_cmd_center-single-node.yaml".

Hopefully, that's more clear for you how to plan your SOAR deployment.

Best Regards, 

Daniel

As for best practice it is better to have all component containerize under OMT or have ESM and Logger on separate location ? 

Hello Maresj, 

I think that you are referring to this scenario "www.microfocus.com/.../ TocPath=Examples%2520of%2520Deployment%2520Scenarios%257C_____3" right?

Note: Keep in mind that the above scenario is only with ESM and there is no scenario for Logger to be on the same vm/server with OMT.

Going back to your question, well, that's depends on what's your goal.

But what I have seen is that someone who wants to try SOAR sooner or later will want to try the other capabilities. If you have ESM and OMT on the same server well that will be harder to expand vs if you already started from the beginning with separate environments, for example allocating one vm/server to ESM and starting with a separate one vm/server for OMT ( even with one capability been deployed).

Best Regards,

Daniel

Hello Maresj, 

I think that you are referring to this scenario "www.microfocus.com/.../ TocPath=Examples%2520of%2520Deployment%2520Scenarios%257C_____3" right?

Note: Keep in mind that the above scenario is only with ESM and there is no scenario for Logger to be on the same vm/server with OMT.

Going back to your question, well, that's depends on what's your goal.

But what I have seen is that someone who wants to try SOAR sooner or later will want to try the other capabilities. If you have ESM and OMT on the same server well that will be harder to expand vs if you already started from the beginning with separate environments, for example allocating one vm/server to ESM and starting with a separate one vm/server for OMT ( even with one capability been deployed).

Best Regards,

Daniel