Course Description

In this intermediate course, we tackle the concept of FlexConnectors, one of the most powerful tools in the ArcSight suite. Need to onboard a new event source but there’s no SmartConnector for it? That’s where FlexConnectors shine.

Taking the unparsed events from your new event source, you can create a custom FlexConnector to parse data from almost any source so it can be ingested into the ArcSight ecosystem.

This course takes students through all aspects of FlexConnector setup, from identifying when you need one, configuring all the required files, and then testing and validating the output.

Modules

1. Identifying Unparsed Events

   • What are the causes of unparsed events

   • How to spot them within ArcSight

2. Overview of ArcSight FlexConnectors

   • What are the types of FlexConnector

   • How do they differ from standard SmartConnectors

3. Components of a FlexConnector

   • Parsers

   • Categorisation Files

   • Map Files

   • Unobfuscation Files

4. FlexConnector Development Tools

   • FlexAgent Wizard for simple setups

   • ArcSight Regex Tool

5. Advance FlexConnector Operations

   • Multi-Line Parsing

   • Conditional Mappings

6. Regex Basics

   • Lightweight overview of using regular expression for parsing

Intended Audience

This course is designed for Security Professionals and SOC Administrators, who are responsible for deploying and administrating the ArcSight product suite within their environment.

Recommended Skills

• Familiarity working with command line tools

• Experience deploying applications in Windows and Linux environments

• Computer desktop, browser, and file system navigation skills

• Competence in writing/using Regular Expressions