How to create an Activate Framework Product Package - Video
What is an Activate Framework Product Package?
An Activate Framework Product Package is a package specific to a particular product distributed by a software vendor. Product packages might also be specific to a range of releases and/or versions, as specified in their documentation. Product packages:
- Provide content filters that hook into L1 and L2 Solution filters. A single package might contain filters that hook into several L1/L2 solution filters: Malware, Host, Entity, Network or Perimeter Monitoring.
- Contain other resources (active channels, field sets, rules, active lists) that provide device-specific data and context to SOC analysts.
- Sometimes include FlexConnectors or parser overrides.
- Have a standard folder structure (Entity Authentication, Entity Management, Product Specific, System Changes, System Errors).
Why should I create a product package?
Product packages for common vendors and products are created by the ArcSight Security Team and uploaded to the ArcSight Marketplace. If a vendor/product is not in that list, or logs from an in-house solution need to be collected and tracked by ESM, a product package can be created.
Activate Framework product packages typically contain (but are not limited to) these resources:
- Active channels: Show device-specific events
- Filters: Product-level filters are used in product-level rules and active channels and, most importantly, can be hooked into L1 and L2 Solution filters. Product-specific filters should use event fields that guarantee the uniqueness of the events; such fields can be (but are not limited to) deviceEventClassID, deviceAction, deviceVendor, deviceProduct and deviceVersion. The last three fields are usually grouped together in a device-level filter that is reused within all product package filters, as shown in the video.
- Field Sets: Typically used by the product package active channels to show device-specific event fields.
- Rules: If specific events need to be tracked and shown in the main or system-monitored Activate Framework active channels, but no L1 or L2 content exists for them (filters to hook into, along with the proper rules), product-level rules can be created and the correlation event fields populated accordingly (following Activate categorization rules) to track these events.
- Variables: Can be created to access active list data, or show derived data in active channels
- Active Lists: If multiple values exist for a single type of event, an active list might be created to store these values, which other content (variables, filters, rules) can then access. For the data to be persistent, the "T-P-Template - Active Lists" template needs to be used to store these active lists.
Download the Activate Template package to begin creating your own product package, and let us know how we can help you get the most value out of the Activate Framework in your ArcSight ESM environment.
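The filter layering described above (a device-level filter on deviceVendor/deviceProduct/deviceVersion, reused by product-level filters that add deviceEventClassID/deviceAction, which in turn hook into L1 solution filters) as an added Python model; this is not ArcSight content or the package's own filter definitions, and the vendor, product, event class IDs and sample events are all constructed for the illustration.

```python
from typing import Callable, Dict, Iterable, List, Optional

Event = Dict[str, str]
Filter = Callable[[Event], bool]

def device_filter(vendor: str, product: str, versions: Iterable[str]) -> Filter:
    """Device-level filter on deviceVendor/deviceProduct/deviceVersion.
    Built once and reused by every product-level filter in the package."""
    supported = set(versions)
    return lambda e: (e.get("deviceVendor") == vendor
                      and e.get("deviceProduct") == product
                      and e.get("deviceVersion") in supported)

def product_filter(device: Filter, class_ids: Iterable[str],
                   action: Optional[str] = None) -> Filter:
    """Product-level filter: device filter AND the fields that make the
    event unique (deviceEventClassID, optionally deviceAction)."""
    ids = set(class_ids)
    return lambda e: (device(e)
                      and e.get("deviceEventClassID") in ids
                      and (action is None or e.get("deviceAction") == action))

def solution_filter(*hooked: Filter) -> Filter:
    """L1/L2 solution filter: fires when any hooked product-level filter matches."""
    return lambda e: any(f(e) for f in hooked)

# Hypothetical vendor, product, versions and event class IDs (constructed).
EXAMPLE_DEVICE = device_filter("ExampleVendor", "ExampleGateway", ["2.0", "2.1"])
FAILED_LOGIN = product_filter(EXAMPLE_DEVICE, ["auth:login"], action="failure")
CONFIG_CHANGE = product_filter(EXAMPLE_DEVICE, ["cfg:modify", "cfg:delete"])

SOLUTION_FILTERS: Dict[str, Filter] = {
    "Entity Authentication": solution_filter(FAILED_LOGIN),
    "System Changes": solution_filter(CONFIG_CHANGE),
}

def route(events: Iterable[Event]) -> List[List[str]]:
    """Return, per event, the names of the solution filters it reaches."""
    return [[name for name, f in SOLUTION_FILTERS.items() if f(e)] for e in events]

# Constructed sample events, not real device output.
_DEV = {"deviceVendor": "ExampleVendor", "deviceProduct": "ExampleGateway", "deviceVersion": "2.1"}
SAMPLE_EVENTS: List[Event] = [
    {**_DEV, "deviceEventClassID": "auth:login", "deviceAction": "failure"},   # hooked
    {**_DEV, "deviceEventClassID": "cfg:modify"},                               # hooked
    {**_DEV, "deviceVendor": "OtherVendor", "deviceEventClassID": "auth:login",
     "deviceAction": "failure"},                      # other vendor: device filter rejects
    {**_DEV, "deviceVersion": "1.0", "deviceEventClassID": "cfg:delete"},      # unsupported version
]

if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, route(SAMPLE_EVENTS)):
        print(e["deviceVendor"], e["deviceEventClassID"], "->", hits or "no solution filter")
```

The third and fourth events show why the shared device-level filter matters: an identical class ID from another vendor or an unsupported version never reaches the L1 content.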
More information regarding Activate Framework can be found in: