HP ArcSight Risk Insight
Software Version: 1.1
Linux Operating System
Deployment Guide
December 8, 2015
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of
your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.
This document is confidential.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211
and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2015 Hewlett-Packard Development Company, L.P.
Follow this link to see a complete statement of copyrights and acknowledgements:
https://www.protect724.hpe.com/docs/DOC-13026
Support
Contact Information
Phone: A list of phone numbers is available on the HP ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list
Support Web Site: https://softwaresupport.hp.com
Protect 724 Community: https://www.protect724.hpe.com
HP Risk Insight (1.1) Page 2 of 43
Contents
Chapter 1: Welcome to This Guide 5
About ArcSight Risk Insight 5
Chapter 2: Install Risk Insight 7
System Requirements 7
Prerequisites 8
Preparing to Install SAP BusinessObjects 8
Install SAP BusinessObjects Enterprise 10
SAP BusinessObject Configuration and Post Installation Tasks 10
Preparing to Install Risk Insight 12
Install Risk Insight 12
Uninstall Risk Insight 13
Open Risk Insight 14
Chapter 3: Grant Permissions to Users 15
Chapter 4: Import Assets from ArcSight ESM 17
About ArcSight ESM Asset Synchronization Job 17
How to Integrate with ESM for Asset Synchronization 18
Change ESM Session Timeout 18
Define Connection Parameters with ESM 19
Map Asset Types with ESM 20
Define Imported Asset Type Properties 22
Schedule and Activate the ESM Job 22
Chapter 5: Import Risk Information from ESM 24
About Risk Factor Import Job 24
Create a Risk Factor Report in ESM 25
How to Create a Risk Factor in Risk Insight 28
Define a New Risk Factor 28
Configure the Risk Factor Connector Parameters 29
Configure the Risk Factor Import Job 30
Configure the Risk Factor Normalization Settings 30
Configure the Risk Factor Aggregation Method 31
Configure Risk Factor Ranges 32
Delete a Risk Factor 33
Chapter 6: Import Vulnerabilities From Vulnerability Assessment Tools 34
About the Vulnerability Import Job 35
Install and Configure ArcSight SmartConnector 36
Schedule and Activate Vulnerabilities Import Job 37
Chapter 7: Manage Configuration Sets 39
Select Configuration Set 39
Save and Apply Configuration Changes 40
Appendix A: Asset Reporting 41
About the Asset Report 41
Import Risk Insight Reports into ArcSight ESM 42
Send Documentation Feedback 43
Chapter 1: Welcome to This Guide
This guide provides information about the installation and initial configuration of Risk Insight.
This guide is intended for the Risk Insight System Administrator. Readers of this guide should be
knowledgeable about enterprise system administration and have familiarity with information security
concepts.
About ArcSight Risk Insight
Risk Insight is an ArcSight ESM add-on that enables Risk Managers and Security Operation Center
(SOC) Managers to analyze security risk information in a business context and prioritize actions to
minimize that risk. Security risk information is processed periodically providing continuous monitoring
capabilities on the risks imposed on your organization's assets.
Risk Insight optimizes the way risk information is delivered in the following ways:
• By building a hierarchical business model from the assets defined in ESM. The business model
  depicts the entire organization from high-level business assets to low-level IT assets, allowing you
  to quickly respond to real-time threats and to invest your resources efficiently.
• By defining risk factors based on the logic that exists in ESM to help focus the risk analysis on what
  really matters to the organization.
• By following up after the various risk factors using sophisticated executive dashboards. You can
  present risk information visually in configurable dashboards, create custom dashboards, create new
  KPIs, and apply any other type of logic to your risk information in order to make analysis more
  efficient.
Risk Insight also includes a Vulnerability Management module that collects vulnerabilities by using
ArcSight SmartConnectors, removes duplicates, assigns them to assets, and prioritizes them
accordingly, allowing you to manage the remediation process.
Chapter 2: Install Risk Insight
This chapter describes how to install and start Risk Insight.
Risk Insight is an ArcSight ESM add-on. Therefore, it can be installed only after ESM is installed. You
need to install Risk Insight in a separate partition from ArcSight ESM.
Risk Insight integrates with SAP BusinessObjects Enterprise for creating reports and dashboards.
Before you install Risk Insight, you must have a complete installation of BusinessObjects version 3.1
SP 5.0 running on the ESM server.
Note: Risk Insight supports only a new installation of BusinessObjects, which is delivered with
the Risk Insight installation package. It does not support the installation of Risk Insight alongside
an existing installation of BusinessObjects.
To install Risk Insight:
1. Review the system requirements and make sure that you comply with all the requirements. For
more information, see "System Requirements" below.
2. Review the prerequisites and make sure that all pre-installation tasks are done. For more
information, see "Prerequisites" on the next page.
3. Prepare your system before installing BusinessObjects. For more information, see "Preparing to
Install SAP BusinessObjects" on the next page.
4. Install BusinessObjects. For more information, see "Install SAP BusinessObjects Enterprise" on
page 10.
5. Configure SAP BusinessObjects Enterprise. For more information, see "SAP BusinessObject
Configuration and Post Installation Tasks" on page 10.
6. Prepare your system before installing Risk Insight. For more information, see "Preparing to Install
Risk Insight" on page 12.
7. Install Risk Insight. For more information, see "Install Risk Insight" on page 12.
System Requirements
Risk Insight is an ArcSight ESM add-on. It is installed on the server on which ESM is installed (in a
separate /usr/local directory). Risk Insight is supported on the Red Hat Enterprise Linux 6.7 64-bit
platform and uses the ArcSight CORR-Engine as its database.
Server System Requirements
Risk Insight requires 25 GB free disk space in addition to the system requirements defined for ESM.
For more information, see ArcSight ESM Installation and Configuration Guide.
Client Requirements
Risk Insight requires Adobe Flash Player 11.2. For browser support, see the HPE ArcSight ESM
Support Matrix.
Prerequisites
Before you start the installation process, for both BusinessObjects and Risk Insight, perform the
following tasks:
• From the installation media, copy the following file to the ESM server:
  ArcSightRiskInsight-xxxxx.tar
  The xxxxx in the file name stands for the build number.
  Make sure that the .tar file is owned by user arcsight.
• Open the following TCP ports on your system (if they are not already open), and make sure that no
  other processes are using these ports:
  - For Risk Insight: 6060, 9005, 9009, 1099
  - For BusinessObjects: 8081, 6005, 8444, 6410, 6400
• Risk Insight is installed on the ESM server in GUI or console mode. To install in GUI mode, verify
  that the X Window System package is installed on the ESM server (xorg-x11-server-utils.x86_64).
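The requirement that no other process uses the listed ports can be checked before either installer is run. The following script is an added example, not part of the HP guide: it reads the output of ss -ltn and reports which of the nine ports already have a listener. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): preflight check for the TCP ports
# listed under Prerequisites.

RI_PORTS="6060 9005 9009 1099"          # Risk Insight ports from the guide
BO_PORTS="8081 6005 8444 6410 6400"     # BusinessObjects ports from the guide

# ports_in_use LISTING PORT...
# LISTING is the text printed by `ss -ltn`. Prints every requested port
# that already has a listener, one per line, in the order first seen.
ports_in_use() {
    listing=$1
    shift
    printf '%s\n' "$listing" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "LISTEN" {
            port = $4                 # the "Local Address:Port" column
            sub(/.*:/, "", port)      # keep what follows the last colon
            if ((port in need) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# preflight_ports LISTING
# Prints one line per conflict, labelled with the product that needs the
# port. Returns 0 when all nine ports are free, 1 otherwise.
preflight_ports() {
    status=0
    for p in $(ports_in_use "$1" $RI_PORTS); do
        echo "conflict: tcp/$p is needed by Risk Insight"
        status=1
    done
    for p in $(ports_in_use "$1" $BO_PORTS); do
        echo "conflict: tcp/$p is needed by BusinessObjects"
        status=1
    done
    return $status
}

# Constructed sample of `ss -ltn` output (IPv4, IPv6 and wildcard forms).
# Port 8443 is listed on purpose: it is close to 8444 but must not match.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      [::]:8081            [::]:*
LISTEN  0       100     127.0.0.1:1099       0.0.0.0:*
LISTEN  0       128     *:8443               *:*'

# On the ESM server, run: preflight_ports "$(ss -ltn)"
preflight_ports "$SAMPLE_SS" || echo "free the ports above before installing"
```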
Preparing to Install SAP BusinessObjects
Before you run the installation file, you must prepare your system. Perform the following in console
mode.
Note: Perform the following procedure using user root.
1. From the installation media, copy the Installations/SAP BusinessObjects/Deployment
directory to the ESM server.
2. As user root, install the following five packages to ensure proper functionality of SAP
BusinessObjects:
   - compat-libstdc++-33.i686
   - glibc.i686
   - libXext.i686
   - libXext-devel.i686
   - ncurses-libs.i686
Use the command yum install <package name>.rpm from the required_RPMs directory.
Note: If you are missing some dependency packages, the directory additional_RPMs
contains all of them.
Install SAP BusinessObjects Enterprise
Note: SAP BusinessObjects Enterprise installation alongside Risk Insight is supported only in the
English language.
SAP BusinessObjects Enterprise is installed on the ESM server, which is a Linux platform. Web
Intelligence, one of the BusinessObjects client tools for dashboard and report editing, is supplied by
default as a thin Java client with the SAP BusinessObjects Enterprise deployment.
To install BusinessObjects
1. Log in to the ESM server with user root.
2. Open the directory to which you copied the /Installation/SAP BusinessObjects/Deployment directory.
3. Run the installation file as follows:
./installbo.sh
4. Follow the instructions in the BusinessObjects Setup Wizard.
Note: A new user (sapbo) is created during the installation as an owner of SAP BusinessObjects
software. There are prompts for credentials, as well as a prompt for accessing the
CORR-Engine database as user arcsight and creating a new database schema called
ri_sapbo_data. This database schema is needed for SAP BusinessObjects to operate
properly.
5. After you install BusinessObjects, use the following credentials to log on:
   - User name: Administrator
   - Password: admin123
If you intend to change the password for Administrator, follow the "Update the administrator
password" step in "SAP BusinessObject Configuration and Post Installation Tasks" below.
After the installation is complete, follow the instructions in "SAP BusinessObject Configuration
and Post Installation Tasks" below.
SAP BusinessObject Configuration and Post Installation Tasks
After BusinessObjects is installed, perform the following procedures:
Configure the maximum number of simultaneous connections
1. Open SAP BusinessObjects Central Management Console (CMC) using the following URL:
http://[server_name]:8081/CmcApp
2. Under Organize, click Servers.
3. In the left pane, expand Service Categories, and then click Web Intelligence.
4. In the right pane, double-click WebIntelligenceProcessingServer.
5. In the Properties window, in the Web Intelligence Processing Service group box, enter the
following information, and then click Save:
   - In the Maximum Connections box, enter 1000.
   - In the Maximum Document Cache Size (KB) box, enter 10000000.
   - In the Maximum Documents Per User box, enter 20.
6. In the right pane, double-click AdaptiveJobServer.
7. In the Properties window, in the Maximum Concurrent Jobs box, enter 10, and then click Save.
Update the administrator password
1. In SAP BusinessObjects Central Management Console (CMC) under Organize, click Users and
Groups.
2. In the left pane, click User List.
3. In the right pane, right-click Administrator and select Account Manager in the menu.
4. Verify that Change User Passwords To New Value is checked. Enter the new password and
confirm it.
5. Verify that Password never expires is checked, and click Save.
Update the time zone
1. Open InfoView (BusinessObjects client tool) using the following URL:
http://[server_name]:8081/InfoViewApp
2. On the top right corner, click Preferences.
3. From the Current Time Zone list, select your time zone.
4. Save the changes.
Preparing to Install Risk Insight
Before you run the Risk Insight installation file, you must prepare your system.
1. Create the following installation directory using the root user:
/usr/local/riskinsight
2. Make sure that the user arcsight has write and execute permission for the /usr/local/riskinsight
directory.
3. Change the owner and group of /usr/local/riskinsight directory to arcsight user and arcsight
group by issuing the following command:
chown arcsight:arcsight /usr/local/riskinsight
Install Risk Insight
This section describes how to install Risk Insight. You can install Risk Insight in GUI or console mode.
When you finish installing Risk Insight, follow the instructions in "Import Assets from ArcSight ESM"
on page 17.
To install Risk Insight
1. Log in to the ESM server with user arcsight.
2. Untar the ArcSightRiskInsight-xxxxx.tar file by running the following command:
tar xvf ArcSightRiskInsight-xxxxx.tar
3. If not already granted, give the installArcSightRiskInsight.sh file the execute permission. To do
so, enter:
chmod +x installArcSightRiskInsight.sh
4. Run the installation file as follows:
./installArcSightRiskInsight.sh -console
(or ./installArcSightRiskInsight.sh, for GUI mode, if you are using X Window.)
Installation considerations:
   - To run in GUI mode, X Window must be running. If it is not, the installer automatically runs in
     console mode. GUI mode is entirely optional.
   - To run in console mode, make sure X Window is not running. GUI mode requests the same
     information as console mode and is not documented separately.
   - The log file for installation is located at /tmp/riskinsight-installation.log
5. Follow the instructions in the Risk Insight Setup Wizard until the installation is finished. During
setup, the wizard prompts you for credentials to access the CORR-Engine database, and to
create a new database schema called bri. This schema is needed for Risk Insight to operate
properly.
6. Log in as user root and run the following script to set up the required services:
/usr/local/riskinsight/bin/setup-service.sh
Note: This step is required in order to start the services.
7. You can open Risk Insight, as described in "Open Risk Insight" on the next page.
Note: By default, the Vulnerability dictionary is not populated during the installation. See "About the
Dictionary Information Import Job" in the Risk Insight Administration Guide.
Uninstall Risk Insight
Use the following procedure to uninstall Risk Insight.
1. Log in as user root.
2. Run the following command:
/usr/local/riskinsight/bin/remove-service.sh
3. Log in as user arcsight.
4. Check and shut down any riskinsight processes that are still running.
ps -elf | grep "/usr/local/riskinsight"
kill -9 <process_id_number>
5. Run the uninstaller program from the /usr/local/riskinsight directory:
./uninstall.sh -parameters
The following parameters are accepted:
   - -c or --console: runs the uninstaller in console mode. The default behavior is to run in GUI mode
     if X Window is running.
   - -f or --force-deletion: deletes all content of the Risk Insight /usr/local/riskinsight
     installation folder.
   - -bo=some_password or --bo-admin-password=some_password: supplies the BusinessObjects
     Administrator password so that the RiskInsight folders and universe in BusinessObjects are deleted,
     including user edited and created reports and dashboards (by default not deleted).
   - -db=some_password or --mysql-root-password=some_password: supplies the arcsight user
     password to the CORR-Engine database so that the RiskInsight database schema is deleted (by
     default not deleted).
Open Risk Insight
Risk Insight is an ArcSight ESM add-on that is opened from ArcSight ESM.
To open Risk Insight, open ArcSight Command Center and then click Applications.
Chapter 3: Grant Permissions to Users
Risk Insight users are managed through the ArcSight Console in ESM. If this is the first time that you
have installed Risk Insight, then there is only one user authorized to open Risk Insight—the
Administrator user. To allow other users to open Risk Insight you must give them permissions through
the ArcSight Console. For information on managing users and groups, see the Managing Users and
Permissions chapter in the ArcSight ESM User's Guide.
There are three Risk Insight permissions:
• Admin: A user with the Admin permission can view everything and perform any task in Risk Insight.
  This includes administrator tasks performed in the Administration module, such as managing Risk
  Insight's configuration and creating new dashboards.
• Editor: A user with Editor permissions can perform tasks in the Asset module, the Vulnerabilities
  module, and in Settings, as well as view all dashboards.
• Reader: A user with Reader permissions can view the Asset module, the Vulnerabilities module,
  the Settings module, and all the dashboards.
In ESM, users are managed in groups. If this is the first time that you have installed Risk Insight, create
dedicated user groups for Risk Insight, and grant them permissions, as described in the procedures
below. If you already have Risk Insight groups, then any user that you add to these groups
automatically receives the group's permissions.
To create Risk Insight groups
1. Create the following group hierarchy:
   - Risk Insight
     - Risk Insight Admin
     - Risk Insight Editor
     - Risk Insight Reader
For instructions, see the Handling User Groups section in the Managing Users and Permissions
chapter of the ArcSight ESM User's Guide.
2. Link users to the following groups according to their roles:
   - Risk Insight Admin
   - Risk Insight Editor
   - Risk Insight Reader
For instructions, see the Moving or Linking a User section in the Managing Users and
Permissions chapter of the ArcSight ESM User's Guide.
To grant permissions to Risk Insight user groups
Grant permissions to the groups as follows:
• Risk Insight Admin: grant ArcSight Risk Insight > Admin permissions
• Risk Insight Editor: grant ArcSight Risk Insight > Editor permissions
• Risk Insight Reader: grant ArcSight Risk Insight > Reader permissions
For instructions, see the Granting or Removing Operations Permissions section in the Managing Users
and Permissions chapter of the ArcSight ESM User's Guide.
Chapter 4: Import Assets from ArcSight ESM
You can integrate with ArcSight ESM in order to synchronize the Risk Insight business model with
ArcSight ESM assets.
Integrating with ESM involves preparation in Risk Insight as well as in ArcSight ESM. Before you begin
the integration process, the ArcSight ESM administrator must install the Risk_Insight.arb (ArcSight
Resource Bundle) file in ESM. This file defines the parameters of data from the ESM data source that
will be delivered in the Risk Insight Report (in the form of a .csv file). For more information, see "Import
Risk Insight Reports into ArcSight ESM" on page 42. The file is located in <Risk Insight installation
folder>resources. The Risk Insight Report will be triggered by Risk Insight and will be used to create
a file (.csv) that includes asset information.
The ArcSight ESM administrator should provide you with connection parameters, described in "Define
Connection Parameters with ESM" on page 19. After you have gathered all the information from the
ArcSight ESM administrator, you can begin the integration process, as described in "How to Integrate
with ESM for Asset Synchronization" on the next page.
After Risk Insight is fully integrated with ArcSight ESM, the Synchronization job runs periodically,
according to the schedule that you defined. To learn more about the Asset Synchronization job, see
"About ArcSight ESM Asset Synchronization Job" below.
About ArcSight ESM Asset Synchronization Job
The Asset Synchronization Job periodically imports ArcSight ESM entities from ArcSight ESM into
Risk Insight, as follows:
1. The Risk Insight Asset Report is created based on the Risk_Insight.arb ArcSight Resource
Bundle (*.arb) file.
2. The ArcSight ESM Report contains all of the asset information, according to the asset mapping
between these two applications. Each record in the report represents an asset.
3. ArcSight ESM assets and their properties are converted into Risk Insight assets and
relationships. For more information on mapping logic, see "Map Asset Types with ESM" on page
20.
4. The process checks the Risk Insight database for each of the assets/relationships.
   - If the element does not exist in the database, then the process writes that element to the
     database.
   - If the element changed, then the process updates these changes in the database.
5. Outdated assets and relationships are deleted from the Risk Insight database (meaning that they
no longer exist in the database).
You can check the status of the job in the Job Management module. For more information, see the
Troubleshoot Batch Jobs section in the ArcSight Risk Insight Administration Guide.
How to Integrate with ESM for Asset Synchronization
Before you begin integrating Risk Insight and ArcSight ESM, make sure that you have the connection
parameters provided to you by the ArcSight ESM administrator.
The following procedure outlines the steps for integrating with ArcSight ESM. This procedure includes
steps for configuring asset synchronization.
1. Change the session timeout in ArcSight ESM. The default session timeout in ArcSight ESM is
10 minutes; this amount of time is not always enough to generate the asset report. If your
business model has more than 50,000 assets, then you need to change the session timeout in
ArcSight ESM.
Note: Changing the session timeout requires restarting ESM Manager.
For more information, see "Change ESM Session Timeout" below.
2. Define connection parameters. Define the parameters necessary for connecting with ArcSight
ESM. These parameters must be provided to you by the ArcSight ESM administrator. Follow the
instructions in "Define Connection Parameters with ESM" on the next page.
3. Review Default Asset Type Mapping. Review the default asset type mappings that are included
in Risk Insight to see whether they reflect your business model. If required, follow the instructions
in "Map Asset Types with ESM" on page 20 to tailor the mapping to your needs.
4. Define Imported Asset Type properties. Decide which asset properties will be imported from
ArcSight ESM, as described in "Define Imported Asset Type Properties" on page 22.
5. Schedule and activate the Synchronization job in order to complete the process, as described
in "Schedule and Activate the ESM Job" on page 22.
Change ESM Session Timeout
Note: Changing the session timeout requires restarting ESM Manager.
To change the session timeout
1. On the server on which ArcSight ESM is installed, open a command window or shell window on
<ARCSIGHT_HOME>/manager/config.
2. Type the following file name, and then press ENTER:
./server.properties
3. Change the session timeout by typing the following line, and then press ENTER:
servletcontainer.jetty311.session.timeout.default=20
4. As user arcsight, restart the ESM Manager by typing the following command, and then press
ENTER:
/sbin/service arcsight_services restart manager
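The edit in step 3 can be applied so that server.properties ends up with exactly one active line for the timeout key. The following script is an added example, not part of the HP guide: the set_property and get_property helpers and the sample file are constructed for illustration, and only the property name and the value 20 come from the procedure above.

```shell
#!/bin/sh
# Added example (not from the HP guide): set the ESM session timeout key in
# a properties file so that exactly one active line for the key remains.

TIMEOUT_KEY="servletcontainer.jetty311.session.timeout.default"   # key from the guide

# set_property FILE KEY VALUE
# Keeps a copy in FILE.bak, replaces the first KEY=... line with the new
# value, drops later duplicates of KEY, and appends the line if KEY was
# absent. Commented-out lines are left untouched. FILE is rewritten in
# place, so its owner and mode do not change.
set_property() {
    cp -p "$1" "$1.bak" || return 1
    awk -v key="$2" -v val="$3" '
        {
            eq = index($0, "=")
            name = (eq > 0) ? substr($0, 1, eq - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == key) {
                if (!done) { print key "=" val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key "=" val }
    ' "$1.bak" > "$1"
}

# get_property FILE KEY
# Prints the value of the last active KEY=... line (empty if there is none).
get_property() {
    awk -v key="$2" '
        {
            eq = index($0, "=")
            name = (eq > 0) ? substr($0, 1, eq - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", name)
        }
        eq > 0 && name == key { v = substr($0, eq + 1) }
        END { print v }' "$1"
}

# Constructed sample file standing in for
# <ARCSIGHT_HOME>/manager/config/server.properties.
DEMO_FILE=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real ESM file' \
    'some.other.key=1' \
    "$TIMEOUT_KEY=10" \
    "#$TIMEOUT_KEY=5" > "$DEMO_FILE"

set_property "$DEMO_FILE" "$TIMEOUT_KEY" 20
echo "effective timeout: $(get_property "$DEMO_FILE" "$TIMEOUT_KEY")"
```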
Define Connection Parameters with ESM
The first step in integrating with ArcSight ESM is defining connection parameters. These parameters
should be provided by the ArcSight ESM administrator, prior to integration.
To define connection parameters with ArcSight ESM
1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Connector.
3. In the Connector page, enter the parameters for connecting with ArcSight ESM as described in
the following table:
ArcSight ESM Integration Parameters

| Parameter | Description |
| --- | --- |
| Connector Name | Enter a name for the ArcSight ESM system to which you want to connect. This is the name that is displayed in the Source property of the asset. |
| Host | The host name or IP address of the ArcSight ESM server, provided by the ArcSight ESM administrator. |
| Port | The server port, provided by the ArcSight ESM administrator. |
| Username | Credentials for accessing ArcSight ESM, provided by the ArcSight ESM administrator. |
| Password | Credentials for accessing ArcSight ESM, provided by the ArcSight ESM administrator. |
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Note: The ArcSight user for accessing ArcSight ESM should be Normal User or Web User
type and should be given read ACL permissions for the required resources involved in
creating a report.
For example, for an asset synchronization report there should be ACL permission granted to
the involved resources, in this case, Asset Categories, Zones, Reports, Report Template and
Query. Also, read and write ACL permission to Archived Reports resources is required to
store the report successfully. For more information consult your ArcSight ESM administrator.
Map Asset Types with ESM
Note: Before you begin, you should have a clear vision of what you want your business model to
look like. If at any time you want to change the business model, then you can change the mapping
configuration; the business model will be updated after the next Asset Synchronization Job runs.
ArcSight ESM holds assets that represent IP addresses in a flat file format. When these assets are
imported to Risk Insight they are converted into the Risk Insight business model format, where the
IP asset is the primary asset.
To help you create a hierarchical business model that reflects the ArcSight ESM network model but
also provides business context, in addition to assets, the Asset Synchronization Job imports the
following ArcSight ESM entities:
• Asset Group
• Asset Category
• Zone Group
• Zone
All of these entities have a corresponding asset type in Risk Insight, and they all belong to the
Business Asset category, as presented in the following table.
| ESM Entities | Risk Insight Asset Category | Risk Insight Asset Type |
| --- | --- | --- |
| Asset Group | Business Asset | Asset Group |
| Asset Category | Business Asset | Category |
| Zone Group | Business Asset | Zone Group |
| Zone | Business Asset | Zone |
The asset zone and zone group are reflected in the business model by design. You can decide whether
to reflect the asset group and asset category in the business model. If you choose to reflect the asset
group and the asset category, then two additional hierarchies will be created. So, potentially, you can
have numerous hierarchies under the Organization asset.
By default, each of the ArcSight ESM entities is mapped to its corresponding asset type in Risk
Insight, but you can map them to any asset type defined in Risk Insight. You can also create
exceptions. For example, if you mapped a zone in ArcSight ESM to a zone in Risk Insight, but you
want to map one specific zone to a subnet, then you can create an exception.
The following procedure describes how to select which hierarchies will be created, map asset types,
and create exceptions.
To map asset types with ArcSight ESM
1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Asset Synchronization > Asset Type
Mapping.
3. In the Asset Type Mapping page, depending on the number of hierarchies that you want to
create, select the following:
   - Create a Group-based Model
   - Create a Category-based Model
Note: By default, the group-based model is preferred. If you plan to build a category-based
model, in Integrations > ArcSight ESM > Asset Synchronization change the Asset Report
Resource Id value to 9E8+stFABABCHi+KlterIPQ==
4. If required, change the default mapping in the mapping table.
5. To create an exception, do the following:
a. Click a new row in the mappings table to create a new record.
b. From the ESM Entities list, select the ESM entity for which you want to create an exception.
c. In the ESM Entity Exception cell, enter the name of the ESM entity for which you want to
create a separate mapping.
d. From the Risk Insight Asset Category list, select the category of the Risk Insight asset type
that you want to map.
e. In the Risk Insight Asset Type enter the asset type to which you want to map the exception.
6. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Define Imported Asset Type Properties
For each asset category, you can decide which properties from the asset repository are periodically
imported and synchronized, meaning that they cannot be overridden in Risk Insight. The following
properties are common to all categories:
• Name
• Description
To define imported asset type properties
1. Click Administration > Configuration.
2. In the Configuration module, in the left pane, click Asset Management > Imported Asset
Properties Policy.
3. For each asset category displayed under Imported Asset Properties Policy, do the following:
a. In the left pane, click the asset category.
b. For each property, select or clear the Synchronize check box. If a check box is not selected,
then the asset property will be editable in Risk Insight.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Schedule and Activate the ESM Job
After you define all of the required parameters for connecting with ArcSight ESM, you can schedule and
activate the Asset Synchronization job, the Event Import job, or both.
For more information on the jobs, see "About ArcSight ESM Asset Synchronization Job" on page 17.
To schedule and activate a synchronization job
1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Asset Synchronization > Schedule
Job.
3. In the Job page, do the following:
   - In Job Schedule, select the options for the recurrence pattern you want (every number of
     minutes, every number of hours, every number of days, or on certain days of the week).
   - Select the Activate Job check box.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
The Synchronization job is activated and will run according to the schedule that you have set.
Chapter 5: Import Risk Information from ESM
Risk Insight enables you to import information on risk factors from ArcSight ESM. For more information
on risk factors, see the Risk Factors section in the ArcSight Risk Insight User Guide.
Information is imported by using a connector.
Following are the steps for importing risk information into Risk Insight:
1. Create an ESM report. For more information, see "Create a Risk Factor Report in ESM" on the
next page.
2. Define the risk factor and configure the connector. For more information, see "How to Create a
Risk Factor in Risk Insight" on page 28.
Note: For optimal performance, schedule the import jobs for each of the risk factors to run at
different times, with at least a 30-minute difference between runs.
About Risk Factor Import Job
The Risk Factor Import Job periodically imports risk information from ESM. For each risk factor that
you define and configure in Risk Insight, a specific job is created with the name: <risk factor
name>ImportJob. The job is created only after the new configuration is saved and activated.
Following is the process: 
1. The process checks whether the data was already imported into Risk Insight. If it was, then the
process completes without import.
If the data is invalid, for example if one of the columns is missing, then the job fails.
2. The process reads the data from the data source.
3. The process writes the new data to the scores table in the database.
• If a score is out of range, then the record is skipped.
• If there are duplicate records, then the last record found overrides the previous record.
• If more than one asset defined in the business model matches the Asset Identifier in
the data source, then the first one found is updated.
Note: In all of these cases, a warning is written to the error log.
4. If there is data in the scores table in the database, then the process deletes it according to the
Delete Old Scores indicator.
If you selected the Delete Old Scores check box when you configured the connection
parameters, then all the scores are deleted regardless of whether they have been updated or not. If
you did not select this check box, then only scores that were updated are deleted.
5. The process aggregates the scores and writes them to the database.
6. If you selected the Archive immediately after import check box in Configuration, then both
scores and aggregate scores are archived.
For more information on archiving, see the Archive Trend Data section in the ArcSight Risk Insight
Administration Guide.
Create a Risk Factor Report in ESM
When you create a risk factor report, you need to export it as a CSV file.
Note: Make sure that the ESM entities that are included in the file do not have a "," character
(comma) in their name. The file generated by the report includes a "," delimiter, so if this character
is used in an ESM entity name, then the name will be split into two.
There are two types of report formats:
• ESM-based business model format: Use this format when your business model is imported from
ESM.
• Non-ESM business model format: Use this format when your business model is imported from
any source other than ESM.
The following tables detail the formats.
ESM-based business model format

| Parameter | Format | Description |
|---|---|---|
| Asset Identifier | Maximum 100 characters | Mandatory. If the asset identifier is empty, then the record is skipped. This parameter is used for asset reconciliation. You do not need to configure a reconciliation parameter in Risk Insight, as described in Configure Asset Reconciliation Parameters. |
| Score | Rational number | Mandatory. If the score is empty, then the record is skipped. |
| Comment | Maximum 1024 characters | Optional |

Non-ESM business model format

| Parameter | Format | Description |
|---|---|---|
| Asset Name, External ID, IP Address, DNS Name, Mac Address | Maximum 100 characters | These parameters are used for asset reconciliation. It is mandatory to pass at least one of these parameters. We recommend creating a report with all of these parameters. You need to configure a reconciliation parameter in Risk Insight, as described in Configure Asset Reconciliation Parameters. |
| Score | Rational number | Mandatory. If the score is empty, then the record is skipped. |
| Comment | Maximum 1024 characters | Optional |

The following procedure explains how to create a risk factor report in ESM.
To create a risk factor report
1. Follow the instructions in the Building Reports section in the ArcSight Console User's Guide.
2. When you define the query settings, create a query based on one of the following data sources:
• Events
• Assets
• Active List
These data sources are the most suitable for creating a risk factor report. Out-of-the-box reports
included in Risk Insight are based on the data sources listed above. For more information, see the
Out-of-the-Box Risk Factor Reports section in the ArcSight Risk Insight User Guide.
3. Edit the Row Limit query field. We recommend that the maximum number of rows is similar to the
number of assets in the business model.
4. When you create the query structure, depending on the report format, do the following:
• ESM-based business model format. Create active columns in the following order:
  i. The asset identifier
  ii. The score of the risk factor for a specific asset
  iii. Additional evidence
• Non-ESM business model format. Create active columns in the following order:
  i. Asset Name
  ii. External ID
  iii. IP Address
  iv. DNS Name
  v. Mac Address
  vi. The score of the risk factor for a specific asset
  vii. Additional evidence
Note: Comment is a reserved word in ESM. When you create this column enter a different
name. Change the column name back to Comment by editing the query later on.
5. When you define the report settings, in the Report Data area, depending on the report format, do
the following:
• ESM-based business model format. Change the Alias for each column that you defined to
the following names:
  i. Asset Identifier
  ii. Score
  iii. Comment
• Non-ESM business model format. Change the Alias for the last two columns that you
defined to the following names:
  i. Score
  ii. Comment
These names are the column names that are created in the CSV file. The column name is case-
sensitive.
6. When you define the report settings, in the Report Parameters area, from the Format list, select
CSV.
7. For each risk factor for which you want to import data into Risk Insight, deploy real-time rules, as
described in the Deploying Real-Time Rules section in the ArcSight Console User's Guide.
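The record-handling rules described for the Risk Factor Import Job (a missing column fails the job; an empty identifier, an empty score or an out-of-range score skips the record; the last duplicate wins) can be previewed against an exported ESM-based report before the job runs. The following Python is an added example, not HP code: the function name, the constructed sample report and the split-on-every-comma parsing are assumptions, and rows marked "check" are conditions for which the page does not state an outcome.

```python
import math

# Column aliases set in the ESM report settings (case-sensitive, per the page).
MANDATORY_COLUMNS = ("Asset Identifier", "Score")
MAX_IDENTIFIER_LEN = 100   # documented maximum for Asset Identifier
MAX_COMMENT_LEN = 1024     # documented maximum for Comment

# Constructed sample of an exported report (not real data).
SAMPLE_REPORT = """Asset Identifier,Score,Comment
web-01,42,Unpatched services
db-01,,No data
,17,Orphan row
web-01,55,Rescan result
app-01,140,Above range
Payroll, EU,30,Comma in asset name
mail-01,high,Non-numeric score
"""


def preview_risk_factor_csv(csv_text, min_score, max_score):
    """Predict which rows of an ESM-based risk factor report would be kept.

    Returns (scores, findings). scores maps asset identifier -> score for the
    rows expected to be written; findings is a list of
    (line_no, kind, message) with kind in {"skip", "override", "check"}.
    Raises ValueError when a mandatory column is missing, the case in which
    the page says the job fails.
    """
    rows = csv_text.splitlines()
    if not rows:
        raise ValueError("report is empty")
    # Assumption: every comma is a delimiter, as the page's note implies.
    header = rows[0].split(",")
    missing = [c for c in MANDATORY_COLUMNS if c not in header]
    if missing:
        raise ValueError("missing mandatory column(s): " + ", ".join(missing))
    col = {name: i for i, name in enumerate(header)}

    scores, findings = {}, []
    for line_no, line in enumerate(rows[1:], start=2):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != len(header):
            findings.append((line_no, "check",
                             f"{len(fields)} fields, header has {len(header)} "
                             "(comma inside an ESM entity name?)"))
            continue
        asset = fields[col["Asset Identifier"]].strip()
        raw = fields[col["Score"]].strip()
        comment = fields[col["Comment"]] if "Comment" in col else ""
        if not asset:
            findings.append((line_no, "skip", "empty Asset Identifier"))
            continue
        if not raw:
            findings.append((line_no, "skip", "empty Score"))
            continue
        try:
            score = float(raw)
        except ValueError:
            score = math.nan
        if not math.isfinite(score):
            findings.append((line_no, "check", f"Score {raw!r} is not a number"))
            continue
        if not (min_score <= score <= max_score):
            findings.append((line_no, "skip",
                             f"Score {score} outside {min_score}..{max_score}"))
            continue
        if len(asset) > MAX_IDENTIFIER_LEN or len(comment) > MAX_COMMENT_LEN:
            findings.append((line_no, "check",
                             "field longer than the documented maximum"))
            continue
        if asset in scores:
            findings.append((line_no, "override",
                             f"duplicate {asset!r}: this row replaces the earlier one"))
        scores[asset] = score
    return scores, findings


if __name__ == "__main__":
    kept, notes = preview_risk_factor_csv(SAMPLE_REPORT, 0, 100)
    print(kept)
    for line_no, kind, message in notes:
        print(f"line {line_no}: {kind}: {message}")
```

Pass the Minimum Score and Maximum Score configured for the risk factor as `min_score` and `max_score`.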
How to Create a Risk Factor in Risk Insight
In order to import risk information from ESM you must first define and configure the risk factors in Risk
Insight.
The following procedure outlines the steps for defining and configuring risk factors:
1. Define a new risk factor in Risk Insight. For more information, see "Define a New Risk Factor "
below.
2. Configure the connection parameters. For more information see "Configure the Risk Factor
Connector Parameters" on the next page.
3. Configure the risk factor import job. For more information see "Configure the Risk Factor Import
Job" on page 30.
4. Configure the normalization settings for the risk factor. For more information, see "Configure the
Risk Factor Normalization Settings" on page 30.
5. Configure the risk factor score aggregation method. For more information, see "Configure the Risk
Factor Aggregation Method" on page 31.
6. Configure the archive settings. For more information, see the Configure the Risk Factor Archive
Settings section in the ArcSight Risk Insight Administration Guide.
7. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
8. Configure risk factor ranges in order to display the risk factor scores with the appropriate score
severity. For more information, see the Configure Risk Factor Ranges section in the ArcSight
Risk Insight User Guide.
Define a New Risk Factor
You can define any number of risk factors in Risk Insight.
Whenever you add a risk factor to Risk Insight, a corresponding KPI is created automatically. For more
information, see the Risk Factor Dashboard section in the ArcSight Risk Insight User Guide.
After you define the risk factor you can configure its connection parameters, as described in "Configure
the Risk Factor Connector Parameters" below.
To define a new risk factor
1. Click Administration > Configuration.
2. On the Configuration page, in the left pane, click Risk Factor.
3. Click the Add configuration to configuration set button, and select ESM Connector.
4. In the left pane, expand the risk factor folder, and then click the empty folder.
5. In the left pane, enter the following information:
a. Risk Factor Name: enter the name of the risk factor for which you want to import risk
information.
Note:
◦ The name cannot include the following characters: * ? = ’ :
◦ This is also the display name of the risk factor. It will be displayed in the folder name,
Risk Register, Risk Indicators, Risk Factor Dashboard, and any other report that
includes this risk factor.
b. Description: this field is optional.
Configure the Risk Factor Connector Parameters
You need to configure the connection parameters to ESM from which you are importing the risk factor
information.
To configure connection parameters
1. Open the risk factor folder. Click Administration > Configuration, expand the risk factor folder,
and then click the factor that you defined.
2. Under the folder of the risk factor that you defined, click Connector Parameters.
3. Do the following:
a. In Resource ID, enter the resource ID that you defined when you created the report in ESM.
b. In Port, enter the ESM server port.
4. Select the Delete Old Scores check box if you want all the scores to be deleted when the Risk
Factor Import Job is run, regardless of whether the scores have been updated or not. If you do not
select this check box, then the job will only delete scores that have changed and will leave the
unchanged scores in the database.
5. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Configure the Risk Factor Import Job
After the connector parameters are configured, you need to schedule and activate the Risk Factor
Import Job. For each risk factor that you define and configure in Risk Insight, a specific job is created
with the name: <risk factor name>ImportJob. The job is created only after the new configuration is
saved and activated. For more information on the job, see "About Risk Factor Import Job" on page 24.
To schedule and activate the import job
1. Open the risk factor folder. Click Administration > Configuration, expand the risk factor folder,
and then click the factor that you defined.
2. Under the folder of the risk factor that you defined, click Import Job.
3. In the Import Job window, in the right pane, do the following:
a. Select the Activate Job check box.
b. In Job Schedule, select the options for the recurrence pattern you want (every number of
minutes, every number of hours, every number of days, or on certain days of the week).
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Configure the Risk Factor Normalization Settings
In order to be included in the asset overall score calculation, all risk factors are normalized to a score
between 0 and 100 (inclusive). In order to normalize the score, you must set the score range for the risk
factor. You must also define the directionality of the score severity. For example, a low score is
considered low risk while a high score is considered high risk.
These settings affect the definition of the severity ranges reflected in Settings > Risk Factor. For
more information, see the Configure Risk Factor Ranges section in the ArcSight Risk Insight User
Guide.
To configure normalization settings
1. Open the risk factor folder. Click Administration > Configuration, expand the Risk Factor
folder, and then click the risk factor that you defined.
2. Under the folder of the risk factor that you defined, click Normalization.
3. In the Normalization page, do the following:
• Minimum Score: enter the first number in the score range.
• Maximum Score: enter the last number in the score range.
Note: The score range is inclusive.
• Display score with this number of digits after the decimal point: to define the score
display precision level, enter the number of digits after the decimal point that you want to
display.
• To define the directionality of the score severity, select or clear the Lower Score is Best
check box.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Configure the Risk Factor Aggregation Method
You can configure the aggregation method for each of the risk factors defined in Risk Insight.
To configure aggregation method
1. Click Administration > Configuration.
2. In the left pane, click Risk Factor > <Risk Factor Name> > Aggregation Method.
3. In the right pane, from the Aggregation Method list, select one of the following options:
• Average (default)
The weighted average of the aggregate scores of an asset's children, including the score of the
asset itself. This is the default method. The asset's score and the aggregate score of its children
are taken into account.
• Override Children
If the asset already has a score, then its aggregate score receives the value of the score. If the
asset does not have a score, then its aggregate score is calculated according to the Average
formula. The asset's score takes precedence over its children's aggregate score.
• Average of Children
The weighted average of the aggregate scores of an asset's children, excluding the score of the
asset itself. The aggregate score of the children takes precedence over the asset's own score.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Configure Risk Factor Ranges
You can configure the ranges for the score severity indication for any risk factor defined in Risk Insight.
Score ranges and the directionality of the score severity may differ between risk factors. These
settings are defined during the configuration process of the risk factor. For more information, see the
Configure the Risk Factor Normalization Settings section in the ArcSight Risk Insight Administration Guide.
Risk factor scores are displayed with one of the following icons:
• Better score (high or low, depending on the directionality)
• Medium score
• Worse score (high or low, depending on the directionality)
This configuration is reflected throughout the application, wherever these measurements are displayed.
For example, on the Risk Register page in the Asset Summary component.
To configure risk factor ranges
1. On the Risk Insight toolbar, click the Settings button.
2. On the Settings dialog box, click Risk Factors.
3. In the left pane, click the risk factor for which you want to configure ranges.
4. Drag the slider to define the ranges.
5. Click Save.
Delete a Risk Factor
You can delete a risk factor from Risk Insight when it is no longer relevant.
When you delete a risk factor, all of the data pertaining to this factor in the database is deleted as well.
The job that is created when you create a new risk factor (<risk factor name>ImportJob) is not deleted
and can be viewed in the Job Management module.
To delete a risk factor
1. Click Administration > Configuration.
2. On the Configuration page, in the left pane, expand Risk Factor.
3. Click the risk factor that you want to delete, and then click the Remove configuration from
configuration set button.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Chapter 6: Import Vulnerabilities From Vulnerability
Assessment Tools
Risk Insight enables you to regularly import vulnerability information from vulnerability assessment
tools, providing near real-time monitoring capabilities on the vulnerabilities and exposures affecting
your organization's physical and business assets.
Risk Insight imports the vulnerability information from vulnerability scanner reports by using ArcSight
SmartConnectors. For an overview on the Vulnerabilities module, see the Vulnerability Management
chapter in the ArcSight Risk Insight User Guide.
Note: In order to work with the Vulnerabilities module, you must have at least one of the
vulnerability assessment tools supported by Risk Insight installed in your network.
The following table includes the vulnerability assessment tools supported by Risk Insight and their
corresponding ArcSight SmartConnector.
| Vulnerability Assessment Tool | ArcSight SmartConnector |
|---|---|
| Tenable Nessus Vulnerability Scanner | Tenable Nessus .nessus File |
| McAfee Vulnerability Manager (Foundscan) | McAfee Vulnerability Manager DB |
| Qualys Guard | Qualys QualysGuard File |
| HP WebInspect | ArcSight FlexConnector XML file |
| Rapid7 Nexpose | Rapid7 NeXpose XML File |
To acquire the latest version of the required ArcSight SmartConnectors, download the appropriate executable
for your platform from the Support Web site (https://softwaresupport.hp.com//), as well as the separate
downloadable zip file of SmartConnector Configuration Guides.
Vulnerability assessment tools generate reports in a variety of formats, such as an XML file or a
database. The ArcSight SmartConnector normalizes the different formats into one format. In Risk
Insight, the ArcSight SmartConnector is configured to use a CSV file format. The CSV file is then
processed by the Vulnerabilities Import Job. The vulnerability information is imported into Risk Insight
and displayed in the Vulnerability Management window.
Note: HP WebInspect does not generate reports automatically. In order to load vulnerability
information into Risk Insight, you must manually export the scans in Full XML format, as described
in the Export scan details in WebInspect task, in the Web Application Firewall Integration Tool
section, in the HP WebInspect User Guide.
After you export the scan, copy it to the reports folder that you defined when you installed the
connector.
To import vulnerabilities, first "Install and Configure ArcSight SmartConnector" on the next page and
then "Schedule and Activate Vulnerabilities Import Job" on page 37.
About the Vulnerability Import Job
The Vulnerability Import Job periodically imports and processes vulnerability information from scanners
into Risk Insight, as follows:
1. The process retrieves CSV files that are generated by ArcSight SmartConnectors that have a
*.done.csv extension from the following folder:
<Risk Insight Installation folder>/vmimport/pending/<connector ID>
2. Each record from the CSV file is standardized (normalized) and enhanced to create a single
vulnerability instance. Records are processed in batches.
a. For each CSV record, the process checks whether the vulnerability is defined in the
vulnerability dictionary. If it is, then the vulnerability's name (classifier) is taken from the
vulnerability dictionary and its information is enhanced accordingly. If it is not, then the
vulnerability name receives the identifier provided by the source, taken from the CSV file.
b. Information is modified and standardized in a consistent manner. For example, vulnerability
priority or severity is normalized to a score between 0 and 10.
c. The vulnerability instance records are saved in the Risk Insight database.
3. The process aggregates vulnerability instances that represent the same vulnerability into a single
vulnerability occurrence, according to the vulnerability name and location. For more information on
these properties, see the Vulnerability Properties section in the ArcSight Risk Insight User Guide.
4. Closed vulnerability occurrences that do not have a remediation status of Not an Issue and that
have new vulnerability instances, are reopened.
5. The process maps vulnerability occurrences to assets of type IP Address in the business model
according to the host, IP address, and MAC address. All matched vulnerabilities are attached to
assets.
6. Outdated vulnerability occurrences (no vulnerability instances have been reported for over N
days) are closed, with remediation status Automatically Closed. The Automatically
close vulnerability after (days) parameter is configured in "Schedule and Activate Vulnerabilities
Import Job" on page 37.
7. The CSV files are moved to the following folders:
• Successfully processed files are moved to the <Risk Insight Installation
folder>/vmimport/done/<connector ID> folder.
• Files that contain erroneous records are moved to the <Risk Insight Installation
folder>/vmimport/errors/<connector ID> folder.
For more information, see the Vulnerability Error Handling section in the ArcSight Risk Insight
User Guide.
You can check the status of the job in the Job Management module. For more information, see the
Troubleshoot Batch Jobs section in the ArcSight Risk Insight Administration Guide.
Install and Configure ArcSight SmartConnector
You can either install a new connector or add a destination to an existing connector. For more
information on destinations, see the SmartConnector Destinations chapter in the ArcSight
SmartConnector User's Guide. Connectors do not have to be installed on the ESM server.
If you are installing a new connector, for all installation instructions, including system requirements for
the connector that you want to install, see the SmartConnector Configuration Guide for:
• Tenable Nessus .nessus File
• McAfee Vulnerability Manager DB
• Qualys QualysGuard File
• ArcSight FlexConnector XML file (for HP WebInspect)
• Rapid7 NeXpose XML File
The SmartConnector configuration setup should be used to configure new connectors and to add a
destination to existing connectors. It is strongly recommended to run connectors as a service in
automatic mode to schedule an uninterrupted flow of information on vulnerabilities to Risk Insight.
Note: It is important that you perform the configuration procedure immediately after you install the
connector.
In order for Risk Insight to work with ArcSight SmartConnectors, you need to run the connector
configuration for each connector. This means that if you have two connectors, then you need to
configure each of them. Existing connectors should have an extra destination added to write the
CSV files containing the vulnerability information to the following folder on the Risk Insight server:
<Risk Insight installation folder>/vmimport/pending/<connector ID>
To add or edit a destination for an existing or newly installed connector
Execute runagentsetup in the folder <Connector Installation Folder>/current/bin on an existing
connector or, if the connector is not installed already, get the SmartConnector installation media and
install the required SmartConnector type using the installation wizard. On the wizard Destination screen:
1. Select either Add, Modify, or Remove Destinations, and click Next. If it is a first time
installation, you will next be able to select the type of destination.
2. Select CSV File, and click Next.
3. On the next page, enter a CSV Path, which should be the <Risk Insight installation
folder>/vmimport/pending folder or the local path for the mounted NFS share pointing to it.
a. Set the fields value to include the CSV content in this format:
event.categoryTechnique,event.deviceDomain,event.deviceVendor,event.deviceProduct,event.deviceVersion,event.oldFilePath,event.destinationAddress,event.destinationHostName,event.destinationMacAddress,event.destinationZoneURI,event.destinationPort,event.flexNumber1,event.flexNumber2,event.deviceCustomString2,event.deviceCustomString6,event.deviceEventClassId,event.deviceSeverity,event.name,event.flexString1,event.flexString2
b. Set the file rotation interval to at least 3600.
c. Set the value for write the format header to true.
4. Complete the wizard.
5. Start the ArcSight SmartConnector service.
Note: Make sure that the connector has write permissions for the following folder in Risk Insight:
<Risk Insight installation folder>/vmimport/pending
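The pending folder is the hand-off point between the connector and the Vulnerabilities Import Job, so before the job is scheduled it is worth confirming that the files in it match the destination settings above. The following Python is an added example, not part of the product: the function names are hypothetical, it assumes the header row repeats the configured field names (with or without the event. prefix), and the world-writable test is an extra least-privilege check beyond the write permission the note requires.

```python
import os
import stat
import sys

# Field list from the CSV destination settings on the page, in order.
CONFIGURED_FIELDS = (
    "event.categoryTechnique,event.deviceDomain,event.deviceVendor,"
    "event.deviceProduct,event.deviceVersion,event.oldFilePath,"
    "event.destinationAddress,event.destinationHostName,"
    "event.destinationMacAddress,event.destinationZoneURI,"
    "event.destinationPort,event.flexNumber1,event.flexNumber2,"
    "event.deviceCustomString2,event.deviceCustomString6,"
    "event.deviceEventClassId,event.deviceSeverity,event.name,"
    "event.flexString1,event.flexString2"
).split(",")


def _short(name):
    """Strip whitespace and an optional 'event.' prefix from a field name."""
    name = name.strip()
    return name[len("event."):] if name.startswith("event.") else name


EXPECTED = [_short(f) for f in CONFIGURED_FIELDS]


def header_problems(header_line):
    """Compare a CSV header row with the configured field list."""
    got = [_short(f) for f in header_line.strip().split(",")]
    missing = [f for f in EXPECTED if f not in got]
    extra = [f for f in got if f not in EXPECTED]
    problems = []
    if missing:
        problems.append("missing field(s): " + ", ".join(missing))
    if extra:
        problems.append("unexpected field(s): " + ", ".join(extra))
    if not problems and got != EXPECTED:
        problems.append("fields present but not in the configured order")
    return problems


def scan_pending(folder):
    """Return {relative path: [problems]} for items that need attention."""
    report = {}
    for root, _dirs, files in os.walk(folder):
        rel_dir = os.path.relpath(root, folder)
        # Extra check (not from the page): anyone on the host could drop
        # files into a world-writable folder that the import job ingests.
        if os.stat(root).st_mode & stat.S_IWOTH:
            report[rel_dir] = ["folder is world-writable"]
        for name in sorted(files):
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if not name.endswith(".done.csv"):
                # The job retrieves only files with a *.done.csv extension.
                report[rel] = ["no .done.csv extension: not retrieved by the import job"]
                continue
            with open(os.path.join(root, name), encoding="utf-8",
                      errors="replace") as fh:
                problems = header_problems(fh.readline())
            if problems:
                report[rel] = problems
    return report


if __name__ == "__main__":
    # Usage: python check_pending.py <path to the vmimport pending folder>
    for item, problems in sorted(scan_pending(sys.argv[1]).items()):
        for problem in problems:
            print(f"{item}: {problem}")
```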
Schedule and Activate Vulnerabilities Import Job
After the connector or connectors are running and new CSV reports are successfully written to the
<Risk Insight installation folder>/vmimport/pending/<connector ID> folder according to the file rotation
interval, you need to schedule and activate the Vulnerabilities Import Job. For more information on the
job, see "About the Vulnerability Import Job" on page 35.
To schedule and activate the Vulnerabilities Import Job
1. Click Administration > Configuration.
2. In the left pane, click Vulnerability Management > Schedule Import Job.
3. In the Schedule Import Job window, in the right pane, do the following:
a. Select the Activate Job check box.
b. In Job Schedule, select the options for the recurrence pattern you want (every number of
minutes, every number of hours, every number of days, or on certain days of the week).
c. Select the Automatically Close Vulnerabilities check box in order to enable automatic
closing of vulnerabilities.
d. If you selected the Automatically Close Vulnerabilities check box, then in the
Automatically Close Vulnerability After (days), enter the number of days after which the
remediation status should be changed to Automatically Closed.
4. Save and apply the configuration changes. For more information, see "Save and Apply
Configuration Changes" on page 40.
Chapter 7: Manage Configuration Sets
The Configuration module enables you to define the configuration settings needed to set up your
environment.
A configuration set contains the properties defined for the system. You can create any number of
configuration sets and then select one with which to run your system. Risk Insight maintains a history
of all the configuration sets created. For more information, see "Select Configuration Set" below.
A new configuration set is initially saved as a draft. A draft is a configuration set that has not yet been
activated. A draft can be edited only until it is first activated. The new configuration properties are only
applied to Risk Insight when a draft is activated. For details on how to activate a draft, see "Save and
Apply Configuration Changes" on the next page.
You cannot edit a configuration set after it has been activated; you must create a new draft instead.
You can create a new draft based on an existing configuration set and save it with a new name.
Risk Insight validates the configuration set and identifies the problems in the configuration, such as a
field with a missing value. If a problem is found, Risk Insight displays a description of the problem, a
link to the configuration pane in which the problem was found, and an icon that indicates the severity of
the problem.
Select Configuration Set
You can create any number of configuration sets and then select one with which to run your system.
To select a configuration set
1. Click Administration > Configuration.
2. In the Configuration window, in the left pane, click the Open Configuration Set button.
The currently active configuration set is displayed in bold.
3. In the Open Configuration Set window, from the list of configuration sets, click the one that you
want to run, and then click Open.
You can filter the list of configuration sets by selecting one of the following options:
• Activated
• Drafts
4. In the left pane, click the Activate current configuration set button.
In the Activate Configuration Set dialog box, click Yes.
Save and Apply Configuration Changes
You can save configuration changes and then apply the new configuration settings to Risk Insight by
creating a new configuration set.
When a change is made to one of the settings, an asterisk appears next to the category name in the left
pane.
To create a new configuration set
1. Click Administration > Configuration and make the required configuration changes.
2. In the Configuration window, in the left pane, click the Save current editable configuration set
button.
3. In the Save as Draft dialog box, in the Draft name box, type the name of the draft, and then click
Save.
Risk Insight applies the new configuration settings when you activate the draft.
Note: If the configuration set contains invalid or missing values, messages are displayed in
the Problems pane at the bottom of the screen. To navigate to the page on which the problem
occurs, click the Code link and try to resolve the problem. You can activate only configuration
sets that do not have any problems.
4. In the left pane, click the Open configuration set button.
5. In the Open Configuration Set dialog box, select the required draft, and then click Open. You
can select the Draft option to display only draft configuration sets. The name of the currently
selected configuration set appears at the top of the left pane.
6. In the left pane, click the Activate current configuration set button to activate the selected
draft and apply the new configuration settings to Risk Insight.
Appendix A: Asset Reporting
The following sections describe this report and provide additional information about accessing it and
interpreting its content. For more information about integration with Risk Insight, see "Import Assets
from ArcSight ESM" on page 17.
About the Asset Report
The Asset report lists all of the assets currently stored in your ArcSight ESM environment. An asset is
defined in ArcSight ESM as a network endpoint that contains an IP address and a host name or
external ID. The report is generated by querying the ArcSight ESM asset schema, from which the
relevant fields are retrieved. The report can provide asset information from these fields. (Not all fields
will be populated all of the time.)
• Asset ID
• Asset External ID
• Asset Name (The name used to identify the asset)
• Asset Description (The description of the asset)
• IP Address (The IP address of the network device represented by the asset)
• Zone URI (The URI of the zone to which the asset belongs)
• Hostname (The host name of the network device represented by the asset)
• MAC Address (The MAC address of the network device represented by the asset)
• OS (The operating system under which the asset is run)
• Application
• Location
• Location ID
• Modification Time
• Create Time
• Zone Name
• Zone ID
• Asset URI
• All Categories
The Asset report is located in the following directory in the ArcSight ESM environment:
../All Reports/ArcSight Risk Insight/Asset Report
Note: By default, the group-based model is pre-selected in the Asset Synchronization properties. It omits
collection of information on all categories for assets to improve report run-time. If you plan to build
a category-based model, use the following report, which contains information on "All Categories":
../All Reports/ArcSight Risk Insight/Asset Report with Categories
Import Risk Insight Reports into ArcSight ESM
Risk Insight reports are available from a bundled file, Risk_Insight.arb, in the ArcSight ESM Manager.
To install the reports and import the .arb file as a package
1. In the ESM Manager Console, in the Navigator panel, click the Packages tab.
2. Click the green down-arrow icon.
3. Select the Risk_Insight.arb file, and click Open.
Note: To import the package without installing it, clear the check box next to the .arb file
name. (The default is to install all imported packages.)
4. Review the Import dialog box for any conflicts. Each conflict displays one or more resolution
options. To resolve a conflict, choose the preferred resolution option and click the OK button next
to the options window. For more about resolving conflicts, see the section Resolving Package
Conflicts in the ArcSight Console User Guide.
5. Click OK to complete the import process.
The package from which the reports can be generated will be imported into the folder:
/All Packages/ArcSight Risk Insight
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on Deployment Guide (Risk Insight 1.1)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and
send your feedback to arc-doc@hp.com.
We appreciate your feedback!
Deployment Guide for Risk_Insight 1.1

  • 1. HP ArcSight Risk Insight Software Version: 1.1 Linux Operating System Deployment Guide December 8, 2015
  • 2. Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2015 Hewlett-Packard Development Company, L.P. Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026 Support Phone A list of phone numbers is available on the HP ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-support- contact-list Support Web Site https://softwaresupport.hp.com Protect 724 Community https://www.protect724.hpe.com Contact Information HP Risk Insight (1.1) Page 2 of 43
  • 3. Contents Chapter 1: Welcome to This Guide 5 About ArcSight Risk Insight 5 Chapter 2: Install Risk Insight 7 System Requirements 7 Prerequisites 8 Preparing to Install SAP BusinessObjects 8 Install SAP BusinessObjects Enterprise 10 SAP BusinessObject Configuration and Post Installation Tasks 10 Preparing to Install Risk Insight 12 Install Risk Insight 12 Uninstall Risk Insight 13 Open Risk Insight 14 Chapter 3: Grant Permissions to Users 15 Chapter 4: Import Assets from ArcSight ESM 17 About ArcSight ESM Asset Synchronization Job 17 How to Integrate with ESM for Asset Synchronization 18 Change ESM Session Timeout 18 Define Connection Parameters with ESM 19 Map Asset Types with ESM 20 Define Imported Asset Type Properties 22 Schedule and Activate the ESM Job 22 Chapter 5: Import Risk Information from ESM 24 About Risk Factor Import Job 24 Create a Risk Factor Report in ESM 25 How to Create a Risk Factor in Risk Insight 28 Define a New Risk Factor 28 Configure the Risk Factor Connector Parameters 29 Configure the Risk Factor Import Job 30 Configure the Risk Factor Normalization Settings 30 Configure the Risk Factor Aggregation Method 31 Configure Risk Factor Ranges 32 Delete a Risk Factor 33 Chapter 6: Import Vulnerabilities From Vulnerability Assessment Tools 34 About the Vulnerability Import Job 35 HP Risk Insight (1.1) Page 3 of 43
  • 4. Install and Configure ArcSight SmartConnector 36 Schedule and Activate Vulnerabilities Import Job 37 Chapter 7: Manage Configuration Sets 39 Select Configuration Set 39 Save and Apply Configuration Changes 40 Appendix A: Asset Reporting 41 About the Asset Report 41 Import Risk Insight Reports into ArcSight ESM 42 Send Documentation Feedback 43 Deployment Guide HP Risk Insight (1.1) Page 4 of 43
  • 5. Chapter 1: Welcome to This Guide This guide provides you information about the installation and initial configuration of Risk Insight. This guide is intended for the Risk Insight System Administrator. Readers of this guide should be knowledgeable about enterprise system administration and have familiarity with information security concepts. About ArcSight Risk Insight Risk Insight is an ArcSight ESM add-on that enables Risk Managers and Security Operation Center (SOC) Managers to analyze security risk information in a business context and prioritize actions to minimize that risk. Security risk information is processed periodically providing continuous monitoring capabilities on the risks imposed on your organization's assets. Risk Insight optimizes the way risk information is delivered in the following ways: l By building a hierarchical business model from the assets defined in ESM. The business model depicts the entire organization from high-level business assets to low-level IT assets, allowing you to quickly respond to real-time threats and to invest your resources efficiently. l By defining risk factors based on the logic that exists in ESM to help focus the risk analysis on what really matters to the organization. l By following up after the various risk factors using sophisticated executive dashboards. You can present risk information visually in configurable dashboards, create custom dashboards, create new KPIs, and apply any other type of logic to your risk information in order to make analysis more efficient. Risk Insight also includes a Vulnerability Management module that collects vulnerabilities by using ArcSight SmartConnectors, removes duplicates, assigns them to assets, and prioritizes them accordingly, allowing you to manage the remediation process. HP Risk Insight (1.1) Page 5 of 43
  • 6. Page 6 of 43HP Risk Insight (1.1) Deployment Guide
  • 7. Chapter 2: Install Risk Insight This chapter describes how to install and start Risk Insight. Risk Insight is an ArcSight ESM add-on. Therefore, it can be installed only after ESM is installed. You need to install Risk Insight in a separate partition than ArcSight ESM. Risk Insight integrates with SAP BusinessObjects Enterprise for creating reports and dashboards. Before you install Risk Insight, you must have a complete installation of BusinessObjects version 3.1 SP 5.0 running on the ESM server. Note: Risk Insight supports only a new installation of BusinessObjects, which is delivered with the Risk Insight installation package. It does not support the installation of Risk Insight alongside an existing installation of BusinessObjects. To install Risk Insight: 1. Review the system requirements and make sure that you comply with all the requirements. For more information, see "System Requirements" below. 2. Review the prerequisites and make sure that all pre-installation tasks are done. For more information, see "Prerequisites" on the next page. 3. Prepare your system before installing BusinessObjects. For more information, see "Preparing to Install SAP BusinessObjects" on the next page. 4. Install BusinessObjects. For more information, see "Install SAP BusinessObjects Enterprise " on page 10. 5. Configure SAP BusinessObjects Enterprise. For more information, see "SAP BusinessObject Configuration and Post Installation Tasks " on page 10. 6. Prepare your system before installing Risk Insight. For more information, see "Preparing to Install Risk Insight" on page 12. 7. Install Risk Insight. For more information, see "Install Risk Insight" on page 12. System Requirements Risk Insight is an ArcSight ESM add-on. It is installed on the server on which ESM is installed (in a separate /usr/local directory). Risk Insight is supported on the Red Hat Enterprise Linux 6.7 64-bit platform and uses the ArcSight CORR-Engine as its database. 
Server System Requirements Risk Insight requires 25 GB free disk space in addition to the system requirements defined for ESM. For more information, see ArcSight ESM Installation and Configuration Guide. HP Risk Insight (1.1) Page 7 of 43
  • 8. Client Requirements Risk Insight requires Adobe Flash Player 11.2. For browser support, see the HPE ArcSight ESM Support Matrix. Prerequisites Before you start the installation process, for both BusinessObjects and Risk Insight, perform the following tasks: l From the installation media, copy the following file to the ESM server: ArcSightRiskInsight-xxxxx.tar The xxxxx in the file name stands for the build number. Make sure that the .tar file is owned by user arcsight. l Open the following TCP ports on your system (if they are not already open), and make sure that no other processes are using these ports: n For Risk Insight: 6060, 9005, 9009, 1099 n For BusinessObjects: 8081, 6005, 8444, 6410, 6400 l Risk Insight is installed on the ESM server in GUI or console mode. To install in GUI mode, verify that the X Window System package is installed on the ESM server (xorg-x11-server-utils.x86_64). Preparing to Install SAP BusinessObjects Before you run the installation file, you must prepare your system. Perform the following in console mode. Note: Perform the following procedure using user root. 1. From the installation media, copy the Installations/SAP BusinessObjects/Deployment directory to the ESM server. 2. As user root install the following five packages to ensure proper functionality of SAP BusinessObjects: n compat-libstdc++-33.i686 n glibc.i686 n libXext.i686 Deployment Guide HP Risk Insight (1.1) Page 8 of 43
  • 9. n libXext-devel.i686 n ncurses-libs.i686 Use the command yum install <package name>.rpm from required_RPMs directory. Note: If you are missing some dependency packages, the directory additional_RPMs contains all of them. Deployment Guide HP Risk Insight (1.1) Page 9 of 43
  • 10. Install SAP BusinessObjects Enterprise Note: SAP BusinessObjects Enterprise installation alongside Risk Insight is supported only in the English language. SAP BusinessObjects Enterprise is installed on the ESM server, which is a Linux platform. Part of BusinessObjects client tools for dashboard and report editing, Web Intelligence, is supplied as a thin Java client as part of SAP BusinessObjects Enterprise deployment by default. To install BusinessObjects 1. Log in to the ESM server with user root. 2. Open the directory to which you copied the /Installation/SAP BusinessObjects/Deployment. 3. Run the installation file as follows: ./installbo.sh 4. Follow the instructions in the BusinessObjects Setup Wizard. Note: A new user (sapbo) is created during the installation as an owner of SAP Business Objects software. There are prompts for credentials, as well as a prompt for accessing the CORR-Engine database as user arcsight and creating a new database schema called ri_ sapbo_data . This database schema is needed for SAP Business Objects to operate properly. 5. After you install BusinessObjects, use the following credentials to log on: n User name: Administrator n Password: admin123 If you intend to change the password for Administrator, follow the "Update the administrator password" step in "SAP BusinessObject Configuration and Post Installation Tasks " below. After the installation is complete, follow the instructions in "SAP BusinessObject Configuration and Post Installation Tasks " below. SAP BusinessObject Configuration and Post Installation Tasks After BusinessObjects is installed, perform the following procedures: Deployment Guide HP Risk Insight (1.1) Page 10 of 43
  • 11. Configure the maximum number of simultaneous connections 1. Open SAP BusinessObjects Central management Console (CMC) using the following URL: http://[server_name]:8081/CmcApp 2. Under Organize, click Servers. 3. In the left pane, expand Service Categories, and then click Web Intelligence. 4. In the right pane, double-click WebIntelligenceProcessingServer. 5. In the Properties window, in the Web Intelligence Processing Service group box, enter the following information, and then click Save: n In the Maximum Connections box, enter 1000. n In the Maximum Document Cache Size (KB) box, enter 10000000. n In the Maximum Documents Per User box, enter 20. 6. In the right pane, double-click AdaptiveJobServer. 7. In the Properties window, in the Maximum Concurrent Jobs box, enter 10, and then click Save. Update the administrator password 1. In SAP BusinessObjects Central management Console (CMC) under Organize, click Users and Groups. 2. In the left pane, click User List. 3. In the right pane, right click Administrator and select Account Manager in the menu. 4. Verify that Change User Passwords To New Value is checked. Enter the new password and confirm it. 5. Verify that Password never expires is checked, and click Save. Update the time zone 1. Open InfoView (BusinessObjects client tool) using the following URL: http://[server_name]:8081/InfoViewApp 2. On the top right corner, click Preferences. Deployment Guide HP Risk Insight (1.1) Page 11 of 43
  • 12. 3. From the Current Time Zone list, select your time zone. 4. Save the changes. Preparing to Install Risk Insight Before you run the Risk Insight installation file, you must prepare your system. 1. Create the following installation directory using the root user: /usr/local/riskinsight 2. Make sure that the user arcsight has write and execute permission for the /usr/local/riskinsight directory. 3. Change the owner and group of /usr/local/riskinsight directory to arcsight user and arcsight group by issuing the following command: chown arcsight:arcsight /usr/local/riskinsight Install Risk Insight This section describes how to install Risk Insight. You can install Risk Insight in GUI or console mode. When you finish installing Risk Insight, follow the instructions in "Import Assets from ArcSight ESM" on page 17. To install Risk Insight 1. Log in to the ESM server with user arcsight. 2. Untar the ArcSightRiskInsight-xxxxx.tar file by running the following command: tar xvf ArcSightRiskInsight-xxxxx.tar 3. If not already granted, give the installArcSightRiskInsight.sh file the execute permission. To do so, enter: chmod +x installArcSightRiskInsight.sh 4. Run the installation file as follows: ./installArcSightRiskInsight.sh -console (or ./installArcSightRiskInsight.sh, for GUI mode, if you are using X Window.) Deployment Guide HP Risk Insight (1.1) Page 12 of 43
  • 13. Installation considerations: n To run in GUI mode, X Window must be running. If it is not, the installer automatically runs in Console mode. GUI mode is entirely optional. n To run in Console mode, make sure X Windows is not running. GUI mode requests the same information as console mode and is not documented separately. n The log file for installation is located at /tmp/riskinsight-installation.log 5. Follow the instructions in the Risk Insight Setup Wizard until the installation is finished. During setup, the wizard prompts you for credentials to access the CORR-Engine database, and to create a new database schema called bri. This schema is needed for Risk Insight to operate properly. 6. Log in as user root and run the following script to set up the required services: /usr/local/riskinsight/bin/setup-service.sh Note: This step is required in order to start the services. 7. You can open Risk Insight, as described in "Open Risk Insight" on the next page. Note: By default Vulnerability dictionary is not populated during the installation. See "About the Dictionary Information Import Job" in the Risk Insight Administration Guide. Uninstall Risk Insight Use the following procedure to uninstall Risk Insight. 1. Log in as user root. 2. Run the following command: /usr/local/riskinsight/bin/remove-service.sh 3. Login as user arcsight. 4. Check and shut down any riskinsight processes that are still running. ps -elf | grep "/usr/local/riskinsight" kill -9 <process_id_number> Deployment Guide HP Risk Insight (1.1) Page 13 of 43
  • 14. 5. Run the uninstaller program from the /usr/local/riskinsight directory: ./uninstall.sh -parameters The following parameters are accepted: -c or --console to run the uninstaller in console mode. The default behavior is to run in GUI mode if X Window is running. -f or --force-deletion to delete all content of the Risk Insight /usr/local/riskinsight installation folder -bo=some_password or --bo-admin-password=some_password to enable BusinessObjects Administrator password to delete RiskInsight folders and universe in BusinessObjects, including user edited and created reports and dashboards (by default not deleted) -db=some_password or --mysql-root-password=some_password to enable the arcsight user password to the CORR Engine database to delete RiskInsight database schema (by default not deleted) Open Risk Insight Risk Insight is an ArcSight ESM add-on that is opened from ArcSight ESM. To open Risk Insight, open ArcSight Command Center and then click Applications. Deployment Guide HP Risk Insight (1.1) Page 14 of 43
  • 15. Chapter 3: Grant Permissions to Users Risk Insight users are managed in through the ArcSight Console in ESM. If this is the first time that you have installed Risk Insight, then there is only one user authorized to open Risk Insight—the Administrator user. To allow other users to open Risk Insight you must give them permissions through the ArcSight Console. For information on managing users and groups, see the Managing Users and Permissions chapter in the ArcSight ESM User's Guide. There are three Risk Insight permissions:  l Admin: A user with the Admin permission can view everything and perform any task in Risk Insight. Specifically, administrator tasks performed in the Administration module, such as managing Risk Insight's configuration and creating new dashboards. l Editor: A user with Editor permissions can perform tasks in the Asset module, the Vulnerabilities module, and in Settings, as well as view all dashboards. l Reader: A user with Reader permissions can view the Asset module, the Vulnerabilities module, the Settings module, and all the dashboards. In ESM, users are managed in groups. If this is the first time that you have installed Risk Insight, create dedicated user groups for Risk Insight, and grant them permissions, as described in the procedures below. If you already have Risk Insight groups, then any user that you add to these groups automatically receives the group's permissions. To create Risk Insight groups 1. Create the following group hierarchy: n Risk Insight o Risk Insight Admin o Risk Insight Editor o Risk Insight Reader For instructions, see the Handling User Groups section in the Managing Users and Permissions chapter of the ArcSight ESM User's Guide. 2. Link users to the following groups according to their roles: n Risk Insight Admin n Risk Insight Editor HP Risk Insight (1.1) Page 15 of 43
  • 16. n Risk Insight Reader For instructions, see the Moving or Linking a User section in the Managing Users and Permissions chapter of the ArcSight ESM User's Guide. To grant permissions to Risk Insight user groups Grant permissions to the groups as follows: l Risk Insight Admin grant ArcSight Risk Insight > Admin permissions l Risk Insight Editor grant ArcSight Risk Insight > Editor permissions l Risk Insight Reader grant ArcSight Risk Insight > Reader permissions For instructions, see the Granting or Removing Operations Permissions section in the Managing Users and Permissions chapter of the ArcSight ESM User's Guide. Deployment Guide HP Risk Insight (1.1) Page 16 of 43
  • 17. Chapter 4: Import Assets from ArcSight ESM You can integrate with ArcSight ESM in order to synchronize the Risk Insight business model with ArcSight ESM assets. Integrating with ESM involves preparation in Risk Insight as well as in ArcSight ESM. Before you begin the integration process, the ArcSight ESM administrator must install the Risk_Insight.arb (ArcSight Resource Bundle) file in ESM. This file defines the parameters of data from the ESM data source that will be delivered in the Risk Insight Report (in the form of a .csv file). For more information, see "Import Risk Insight Reports into ArcSight ESM" on page 42. The file is located in <Risk Insight installation folder>resources. The Risk Insight Report will be triggered by Risk Insight and will be used to create a file (.csv) that includes asset information. The ArcSight ESM administrator should provide you with connection parameters, described in "Define Connection Parameters with ESM" on page 19. After you have gathered all the information from the ArcSight ESM administrator, you can begin the integration process, as described in "How to Integrate with ESM for Asset Synchronization" on the next page. After Risk Insight is fully integrated with ArcSight ESM, the Synchronization job runs periodically, according to the schedule that you defined. To learn more about the Asset Synchronization job, see "About ArcSight ESM Asset Synchronization Job" below. About ArcSight ESM Asset Synchronization Job The Asset Synchronization Job periodically imports ArcSight ESM entities from ArcSight ESM into Risk Insight, as follows: 1. The Risk Insight Asset Report is created based on the Risk_Insight.arb ArcSight Resource Bundle (*.arb) file. 2. The ArcSight ESM Report contains all of the asset information, according to the asset mapping between these two applications. Each record in the report represents an asset. 3. ArcSight ESM assets and their properties are converted into Risk Insight assets and relationships. 
For more information on mapping logic, see "Map Asset Types with ESM" on page 20. 4. The process checks the Risk Insight database for each of the assets/relationships. n If the element does not exist in the database, then the process writes that element to the database. n If the element changed, then the process updates these changes in the database. 5. Outdated assets and relationships are deleted from the Risk Insight database (meaning that they no longer exist in the database). HP Risk Insight (1.1) Page 17 of 43
You can check the status of the job in the Job Management module. For more information, see the Troubleshoot Batch Jobs section in the ArcSight Risk Insight Administration Guide.

How to Integrate with ESM for Asset Synchronization

Before you begin integrating Risk Insight and ArcSight ESM, make sure that you have the connection parameters provided to you by the ArcSight ESM administrator.

The following procedure outlines the steps for integrating with ArcSight ESM. This procedure includes steps for configuring asset synchronization.

1. Change the session timeout in ArcSight ESM.
   The default session timeout in ArcSight ESM is 10 minutes; this amount of time is not always enough to generate the asset report. If your business model has more than 50,000 assets, then you need to change the session timeout in ArcSight ESM.
   Note: Changing the session timeout requires restarting ESM Manager.
   For more information, see "Change ESM Session Timeout" below.
2. Define connection parameters.
   Define the parameters necessary for connecting with ArcSight ESM. These parameters must be provided to you by the ArcSight ESM administrator. Follow the instructions in "Define Connection Parameters with ESM" on the next page.
3. Review Default Asset Type Mapping.
   Review the default asset type mappings that are included in Risk Insight to see whether they reflect your business model. If required, follow the instructions in "Map Asset Types with ESM" on page 20 to tailor the mapping to your needs.
4. Define Imported Asset Type properties.
   Decide which asset properties will be imported from ArcSight ESM, as described in "Define Imported Asset Type Properties" on page 22.
5. Schedule and activate the Synchronization job in order to complete the process, as described in "Schedule and Activate the ESM Job" on page 22.

Change ESM Session Timeout

Note: Changing the session timeout requires restarting ESM Manager.

To change the session timeout

1. On the server on which ArcSight ESM is installed, open a command window or shell window on <ARCSIGHT_HOME>/manager/config.
2. Type the following file name, and then press ENTER:
   ./server.properties
3. Change the session timeout by typing the following line, and then press ENTER:
   servletcontainer.jetty311.session.timeout.default=20
4. As user arcsight, restart the ESM Manager by typing the following command, and then press ENTER:
   /sbin/service arcsight_services restart manager

Define Connection Parameters with ESM

The first step in integrating with ArcSight ESM is defining connection parameters. These parameters should be provided by the ArcSight ESM administrator, prior to integration.

To define connection parameters with ArcSight ESM

1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Connector.
3. In the Connector page, enter the parameters for connecting with ArcSight ESM as described in the following table:

   ArcSight ESM Integration Parameters

   Parameter | Description
   Connector Name | Enter a name for the ArcSight ESM system to which you want to connect. This is the name that is displayed in the Source property of the asset.
   Host | The host name or IP address of the ArcSight ESM server, provided by the ArcSight ESM administrator.
   Port | The server port, provided by the ArcSight ESM administrator.
   Username | Credentials for accessing ArcSight ESM, provided by the ArcSight ESM administrator.
   Password | Credentials for accessing ArcSight ESM, provided by the ArcSight ESM administrator.

4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.
Note: The ArcSight user for accessing ArcSight ESM should be of the Normal User or Web User type and should be given read ACL permissions for the resources involved in creating a report. For example, for an asset synchronization report, ACL permission should be granted to the resources involved, in this case Asset Categories, Zones, Reports, Report Template and Query. Also, read and write ACL permission to Archived Reports resources is required to store the report successfully. For more information, consult your ArcSight ESM administrator.

Map Asset Types with ESM

Note: Before you begin, you should have a clear vision of what you want your business model to look like. If at any time you want to change the business model, then you can change the mapping configuration; the business model will be updated after the next Asset Synchronization Job runs.

ArcSight ESM holds assets that represent IP addresses in a flat file format. When these assets are imported to Risk Insight, they are converted into the Risk Insight business model format, where the IP asset is the primary asset.

To help you create a hierarchical business model that reflects the ArcSight ESM network model but also provides business context, in addition to assets, the Asset Synchronization Job imports the following ArcSight ESM entities:

- Asset Group
- Asset Category
- Zone Group
- Zone

All of these entities have a corresponding asset type in Risk Insight, and they all belong to the Business Asset category, as presented in the following table.

ESM Entities | Risk Insight Asset Category | Risk Insight Asset Type
Asset Group | Business Asset | Asset Group
Asset Category | Business Asset | Category
Zone Group | Business Asset | Zone Group
Zone | Business Asset | Zone

The asset zone and zone group are reflected in the business model by design. You can decide whether to reflect the asset group and asset category in the business model. If you choose to reflect the asset group and the asset category, then two additional hierarchies will be created. So, potentially, you can have numerous hierarchies under the Organization asset.

By default, each of the ArcSight ESM entities is mapped to its corresponding asset type in Risk Insight, but you can map them to any asset type defined in Risk Insight. You can also create exceptions. For example, if you mapped a zone in ArcSight ESM to a zone in Risk Insight, but you want to map one specific zone to a subnet, then you can create an exception.

The following procedure describes how to select which hierarchies will be created, map asset types, and create exceptions.

To map asset types with ArcSight ESM

1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Asset Synchronization > Asset Type Mapping.
3. In the Asset Type Mapping page, depending on the number of hierarchies that you want to create, select the following:
   - Create a Group-based Model
   - Create a Category-based Model
   Note: By default, the group-based model is preferred. If you plan to build a category-based model, then in Integrations > ArcSight ESM > Asset Synchronization, change the Asset Report Resource Id value to 9E8+stFABABCHi+KlterIPQ==
4. If required, change the default mapping in the mapping table.
5. To create an exception, do the following:
   a. Click a new row in the mappings table to create a new record.
   b. From the ESM Entities list, select the ESM entity for which you want to create an exception.
   c. In the ESM Entity Exception cell, enter the name of the ESM entity for which you want to create a separate mapping.
   d. From the Risk Insight Asset Category list, select the category of the Risk Insight asset type that you want to map.
   e. In the Risk Insight Asset Type cell, enter the asset type to which you want to map the exception.
6. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.
Define Imported Asset Type Properties

For each asset category, you can decide which properties from the asset repository are periodically imported and synchronized, meaning that they cannot be overridden in Risk Insight. The following properties are common to all categories:

- Name
- Description

To define imported asset type properties

1. Click Administration > Configuration.
2. In the Configuration module, in the left pane, click Asset Management > Imported Asset Properties Policy.
3. For each asset category displayed under Imported Asset Properties Policy, do the following:
   a. In the left pane, click the asset category.
   b. For each property, select or clear the Synchronize check box. If a check box is not selected, then the asset property will be editable in Risk Insight.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

Schedule and Activate the ESM Job

After you define all of the required parameters for connecting with ArcSight ESM, you can schedule and activate the Asset Synchronization job, the Event Import job, or both. For more information on the jobs, see "About ArcSight ESM Asset Synchronization Job" on page 17.

To schedule and activate a synchronization job

1. Click Administration > Configuration.
2. In the left pane, click Integrations > ArcSight ESM > Asset Synchronization > Schedule Job.
3. In the Job page, do the following:
   - In Job Schedule, select the options for the recurrence pattern you want (every number of minutes, every number of hours, every number of days, or on certain days of the week).
   - Select the Activate Job check box.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

The Synchronization job is activated and will run according to the schedule that you have set.
Chapter 5: Import Risk Information from ESM

Risk Insight enables you to import information on risk factors from ArcSight ESM. For more information on risk factors, see the Risk Factors section in the ArcSight Risk Insight User Guide. Information is imported by using a connector.

Following are the steps for importing risk information into Risk Insight:

1. Create an ESM report. For more information, see "Create a Risk Factor Report in ESM" on the next page.
2. Define the risk factor and configure the connector. For more information, see "How to Create a Risk Factor in Risk Insight" on page 28.

Note: For optimal performance, schedule the import jobs for each of the risk factors to run at different times, with at least a 30-minute difference between runs.

About Risk Factor Import Job

The Risk Factor Import Job periodically imports risk information from ESM. For each risk factor that you define and configure in Risk Insight, a specific job is created with the name: <risk factor name>ImportJob. The job is created only after the new configuration is saved and activated.

Following is the process:

1. The process checks whether the data was already imported into Risk Insight. If it was, then the process completes without import. If the data is invalid, for example if one of the columns is missing, then the job fails.
2. The process reads the data from the data source.
3. The process writes the new data to the scores table in the database.
   - If a score is out of range, then the record is skipped.
   - If there are duplicate records, then the last record found overrides the previous record.
   - If more than one asset defined in the Risk Insight business model matches the Asset Identifier in the data source, then the first one found is updated.
   Note: In all of these cases, a warning is written to the error log.
4. If there is data in the scores table in the database, then the process deletes it according to the Delete Old Scores indicator. If you selected the Delete Old Scores check box when you configured the connection parameters, then all the scores are deleted regardless of whether they have been updated or not. If you did not select this check box, then only scores that were updated are deleted.
5. The process aggregates the scores and writes them to the database.
6. If you selected the Archive immediately after import check box in Configuration, then both scores and aggregate scores are archived. For more information on archiving, see the Archive Trend Data section in the ArcSight Risk Insight Administration Guide.

Create a Risk Factor Report in ESM

When you create a risk factor report, you need to export it as a CSV file.

Note: Make sure that the ESM entities that are included in the file do not have a "," character (comma) in their name. The file generated by the report includes a "," delimiter, so if this character is used in an ESM entity name, then the name will be split into two.

There are two types of report formats:

- ESM-based business model format: Use this format when your business model is imported from ESM.
- Non-ESM business model format: Use this format when your business model is imported from any source other than ESM.

The following tables detail the formats.

ESM-based business model format

Parameter | Format | Description
Asset Identifier | Maximum 100 characters | Mandatory. If the asset identifier is empty, then the record is skipped. This parameter is used for asset reconciliation. You do not need to configure a reconciliation parameter in Risk Insight, as described in Configure Asset Reconciliation Parameters.
Score | Rational number | Mandatory. If the score is empty, then the record is skipped.
Comment | Maximum 1024 characters | Optional

Non-ESM business model format

Parameter | Format | Description
Asset Name, External ID, IP Address, DNS Name, Mac Address | Maximum 100 characters | These parameters are used for asset reconciliation. It is mandatory to pass at least one of these parameters. We recommend creating a report with all of these parameters. You need to configure a reconciliation parameter in Risk Insight, as described in Configure Asset Reconciliation Parameters.
Score | Rational number | Mandatory. If the score is empty, then the record is skipped.
Comment | Maximum 1024 characters | Optional

The following procedure explains how to create a risk factor report in ESM.

To create a risk factor report

1. Follow the instructions in the Building Reports section in the ArcSight Console User's Guide.
2. When you define the query settings, create a query based on one of the following data sources:
   - Events
   - Assets
   - Active List
   These data sources are the most suitable for creating a risk factor report. Out-of-the-box reports included in Risk Insight are based on the data sources listed above. For more information, see the Out-of-the-Box Risk Factor Reports section in the ArcSight Risk Insight User Guide.
3. Edit the Row Limit query field. We recommend that the maximum number of rows is similar to the number of assets in the business model.
4. When you create the query structure, depending on the report format, do the following:
   - ESM-based business model format. Create active columns in the following order:
     i. The asset identifier
     ii. The score of the risk factor for a specific asset
     iii. Additional evidence
   - Non-ESM business model format. Create active columns in the following order:
     i. Asset Name
     ii. External ID
     iii. IP Address
     iv. DNS Name
     v. Mac Address
     vi. The score of the risk factor for a specific asset
     vii. Additional evidence
   Note: Comment is a reserved word in ESM. When you create this column, enter a different name. Change the column name back to Comment by editing the query later on.
5. When you define the report settings, in the Report Data area, depending on the report format, do the following:
   - ESM-based business model format. Change the Alias for each column that you defined to the following names:
     i. Asset Identifier
     ii. Score
     iii. Comment
   - Non-ESM business model format. Change the Alias for the last two columns that you defined to the following names:
     i. Score
     ii. Comment
   These names are the column names that are created in the CSV file. The column name is case-sensitive.
6. When you define the report settings, in the Report Parameters area, from the Format list, select CSV.
7. For each risk factor for which you want to import data into Risk Insight, deploy real-time rules, as described in the Deploying Real-Time Rules section in the ArcSight Console User's Guide.

How to Create a Risk Factor in Risk Insight

In order to import risk information from ESM, you must first define and configure the risk factors in Risk Insight.

The following procedure outlines the steps for defining and configuring risk factors:

1. Define a new risk factor in Risk Insight. For more information, see "Define a New Risk Factor" below.
2. Configure the connection parameters. For more information, see "Configure the Risk Factor Connector Parameters" on the next page.
3. Configure the risk factor import job. For more information, see "Configure the Risk Factor Import Job" on page 30.
4. Configure the normalization settings for the risk factor. For more information, see "Configure the Risk Factor Normalization Settings" on page 30.
5. Configure the risk factor score aggregation method. For more information, see "Configure the Risk Factor Aggregation Method" on page 31.
6. Configure the archive settings. For more information, see the Configure the Risk Factor Archive Settings section in the ArcSight Risk Insight Administration Guide.
7. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.
8. Configure risk factor ranges in order to display the risk factor scores with the appropriate score severity. For more information, see the Configure Risk Factor Ranges section in the ArcSight Risk Insight User Guide.

Define a New Risk Factor

You can define any number of risk factors in Risk Insight. Whenever you add a risk factor to Risk Insight, a corresponding KPI is created automatically. For more information, see the Risk Factor Dashboard section in the ArcSight Risk Insight User Guide.
After you define the risk factor, you can configure its connection parameters, as described in "Configure the Risk Factor Connector Parameters" below.

To define a new risk factor

1. Click Administration > Configuration.
2. On the Configuration page, in the left pane, click Risk Factor.
3. Click the Add configuration to configuration set button, and select ESM Connector.
4. In the left pane, expand the risk factor folder, and then click the empty folder.
5. In the left pane, enter the following information:
   a. Risk Factor Name: enter the name of the risk factor for which you want to import risk information.
      Note:
      - The name cannot include the following characters: * ? = ’ :
      - This is also the display name of the risk factor. It will be displayed in the folder name, Risk Register, Risk Indicators, Risk Factor Dashboard, and any other report that includes this risk factor.
   b. Description: this field is optional.

Configure the Risk Factor Connector Parameters

You need to configure the connection parameters to the ESM from which you are importing the risk factor information.

To configure connection parameters

1. Open the risk factor folder. Click Administration > Configuration, expand the risk factor folder, and then click the factor that you defined.
2. Under the folder of the risk factor that you defined, click Connector Parameters.
3. Do the following:
   a. In Resource ID, enter the resource ID that you defined when you created the report in ESM.
   b. In Port, enter the ESM server port.
4. Select the Delete Old Scores check box if you want all the scores to be deleted when the Risk Factor Import Job is run, regardless of whether the scores have been updated or not. If you do not select this check box, then the job will only delete scores that have changed and will leave the unchanged scores in the database.
5. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

Configure the Risk Factor Import Job

After the connector parameters are configured, you need to schedule and activate the Risk Factor Import Job. For each risk factor that you define and configure in Risk Insight, a specific job is created with the name: <risk factor name>ImportJob. The job is created only after the new configuration is saved and activated. For more information on the job, see "About Risk Factor Import Job" on page 24.

To schedule and activate the import job

1. Open the risk factor folder. Click Administration > Configuration, expand the risk factor folder, and then click the factor that you defined.
2. Under the folder of the risk factor that you defined, click Import Job.
3. In the Import Job window, in the right pane, do the following:
   a. Select the Activate Job check box.
   b. In Job Schedule, select the options for the recurrence pattern you want (every number of minutes, every number of hours, every number of days, or on certain days of the week).
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

Configure the Risk Factor Normalization Settings

In order to be included in the asset overall score calculation, all risk factors are normalized to a score between 0 and 100 (inclusive). In order to normalize the score, you must set the score range for the risk factor. You must also define the directionality of the score severity. For example, a low score is considered low risk while a high score is considered high risk.

These settings affect the definition of the severity ranges reflected in Settings > Risk Factor. For more information, see the Configure Risk Factor Ranges section in the ArcSight Risk Insight User Guide.
To configure normalization settings

1. Open the risk factor folder. Click Administration > Configuration, expand the Risk Factor folder, and then click the risk factor that you defined.
2. Under the folder of the risk factor that you defined, click Normalization.
3. In the Normalization page, do the following:
   - Minimum Score: enter the first number in the score range.
   - Maximum Score: enter the last number in the score range.
     Note: The score range is inclusive.
   - Display score with this number of digits after the decimal point: to define the score display precision level, enter the number of digits after the decimal point that you want to display.
   - To define the directionality of the score severity, select or clear the Lower Score is Best check box.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

Configure the Risk Factor Aggregation Method

You can configure the aggregation method for each of the risk factors defined in Risk Insight.

To configure aggregation method

1. Click Administration > Configuration.
2. In the left pane, click Risk Factor > <Risk Factor Name> > Aggregation Method.
3. In the right pane, from the Aggregation Method list, select one of the following options:
   - Average (default)
     The weighted average of aggregate scores of an asset's children, including the score of the asset itself. This is the default method. The asset's score and the aggregate score of its children are taken into account.
   - Override Children
     If the asset already has a score, then its aggregate score receives the value of the score. If the asset does not have a score, then its aggregate score is calculated according to the Average formula. The asset's score takes precedence over its children's aggregate score.
   - Average of Children
     The weighted average of aggregate scores of an asset's children, excluding the score of the asset itself. The aggregate score of the children takes precedence over the asset's own score.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.

Configure Risk Factor Ranges

You can configure the ranges for the score severity indication for any risk factor defined in Risk Insight. Score ranges and the directionality of the score severity may differ between risk factors. These settings are defined during the configuration process of the risk factor. For more information, see the Configure the Risk Factor Normalization Settings section in the ArcSight Risk Insight Administration Guide.

Risk factor scores are displayed with one of the following icons:

- Better score (high or low, depending on the directionality)
- Medium score
- Worse score (high or low, depending on the directionality)

This configuration is reflected throughout the application, wherever these measurements are displayed. For example, on the Risk Register page in the Asset Summary component.

To configure risk factor ranges

1. On the Risk Insight toolbar, click the Settings button.
2. On the Settings dialog box, click Risk Factors.
3. In the left pane, click the risk factor for which you want to configure ranges.
4. Drag the slider to define the ranges.
5. Click Save.
Delete a Risk Factor

You can delete a risk factor from Risk Insight when it is no longer relevant. When you delete a risk factor, all of the data pertaining to this factor in the database is deleted as well. The job that is created when you create a new risk factor (<risk factor name>ImportJob) is not deleted and can be viewed in the Job Management module.

To delete a risk factor

1. Click Administration > Configuration.
2. On the Configuration page, in the left pane, expand Risk Factor.
3. Click the risk factor that you want to delete, and then click the Remove configuration from configuration set button.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.
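The per-record rules in "About Risk Factor Import Job" and the ESM-based report format in "Create a Risk Factor Report in ESM" can be checked before a report reaches the import job. The following Python pre-flight check is an added example, not code from Risk Insight or ArcSight ESM; the function and class names, the rejection of over-length fields, and the reading of "out of range" as outside the risk factor's Minimum Score and Maximum Score are assumptions of this example.

```python
import csv
import io
import math
from dataclasses import dataclass, field

# Column names from the guide; matching is case-sensitive, as the guide states.
REQUIRED = ("Asset Identifier", "Score")
MAX_ID_LEN, MAX_COMMENT_LEN = 100, 1024


class InvalidReport(Exception):
    """Structural problem. The guide says the import job fails in this case."""


@dataclass
class Preflight:
    accepted: dict = field(default_factory=dict)  # asset id -> (score, comment)
    warnings: list = field(default_factory=list)  # (line number, reason)


def preflight(csv_text, min_score=0.0, max_score=100.0):
    """Apply the documented record rules to an ESM-based format report.

    min_score and max_score stand in for the risk factor's normalization
    range (assumption: that inclusive range defines "out of range").
    """
    # QUOTE_NONE splits on every comma, which is how a comma inside an ESM
    # entity name ends up splitting the name in two.
    reader = csv.reader(io.StringIO(csv_text), quoting=csv.QUOTE_NONE)
    header = next(reader, None)
    if header is None:
        raise InvalidReport("empty report")
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        raise InvalidReport("missing column(s): " + ", ".join(missing))
    col = {name: i for i, name in enumerate(header)}
    out = Preflight()

    for row in reader:
        line = reader.line_num
        if not row:
            continue
        if len(row) != len(header):
            out.warnings.append((line, "field count differs from header; comma in a name?"))
            continue
        asset = row[col["Asset Identifier"]].strip()
        raw = row[col["Score"]].strip()
        comment = row[col["Comment"]].strip() if "Comment" in col else ""
        if not asset:
            out.warnings.append((line, "empty Asset Identifier; record skipped"))
            continue
        if not raw:
            out.warnings.append((line, "empty Score; record skipped"))
            continue
        try:
            score = float(raw)
        except ValueError:
            score = math.nan
        if not math.isfinite(score):
            out.warnings.append((line, "Score is not a number"))
            continue
        if not min_score <= score <= max_score:
            out.warnings.append((line, "Score out of range; record skipped"))
            continue
        # The length limits are documented; rejecting the row is this example's policy.
        if len(asset) > MAX_ID_LEN or len(comment) > MAX_COMMENT_LEN:
            out.warnings.append((line, "field exceeds documented maximum length"))
            continue
        if asset in out.accepted:
            out.warnings.append((line, "duplicate asset; last record overrides"))
        out.accepted[asset] = (score, comment)
    return out


# Constructed sample report (not real data).
SAMPLE = (
    "Asset Identifier,Score,Comment\n"
    "10.0.0.5,42.5,open ports\n"
    "srv-db-01,,no score\n"
    ",10,no identifier\n"
    "10.0.0.7,140,above range\n"
    "Payroll, EU,55,comma in name\n"
    "10.0.0.5,61,rescanned\n"
)

if __name__ == "__main__":
    report = preflight(SAMPLE)
    print(report.accepted)
    for line_no, reason in report.warnings:
        print(line_no, reason)
```

Every warning corresponds to a record that the guide says is skipped, overridden, or split, so a non-empty warning list is worth reviewing before the scores feed an asset's overall risk score.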
Chapter 6: Import Vulnerabilities From Vulnerability Assessment Tools

Risk Insight enables you to regularly import vulnerability information from vulnerability assessment tools, providing near real-time monitoring capabilities on the vulnerabilities and exposures affecting your organization's physical and business assets. Risk Insight imports the vulnerability information from vulnerability scanner reports by using ArcSight SmartConnectors. For an overview of the Vulnerabilities module, see the Vulnerability Management chapter in the ArcSight Risk Insight User Guide.

Note: In order to work with the Vulnerabilities module, you must have at least one of the vulnerability assessment tools supported by Risk Insight installed in your network.

The following table includes the vulnerability assessment tools supported by Risk Insight and their corresponding ArcSight SmartConnector.

Vulnerability Assessment Tool | ArcSight SmartConnector
Tenable Nessus Vulnerability Scanner | Tenable Nessus .nessus File
McAfee Vulnerability Manager (Foundscan) | McAfee Vulnerability Manager DB
Qualys Guard | Qualys QualysGuard File
HP WebInspect | ArcSight FlexConnector XML file
Rapid7 Nexpose | Rapid7 NeXpose XML File

To acquire the latest version of the required ArcSight SmartConnectors, download the appropriate executable for your platform from the Support Web site (https://softwaresupport.hp.com//), as well as the separate downloadable zip file of SmartConnector Configuration Guides.

Vulnerability assessment tools generate reports in a variety of formats, such as an XML file or a database. The ArcSight SmartConnector normalizes the different formats into one format. In Risk Insight, the ArcSight SmartConnector is configured to use a CSV file format. The CSV file is then processed by the Vulnerabilities Import Job. The vulnerability information is imported into Risk Insight and displayed in the Vulnerability Management window.
Note: HP WebInspect does not generate reports automatically. In order to load vulnerability information into Risk Insight, you must manually export the scans in Full XML format, as described in the Export scan details in WebInspect task, in the Web Application Firewall Integration Tool section, in the HP WebInspect User Guide. After you export the scan, copy it to the reports folder that you defined when you installed the connector.
To import vulnerabilities, first "Install and Configure ArcSight SmartConnector" on the next page and then "Schedule and Activate Vulnerabilities Import Job" on page 37.

About the Vulnerability Import Job

The Vulnerability Import Job periodically imports and processes vulnerability information from scanners into Risk Insight, as follows:

1. The process retrieves CSV files that are generated by ArcSight SmartConnectors and that have a *.done.csv extension from the following folder:
   <Risk Insight Installation folder>/vmimport/pending/<connector ID>
2. Each record from the CSV file is standardized (normalized) and enhanced to create a single vulnerability instance. Records are processed in batches.
   a. For each CSV record, the process checks whether the vulnerability is defined in the vulnerability dictionary. If it is, then the vulnerability's name (classifier) is taken from the vulnerability dictionary and its information is enhanced accordingly. If it is not, then the vulnerability name receives the identifier provided by the source, taken from the CSV file.
   b. Information is modified and standardized in a consistent manner. For example, vulnerability priority or severity is normalized to a score between 0 and 10.
   c. The vulnerability instance records are saved in the Risk Insight database.
3. The process aggregates vulnerability instances that represent the same vulnerability into a single vulnerability occurrence, according to the vulnerability name and location. For more information on these properties, see the Vulnerability Properties section in the ArcSight Risk Insight User Guide.
4. Closed vulnerability occurrences that do not have a remediation status of Not an Issue and that have new vulnerability instances are reopened.
5. The process maps vulnerability occurrences to assets of type IP Address in the business model according to the host, IP address, and MAC address. All matched vulnerabilities are attached to assets.
6. Outdated vulnerability occurrences (no vulnerability instances have been reported for over an N number of days) are closed, with remediation status Automatically Closed. The Automatically close vulnerability after (days) parameter is configured in "Schedule and Activate Vulnerabilities Import Job" on page 37.
7. The CSV files are moved to the following folders:
   - Successfully processed files are moved to the <Risk Insight Installation folder>/vmimport/done/<connector ID> folder.
   - Files that contain erroneous records are moved to the <Risk Insight Installation folder>/vmimport/errors/<connector ID> folder.
   For more information, see the Vulnerability Error Handling section in the ArcSight Risk Insight User Guide.

You can check the status of the job in the Job Management module. For more information, see the Troubleshoot Batch Jobs section in the ArcSight Risk Insight Administration Guide.

Install and Configure ArcSight SmartConnector

You can either install a new connector or add a destination to an existing connector. For more information on destinations, see the SmartConnector Destinations chapter in the ArcSight SmartConnector User's Guide. Connectors do not have to be installed on the ESM server.

If you are installing a new connector, for all installation instructions, including system requirements for the connector that you want to install, see the SmartConnector Configuration Guide for:

- Tenable Nessus .nessus File
- McAfee Vulnerability Manager DB
- Qualys QualysGuard File
- ArcSight FlexConnector XML file (for HP WebInspect)
- Rapid7 NeXpose XML File

The SmartConnector configuration setup should be used to configure new connectors and to add a destination to existing connectors. It is strongly recommended to run connectors as a service in automatic mode to schedule an uninterrupted flow of information on vulnerabilities to Risk Insight.

Note: It is important that you perform the configuration procedure immediately after you install the connector. In order for Risk Insight to work with ArcSight SmartConnectors, you need to run connector configuration for each connector; this means that if you have two connectors, then you need to configure each of them.
Existing connectors should have an extra destination added that writes the CSV files containing the vulnerability information to the following folder on the Risk Insight server:

<Risk Insight installation folder>vmimportpending<connector ID>

To add or edit a destination for an existing or newly installed connector

Execute runagentsetup in the folder <Connector Installation Folder>currentbin on an existing connector or, if the connector is not installed already, get the SmartConnector installation media and install the required SmartConnector type using the installation wizard.

On the wizard Destination screen:

1. Select either Add, Modify, or Remove Destinations, and click Next. If it is a first-time installation, you will next be able to select the type of destination.
2. Select CSV File, and click Next.
3. On the next page, enter a CSV Path, which should be the <Risk Insight installation folder>vmimportpending folder or the local path for the mounted NFS share pointing to it.
   a. Set the fields value to include the CSV content in this format:

      event.categoryTechnique,event.deviceDomain,event.deviceVendor,event.deviceProduct,event.deviceVersion,event.oldFilePath,event.destinationAddress,event.destinationHostName,event.destinationMacAddress,event.destinationZoneURI,event.destinationPort,event.flexNumber1,event.flexNumber2,event.deviceCustomString2,event.deviceCustomString6,event.deviceEventClassId,event.deviceSeverity,event.name,event.flexString1,event.flexString2

   b. Set the file rotation interval to at least 3600.
   c. Set the value for write the format header to true.
4. Complete the wizard.
5. Start the ArcSight SmartConnector service.

Note: Make sure that the connector has write permissions for the following folder in Risk Insight: <Risk Insight installation folder>vmimportpending

Schedule and Activate Vulnerabilities Import Job

After the connector or connectors are running, and new CSV reports are successfully written to the <RiskInsight installation folder>vmimportpending<connector ID> folder according to the file rotation interval, you need to schedule and activate the Vulnerabilities Import Job. For more information on the job, see "About the Vulnerability Import Job" on page 35.

To schedule and activate the Vulnerabilities Import Job

1. Click Administration > Configuration.
2. In the left pane, click Vulnerability Management > Schedule Import Job.
3. In the Schedule Import Job window, in the right pane, do the following:
   a. Select the Activate Job check box.
   b. In Job Schedule, select the options for the recurrence pattern you want (every number of minutes, every number of hours, every number of days, or on certain days of the week).
   c. Select the Automatically Close Vulnerabilities check box to enable automatic closing of vulnerabilities.
   d. If you selected the Automatically Close Vulnerabilities check box, then in Automatically Close Vulnerability After (days), enter the number of days after which the remediation status should be changed to Automatically Closed.
4. Save and apply the configuration changes. For more information, see "Save and Apply Configuration Changes" on page 40.
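As a check before activating the import job, the following added example (not part of the HP guide or product) validates that a CSV report written by the connector carries the field list given for the CSV File destination in step 3a. It assumes the format header line repeats the configured field names verbatim; `check_report` and the sample reports are constructed for illustration.

```python
import csv
import io

# Field order the guide gives for the CSV File destination (step 3a).
EXPECTED_FIELDS = (
    "event.categoryTechnique,event.deviceDomain,event.deviceVendor,"
    "event.deviceProduct,event.deviceVersion,event.oldFilePath,"
    "event.destinationAddress,event.destinationHostName,"
    "event.destinationMacAddress,event.destinationZoneURI,"
    "event.destinationPort,event.flexNumber1,event.flexNumber2,"
    "event.deviceCustomString2,event.deviceCustomString6,"
    "event.deviceEventClassId,event.deviceSeverity,event.name,"
    "event.flexString1,event.flexString2"
).split(",")


def check_report(text):
    """Return a list of problems in one CSV report; an empty list means OK."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return ["file is empty"]
    # Assumption: the header line repeats the configured field names verbatim.
    header = [h.strip() for h in rows[0]]
    if not set(header) & set(EXPECTED_FIELDS):
        return ["first line is not a format header"]
    problems = []
    missing = [f for f in EXPECTED_FIELDS if f not in header]
    extra = [h for h in header if h not in EXPECTED_FIELDS]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if extra:
        problems.append("unexpected fields: " + ", ".join(extra))
    if not missing and not extra and header != EXPECTED_FIELDS:
        problems.append("fields are reordered or duplicated")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"record {n}: {len(row)} values, header has {len(header)}")
    return problems


# Constructed sample reports (placeholder values, not real scanner output).
ROW = ",".join(["x"] * len(EXPECTED_FIELDS)) + "\n"
GOOD = ",".join(EXPECTED_FIELDS) + "\n" + ROW
NO_HEADER = ROW
DROPPED = ",".join(f for f in EXPECTED_FIELDS if f != "event.oldFilePath") + "\n" + ROW
SWAPPED = ",".join(EXPECTED_FIELDS[1::-1] + EXPECTED_FIELDS[2:]) + "\n" + ROW

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # paths to CSV reports, supplied by the operator
        with open(path, newline="") as fh:
            print(path, check_report(fh.read()) or "OK")
```

Run it against a report from the pending folder after the first file rotation; a "first line is not a format header" result points back to step 3c.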
Chapter 7: Manage Configuration Sets

The Configuration module enables you to define the configuration settings needed to set up your environment. A configuration set contains the properties defined for the system. You can create any number of configuration sets and then select one with which to run your system. Risk Insight maintains a history of all the configuration sets created. For more information, see "Select Configuration Set" below.

A new configuration set is initially saved as a draft. A draft is a configuration set that has not yet been activated. A draft can be edited only until it is first activated. The new configuration properties are only applied to Risk Insight when a draft is activated. For details on how to activate a draft, see "Save and Apply Configuration Changes" on the next page.

You cannot edit a configuration set after it has been activated; you must create a new draft instead. You can create a new draft based on an existing configuration set and save it with a new name.

Risk Insight validates the configuration set and identifies problems in the configuration, such as a field with a missing value. If a problem is found, Risk Insight displays a description of the problem, a link to the configuration pane in which the problem was found, and an icon that indicates the severity of the problem.

Select Configuration Set

You can create any number of configuration sets and then select one with which to run your system.

To select a configuration set

1. Click Administration > Configuration.
2. In the Configuration window, in the left pane, click the Open Configuration Set button. The currently active configuration set is displayed in bold.
3. In the Open Configuration Set window, from the list of configuration sets, click the one that you want to run, and then click Open. You can filter the list of configuration sets by selecting one of the following options:
   - Activated
   - Drafts
4. In the left pane, click the Activate current configuration set button. In the Activate Configuration Set dialog box, click Yes.

Save and Apply Configuration Changes

You can save configuration changes and then apply the new configuration settings to Risk Insight by creating a new configuration set. When a change is made to one of the settings, an asterisk appears next to the category name in the left pane.

To create a new configuration set

1. Click Administration > Configuration and make the required configuration changes.
2. In the Configuration window, in the left pane, click the Save current editable configuration set button.
3. In the Save as Draft dialog box, in the Draft name box, type the name of the draft, and then click Save. Risk Insight applies the new configuration settings when you activate the draft.

   Note: If the configuration set contains invalid or missing values, messages are displayed in the Problems pane at the bottom of the screen. To navigate to the page on which the problem occurs, click the Code link and try to resolve the problem. You can activate only configuration sets that do not have any problems.

4. In the left pane, click the Open configuration set button.
5. In the Open Configuration Set dialog box, select the required draft, and then click Open. You can select the Draft option to display only draft configuration sets. The name of the currently selected configuration set appears at the top of the left pane.
6. In the left pane, click the Activate current configuration set button to activate the selected draft and apply the new configuration settings to Risk Insight.
Appendix A: Asset Reporting

The following sections describe this report and provide additional information about accessing it and interpreting its content. For more information about integration with Risk Insight, see "Import Assets from ArcSight ESM" on page 17.

About the Asset Report

The Asset report lists all of the assets currently stored in your ArcSight ESM environment. An asset is defined in ArcSight ESM as a network endpoint that contains an IP address and a host name or external ID. The report is generated by querying the ArcSight ESM asset schema, from which the relevant fields are retrieved.

The report can provide asset information from these fields. (Not all fields will be populated all of the time.)

- Asset ID
- Asset External ID
- Asset Name (The name used to identify the asset)
- Asset Description (The description of the asset)
- IP Address (The IP address of the network device represented by the asset)
- Zone URI (The URI of the zone to which the asset belongs)
- Hostname (The host name of the network device represented by the asset)
- MAC Address (The MAC address of the network device represented by the asset)
- OS (The operating system under which the asset is run)
- Application
- Location
- Location ID
- Modification Time
- Create Time
- Zone Name
- Zone ID
- Asset URI
- All Categories

The Asset report is located in the following directory in the ArcSight ESM environment:

../All Reports/ArcSight Risk Insight/Asset Report

Note: By default, the group-based model is preselected in the Asset Synchronization properties. It omits collection of information on all categories for assets to improve report run time. If you plan to build a category-based model, use the following report, which contains information on "All Categories":

../All Reports/ArcSight Risk Insight/Asset Report with Categories

Import Risk Insight Reports into ArcSight ESM

Risk Insight reports are available from a bundled file, Risk_Insight.arb, in the ArcSight ESM Manager.

To install the reports and import the .arb file as a package

1. In the ESM Manager Console, in the Navigator panel, click the Packages tab.
2. Click the green down-arrow icon.
3. Select the Risk_Insight.arb file, and click Open.

   Note: To import the package without installing it, clear the check box next to the .arb file name. (The default is to install all imported packages.)

4. Review the Import dialog box for any conflicts. Each conflict displays one or more resolution options. To resolve a conflict, choose the preferred resolution option and click the OK button next to the options window. For more about resolving conflicts, see the section Resolving Package Conflicts in the ArcSight Console User Guide.
5. Click OK to complete the import process.

The package from which the reports can be generated will be imported into the folder:

/All Packages/ArcSight Risk Insight
Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line:

Feedback on Deployment Guide (Risk Insight 1.1)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to arc-doc@hp.com.

We appreciate your feedback!