An ArcSight SIEM consultant discussion...
Recently, I was contacted regarding an SIEM Consultant position involving ArcSight. I was initially interviewed by an agency's IT consultant. After he asked me what my achievement at the company was, I told him that I managed to add custom functions to FlexConnectors, which I then shared with the company. Unfortunately, this supposed IT consultant then misinterpreted what I said, and wrote that I "found a solution to set up Smart Connector, which was then used by the company globally." He asked me the difference between SmartConnectors and FlexConnectors, which I explained to him as well. Despite that, I have no idea how he managed to goof up what I explained.

The next day, this guy called Darren from the company called, and he asked me if I had done any ArcSight implementation for customers, to which I answered no. And the following day, the agency's IT consultant called me to say that I did not qualify for the position, because I had not done any ArcSight implementation before and that I'm only a Technical Support Engineer who only knew how to troubleshoot, configure, etc.

This is even though I am certified ACIA (which means I am certified to perform ArcSight implementations). If TSEs do not know how to implement ArcSight installations, then, heaven help customers! All TSEs have to implement ArcSight installations, because otherwise, we couldn't even troubleshoot customers' ArcSight issues.

I felt quite insulted that I was told by this Darren, who does not know ArcSight, that I do not know how to implement ArcSight. When I shared this with my ex-colleague, he commented that "you no experience who has?" Besides, a few months back, when another ex-colleague needed to recommend to a customer someone to implement ArcSight, who else did he call but me?

For good measure, I'm sharing the world's first instructions on how to develop your own custom FlexConnector functions:
Here’s how any Java developer can add their own operations to the FlexConnector framework.

1. Create a Java project.
2. Unzip the arcsightagents.jar to d:\arcsightagentsclass.
3. Add the external class folder, d:\arcsightagentsclass, to the project’s properties: Java Build Path, Libraries, Add External Class Folder.
4. Create a class that descends from the BaseOperation class and whose name ends with the suffix Operation.
5. ---------------------------------------------------------
6. ---------------------------------------------------------------------------------
7. Compile the project.
8. ---------------------------------------------------------------------------------
9. ---------------------------------------------------------------------------------

Steps 5-6 and 8-9 are intentionally blanked out. Let's see if there's someone else in the world who can figure out what I figured out years ago (and I did it without help from ArcSight R&D).

Hopefully, now that I've blogged about this, my emotions regarding this will go away.