Understanding Related Components

The capabilities you deploy in the Platform depend on functions and applications installed in your environment. For example, Transformation Hub consumes data from a wide variety of collectors and connectors before passing that content to ESM and other products. Recon and Intelligence need the ArcSight Database to store their data.

ArcSight Database

The ArcSight Database stores all collected events and provides event searches and analysis capabilities.

The database keeps the primary copy of your data in communal storage, and the local cache serves as the secondary copy. Communal storage is the database's centralized storage location, shared among the database nodes. This means that adding and removing nodes does not redistribute the primary copy. Communal storage is based on an object store, such as Amazon's S3 service in the cloud or an S3-compatible object store in an on-premises deployment. The database relies on the object store to maintain the durable copy of the data.

Within communal storage, data is divided into portions called shards. Shards are how the database divides the data among the nodes. Nodes subscribe to particular shards, with subscriptions balanced among the nodes. When loading or querying data, each node is responsible for the data in the shards that it subscribes to.

This shared storage model enables elasticity, meaning it is both time-effective and cost-effective to adapt the cluster resources to fit the usage pattern of the cluster. Because storage is shared, other nodes are not impacted if a node goes down. Node restarts are fast and no recovery is needed. Thus, you do not need to explicitly keep track of, load, or unload long-term retention event data. The ArcSight Database can automatically bring that data into the cache on demand, then move it out when it is not in use. To expand communal storage, you can purchase additional storage devices rather than purchasing additional CPU and memory.

Data Sources

The deployed capabilities incorporate data from a variety of sources.

Enterprise Security Manager

ArcSight Enterprise Security Manager (ESM) operates outside of the Platform CDF environment, but integrates with capabilities that operate within the Platform environment. For example, ESM shares SSO, event processing, and event search behavior with the Platform.

You can deploy the ESM Command Center capability to the Platform CDF environment to provide a more seamless user experience with other capabilities that integrate with the Platform Fusion capability, such as Intelligence and SOAR. When deployed in this manner, ESM Command Center integrates with ESM operating outside of the Platform CDF environment.

SMTP Server

The SMTP server enables the Platform to send notification messages to users. For example, when you create new users, you need the SMTP server to notify the users about their account and how to change their passwords.