Understanding Related Components
The capabilities you deploy in the Platform depend on functions and applications installed in your environment. For example, Transformation Hub consumes data from a wide variety of collectors and connectors before passing that content to ESM and other products. Recon and Intelligence need the ArcSight Database to store their data.
ArcSight Database
The ArcSight Database stores all collected events and provides event search and analysis capabilities. The Database keeps the primary copy of your data in communal storage, and the local cache serves as the secondary copy. Communal storage is the database's centralized storage location, shared among the database nodes. This means that adding and removing nodes does not redistribute the primary copy. Communal storage is based on an object store, such as Amazon's S3 service in the cloud or an S3-compatible object store in an on-premises deployment. The database relies on the object store to maintain the durable copy of the data.
Within communal storage, data is divided into portions called shards. The Database uses the shards to divide the data among the nodes. Nodes subscribe to particular shards, with subscriptions balanced among the nodes. When loading or querying data, each node is responsible for the data in the shards that it subscribes to.
This shared storage model enables elasticity, meaning it is both time-efficient and cost-effective to adapt the cluster resources to fit the usage pattern of the cluster. Because storage is shared, other nodes are not impacted if a node goes down. Node restarts are fast and no recovery is needed. Thus, you do not need to explicitly keep track of, or load and unload, long-term event data. The Database can bring the data to the cache on demand automatically and then move the data out when not in use. To expand communal storage, you can purchase additional storage devices rather than purchasing additional CPU and memory.
Data Sources
The deployed capabilities incorporate data from a variety of sources.
- SmartConnectors collect events from supported data sources, normalize those events, then send them to the Transformation Hub's Kafka cluster.
- When collecting data and sending it to Transformation Hub, the SmartConnector normalizes the values (such as severity, priority, and time zone) into the common format and normalizes the data structure into the common schema.
- Next, the connectors filter and aggregate events to reduce the event volume sent to the system.
- You need to install and maintain connectors separately.
- You can subscribe to the data Transformation Hub manages.
- Third-party collectors and connectors also provide data to the deployed capabilities.
Enterprise Security Manager
ArcSight Enterprise Security Manager (ESM) operates outside of the Platform OMT environment, but integrates with capabilities that operate within the Platform environment. For example, ESM shares SSO, event processing, and event search behavior with the Platform.
You can deploy the ESM Command Center capability to the Platform OMT environment to provide a more seamless user experience with other capabilities that integrate with the Platform Fusion capability, such as Intelligence and SOAR. When deployed in this manner, ESM Command Center integrates with ESM operating outside of the Platform OMT environment.
SMTP Server
The SMTP server enables the Platform to send notification messages to users. For example, when you create new users, you need the SMTP server to notify the users about their account and how to change their passwords.