Filtering Events for ESM

Transformation Hub is capable of filtering and routing from a source topic of type event-avro to a destination topic of type event-avro. This capability can be used to filter events from a source topic such as mf-event-avro-enriched to a destination topic which ESM can consume from, such as mf-event-avro-esmfiltered. Both of these are default topics described here.

1. Use ArcSight Smart Connectors or any producer that supports sending Avro formatted events to send the events directly to an event-avro topic. Smart Connectors by default will send Avro formatted events to the th-arcsight-avro topic.

2. Filter the events using Transformation Hub's Avro routing rules using ArcMC 2.96 or later. Create a routing rule with an event-avro topic as source topic (such as mf-event-avro-enriched) and an event-avro topic as destination topic (such as mf-event-avro-esmfiltered). For more information, please refer to the Routing section in the ArcMC Administration Guide.

   Earlier versions of Transformation Hub that did not yet support Avro routing rules required using a combination of CEF routing rules and CEF-to-Avro conversion. Using Avro routing rules is the recommended way to filter events for ESM.
   As a general guideline, th-arcsight-avro is no longer a recommended source topic for Avro routing; use mf-event-avro-enriched instead. For more information, see About Routes.