Configuring Event Integrity Checks
To validate that the event information in your database matches the content sent from SmartConnectors, run an Event Integrity Check. When you run the check, Recon searches the database for verification events received within the specified date range, then runs a series of checks to compare content in the database with information supplied by the verification event. The results of an Event Integrity Check help you identify whether event data might be compromised. In addition to reviewing the raw event data received from SmartConnectors, you can enable Transformation Hub to generate more than 20 parsed fields to include in the check.
- Configuring a SmartConnector to Include a Verification Event for Raw Events
- Enabling Transformation Hub to Generate Verification Events for Parsed Fields
For more information about verification events and running integrity checks, see the Help.
Configuring a SmartConnector to Include a Verification Event for Raw Events
For a SmartConnector to support event integrity checks, you must enable it to include a verification event for each batch of events. This configuration ensures that the connector generates a verification event for the
field in an event at the moment that your environment captures it.

For this setting... | Enter... |
---|---|
Preserve Raw Event | Yes. NOTE: When you enable this setting, the size of each event increases, which will require more storage space in your database. |
Event Integrity Algorithm | MD5, SHA-1, or SHA-256 |
Check Event Integrity Method | Recon |
For more information about configuring SmartConnectors, see the following topics:
- “Configuring Processing” in the Installation Guide for ArcSight SmartConnectors (ArcSight SmartConnectors documentation)
- Destination Runtime Parameters
Enabling Transformation Hub to Generate Verification Events for Parsed Fields
The Event Integrity Check can verify the integrity of multiple fields within an event. You must enable Transformation Hub to generate verification events for the parsed fields received from the SmartConnectors. You can configure this setting as you deploy Transformation Hub or at any time after deployment, such as during an upgrade.
1. Adjust the number of partitions of the Integrity events Enrichment changelog topic so that it matches the number of partitions of the source topic. The internal topic is named with the following format and pattern:
com.arcsight.th.AVRO_ENRICHMENT_1-integrityMessageStore-changelog.
2. Restart the TH Web services pod by running the following command:
kubectl delete pod th-web-service-xxxxxxxxx-yyyyy -n arcsight-installer-yyyyy
- Navigate to > .
- Enable . Default value is false. If true, a verification event is generated that accompanies a batch of events for checking the integrity of parsed fields in each event. Recon uses this verification event to check event integrity. If true, then specify a value for Verification event batch size as described below.
- For Verification event batch size, specify the number of events that you want to be associated with a verification event. Default value is 256. A lower value means that fewer events are included in each batch for integrity checks. However, a lower value also results in higher resource consumption, because more verification events are generated.
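The batch-size trade-off and the algorithm setting described above, as an added conceptual example. This is not ArcSight code: the verification record layout, the function names and the sample events are assumptions made for illustration. One record per batch carries a digest for each event, and the check recomputes the digests over the stored copies.

```python
import hashlib
import hmac

# The three values the Event Integrity Algorithm setting accepts, mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}


def digest(raw_event: bytes, algorithm: str) -> str:
    return hashlib.new(ALGORITHMS[algorithm], raw_event).hexdigest()


def make_verification_events(raw_events, algorithm="SHA-256", batch_size=256):
    """Sender side (hypothetical record layout): one verification record per batch."""
    records = []
    for start in range(0, len(raw_events), batch_size):
        batch = raw_events[start:start + batch_size]
        records.append({
            "first_index": start,
            "algorithm": algorithm,
            "digests": [digest(event, algorithm) for event in batch],
        })
    return records


def integrity_check(stored_events, verification_events):
    """Checker side: indexes of stored events that are missing or no longer match."""
    failed = []
    for record in verification_events:
        for offset, expected in enumerate(record["digests"]):
            index = record["first_index"] + offset
            stored = stored_events.get(index)
            if stored is None or not hmac.compare_digest(
                    digest(stored, record["algorithm"]), expected):
                failed.append(index)
    return failed


def demo():
    # Constructed sample data: 600 syslog-style raw events.
    sent = [f"<134>host{i} sshd: accepted login user{i}".encode() for i in range(600)]
    records = make_verification_events(sent, "SHA-256", 256)
    stored = dict(enumerate(sent))
    stored[300] = b"<134>host300 sshd: accepted login root"  # altered after ingestion
    del stored[599]                                           # deleted after ingestion
    return len(records), integrity_check(stored, records)


if __name__ == "__main__":
    print(demo())
```

With the default batch size of 256, the 600 sample events need 3 verification records; a batch size of 64 needs 10, which is the extra resource cost the setting description refers to. Of the three algorithms offered, MD5 and SHA-1 have known practical collision attacks, so SHA-256 is the stronger choice for detecting deliberate tampering.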