Compatibility Questionnaire: ArcSight, Inc. (ArcSight ESM) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.

Organizational Information

Name of Your Organization:

ArcSight, Inc.

Web Site:

Product Information

Product/Service Name:

ArcSight ESM

Compatible Categories:

OVAL Results Consumer

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):
ArcSight provides a commercially available enterprise security management software solution. For more information visit http://www.arcsight.com or call 408-864-2600.

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicates the OVAL Schema used to create or update its contents and/or results (required):
ArcSight is a results consumer. When importing a scan, ArcSight normalizes the provided results file and imports it into the system. The SmartAgent Configuration Guide for OVAL specifies what version of the OVAL schema is supported.

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):
As a results consumer, ArcSight only needs to stay current with the results format and not with individual tests. ArcSight plans on staying current with future schema versions by updating the OVAL SmartAgent as needed.

Platform and Definition Type Support

Indicate which platforms and definition types for those platforms that your capability supports for each category of OVAL compatibility your capability supports (required):
ArcSight supports all platforms currently used by OVAL. As a results consumer, ArcSight only relies on the XML format to read the data.

Approach for Correction of Errors

Indicate how someone who discovers an error in your capability's use of OVAL can report the error and describe your approach to responding to such reports and applying fixes (required):
ArcSight is a commercial software product. Errors can be reported to our support organization. They would then be prioritized by product management and be released with subsequent releases of the OVAL agent.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):
See attached OVAL SmartAgent Configuration Guide. This guide is made available to customers who purchased the OVAL agent. OVAL compatibility will be listed on the "supported products" page on arcsight.com

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):
  • Using the vulnerability navigator, the user can use the "resource graph" or "resource grid" feature by right-clicking on a resource to show the resources associated with a vulnerability (in this case an asset). See documentation pages 7 and 17.
  • If an event is reported in ArcSight, the user can right-click on the event and immediately get to the associated vulnerability resource. (See attached documentation, page 59).
  • General handling of vulnerabilities is described on pages 115 and following in the documentation attached.
  • ActiveChannels can also be used with a filter to search for a vulnerability. (see attached documentation p. 29-32)

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):
The user can investigate what OVAL IDs were found on an asset by using the asset navigator and right-clicking on an individual asset. This will bring up an asset investigator panel which lists all the vulnerabilities associated with this asset, also showing the OVAL IDs.

Documentation Indexing of OVAL-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "OVAL" in your index. Alternately, provide directions to where these "OVAL" items are posted on your web site (recommended):

ArcSight uses a concept called reference pages for documenting individual aspects of the product. By right-clicking on elements in the ArcSight Console, the user can choose to get all the reference pages associated with an object.

Reference pages are described on page 220 of the documentation. Furthermore, each ArcSight SmartAgent comes with installation documentation (see attached).

Capability Specific Questions

OVAL-ID Output and Searchable

Finding Elements Using OVAL-ID

Give detailed examples and explanations of how a user can locate security elements in the capability by looking for their associated OVAL-ID(s) (required):
  • ArcSight uses a full-text search capability to search individual resources in the system.
  • Using the vulnerability navigator, the user can use the "resource graph" or "resource grid" feature by right-clicking on a resource to show the resources associated with a vulnerability (in this case an asset).
  • If an event is reported in ArcSight, the user can right-click on the event and immediately get to the associated vulnerability resource.
  • ActiveChannels can also be used with a filter to search for a vulnerability.

Finding OVAL-ID Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated OVAL-IDs for the individual security elements in the report (recommended):
ArcSight can run reports on assets, subnets, asset categories or vulnerabilities, which can show all the respective vulnerabilities.

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   Raffael Marty
Title:   Senior Security Engineer

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   Raffael Marty
Title:   Senior Security Engineer

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organization's willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   Raffael Marty
Title:   Senior Security Engineer

Page Last Updated: December 17, 2009