How to Add the JSONImporter as a Part of the 6.2.2 HF1 Installation

Article ID: 184899

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

How do I include the JSONImporter that is included with the HF1 installer for ICA 6.2.2.1?

N/A

Cause

N/A

Environment

ICA 6.6.6.2 HF1

Resolution

First, you may not need the JSONImporter. You need it only if you are using any of the following importers:

  • CloudSOC
  • Carbon Black
  • Symantec Web Email Security
  • Symantec EDR

If you are using any of these, continue with the steps below:

  1. Copy the JSONImporter.exe to the same location where the database utilities for ICA are installed
  2. Execute the exe, and then extract the ZIP file to a folder called JSONImporter
  3. Follow the Readme.txt to deploy:
    1. Create an appropriately sized database, named appropriately (CarbonBlackDW, CloudSocDW, etc), set for Simple Recovery.

    2. Run the included JsonDW_Create.SQL script to create base tables and initialization stored procedures.

    3. Run the appropriate initialization stored procedure (spInitializeCarbonBlackDefense, etc). This will create required tables, populate the Endpoints and EndpointAttributes tables, etc.

    4. Edit the ApplicationSettings table to update the API Url, Username, etc. NOTE that there might be instructions in the Username and Password fields in this table to describe the necessary steps. NOTE that the Password field will be handled below. NOTE that the API Url might have been pre-populated. Double check it with the customer.

      1. You have to manually set the Api field in the ApplicationSettings table to the appropriate string:
            CloudSoc, CarbonBlack, SymantecWebEmailSecurity, SymantecEDR

      2. Update the JsonImporter.exe.config connection string.

      3. Update the JsonImporter.exe.config options for the desired importer. For instance, uncomment the section for CloudSoc, and make sure the other importer sections are commented out.

      4. If necessary, run the JsonImporter.exe command line with the -password command line argument (followed by the password to be encrypted). This will update the ApplicationSettings table Password field with the encrypted value.

      5. Set up a SQL Agent job if necessary.

      6. Run the importer. Monitor log files.

        Supported importers:
        CloudSOC
        Carbon Black
        Symantec Web Email Security
        Symantec EDR

        ---
        CarbonBlack Notes
        Use importer -password command line argument to set API key and Connector ID concatenated with "/" between them:
        APIKey/ConnectorID -- also known as SecretKey/ApiID (24 digits, then a single /, then 10 digits).
        You can set this password per endpoint by using the -overridepassword EndpointID CombinedKey from the command line.

        Note that Risk Fabric does not currently use the Events or Processes endpoints. You can leave these off.
        !!!NOTE that Notifications only get delivered to an API Key once. Do NOT reuse API Keys between different importers or other outside processes. Do not truncate the final Notifications table and try to reload.!!!

        ---
        CloudSoc Notes
        You can override the username and password per endpoint by using the -overrideusername EndpointID username and -overridepassword EndpointID password options from the command line.

        ---
        Symantec Web Email Security Notes
        You can override the username and password per endpoint by using the -overrideusername EndpointID username and -overridepassword EndpointID password options from the command line.
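
The CarbonBlack notes above require the API key and Connector ID to be passed as one combined value to -password (or -overridepassword EndpointID CombinedKey). The following PowerShell wrapper is an added example, not part of the product Readme: it prompts for both values so they stay out of shell history and script files, checks the combined shape before anything is written, and then calls the importer. The install path and the function names are assumptions.

```powershell
# Added example; not shipped with the JSONImporter package.
# Assumption: the importer was extracted to this folder. Adjust as needed.
$ImporterPath = 'C:\JSONImporter\JsonImporter.exe'   # hypothetical location

function ConvertTo-PlainText {
    # Turn a SecureString from Read-Host back into text, freeing the buffer afterwards.
    param([Parameter(Mandatory)][securestring]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-CombinedKey {
    # Shape from the CarbonBlack notes: 24 characters, a single "/", 10 characters.
    # Only lengths, separator count and whitespace are checked, not the character set.
    param([Parameter(Mandatory)][string]$CombinedKey)
    $parts = $CombinedKey.Split('/')
    return ($parts.Count -eq 2 -and
            $parts[0].Length -eq 24 -and
            $parts[1].Length -eq 10 -and
            $CombinedKey -notmatch '\s')
}

# Prompt with masked input instead of typing the secret as a literal argument.
$apiKey   = ConvertTo-PlainText (Read-Host 'Carbon Black API key' -AsSecureString)
$connId   = ConvertTo-PlainText (Read-Host 'Connector ID' -AsSecureString)
$combined = "$apiKey/$connId"

if (-not (Test-CombinedKey $combined)) {
    throw 'Combined key is not 24 characters, "/", 10 characters. Nothing was written.'
}

# Blank EndpointID: set the default password. Otherwise: per-endpoint override.
$endpointId = Read-Host 'EndpointID for -overridepassword (leave blank to use -password)'
if ($endpointId) {
    & $ImporterPath -overridepassword $endpointId $combined
} else {
    & $ImporterPath -password $combined
}

# The value is still visible in the importer's process command line while it runs,
# so run this from an administrative session on the database utilities host only.
Remove-Variable apiKey, connId, combined
```

Because Notifications are delivered to an API key only once, use a key dedicated to this importer when running the wrapper.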