How do I include the JSONImporter that is included with the HF1 installer for ICA 6.2.2.1?
ICA 6.6.6.2 HF1
First, you may not need the JSONImporter at all. You will need it only if you are using one of the importers listed under Supported importers below.
If so, continue with the steps below:
Create an appropriately sized database with an appropriate name (CarbonBlackDW, CloudSocDW, etc.), set to the Simple recovery model.
Run the included JsonDW_Create.SQL script to create the base tables and the initialization stored procedures.
Run the appropriate initialization stored procedure (spInitializeCarbonBlackDefense, etc.). This creates the required tables and populates the Endpoints and EndpointAttributes tables, among others.
Edit the ApplicationSettings table to update the API Url, Username, etc. NOTE that the Username and Password fields in this table may contain instructions describing the necessary steps. NOTE that the Password field is handled in a later step. NOTE that the API Url might have been pre-populated; double-check it with the customer.
You have to manually set the Api field in the ApplicationSettings table to the appropriate string, one of:
CloudSoc, CarbonBlack, SymantecWebEmailSecurity, SymantecEDR
Update the JsonImporter.exe.config connection string.
Update the JsonImporter.exe.config options for the desired importer. For instance, uncomment the section for CloudSoc and make sure the other importer sections are commented out.
If necessary, run JsonImporter.exe from the command line with the -password argument followed by the password to be encrypted. This updates the Password field of the ApplicationSettings table with the encrypted value.
Set up a SQL Agent job if necessary.
Run the importer and monitor the log files.
Supported importers:
CloudSOC
Carbon Black
Symantec Web Email Security
Symantec EDR
---
CarbonBlack Notes
Use the importer's -password command line argument to set the API key and Connector ID concatenated with a "/" between them:
APIKey/ConnectorID -- also known as SecretKey/ApiID (24 digits, then a single /, then 10 digits).
You can set this password per endpoint by using -overridepassword EndpointID CombinedKey from the command line.
Note that Risk Fabric does not currently use the Events or Processes endpoints. You can leave these off.
!!!NOTE that Notifications are delivered to an API Key only once. Do NOT reuse API Keys between different importers or other outside processes. Do not truncate the final Notifications table and try to reload.!!!
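As an added illustration (not part of this article or of the ICA product), a small Python helper that checks the combined-key format described above before the value is handed to JsonImporter.exe, and flags an API key that appears under more than one consumer, which the note above says will lose notifications. The function names, the reading of "digits" as ASCII 0-9 only, and the sample values are assumptions.

```python
import re
from typing import Dict, List, Optional

# Combined-key format from the notes above: 24 digits, one "/", then 10 digits.
# Assumption (not stated on the page): "digits" means ASCII 0-9 only.
COMBINED_KEY_RE = re.compile(r"^[0-9]{24}/[0-9]{10}$")


def validate_combined_key(combined: str) -> bool:
    """True if the value looks like APIKey/ConnectorID as the notes describe."""
    return COMBINED_KEY_RE.fullmatch(combined) is not None


def build_password_args(combined: str, endpoint_id: Optional[int] = None) -> List[str]:
    """Argument list for JsonImporter.exe; refuses a malformed key before it is
    encrypted into the ApplicationSettings Password field. Hand the list to
    subprocess.run(..., shell=False) so the secret never passes through a shell
    or lands in a shell history."""
    if not validate_combined_key(combined):
        raise ValueError("expected 24 digits, '/', 10 digits (value not echoed)")
    if endpoint_id is None:
        return ["JsonImporter.exe", "-password", combined]
    return ["JsonImporter.exe", "-overridepassword", str(endpoint_id), combined]


def find_reused_api_keys(keys_by_consumer: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each API key (the part before '/') used by more than one consumer to
    the consumers sharing it. Notifications are delivered to a key only once, so
    any non-empty result means at least one consumer will silently miss events."""
    consumers_by_key: Dict[str, List[str]] = {}
    for consumer, combined in keys_by_consumer.items():
        api_key = combined.split("/", 1)[0]
        consumers_by_key.setdefault(api_key, []).append(consumer)
    return {k: v for k, v in consumers_by_key.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = "1" * 24 + "/" + "2" * 10
    print(build_password_args(good, endpoint_id=3))
    # Same API key under a second Connector ID: flagged as reuse.
    print(find_reused_api_keys({"CarbonBlack importer": good,
                                "outside process": "1" * 24 + "/" + "9" * 10}))
```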
---
CloudSoc Notes
You can override the username and password per endpoint by using the -overrideusername EndpointID username and -overridepassword EndpointID password options from the command line.
---
Symantec Web Email Security Notes
You can override the username and password per endpoint by using the -overrideusername EndpointID username and -overridepassword EndpointID password options from the command line.