.NET Runtime Requirement 

CyMate requires the .NET Runtime to be installed on your system. Since the runtime is not bundled with CyMate, you must ensure that it is installed before running the application.

• Simply continue with the installation and configuration of CyMate.

• When you try to run CyMate, if .NET Runtime is missing, a system error message will appear, providing a direct download link for .NET Runtime.

• Click on the provided link, download the .NET Runtime installer, and then double-click the downloaded .exe file to install it.

• Once the installation is complete, run CyMate again, and it will now work correctly!

Installation Steps

1. Download CyMate Installer: Obtain the CyMateInstaller.msi from here.

2. Run the Installer:

   • Follow the on-screen instructions to complete the installation.

   • The installer will automatically place the required files in the following locations:

     • CyMate executables & install config → C:\CyRay\Mobula\

       • CyMate.exe

       • RegisterEventSourceTool.exe (automatically deleted after installation)

       • install_config.json

       • CyRay.gif

     • Configuration files & logs → C:\Users\<user>\AppData\Roaming\CyMate\Mobula

       • config.json (automatically created when running CyMate)

       • cymate.log (automatically created when running CyMate)

Installation Steps

If you need to run CyMate for multiple ArcSight consoles, the first installation should be done using the CyMateInstaller.msi (as shown in CyMate Installation - Standard Installation).
For additional installations, follow these manual installation steps:

Manual Installation Steps for Additional Instances:

1. Download CyMate ZIP Package:

   • Obtain the ZIP file from here.

   • Extract it to a temporary location.

2. Prepare CyMate Executable & Install Config:

   • Inside the extracted folder, you will see these files:

     • CyMate.exe

     • RegisterCyMateEventSourceTool.exe

     • CyRay.gif

     • install_config.json

   • Create a new folder inside C:\CyRay\ with the name of your new installation (e.g., C:\CyRay\CustomConsole).

   • Copy CyMate.exe, RegisterCyMateEventSourceTool.exe, CyRay.gif and install_config.json into this new folder.

3. Edit the Installation Config File:

   • Open C:\CyRay\CustomConsole\install_config.json with Notepad++ (or other text editor).

   • Locate the "Mobula" entry and replace it with the new installation name (e.g., "CustomConsole").

   • Save the file.

4. Prepare Configuration Files in AppData:

   • Navigate to: C:\Users\<user>\AppData\Roaming\CyMate\

• If you don’t see the AppData folder in File Explorer Click View → Show → Hidden Items.

4. • Create a new folder inside CyMate with the same name as your ne w installation (e.g., C:\Users\<user>\AppData\Roaming\CyMate\CustomConsole).

   • The config.json file will be automatically created into this folder when running CyMate.

5. Register the Event Source Used by CyMate: 

Note: This step is performed automatically during the MSI installation. If you installed CyMate on your console using the MSI in the previous step ("Standard Installation"), you can safely skip this step. 

To set up the event source that CyMate uses for logging to the Windows Event Viewer, follow these steps: 

1. Open Command Prompt as Administrator
   Press Start, type cmd, right-click on Command Prompt, and select Run as administrator. 

2. Navigate to the CyMate installation directory
   cd C:\CyRay\<CustomConsole>
   * Replace <CustomConsole> with the actual folder name where RegisterCyMateEventSourceTool.exe is located

3.  Run the Event Source Registration Tool 

RegisterCyMateEventSourceTool.exe

This will create the required event source that allows CyMate to write structured logs to the Windows Event Viewer. 

To integrate CyMate with ArcSight, follow these steps:

Creating Commands:

Navigate to Integration Commands in ArcSight's Navigator.

Click on the Commands tab.

1. Create Staging Integration Command:

   • Right-click Mobula AI > New Command.

   • Set Type to Script.

   • Configure the following fields:

     • Name: Mobula Staging Local Tool

     • Working Directory: C:\CyRay\Mobula\

     • Program: C:\CyRay\Mobula\CyMate.exe

     • Parameters: 1 staging ${generatorID} ${generatorName} ${deviceEventClassId} ${customerURI} ${customerID}

   • Click Apply.

2. Create Exclusion Integration Command:

   • Right-click Mobula AI > New Command.

   • Set Type to Script.

   • Configure the following fields:

     • Name: Mobula Exclusion Local Tool

     • Working Directory: C:\CyRay\Mobula\

     • Program: C:\CyRay\Mobula\CyMate.exe

     • Parameters: 1 exclusion ${eventId}

   • Click Apply.

3. Create Restart Connector Integration Command:

   • Right-click Mobula AI > New Command.

   • Set Type to Script.

   • Configure the following fields:

     • Name: Mobula Restart Connector Local Tool

     • Working Directory: C:\CyRay\Mobula\

     • Program: C:\CyRay\Mobula\CyMate.exe

     • Parameters: 1 restart-connector

   • Click Apply.

Creating Configuration:

Stay in Integration Commands in ArcSight's Navigator.

Click on the Configurations tab.

3. • Right-click Mobula AI > New Configuration.

   • Set Type to Script.

Configure the following fields:

3. • Name: Mobula

Go to the Context tab:

3. • Click +Add

In Location select Viewer

Go to the Commands tab:

• Click +Add

Go to Mobula AI > Select all 3 commands you created: Mobula Staging Local Tool, Mobula Exclusion Local Tool, Mobula Restart Connector Local Tool > Click OK

Click Apply.

Accessing CyMate via ArcSight

1. Integration Commands and Setup Configuration (First-Time Only):

   • Within ArcSight, right-click on the event or rule you wish to modify.

   • Select Integration Commands from the context menu > Select Mobula

   • A Window will open - Select the appropriate command:

     • Mobula Exclusion Local Tool – for event exclusions.

     • Mobula Restart Connector Local Tool – for restarting connectors.

     • Mobula Staging Local Tool – for rule staging.

   • Click OK

   • In the setup window, enter the following details:

     • ArcSight Server

     • Username

     • Password

   • After completing the setup, the relevant workflow window (Exclusion or Rule Staging) will open.

   • For subsequent runs, the setup window will not appear.

Event Exclusion Workflow

• The Event ID of the alert is automatically fetched from the log and displayed in the Exclusion Workflow window.

• A list of available exclusion options will be displayed.

• Modify any exclusion values as needed by editing the corresponding fields in the options list.

• If you want to keep the Exclusion Workflow window open after applying an exclusion, click the Keep Window Open button.

• Select the appropriate exclusion option and click Select Exclusion to apply the exclusion.

Rule Staging Workflow

• The Event ID and Rule Action ID are automatically fetched from the log and displayed in the Rule Staging window.

• The staging table includes three rows:

  1. Default Stage (not modifiable).

  2. Platform-Specific Stage (modifiable).

  3. Customer-Specific Stage (modifiable).

• The left column displays the current value, while the right column allows selecting a new value from a dropdown list.

• Selecting an empty value ('') removes the rule from the list.

• Click Update Staging to apply the changes.

Restart Connector Workflow

• Enter the Cygent ID in the "Cygent Id" field.

• Enter the Connector ID in the "Command" field.

• The Command ID and Status (new) are automatically set and displayed.

• Click the Restart Connector button to proceed.

• You can retrieve the Cygent ID and Connector ID from the ArcSight QueryViewer by navigating to /All Query Viewers/Mobula Administration/Cygent/ConKits Status - Platform V5 in the ArcSight console. 

Log File

• All actions and errors are logged to cymate.log located in:

C:\Users\<user>\AppData\Roaming\CyMate\<Console>\cymate.log

• Check this file for debugging or auditing purposes.

Step 1: Uninstall CyMate from the Control Panel

1. Open the Control Panel.

2. Navigate to Programs → Uninstall a program.

3. Locate CyMateInstaller in the list of installed programs.

4. Select it and click Uninstall.

Step 2: Delete Remaining Files (If They Exist)

After uninstalling, manually delete any leftover files:

1. Open File Explorer.

2. Delete the following folders (if they exist):

   • C:\CyRay

   • C:\Users\<user>\AppData\Roaming\CyMate

common issues:

1. There was an error in executing the following command line:

CyMate.exe exclusion 123456789

Please check the program and working directory parameters for the tool.
This means Arcsight failed to execte the program. Check the configuration of the tool, go over the guide and make sure it is configured correctly.