What records does OpenText copy in an ArcSight audit
An audit notice is also a data request, and the data you hand over shapes the finding before a single line is negotiated. What records does OpenText copy in an ArcSight audit is a question worth answering before you produce anything, because the right to copy relevant records is not a right to copy everything, and an over broad production gives the audit the widest possible reading of your deployment.
The OpenText EULA gives seven days notice before an audit and the right to copy relevant records. ArcSight reached the estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations, but the procedural right to inspect and copy still runs through the agreement that covers the audit. The word that does the work in that right is relevant. The defensive task is to make sure what is produced is genuinely relevant to the entitlement in question, and nothing wider.
The right to copy is bounded by relevance
A right to copy relevant records is not the same as a standing right to image every system, export every configuration, and walk away with the entire security data estate. Relevance is tied to the entitlement being measured. If the metric is EPS, the relevant records are those that establish the event rate the platform sustained over the measurement window. If the metric is data volume, the relevant records are those that establish ingestion or storage over that window. Producing material far beyond that scope does not help the buyer, and it gives the audit raw inputs to build a wider figure than the entitlement requires.
The right to copy attaches to relevant records, not to the whole estate. The broader the production, the broader the finding the audit can assemble from it. Scoping the production to the metric in question is a defensive act, not an obstruction.
What an ArcSight audit typically asks for
The specific records vary by metric and by edition, but in many engagements the audit requests fall into a few recognisable categories. Each should be assessed for relevance to the entitlement before it leaves the building.
- Throughput and volume data. Event rate or ingestion figures used to establish the measured metric over a defined window.
- Connector and collector inventories. Lists used to count connectors, which routinely include retired and duplicate entries that should be resolved first.
- Deployment topology. Node, instance, and environment listings that can sweep in non production and high availability components.
- Configuration exports. System settings that describe capacity but do not, by themselves, establish licensed use.
Produce through a single controlled channel
The four Rs begin here. Respond inside the seven day notice window by establishing one controlled channel through which every record is produced, so nothing reaches the audit unmanaged and every figure is described once, consistently. Reconstruct the effective position before producing, so the buyer knows what its own data shows. Rebut by scoping each request to the relevant records and resolving connector and topology inventories before they are handed over. Resolve on terms that settle the metric so future productions are bounded by a definition rather than open ended.
A recent engagement
The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding of $6.0M settle at $1.8M, a 70 percent reduction. A meaningful part of that outcome came from controlling what was produced and resolving the connector inventory before it was handed over, so the audit could not build a count from retired and duplicated entries. The same discipline applies to every category of record: relevance is established first, and only relevant material is produced.
Scope the production before the finding is built
The most important moment in an ArcSight audit is often the one before any negotiation begins: the production of records. A finding assembled from an over broad data set carries every duplicate, every retired component, and every non production feed into the opening number, and unwinding those later is harder than scoping them out at the start. The defensive discipline is to read the right to copy as a right bounded by relevance, to produce through one controlled channel, and to resolve inventories before they leave the building. Most of the reduction available in an ArcSight matter is protected, or lost, in how the records are handed over.
Facing a records request in an ArcSight audit?
We scope the production to relevant records, control the channel, and resolve connector and topology inventories before anything is handed over. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover production, connectors, and measurement. Each links back to the complete OpenText audit defense playbook for 2026.
- how OpenText measures ArcSight in a self assessment
- ArcSight connector counting in an OpenText audit
- decommissioned ArcSight connectors still on the audit
- reconciling ArcSight entitlements before an audit
- how ArcSight non production and lab data is counted
If an OpenText or Micro Focus audit notice has reached you, the first seven days matter more than any week that comes after. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.