Integrate an ArcSight REST Cloud Device

Configure an ArcSight REST FlexConnector cloud device to pull IOCs from Threat Command.

When IOCs are pulled, only new IOCs that were discovered since the last update (the delta) are pulled.

Pulled IOCs are accompanied by the following Rapid7 enrichment data:

  • Alert ID
  • Severity
  • Last seen
  • First seen
  • Source name

IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only). In addition, you can choose to pull the IOC event stream, including events such as add or delete.

The integration requires the following steps:

  1. Add an ArcSight FlexConnector REST cloud device.
    Note: Only v7.10 is supported.
  2. Configure an ArcSight FlexConnector REST cloud device to pull IOCs.
    At this point, you will need to choose whether to pull only enriched IOCs or to pull the event stream also.
  3. Add a connector configuration file.

Add an ArcSight FlexConnector REST cloud device

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure an ArcSight FlexConnector REST device to pull IOCs

After a cloud device has been added to Threat Command, you must enable it to pull IOCs from Threat Command.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.
    IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only).
  • You can download and execute the ArcSight Connector installer (v7.10 only).
  • You have the ArcSight Manager hostname, username, and password.
  • You have the certificate information (optional).
  • You have the Threat Command account ID and appliance key.
    For more information about generating, revoking, and displaying these credentials, see API key, account ID, and appliance key.

To edit an existing connector configuration, see Change Existing ArcSight Configuration.

First, set up a connector, then add a connector configuration file. Some of the steps will differ depending on whether you are pulling only IOCs or IOCs and the event stream.

To set up a connector:

  1. Download and run the ArcSight Connector executable file.

  2. In the installation wizard Introduction screen, click Next.

  3. In the Choose Install Folder screen, select an empty folder for the connector installation.
    Remember the directory you use. For this example, C:\program files\IntsightsRestArcSightSmartConnectors is used.

  4. Click Next.

  5. In the Pick Shortcut Folder screen, select where to create a program icon, then click Next.

  6. In the Pre-Install Summary screen, review the details, then click Install.
    The ArcSight Connector setup begins. This process can take some time.

  7. In the Connector Setup screen, select Add a Connector, and then click Next.

  8. In the Connector to configure screen, select ArcSight FlexConnector REST, then click Next.
    The Parameter details screen appears. Fill it in with the values from the Threat Command Device Details screen for the ArcSight device you added, as described in the next two steps.

  9. Display the Threat Command device details:

    1. From the Threat Command main menu, select Automation > Integrations.
    2. From the Cloud device list, select the ArcSight REST device that was added.
    3. Click the Device Details link at the top of the screen.
      Use the device details in the next step.
  10. In the ArcSight parameter details screen, type the information for your device:

    Port, User Name, and Password
      As needed, per client. Optional.
    Configuration File
      intsights. Required. Type "intsights" in lowercase. This is the base name of the connector configuration file that you create after the connector is installed (see To add a connector configuration file, below).
    Events/IOCs URL
      Paste the API Root URL from the Threat Command Device Details screen. Required. Use the .../iocs URL to pull IOCs only, or the .../events URL to pull IOCs and the event stream. Copy the URL exactly as shown; the identifier in the path is specific to your device. Example:

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/iocs?start_date=$START_AT_TIME&limit=5000

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/events?start_date=$START_AT_TIME&limit=5000

      Do not change $START_AT_TIME. The connector fills in this placeholder on each request, which is what restricts each pull to the delta since the previous one.

      You can control the rate of events by specifying a different limit. For example, use limit=1000 to receive 1000 events at a time:

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/iocs?start_date=$START_AT_TIME&limit=1000
    Authentication Type
      Basic. Required.
    User
      The Threat Command account ID. Required.
    Password
      The Threat Command appliance key. Required. Basic authentication sends this key with every request, so treat it as a secret and restrict who can read the connector configuration.
    OAuth2 Client Properties File
      Not used for this integration. Optional.
    Refresh Token
      Not used for this integration. Optional.
  11. After typing the parameters, click Next.

  12. In the destination type screen, select ArcSight Manager (encrypted), then click Next.
    The Connector Setup wizard begins.

  13. In the connector details screen, type values for the Name, Location, Device Location, and a comment (optional).
    These user-defined details are used later to identify events emerging from this connector.

  14. Click Next.

  15. In the destination parameters screen, type the ArcSight Manager hostname, username, and password, and then click Next.

  16. In the certificate screen, select whether to import a certificate, then click Next.
    The import process can take a while. When it is complete, the summary screen appears.

  17. Click Next.

  18. In the service or standalone screen, select whether to run the connector as a service or as a standalone application, then click Next.

  19. At the Continue or Exit screen, select Exit, then click Next.

  20. Click Done.
    The connector setup is complete. Next, add the connector configuration file.
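The poll that the connector performs with the parameters entered above, as an added Python example (not code from Rapid7 or from ArcSight): it builds the Basic authentication header from the account ID and appliance key, checks the URL for the two mistakes the parameter table warns about, and runs one delta cycle against an in-memory stub in place of the HTTP transport. The checkpoint handling is an assumption of the example: it takes $START_AT_TIME to be replaced by an ISO 8601 timestamp and reads next_start_date and next from each response, the same fields the configuration file maps into deviceReceiptTime and deviceCustomString6, but the page does not spell out these semantics. The response pages and IOC type names are constructed.

```python
"""Emulate the ArcSight REST FlexConnector poll against the Threat Command IOC URL.

Added example; not Rapid7's or ArcSight's code.  Assumptions (not stated on the
page): the connector substitutes an ISO 8601 checkpoint for $START_AT_TIME, each
response carries `next_start_date` (the checkpoint for the following poll) and
`next` (a follow-up page URL, or null when the delta is exhausted), and the HTTP
transport is replaced by an in-memory stub so the example runs offline.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# URL shape and identifier copied from the page's Device Details example.
API_ROOT_URL = ("https://api.intsights.com/tip/integrations/arcsight/"
                "5feb578325dc0b000732c04a/iocs?start_date=$START_AT_TIME&limit=1000")


def basic_auth_header(account_id: str, appliance_key: str) -> str:
    """Authentication Type = Basic: User is the account ID, Password the appliance key."""
    raw = f"{account_id}:{appliance_key}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def url_problems(url: str) -> list:
    """Checks for the two mistakes the parameter table warns about."""
    problems = []
    if "start_date=$START_AT_TIME" not in url:
        problems.append("start_date must remain $START_AT_TIME; the connector fills it in")
    limit = parse_qs(urlsplit(url).query).get("limit", [""])[0]
    if not limit.isdigit() or int(limit) < 1:
        problems.append("limit must be a positive integer, for example limit=1000")
    return problems


def pull_delta(fetch, url_template: str, checkpoint: str):
    """One poll cycle: substitute the checkpoint, follow `next` pages, and return
    (iocs, new_checkpoint).  The new checkpoint is what the connector persists so
    that the next cycle pulls only IOCs added since this one (the delta)."""
    url = url_template.replace("$START_AT_TIME", checkpoint)
    iocs = []
    while url:
        page = fetch(url)
        iocs.extend(page.get("iocs", []))
        checkpoint = page.get("next_start_date") or checkpoint
        url = page.get("next")
    return iocs, checkpoint


# Constructed responses keyed by URL.  Type names and values are examples, not real
# indicators (the hash is MD5 of the empty string).
_PAGE2 = API_ROOT_URL.replace("$START_AT_TIME", "2024-05-01T09:30:00.000Z")
CONSTRUCTED_PAGES = {
    API_ROOT_URL.replace("$START_AT_TIME", "2024-05-01T00:00:00.000Z"): {
        "kind": "iocs", "request_date": "2024-05-01T10:00:00.000Z",
        "iocs": [
            {"type": "Domains", "value": "bad.example", "bundle": "arcsight-group",
             "update_time": "2024-05-01T08:00:00.000Z", "enrichment": {"severity": "High"}},
            {"type": "IpAddresses", "value": "192.0.2.10", "bundle": "arcsight-group",
             "update_time": "2024-05-01T09:30:00.000Z", "enrichment": {"severity": "Medium"}},
        ],
        "next_start_date": "2024-05-01T09:30:00.000Z", "next": _PAGE2,
    },
    _PAGE2: {
        "kind": "iocs", "request_date": "2024-05-01T10:00:01.000Z",
        "iocs": [
            {"type": "Hashes", "value": "d41d8cd98f00b204e9800998ecf8427e", "bundle": "arcsight-group",
             "update_time": "2024-05-01T09:45:00.000Z", "enrichment": {"severity": "Low"}},
        ],
        "next_start_date": "2024-05-01T09:45:00.000Z", "next": None,
    },
}


def constructed_fetch(url: str) -> dict:
    """Stand-in for the HTTP GET that would carry the Basic header; unknown URLs fail loudly."""
    return CONSTRUCTED_PAGES[url]


if __name__ == "__main__":
    assert not url_problems(API_ROOT_URL)
    print(basic_auth_header("<account id>", "<appliance key>"))
    iocs, checkpoint = pull_delta(constructed_fetch, API_ROOT_URL, "2024-05-01T00:00:00.000Z")
    for ioc in iocs:
        print(ioc["type"], ioc["value"], ioc["enrichment"]["severity"])
    print("next poll starts at", checkpoint)
```

Treat the appliance key like a password: Basic authentication sends it with every poll, so restrict read access to the connector's installation directory and to any debug logs it writes.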

To add a connector configuration file:

  1. Use a text editor to create intsights.jsonparser.properties in the [INSTALL_FOLDER]\current\user\agent\flexagent folder (for the example above, C:\program files\IntsightsRestArcSightSmartConnectors\current\user\agent\flexagent).
    The filename must begin with the value that was entered in the Configuration File field in the ArcSight Parameter details screen (intsights), followed by .jsonparser.properties.
  2. Use one of the following for the file contents:
Pull IOCs only

# intsights.jsonparser.properties: IOCs only.
# trigger.node.location is the array in the JSON response that the connector
# iterates; one ArcSight event is produced per element.
trigger.node.location=/iocs
# token.count must equal the number of token[n] definitions below.
token.count=9
# A location starting with "/" is read from the root of the response;
# any other location is read relative to the current element of the trigger node.
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=updateTime
token[5].type=String
token[5].location=update_time
token[6].name=enrichment
token[6].type=String
token[6].location=enrichment
token[7].name=nextStartDate
token[7].type=String
token[7].location=/next_start_date
token[8].name=nextUrl
token[8].type=String
token[8].location=/next
# Date pattern in Java SimpleDateFormat syntax, which the ArcSight date functions use:
# yyyy and dd are calendar year and day of month, HH is the 24-hour clock, and the
# literal T is quoted. (YYYY, DD and hh would mean week-year, day-of-year and 12-hour clock.)
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"yyyy-MM-dd'T'HH:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
# Constant device identity; filter on these in the ArcSight console to isolate this feed.
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("bundle")
event.deviceCustomString4=updateTime
event.deviceCustomString4Label=__stringConstant("IOC update time")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")
Pull IOCs and event stream

# intsights.jsonparser.properties: IOCs and event stream.
# trigger.node.location is the array in the JSON response that the connector
# iterates; one ArcSight event is produced per element.
trigger.node.location=/events
# token.count must equal the number of token[n] definitions below.
token.count=10
# A location starting with "/" is read from the root of the response;
# any other location is read relative to the current element of the trigger node.
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=eventDate
token[5].type=String
token[5].location=event_date
token[6].name=eventType
token[6].type=String
token[6].location=event_type
token[7].name=enrichment
token[7].type=String
token[7].location=enrichment
token[8].name=nextStartDate
token[8].type=String
token[8].location=/next_start_date
token[9].name=nextUrl
token[9].type=String
token[9].location=/next
# Date patterns use Java SimpleDateFormat syntax (ArcSight date functions): yyyy and dd
# are calendar year and day of month, HH is the 24-hour clock, and the literal T is quoted.
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"yyyy-MM-dd'T'HH:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
# Constant device identity; filter on these in the ArcSight console to isolate this feed.
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC Type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC Value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("Bundle")
# The event type (for example, add or delete) and its time come from the event stream.
event.deviceCustomDate1=__createOptionalTimeStampFromString(eventDate,"yyyy-MM-dd'T'HH:mm:ss.SSSX")
event.deviceCustomDate1Label=__stringConstant("Event Date")
event.deviceCustomString4=eventType
event.deviceCustomString4Label=__stringConstant("Event Type")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")
# Verbose connector logging for the initial run; remove these two lines once events
# are confirmed in the console.
log.global.debug=true
log.channel.file.property.package.com.arcsight=0

Save and close the file.
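Before starting the connector, you can dry-run the parser mapping offline. The following is an added Python example, not part of this page or of ArcSight: a small emulator of the FlexConnector REST JSON-parser behaviour the configuration file relies on (iteration over the trigger node, root-relative locations starting with "/" versus element-relative ones, __stringConstant, and __createOptionalTimeStampFromString with a Java SimpleDateFormat pattern, returning null when the value does not parse). It also checks that token.count matches the token[n] entries, a mismatch that otherwise only surfaces at connector start. PROPERTIES_EXCERPT keeps the page's syntax with fewer tokens and uses the pattern yyyy-MM-dd'T'HH:mm:ss.SSSX for the timestamp; replace it with your full file contents to test yours. CONSTRUCTED_RESPONSE is shaped to fit those token locations and is not a real Threat Command payload.

```python
"""Dry-run an intsights.jsonparser.properties mapping against a constructed response.
Added example (not Rapid7's or ArcSight's code); emulates only the parser features the
configuration file uses.  PROPERTIES_EXCERPT and CONSTRUCTED_RESPONSE are illustrative."""
import json
import re
from datetime import datetime

PROPERTIES_EXCERPT = """
trigger.node.location=/iocs
token.count=3
token[0].name=iocType
token[0].type=String
token[0].location=type
token[1].name=iocValue
token[1].type=String
token[1].location=value
token[2].name=nextStartDate
token[2].type=String
token[2].location=/next_start_date
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"yyyy-MM-dd'T'HH:mm:ss.SSSX")
event.deviceVendor=__stringConstant("Intsights")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC type")
event.deviceCustomString2=iocValue
"""

# Shape follows the token locations above; values are examples, not real indicators.
CONSTRUCTED_RESPONSE = {
    "next_start_date": "2024-05-01T09:45:00.000Z",
    "iocs": [{"type": "Domains", "value": "bad.example"},
             {"type": "Hashes", "value": "d41d8cd98f00b204e9800998ecf8427e"}],
}

# SimpleDateFormat letters used on this page -> strptime directives (longest match first).
_JAVA = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S",
         "SSS": "%f", "XXX": "%z", "XX": "%z", "X": "%z"}


def parse_properties(text):
    """key=value per line; blank lines and '#' comments are ignored."""
    lines = (l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return dict((k.strip(), v.strip()) for k, v in (l.split("=", 1) for l in lines))


def java_to_strptime(fmt):
    """Translate a SimpleDateFormat pattern; 'quoted' text (such as 'T') is literal."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "'":
            j = fmt.index("'", i + 1)
            out.append(fmt[i + 1:j].replace("%", "%%"))
            i = j + 1
            continue
        letter = next((jv for jv in _JAVA if fmt.startswith(jv, i)), None)
        out.append(_JAVA[letter] if letter else fmt[i])  # unknown letters pass through
        i += len(letter) if letter else 1
    return "".join(out)


def create_optional_timestamp(value, java_fmt):
    """__createOptionalTimeStampFromString: None (null) when the value does not parse."""
    try:
        return datetime.strptime(value, java_to_strptime(java_fmt))
    except (TypeError, ValueError):
        return None


def resolve(root, element, location):
    """'/a/b' is read from the document root, 'a/b' from the current trigger element."""
    node, path = (root, location[1:]) if location.startswith("/") else (element, location)
    for part in filter(None, path.split("/")):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def evaluate(expr, tokens):
    """Right-hand side of an event.* line: one of the two functions used, or a token name."""
    m = re.fullmatch(r'__stringConstant\("(.*)"\)', expr)
    if m:
        return m.group(1)
    m = re.fullmatch(r'__createOptionalTimeStampFromString\((\w+),"(.*)"\)', expr)
    if m:
        return create_optional_timestamp(tokens.get(m.group(1)), m.group(2))
    return tokens.get(expr)


def apply_parser(props, response):
    """One dict of ArcSight event fields per element of the trigger node."""
    count = int(props["token.count"])
    defined = {int(m.group(1)) for m in map(re.compile(r"token\[(\d+)\]").match, props) if m}
    if defined != set(range(count)):
        raise ValueError(f"token.count={count} but token indexes defined: {sorted(defined)}")
    tokens = [(props[f"token[{i}].name"], props[f"token[{i}].location"]) for i in range(count)]
    events = []
    for element in resolve(response, response, props["trigger.node.location"]) or []:
        values = {}
        for name, location in tokens:  # String tokens: structured JSON values are serialised
            value = resolve(response, element, location)
            values[name] = json.dumps(value, sort_keys=True) if isinstance(value, (dict, list)) else value
        events.append({k[6:]: evaluate(v, values) for k, v in props.items() if k.startswith("event.")})
    return events


if __name__ == "__main__":
    for event in apply_parser(parse_properties(PROPERTIES_EXCERPT), CONSTRUCTED_RESPONSE):
        print(event)
```

A pattern that does not fit the data shows up as deviceReceiptTime=None rather than as an error, mirroring the Optional in the function name, so check that field explicitly when you test a file: a week-year pattern such as YYYY-MM-DDThh:mm:ss.SSSX yields None for every event.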

To begin pulling IOCs:

  1. Start the new connector.
  2. Log in to the ArcSight console.
    Once IOCs are collected in the Threat Command IOC group, they are displayed in the ArcSight console with Device Vendor "Intsights" and the IOC type and value in deviceCustomString1 and deviceCustomString2, as mapped in the configuration file.
  3. If you also pulled the event stream, you can view the events by creating a channel in the ArcSight console, for example one filtered on Device Vendor "Intsights".