HP ArcSight

The ArcSight data exporter delivers incidents from a single hostname to ArcSight (the receiving SIEM), each with a link back to SIEM (InsightIDR). Incidents are sent as SIEM (InsightIDR) generates them.

Messages are sent in the following format:

[RFC 3164 timestamp] [host] CEF:0|Rapid7|SIEM (InsightIDR)|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=insightIDR Link

For example:

Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|SIEM (InsightIDR)|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#SIEM (InsightIDR)/incidents/1234 cs1Label=SIEM (InsightIDR) Link
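As an added example (not part of the Rapid7 page or product), a Python parser for the exported line format above: it splits the syslog prefix, the seven pipe-delimited CEF header fields and the key=value extension, where values such as msg contain spaces, and resolves cs1Label so the InsightIDR link is reachable by its label. The sample line is the page's example, embedded as constructed input; the function names are my own.

```python
import re
from typing import Dict

# Constructed sample: the example line from this page, embedded for offline use.
SAMPLE = ("Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|SIEM (InsightIDR)|1.0|123456789|"
          "NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS "
          "query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED "
          "cs1=https://insight.rapid7.com/#SIEM (InsightIDR)/incidents/1234 "
          "cs1Label=SIEM (InsightIDR) Link")

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never starts a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")

def _unescape(value: str) -> str:
    # CEF extension escaping: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs; values may contain spaces."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    # csNLabel fields name the csN custom strings; expose each value under its label too.
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]
    return fields

def parse_event(line: str) -> Dict[str, object]:
    """Parse '<RFC 3164 timestamp> <host> CEF:0|...|extension' into a dict."""
    m = re.match(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (CEF:.*)$", line)
    if not m:
        raise ValueError("not an InsightIDR CEF syslog line")
    syslog_ts, host, cef = m.groups()
    # Seven '|'-separated header fields, then the extension (header fields containing
    # an escaped '\|' are not handled here; the exporter's fields above contain none).
    parts = cef.split("|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("unsupported CEF header")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["severity"] = int(parts[6])
    event["syslog_timestamp"] = syslog_ts
    event["syslog_host"] = host
    event["extension"] = parse_extension(parts[7])
    return event
```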

Before You Begin

For information on configuring HP ArcSight to collect information from SIEM (InsightIDR), you can read their documentation here: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm.

Configure the data exporter

After you complete the prerequisite steps, you must add the data exporter in SIEM (InsightIDR).

To configure the new data exporter in SIEM (InsightIDR):

  1. From the left menu, go to Data Collection and click Data Exporters.
  2. Click Add Data Exporter.
  3. Select HP ArcSight as the Data Exporter Type.
  4. Choose your collector. Optionally, give the data exporter a name.
  5. In the Hostname field, enter the hostname of the single asset or IP that will be exporting data.
  6. In the Port field, enter the port that this data exporter is listening on.
  7. Optionally, select the Alerts checkbox to export asset-specific alerts from SIEM (InsightIDR).
  8. Click Save.