HP ArcSight
The ArcSight data exporter delivers incidents from a single hostname to the SIEM (ArcSight), with links back to InsightIDR. Incidents are sent to the SIEM as InsightIDR generates them.
Messages are in the following format:
[RFC 3164 timestamp] [host] CEF:0|Rapid7|InsightIDR|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=InsightIDR Link
For example:
Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link
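As an added example that is not part of the original page or Rapid7's own code, the following Python parser reads one of these lines: the RFC 3164 header, the seven pipe-delimited CEF header fields, and the space-separated extension pairs whose values (start, msg) themselves contain spaces, which is why splitting on bare spaces would break them. The embedded sample is the line above with the product field as InsightIDR; the helper name insightidr_link and its check on the console hostname are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC 3164 header ("Nov 30 13:35:53 SERVER111 ") followed by the CEF payload.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
# A new extension key starts only where " key=" follows a space, so values like
# "start=Nov 30 13:34:37" and the alert message may legitimately contain spaces.
EXT_KEY = re.compile(r" (?=[A-Za-z0-9]+=)")
# The page's sample line (product field as InsightIDR), embedded for a stand-alone run.
SAMPLE = ("Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|"
          "NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a "
          "DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED "
          "cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link")

@dataclass
class CefEvent:
    timestamp: str
    host: str
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: int
    extensions: dict

def _unescape(value: str) -> str:
    # CEF escapes '|' in header fields and '=' in extension values with a backslash.
    return re.sub(r"\\([\\|=])", r"\1", value)

def parse_cef(line: str) -> CefEvent:
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 syslog line carrying a CEF payload")
    # Seven header fields split on unescaped pipes; the eighth piece is the extension string.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header (expected 7 pipe-delimited fields)")
    extensions = {}
    for pair in EXT_KEY.split(parts[7].strip()):
        key, _, value = pair.partition("=")
        extensions[key] = _unescape(value)
    return CefEvent(m.group("timestamp"), m.group("host"), _unescape(parts[1]), _unescape(parts[2]),
                    parts[3], parts[4], _unescape(parts[5]), int(parts[6]), extensions)

def insightidr_link(event: CefEvent):
    # Hand cs1 to the analyst only if it is an HTTPS link to the InsightIDR console host
    # (hostname taken from the sample line; an assumption for other deployments).
    url = urlsplit(event.extensions.get("cs1", ""))
    return url.geturl() if url.scheme == "https" and url.netloc == "insight.rapid7.com" else None
```

Running parse_cef over the syslog stream ArcSight receives gives you the msg, cat and cs1 fields as separate values for correlation instead of one opaque line.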
Before You Begin
For information on configuring HP ArcSight to collect events from InsightIDR, see the HPE ArcSight SmartConnector User Guide: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm
Configure the data exporter
After you complete the prerequisite steps, add the data exporter in InsightIDR.
To configure the new data exporter in InsightIDR:
- From the left menu, go to Data Collection and click Data Exporters.
- Click Add Data Exporter.
- Select HP ArcSight as the Data Exporter Type.
- Choose your collector. Optionally, give the data exporter a name.
- In the Hostname field, enter the hostname of the single asset or IP that will be exporting data.
- In the Port field, enter the port that this data exporter is listening on.
- Optionally, select the Alerts checkbox to export asset-specific alerts from InsightIDR.
- Click Save.