The data exporter for ArcSight is designed to deliver incidents from a single hostname to the SIEM, with links back to InsightIDR. The incidents are sent to the SIEM as InsightIDR generates them.
Messages are in the following format:
[RFC 3164 timestamp] [host] CEF:0|Rapid7|InsightIDR|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=insightIDR Link
For example:
Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link
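A parser for this exact message layout, added here as an example and not code from Rapid7's documentation or the InsightIDR product. It handles the RFC 3164 header, the pipe-escaped CEF header, and extension values that contain spaces (start, msg); the sample line is constructed from the format above, and the cs1Label comparison is case-insensitive because the format line and the sample spell the label differently.

```python
import re
# Constructed sample in the format documented above (not a captured production event).
SAMPLE = ("Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|"
          "start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com "
          "(tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED "
          "cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link")
SYSLOG_RE = re.compile(  # RFC 3164 header "Mmm dd HH:MM:SS host", then the CEF record
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cef>CEF:.*)$")
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _split_header(cef):
    """Return the 7 pipe-delimited CEF header fields plus the extension text; '\\|' is an escaped pipe."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    fields[0] = fields[0][len("CEF:"):]          # keep only the version number
    return fields, cef[i:]

def _parse_extension(ext):
    """Split 'key=value' pairs (values may contain spaces, so split only before the next 'key=') and undo \\= \\\\ \\n \\r escaping."""
    pairs = {}
    for part in re.split(r" +(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = part.partition("=")
        pairs[key] = re.sub(r"\\([\\=nr])", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)
    return pairs

def parse_insightidr_cef(line):
    """Parse one exported line into syslog, CEF header and extension fields."""
    m = SYSLOG_RE.match(line)
    if not m: raise ValueError("not an RFC 3164 syslog line carrying CEF")
    header, ext = _split_header(m.group("cef"))
    event = dict(zip(HEADER_FIELDS, header))
    event["severity"] = int(event["severity"])
    event["timestamp"], event["host"] = m.group("ts"), m.group("host")
    event["extension"] = _parse_extension(ext)
    return event

def insightidr_link(event):
    """Return the cs1 URL only if cs1Label marks it as the InsightIDR link (label case varies)."""
    ext = event["extension"]
    return ext.get("cs1") if ext.get("cs1Label", "").lower() == "insightidr link" else None
```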
Before You Begin
For information on configuring HP ArcSight to collect information from InsightIDR, you can read their documentation here: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Data Exporter icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- In the "Hostname" field, enter the hostname or IP address of the single asset that will be exporting data.
- In the "Port" field, enter the port this event source is listening on.
- Optionally choose to export asset-specific Alerts from InsightIDR by checking the Alerts box.
- Click Save.