HP ArcSight

The data exporter for ArcSight is designed to deliver incidents from a single hostname to the SIEM, with links back to InsightIDR. The incidents are sent to the SIEM as InsightIDR generates them.

Message are in the following format:

Message Format
1
[RFC 3164 timestamp] [host] CEF:0|Rapid7|InsightIDR|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=insightIDR Link

Example Message
1
Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link

Before You Begin

For information on configuring HP ArcSight to collect information from InsightIDR, you can read their documentation here: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm.

How to Configure This Event Source

1. From your dashboard, select Data Collection on the left hand menu.
2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
3. From the “Security Data” section, click the Data Exporter icon. The “Add Event Source” panel appears.
4. Choose your collector and event source. You can also name your event source if you want.
5. In the "Hostname" field, enter the Hostname of the single asset or IP that will be exporting data.
6. In the "Port" field, enter the port this event source is listening on.
7. Optionally choose to export asset-specific Alerts from InsightIDR by checking the Alerts box.
8. Click Save.