HP ArcSight

The data exporter for ArcSight is designed to deliver incidents from a single hostname to the SIEM, with links back to InsightIDR. The incidents are sent to the SIEM as InsightIDR generates them.

Messages are in the following format:

Message Format

[RFC 3164 timestamp] [host] CEF:0|Rapid7|InsightIDR|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=insightIDR Link

Example Message

Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link
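As an added example (not code from this page or from Rapid7), the following Python parses messages in the format above on the receiving side: it splits off the RFC 3164 timestamp and host, splits the CEF header on unescaped pipes, and walks the extension field by key position so that values containing spaces (such as msg= and start=) are kept whole. The sample lines are constructed; the first follows the page's example and the second is made up to exercise CEF escaping of "|" in the header and "=" in an extension value. The insightidr_link helper is an assumption about how a downstream consumer would recover the cs1 link back to InsightIDR, accepting either capitalisation of the cs1Label shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input (not captured from a real deployment). Line 1 follows the
# page's example message; line 2 is made up to exercise CEF escaping ("\|" and "\=").
SAMPLE_LINES = [
    "Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|"
    "start=Nov 30 13:34:37 msg=Account jsmith made a DNS query for www.google.com "
    "(tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED "
    "cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link",
    "Dec  1 08:02:11 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|987654321|Odd Title \\| Pipe|10|"
    "start=Dec  1 08:01:59 msg=Query a\\=b seen cat=SUSPICIOUS "
    "cs1=https://insight.rapid7.com/#InsightIDR/incidents/5678 cs1Label=insightIDR Link",
]

# RFC 3164 prefix: "Mmm dd hh:mm:ss host", then the CEF payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cef>CEF:\d+\|.*)$"
)
# A "|" not preceded by a backslash terminates a CEF header field.
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# An extension key is a bare token followed by "=", at the start or after whitespace;
# an escaped "\=" inside a value never matches because of the backslash.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


@dataclass
class CefEvent:
    syslog_time: str
    host: str
    cef_version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extensions: Dict[str, str] = field(default_factory=dict)


def _unescape(s: str, specials: Dict[str, str]) -> str:
    """Left-to-right unescape so that "\\\\=" is a backslash followed by a real key."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in specials:
            out.append(specials[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


HEADER_ESCAPES = {"|": "|", "\\": "\\"}
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def parse_extensions(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...'; each value runs up to the next unescaped key."""
    matches = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip(), EXT_ESCAPES)
    return out


def parse_cef_syslog(line: str) -> Optional[CefEvent]:
    """Parse one syslog-wrapped CEF line; return None if it is not well-formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Exactly 7 header fields precede the extension, so split at most 7 times.
    parts = HEADER_SPLIT_RE.split(m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        return None
    try:
        cef_version = int(parts[0].split(":", 1)[1])
        severity = int(parts[6])
    except ValueError:
        return None
    if not 0 <= severity <= 10:  # CEF severity range
        return None
    return CefEvent(
        syslog_time=m.group("ts"),
        host=m.group("host"),
        cef_version=cef_version,
        vendor=_unescape(parts[1], HEADER_ESCAPES),
        product=_unescape(parts[2], HEADER_ESCAPES),
        device_version=_unescape(parts[3], HEADER_ESCAPES),
        signature_id=_unescape(parts[4], HEADER_ESCAPES),
        name=_unescape(parts[5], HEADER_ESCAPES),
        severity=severity,
        extensions=parse_extensions(parts[7]),
    )


def insightidr_link(event: CefEvent) -> Optional[str]:
    """Assumed consumer logic: return cs1 only for InsightIDR events whose cs1Label says so."""
    if (event.vendor, event.product) != ("Rapid7", "InsightIDR"):
        return None
    if event.extensions.get("cs1Label", "").lower() != "insightidr link":
        return None
    return event.extensions.get("cs1")


def parse_all(lines: List[str]) -> List[CefEvent]:
    return [e for e in (parse_cef_syslog(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev.signature_id, ev.name, ev.extensions.get("cat"), insightidr_link(ev))
```

Malformed lines are dropped rather than partially parsed, so a pipeline built on this can count rejects as a health signal for the exporter rather than ingesting half-decoded incidents.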

Before You Begin

For information on configuring HP ArcSight to collect information from InsightIDR, you can read their documentation here: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm.

Configure the data exporter

After you complete the prerequisite steps, you must add the data exporter in InsightIDR.

To configure the new data exporter in InsightIDR:

  1. From the left menu, go to Data Collection and click Data Exporters.
  2. Click Add Data Exporter.
  3. Select HP ArcSight as the Data Exporter Type.
  4. Choose your collector. You can also name your data exporter if you want.
  5. In the Hostname field, enter the hostname or IP address of the single asset that will be exporting data.
  6. In the Port field, enter the port that this data exporter is listening on.
  7. Optionally, select the Alerts checkbox to export asset-specific alerts from InsightIDR.
  8. Click Save.