The data exporter for ArcSight delivers incidents from a single hostname to the SIEM, with links back to InsightIDR. Incidents are sent to the SIEM as InsightIDR generates them.
Messages are in the following format (an RFC 3164 syslog header followed by a CEF version 0 payload):
[RFC 3164 timestamp] [host] CEF:0|Rapid7|InsightIDR|1.0|[message id]|[title]|10|start=[timestamp] msg=[alert message] cat=[alert category] cs1=https://insight.rapid7.com/[url] cs1Label=InsightIDR Link
For example:
Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com (tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link
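The following parser is an added example, not Rapid7 or ArcSight code, showing how a receiver would take the line format above apart: the RFC 3164 header (which carries no year or time zone), the seven pipe-delimited CEF header fields (honouring the CEF backslash escapes for | and \), and the key=value extension, where values such as msg= and start= contain spaces and run up to the next key. Both sample lines are constructed; the first copies the example on this page, the second is an assumed line exercising the escape rules and a space-padded day. The link-extraction helper and the year-attaching helper are this example's own.

```python
import re
from datetime import datetime

# Constructed sample, copied from the message format shown on this page (not a live capture).
SAMPLE = (
    "Nov 30 13:35:53 SERVER111 CEF:0|Rapid7|InsightIDR|1.0|123456789|NetworkAccessForThreat|10|"
    "start=Nov 30 13:34:37 msg=Account <i>jsmith</i> made a DNS query for www.google.com "
    "(tracked in Test Threat) from 192.168.0.1. cat=COMPROMISED "
    "cs1=https://insight.rapid7.com/#InsightIDR/incidents/1234 cs1Label=InsightIDR Link"
)

# Constructed (assumed) sample exercising the CEF escape rules: '\|' inside a header field,
# '\=' inside an extension value, and a space-padded single-digit day in the RFC 3164 timestamp.
ESCAPED_SAMPLE = (
    "Nov  5 01:02:03 host1 CEF:0|Rapid7|InsightIDR|1.0|42|Title with \\| pipe|10|"
    "msg=key\\=value seen cat=SUSPICIOUS"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

# RFC 3164 header: "Mmm dd hh:mm:ss HOST " followed by the CEF payload. There is no year and
# no time zone in this format, so the receiving side has to supply both.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>CEF:.*)$"
)
# An extension key is a run of [A-Za-z0-9_] immediately followed by '=', not preceded by a
# backslash. A value runs up to the next such key, which is how msg= can contain spaces.
# A literal '=' in a value must be sent escaped as '\=', otherwise the text is ambiguous.
EXT_KEY_RE = re.compile(r"(?<!\\)\b([A-Za-z0-9_]+)=")


def split_cef_header(payload):
    """Split the seven pipe-delimited CEF header fields; return (fields, extension_text).

    CEF escapes '|' and '\\' in header fields with a backslash, so a plain str.split('|')
    would break on a title that contains a pipe character.
    """
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):  # escaped character: keep the next char verbatim
            cur.append(payload[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, payload[i:]


def parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...' where values may contain spaces; unescape '\\=' and '\\\\'."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_insightidr_cef(line):
    """Parse one InsightIDR -> ArcSight line into a flat dict plus an 'extension' dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not an RFC 3164 syslog message carrying CEF")
    header, ext = split_cef_header(m.group("payload"))
    rec = dict(zip(HEADER_FIELDS, header))
    if not rec["version"].startswith("CEF:"):
        raise ValueError("payload does not start with 'CEF:'")
    rec["version"] = int(rec["version"][len("CEF:"):])
    rec["severity"] = int(rec["severity"])
    rec["syslog_timestamp"] = m.group("ts")
    rec["syslog_host"] = m.group("host")
    rec["extension"] = parse_extension(ext)
    return rec


def syslog_time(ts, year):
    """Attach a year to an RFC 3164 timestamp (the format carries none); returns naive local time."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def incident_link(rec):
    """Return the InsightIDR incident URL carried in cs1 when cs1Label marks it as the link."""
    ext = rec["extension"]
    if ext.get("cs1Label", "").lower() == "insightidr link":
        return ext.get("cs1")
    return None


if __name__ == "__main__":
    for line in (SAMPLE, ESCAPED_SAMPLE):
        r = parse_insightidr_cef(line)
        print(r["name"], r["severity"], r["extension"].get("cat"), incident_link(r))
```

Two things to keep in mind when wiring this into a SIEM pipeline: the msg= field is free text, so any "word=" inside an alert message that the sender did not escape will be mis-read as a new key, and the RFC 3164 timestamp has to be combined with a year and a time zone on the receiving side before it can be compared with other sources.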
Before You Begin
For information on configuring the HP ArcSight SmartConnector to receive these messages from InsightIDR, see the vendor documentation: https://community.saas.hpe.com/t5/ArcSight-Connectors/HPE-ArcSight-SmartConnector-User-Guide/ta-p/1586784?nm.
Configure the data exporter
After you complete the prerequisite steps, you must add the data exporter in InsightIDR.
To configure the new data exporter in InsightIDR:
- From the left menu, go to Data Collection and click Data Exporters.
- Click Add Data Exporter.
- Select HP ArcSight as the Data Exporter Type.
- Choose the Collector that will send the data. Optionally, give the data exporter a name.
- In the Hostname field, enter the hostname or IP address of the single asset that will be exporting data.
- In the Port field, enter the port on which that host listens for the exported messages.
- Optionally, select the Alerts checkbox to also export asset-specific alerts from InsightIDR.
- Click Save.