Integrate an ArcSight REST Cloud Device

Configure an ArcSight REST FlexConnector cloud device to pull IOCs from Threat Command.

When IOCs are pulled, only new IOCs that were discovered since the last update (the delta) are pulled.

Pulled IOCs are accompanied by the following Rapid7 enrichment data:

• Alert ID
• Severity
• Last seen
• First seen
• Source name

IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only). In addition, you can choose to pull the IOC event stream, including events such as add or delete.

The integration requires the following steps:

1. Add an ArcSight FlexConnector REST cloud device.
   Note: Only v7.10 is supported.
2. Configure an ArcSight FlexConnector REST cloud device to pull IOCs.
   At this point, you will need to choose whether to pull only enriched IOCs or to pull the event stream also.
3. Add a connector configuration file.

Add an ArcSight FlexConnector REST cloud device

Add a cloud device to Threat Command.

Prerequisites

• You have the credentials to access the device.
• You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com 
2. From the main menu, select Automation -> Integrations.
3. From the Integrations page, click Cloud.
4. Click Add new device.
5. In the Add New Cloud Device dialog, type a user-defined name for the device.
   The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
6. Select the Device type.
   The default device IOCs limit is displayed.
7. (Optional) You can change the IOCs limit.
8. Click Add.
9. To verify that the new device is added, refresh the Automation > Integrations page.
   The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure an ArcSight FlexConnector REST device to pull IOCs

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.

Prerequisites

• You have the device login credentials.
• The device has been added.
• You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
• An IOC group for this device exists in Threat Command.
  Creating IOC groups is described in Create an IOC group

IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only).

• You can download and execute the ArcSight Connector file (v7.10 only).
• You have the device hostname, username, and password.
• You have the certificate information (optional).
• You have the Threat Command account ID and appliance key.
• For more information about generating, revoking, and displaying these credentials, see API key, account ID, and appliance key.

To edit an existing connector configuration, see Change Existing ArcSight Configuration.

First, set up a connector, then add a connector configuration file. Some of the steps will differ depending on whether you are pulling only IOCs or IOCs and the event stream.

To set up a connector:

1. Download and run the ArcSight Connector executable file, which should resemble the following:

   

2. In the installation wizard Introduction screen, click Next.

3. In the Choose Install Folder screen, select a free folder for the ArcSight. 
   Remember the directory you use. For this example, C:\program files\IntsightsRestArcSightSmartConnectors is used.

4. Click Next.

5. In the Pick Shortcut Folder screen, select where to create a program icon, then click Next.

6. In the Pre-Install Summary screen, review the details, then click Install. 
   The ArcSight Connector setup begins. This process can take some time.

7. In the Connector Setup screen, select Add a Connector, and then click Next.

8. In the Connector to configure screen, select ArcSight FlexConnector REST, then click Next. In the Parameter details screen, enter the relevant details from the Threat CommandDevice Details screen for the defined ArcSights device, described in the next step.

9. Display the Threat Command device details:

   1. From the Threat Command main menu, select Automation > Integrations.
   2. From the On-Premises device list, select the ArcSight REST device that was added.
   3. Click the Device Details link at the top of the screen. 
   

   Use the device details in the next step.

10. In the ArcSight parameter details screen, type the information for your device:

    Field	Value	Description
    Port, User Name, and Password	As needed, per client	Optional
    Configuration File	intsights	Required.  - Type “intsights” in lowercase.  - This configuration file will be created after the connector is installed.
    Events/IOCs URL	Paste theAPI Root URLfrom the Threat CommandDevice Detailsscreen.	Example: https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/**iocs ** ?start_date=$START_AT_TIME&limit=5000 https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/**events ** ?start_date=$START_AT_TIME&limit=5000 Do not change $START_AT_TIME You can control the rate of events by specifying a different limit. For example, use limit=1000 to receive 1000 events at a time. - Example: https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/iocs?start\_date=$START\_AT\_TIME&limit=1000
    Authentication Type	Basic	Required
    User	Threat Command account ID	Required
    Password	Threat Command appliance key	Required
    OAuth2 Client Properties File		Optional
    Refresh Token		Optional

11. After typing the parameters, click Next.

12. In the destination type screen, select ArcSight Manager (encrypted), then click Next.
    The Connector Setup wizard begins.

13. In the connector details screen, type values for the Name, Location, Device Location, and a comment (optional).
    These user-defined details are used later to identify events emerging from this connector.

    

14. Click Next.

15. In the destination parameters screen, type the ArcSight Manager hostname, username, and password, and then click Next.

    

16. In the certificate screen, select whether to import a certificate, then click Next.
    The import process can take a while. When it is complete, the summary screen appears.

    

17. Click Next.

    

18. In the service or standalone**** screen, select an option, then click Next.1. At the Continue or Exit screen, select Exit, then click Next.

19. Click Done. 
    The integration is complete.

To add a connector configuration file:

1. Use a text editor to create intsights.jsonparser.properties in the**[INSTALL_FOLDER]\current\user\agent\flexagent** folder. 
   The filename must begin with the value that was entered in the Configuration file field in the ArcSight Parameter details screen.
2. Use one of the following for the file contents:

trigger.node.location=/iocs
token.count=9
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=updateTime
token[5].type=String
token[5].location=update_time
token[6].name=enrichment
token[6].type=String
token[6].location=enrichment
token[7].name=nextStartDate
token[7].type=String
token[7].location=/next_start_date
token[8].name=nextUrl
token[8].type=String
token[8].location=/next
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("bundle")
event.deviceCustomString4=updateTime
event.deviceCustomString4Label=__stringConstant("IOC update time")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")

trigger.node.location=/events
token.count=10
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=eventDate
token[5].type=String
token[5].location=event_date
token[6].name=eventType
token[6].type=String
token[6].location=event_type
token[7].name=enrichment
token[7].type=String
token[7].location=enrichment
token[8].name=nextStartDate
token[8].type=String
token[8].location=/next_start_date
token[9].name=nextUrl
token[9].type=String
token[9].location=/next
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC Type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC Value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("Bundle")
event.deviceCustomDate1=__createOptionalTimeStampFromString(eventDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomDate1Label=__stringConstant("Event Date")
event.deviceCustomString4=eventType
event.deviceCustomString4Label=__stringConstant("Event Type")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")
log.global.debug=true
log.channel.file.property.package.com.arcsight=0

Save and close the file.

To begin pulling IOCs:

1. Start the new connector.
2. Log in to the ArcSight console.
   Once IOCs are collected in the Threat Command IOC group, they are displayed in the ArcSights console:
3. If you also pulled the events stream, you can view them by creating a channel in the ArcSight console: