Integrate an ArcSight REST Cloud Device

Configure an ArcSight REST FlexConnector cloud device to pull IOCs from Threat Command.

When IOCs are pulled, only new IOCs that were discovered since the last update (the delta) are pulled.

Pulled IOCs are accompanied by the following Rapid7 enrichment data:

  • Alert ID
  • Severity
  • Last seen
  • First seen
  • Source name

IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only). In addition, you can choose to pull the IOC event stream, including events such as add or delete.

The integration requires the following steps:

  1. Add an ArcSight FlexConnector REST cloud device.
    Note: Only v7.10 is supported.
  2. Configure an ArcSight FlexConnector REST cloud device to pull IOCs.
    At this point, you will need to choose whether to pull only enriched IOCs or to pull the event stream also.
  3. Add a connector configuration file.

Add an ArcSight FlexConnector REST cloud device

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure an ArcSight FlexConnector REST device to pull IOCs

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.
    IOC groups for this device can consist of domains, URLs, IP addresses, and file hashes (MD5 only).
  • You can download and execute the ArcSight Connector file (v7.10 only).
  • You have the device hostname, username, and password.
  • You have the certificate information (optional).
  • You have the Threat Command account ID and appliance key.
    For more information about generating, revoking, and displaying these credentials, see API key, account ID, and appliance key.

To edit an existing connector configuration, see Change Existing ArcSight Configuration.

First, set up a connector, then add a connector configuration file. Some of the steps will differ depending on whether you are pulling only IOCs or IOCs and the event stream.

To set up a connector:

  1. Download and run the ArcSight Connector executable file.
  2. In the installation wizard Introduction screen, click Next.

  3. In the Choose Install Folder screen, select an installation folder for the ArcSight connector.
    Remember the directory you use. For this example, C:\program files\IntsightsRestArcSightSmartConnectors is used.

  4. Click Next.

  5. In the Pick Shortcut Folder screen, select where to create a program icon, then click Next.

  6. In the Pre-Install Summary screen, review the details, then click Install.
    The ArcSight Connector setup begins. This process can take some time.

  7. In the Connector Setup screen, select Add a Connector, and then click Next.

  8. In the Connector to configure screen, select ArcSight FlexConnector REST, then click Next. In the Parameter details screen, enter the relevant details from the Threat Command Device Details screen for the defined ArcSight device, described in the next step.

  9. Display the Threat Command device details:

    1. From the Threat Command main menu, select Automation > Integrations.
    2. From the On-Premises device list, select the ArcSight REST device that was added.
    3. Click the Device Details link at the top of the screen.

    Use the device details in the next step.

  10. In the ArcSight parameter details screen, type the information for your device (Field: Value. Description):

    • Port, User Name, and Password: as needed, per client. Optional.
    • Configuration File: intsights. Required. Type "intsights" in lowercase. This configuration file will be created after the connector is installed.
    • Events/IOCs URL: paste the API Root URL from the Threat Command Device Details screen. Examples:

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/iocs?start_date=$START_AT_TIME&limit=5000

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/events?start_date=$START_AT_TIME&limit=5000

      Do not change $START_AT_TIME.

      You can control the rate of events by specifying a different limit. For example, use limit=1000 to receive 1000 events at a time:

      https://api.intsights.com/tip/integrations/arcsight/5feb578325dc0b000732c04a/iocs?start_date=$START_AT_TIME&limit=1000
    • Authentication Type: Basic. Required.
    • User: Threat Command account ID. Required.
    • Password: Threat Command appliance key. Required.
    • OAuth2 Client Properties File: leave empty. Optional.
    • Refresh Token: leave empty. Optional.
  11. After typing the parameters, click Next.

  12. In the destination type screen, select ArcSight Manager (encrypted), then click Next.
    The Connector Setup wizard begins.

  13. In the connector details screen, type values for the Name, Location, Device Location, and a comment (optional).
    These user-defined details are used later to identify events emerging from this connector.

  14. Click Next.

  15. In the destination parameters screen, type the ArcSight Manager hostname, username, and password, and then click Next.

  16. In the certificate screen, select whether to import a certificate, then click Next.
    The import process can take a while. When it is complete, the summary screen appears.

  17. Click Next.

  18. In the service or standalone screen, select an option, then click Next.

  19. At the Continue or Exit screen, select Exit, then click Next.

  20. Click Done.
    The integration is complete.

To add a connector configuration file:

  1. Use a text editor to create intsights.jsonparser.properties in the [INSTALL_FOLDER]\current\user\agent\flexagent folder.
    The filename must begin with the value that was entered in the Configuration file field in the ArcSight Parameter details screen.
  2. Use one of the following for the file contents:

Pull IOCs only

trigger.node.location=/iocs
token.count=9
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=updateTime
token[5].type=String
token[5].location=update_time
token[6].name=enrichment
token[6].type=String
token[6].location=enrichment
token[7].name=nextStartDate
token[7].type=String
token[7].location=/next_start_date
token[8].name=nextUrl
token[8].type=String
token[8].location=/next
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("bundle")
event.deviceCustomString4=updateTime
event.deviceCustomString4Label=__stringConstant("IOC update time")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")

Pull IOCs and event stream

trigger.node.location=/events
token.count=10
token[0].name=kind
token[0].type=String
token[0].location=/kind
token[1].name=requestDate
token[1].type=String
token[1].location=/request_date
token[2].name=iocType
token[2].type=String
token[2].location=type
token[3].name=iocValue
token[3].type=String
token[3].location=value
token[4].name=bundle
token[4].type=String
token[4].location=bundle
token[5].name=eventDate
token[5].type=String
token[5].location=event_date
token[6].name=eventType
token[6].type=String
token[6].location=event_type
token[7].name=enrichment
token[7].type=String
token[7].location=enrichment
token[8].name=nextStartDate
token[8].type=String
token[8].location=/next_start_date
token[9].name=nextUrl
token[9].type=String
token[9].location=/next
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
event.deviceVendor=__stringConstant("Intsights")
event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
event.deviceCustomString1=iocType
event.deviceCustomString1Label=__stringConstant("IOC Type")
event.deviceCustomString2=iocValue
event.deviceCustomString2Label=__stringConstant("IOC Value")
event.deviceCustomString3=bundle
event.deviceCustomString3Label=__stringConstant("Bundle")
event.deviceCustomDate1=__createOptionalTimeStampFromString(eventDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomDate1Label=__stringConstant("Event Date")
event.deviceCustomString4=eventType
event.deviceCustomString4Label=__stringConstant("Event Type")
event.deviceCustomString5=enrichment
event.deviceCustomString5Label=__stringConstant("IOC enrichment")
log.global.debug=true
log.channel.file.property.package.com.arcsight=0

Save and close the file.
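As an added example, not part of this Rapid7 page or the connector, the following Python models what the "Pull IOCs only" parser file does with one response (absolute tokens such as /next_start_date read the response root, relative tokens such as value read each /iocs element) and how the delta pull follows next_start_date so that a re-run fetches nothing already seen. The response shape, the sample feed, the enrichment strings and the API host are all constructed assumptions derived from the token locations above, not captured from the real endpoint.

```python
from datetime import datetime

# Same mapping the parser file expresses with its token[n] / event.* lines:
# ArcSight field -> (key inside each /iocs element, label constant).
FIELD_MAP = {
    "deviceCustomString1": ("type", "IOC type"),
    "deviceCustomString2": ("value", "IOC value"),
    "deviceCustomString3": ("bundle", "bundle"),
    "deviceCustomString4": ("update_time", "IOC update time"),
    "deviceCustomString5": ("enrichment", "IOC enrichment"),
}

# Constructed sample feed standing in for the Threat Command endpoint (not real data).
SAMPLE_FEED = [
    {"type": "Domains", "value": "ioc-one.example", "bundle": "demo",
     "update_time": "2021-01-01T10:00:00.000Z", "enrichment": "severity=High"},
    {"type": "IpAddresses", "value": "192.0.2.10", "bundle": "demo",
     "update_time": "2021-01-01T11:00:00.000Z", "enrichment": "severity=Low"},
    {"type": "Hashes", "value": "d41d8cd98f00b204e9800998ecf8427e", "bundle": "demo",
     "update_time": "2021-01-01T12:00:00.000Z", "enrichment": "severity=Medium"},
]

def fake_fetch(start_date: str, limit: int) -> dict:
    """Serve one page: only IOCs updated after start_date, at most `limit` of them (assumed API behaviour)."""
    newer = sorted((i for i in SAMPLE_FEED if i["update_time"] > start_date),
                   key=lambda i: i["update_time"])[:limit]
    next_start = newer[-1]["update_time"] if newer else start_date
    return {"kind": "iocs", "request_date": "2021-01-02T00:00:00.000Z", "iocs": newer,
            "next_start_date": next_start,  # placeholder host below, not the real API root URL
            "next": f"https://EXAMPLE-API/iocs?start_date={next_start}&limit={limit}"}

def map_ioc_event(page: dict, ioc: dict) -> dict:
    """Build one ArcSight-style event from one /iocs element, as the parser file maps it."""
    event = {"deviceVendor": "Intsights", "deviceProduct": "Intsights Virtual Appliance",
             "deviceReceiptTime": datetime.fromisoformat(page["next_start_date"].replace("Z", "+00:00")),
             "deviceCustomString6": page["next"]}          # absolute tokens: from the page root
    for field, (key, label) in FIELD_MAP.items():
        event[field], event[field + "Label"] = ioc[key], label   # relative tokens: from the element
    return event

def pull_delta(fetch, start_at_time: str, limit: int = 5000) -> list:
    """Follow next_start_date until nothing newer is returned; re-running from the
    last next_start_date therefore yields zero IOCs, which is the delta behaviour."""
    events, start = [], start_at_time
    while True:
        page = fetch(start, limit)
        events.extend(map_ioc_event(page, ioc) for ioc in page["iocs"])
        if not page["iocs"]:
            return events
        start = page["next_start_date"]
```

Lowering `limit` in the call, as the table above describes for the URL, only changes how many pages the pull takes, not which IOCs arrive.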

To begin pulling IOCs:

  1. Start the new connector.
  2. Log in to the ArcSight console.
    Once IOCs are collected in the Threat Command IOC group, they are displayed in the ArcSight console.
  3. If you also pulled the event stream, you can view the events by creating a channel in the ArcSight console.