Integrate an ArcSight REST On-Premises Device

Configure an ArcSight REST FlexConnector on-premises device to pull IOCs from Threat Command.

The following list shows device-specific integration characteristics:

  • Method of pull: All new IOCs that were discovered since the previous update are pulled.
  • IOC types supported: Domains, MD5 file hashes, IP addresses, and URLs. In addition, you can choose to pull the IOC event stream, including events such as add or delete.
  • IOC group limitation: All IOC types can be pulled in the same group.
  • Device IOC limit: The device is limited to 300,000 IOCs.

Pulled IOCs are accompanied by the following Rapid7 enrichment data:

  • Alert ID
  • Severity
  • Last seen
  • First seen
  • Source name

(Enrichment data is sent when using the Threat Command virtual appliance v3.8 and later. In earlier versions, only the IOC is sent.)

To integrate the device, perform these steps (described in the following sections):

  1. Add an ArcSight FlexConnector REST on-premises device.
    Note: Only ArcSight Connector v7.10 is supported.
  2. Configure an ArcSight FlexConnector REST device to pull IOCs.
    At this point, you must choose whether to pull only enriched IOCs or to also pull the event stream.
  3. Add a connector configuration file.

Add an ArcSight REST on-premises device

The procedure to add the device to Threat Command is different depending on the version of the Threat Command virtual appliance in your environment. To determine which version is running, see Determine the Version of Virtual Appliance.

Add the on-premises device

Add the device in virtual appliance v3.9

Prerequisites:

  • The Threat Command virtual appliance web interface is configured and you can access it.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. From an internet browser, navigate to https://<virtual appliance IP address>
  2. Log in to the virtual appliance using the web access username and password.
  3. From the Devices page, click Devices (Pull).
  4. Click Add new device.
  5. In the Devices (Pull) screen, set up the new device:
    1. Type a user-defined, unique device name.
    2. Select the device type.
    3. Click Create.
  6. Verify that the new device was added:
    1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
    2. From the main menu, select Automation > Integrations.
      If this window is already open, refresh it by selecting Automation > Integrations from the menu.
      The new device is displayed in the On-Premises tab.

Add the device in virtual appliance v4.0

Prerequisites:

  • You have the credentials to access the Threat Command virtual appliance web interface.
  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add the device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click On-Premises.
  4. Click Add new device.
  5. In the Add New On-Premises Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.

Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure an ArcSight REST device to pull IOCs

After a device has been added to the Threat Command virtual appliance, you must enable it to pull IOCs from Threat Command.

Configuration for on-premises devices

When configuring an on-premises device, it is important to know which version of the Threat Command virtual appliance is running in your environment. This will affect which Rapid7 URL is displayed in the Device Details screen and also which URL to copy into the device management console.


When running version 4.0 or later, use the Legacy URL only when directed to by Rapid7 support.

To determine which version of the virtual appliance is running, see Determine the version of virtual appliance.

Prerequisites

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.
  • You can download and execute the ArcSight Connector file (v7.10 only).
  • You have the device hostname, username, and password.
  • You know whether you want to pull only IOCs or IOCs and the event stream.
  • For on-premises devices, you know which version of the virtual appliance is running in your environment.
  • You have the certificate information (optional).

To edit an existing connector configuration, see Change Existing ArcSight Configuration.

First, set up a connector, then add a connector configuration file. Some of the steps will differ depending on whether you are pulling only IOCs or IOCs and the event stream.

To set up a connector:

  1. Download and run the ArcSight Connector executable file.

  2. In the installation wizard Introduction screen, click Next.

  3. In the Choose Install Folder screen, select an empty folder for the ArcSight connector. Remember the directory you use; the parser file is created under it later. For this example, C:\program files\IntsightsRestArcSightSmartConnectors is used.

  4. Click Next.

  5. In the Pick Shortcut Folder screen, select where to create a program icon, then click Next.

  6. In the Pre-Install Summary screen, review the details, then click Install
    The ArcSight Connector setup begins. This process can take some time.

  7. In the Connector Setup screen, select Add a Connector, and then click Next.

  8. In the Connector to configure screen, select ArcSight FlexConnector REST, then click Next. The Parameter details screen opens; fill it in with the values from the Threat Command Device Details screen for the ArcSight device, as described in the next two steps.

  9. Display the Threat Command device details:

    1. From Threat Command, select Automation > Integrations.
    2. From the On-Premises device list, select the ArcSight REST device that was added.
    3. Click the Device Details link at the top of the screen.
      Use these device details in the next step.
  10. In the ArcSight Parameter details screen, type the information for your device, using the values from the Threat Command Device Details dialog:

    Port, User Name, and Password: As needed, per client (optional).
    Configuration File: intsights (required). Type "intsights" in lowercase. This configuration file is created after the connector is installed.
    Events URL: Which URL to use depends on what you want to pull. (For virtual appliance v3.9 or earlier, click the link and copy the relevant Legacy URL.)
      To pull IOCs only, use the REST IOCs URL from the Threat Command Device Details screen. Example:
      https://rest.intsights.com/arcsight/events/5abcef01234567890abcdef0?start_date=$START_AT_TIME&limit=5000
      To pull the IOCs and the event stream, use the REST IOC Events URL from the Threat Command Device Details screen. Example:
      https://rest.intsights.com/arcsight/eventstreams/5abcef01234567890abcdef0?start_date=$START_AT_TIME&limit=5000
      In either case:
      - Do not change $START_AT_TIME; the connector substitutes it at run time.
      - Replace [APPLIANCE IP/URL] with the actual Threat Command virtual appliance IP address or URL (in the examples above, https://rest.intsights.com).
      - You can control the rate of events by specifying a different limit. For example, use limit=1000 to receive 1000 events at a time:
        https://rest.intsights.com/arcsight/events/5bfe93cbf5ea810645c33a?start_date=$START_AT_TIME&limit=1000
        https://rest.intsights.com/arcsight/eventstreams/5bfe93cbf5ea810645c33a?start_date=$START_AT_TIME&limit=1000
    Authentication Type: Basic (required).
    User Name: From the Threat Command Device Details (required).
    Password: From the Threat Command Device Details (required).
    OAuth2 Client Properties File: Optional.
    Refresh Token: Optional.
  11. After typing the parameters, click Next.

  12. In the destination type screen, select ArcSight Manager (encrypted), then click Next.
    The Connector Setup wizard begins.

  13. In the destination parameters screen, type the ArcSight Manager hostname, username, and password, and then click Next.

  14. In the connector details screen, type values for the Name, Location, Device Location, and a comment (optional).
    These user-defined details are used later to identify events emerging from this connector.

  15. Click Next.

  16. In the certificate screen, select whether to import a certificate, then click Next.
    The import process can take a while. When it is complete, the summary screen appears.

  17. Click Next.

  18. In the service or standalone screen, select an option, then click Next.

  19. At the Continue or Exit screen, select Exit, then click Next.

  20. Click Done.
    The connector setup is complete. Next, add the connector configuration file.

To add a connector configuration file:

  1. Use a text editor to create intsights.jsonparser.properties in the [INSTALL_FOLDER]\current\user\agent\flexagent\ folder.
    The filename must begin with the value that was entered in the Configuration File field in the ArcSight Parameter details screen.
  2. Use one of the following for the file contents. In both files, locations that begin with a slash are read from the root of the response; all other locations are read from each element of the array named by trigger.node.location, and one event is produced per element.

    Pull IOCs only

    # One event per element of the /iocs array
    trigger.node.location=/iocs
    token.count=9
    # Root-level fields (leading slash)
    token[0].name=kind
    token[0].type=String
    token[0].location=/kind
    token[1].name=requestDate
    token[1].type=String
    token[1].location=/request_date
    # Per-IOC fields (relative to each element of /iocs)
    token[2].name=iocType
    token[2].type=String
    token[2].location=type
    token[3].name=iocValue
    token[3].type=String
    token[3].location=value
    token[4].name=bundle
    token[4].type=String
    token[4].location=bundle
    token[5].name=updateTime
    token[5].type=String
    token[5].location=update_time
    token[6].name=enrichment
    token[6].type=String
    token[6].location=enrichment
    # Pagination fields used for the next pull
    token[7].name=nextStartDate
    token[7].type=String
    token[7].location=/next_start_date
    token[8].name=nextUrl
    token[8].type=String
    token[8].location=/next
    # Map tokens to CEF event fields
    event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
    event.deviceCustomString6=nextUrl
    event.deviceVendor=__stringConstant("Intsights")
    event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
    event.deviceCustomString1=iocType
    event.deviceCustomString1Label=__stringConstant("IOC type")
    event.deviceCustomString2=iocValue
    event.deviceCustomString2Label=__stringConstant("IOC value")
    event.deviceCustomString3=bundle
    event.deviceCustomString3Label=__stringConstant("bundle")
    event.deviceCustomString4=updateTime
    event.deviceCustomString4Label=__stringConstant("IOC update time")
    event.deviceCustomString5=enrichment
    event.deviceCustomString5Label=__stringConstant("IOC enrichment")

    Pull IOCs and event stream

    # One event per element of the /events array
    trigger.node.location=/events
    token.count=10
    # Root-level fields (leading slash)
    token[0].name=kind
    token[0].type=String
    token[0].location=/kind
    token[1].name=requestDate
    token[1].type=String
    token[1].location=/request_date
    # Per-event fields (relative to each element of /events)
    token[2].name=iocType
    token[2].type=String
    token[2].location=type
    token[3].name=iocValue
    token[3].type=String
    token[3].location=value
    token[4].name=bundle
    token[4].type=String
    token[4].location=bundle
    token[5].name=eventDate
    token[5].type=String
    token[5].location=event_date
    token[6].name=eventType
    token[6].type=String
    token[6].location=event_type
    token[7].name=enrichment
    token[7].type=String
    token[7].location=enrichment
    # Pagination fields used for the next pull
    token[8].name=nextStartDate
    token[8].type=String
    token[8].location=/next_start_date
    token[9].name=nextUrl
    token[9].type=String
    token[9].location=/next
    # Map tokens to CEF event fields
    event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
    event.deviceCustomString6=nextUrl
    event.deviceVendor=__stringConstant("Intsights")
    event.deviceProduct=__stringConstant("Intsights Virtual Appliance")
    event.deviceCustomString1=iocType
    event.deviceCustomString1Label=__stringConstant("IOC Type")
    event.deviceCustomString2=iocValue
    event.deviceCustomString2Label=__stringConstant("IOC Value")
    event.deviceCustomString3=bundle
    event.deviceCustomString3Label=__stringConstant("Bundle")
    event.deviceCustomDate1=__createOptionalTimeStampFromString(eventDate,"YYYY-MM-DDThh:mm:ss.SSSX")
    event.deviceCustomDate1Label=__stringConstant("Event Date")
    event.deviceCustomString4=eventType
    event.deviceCustomString4Label=__stringConstant("Event Type")
    event.deviceCustomString5=enrichment
    event.deviceCustomString5Label=__stringConstant("IOC enrichment")
    # Verbose parser logging; useful while verifying the mapping, disable once the pull works
    log.global.debug=true
    log.channel.file.property.package.com.arcsight=0

  3. Save and close the file.
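
A way to check either parser mapping against a captured response before the connector is started, as an added example that is not part of the Rapid7 documentation or the ArcSight product: it reimplements only the handful of FlexConnector REST parser rules the two files above rely on (the trigger array, root-relative versus element-relative locations, constant and timestamp assignments) and runs them over a constructed response. The host, device ID, IOC values and the trimmed copy of the properties text are assumptions made for the example.

```python
"""Offline check of a FlexConnector REST jsonparser.properties mapping.

Added example, not Rapid7 or ArcSight code. It reimplements only the rules the
mappings on this page rely on: trigger.node.location names the JSON array whose
elements become events; a token location starting with "/" is read from the
response root, any other from the current array element; event.* lines assign
a token, a __stringConstant("...") literal or a
__createOptionalTimeStampFromString(token, fmt) value to a CEF field.
"""
import re
from string import Template

# "Pull IOCs only" mapping from this page, trimmed: token[n].type lines dropped
# (unused here) and only enough event.* lines kept to exercise each form.
PROPERTIES = """
trigger.node.location=/iocs
token.count=9
token[0].name=kind
token[0].location=/kind
token[1].name=requestDate
token[1].location=/request_date
token[2].name=iocType
token[2].location=type
token[3].name=iocValue
token[3].location=value
token[4].name=bundle
token[4].location=bundle
token[5].name=updateTime
token[5].location=update_time
token[6].name=enrichment
token[6].location=enrichment
token[7].name=nextStartDate
token[7].location=/next_start_date
token[8].name=nextUrl
token[8].location=/next
event.deviceReceiptTime=__createOptionalTimeStampFromString(nextStartDate,"YYYY-MM-DDThh:mm:ss.SSSX")
event.deviceCustomString6=nextUrl
event.deviceVendor=__stringConstant("Intsights")
event.deviceCustomString1=iocType
event.deviceCustomString2=iocValue
event.deviceCustomString5=enrichment
"""

# Constructed sample response; host, device ID and values are placeholders.
SAMPLE_RESPONSE = {
    "kind": "iocs", "request_date": "2024-05-01T10:00:00.000Z",
    "iocs": [
        {"type": "IpAddresses", "value": "203.0.113.10", "bundle": "demo-group",
         "update_time": "2024-05-01T09:58:12.000Z", "enrichment": "severity=High"},
        {"type": "Domains", "value": "bad.example", "bundle": "demo-group",
         "update_time": "2024-05-01T09:59:40.000Z", "enrichment": "severity=Medium"},
    ],
    "next_start_date": "2024-05-01T10:00:00.000Z",
    "next": "https://appliance.example/arcsight/iocs/DEVICEID?start_date=2024-05-01T10:00:00.000Z&limit=5000",
}

CONSTANT = re.compile(r'__stringConstant\("(.*)"\)')
TIMESTAMP = re.compile(r'__createOptionalTimeStampFromString\((\w+),"[^"]*"\)')


def parse_properties(text):
    """Java .properties subset: key=value per line; blanks and # comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(location, root, node):
    """Leading '/' resolves from the response root, otherwise from the element."""
    current = root if location.startswith("/") else node
    for part in location.strip("/").split("/"):
        if not isinstance(current, dict) or part not in current:
            return None  # missing field: the token stays empty
        current = current[part]
    return current


def map_event(props, root, node):
    """Apply the token[] table and event.* lines to one trigger element."""
    tokens = {props[f"token[{i}].name"]: resolve(props[f"token[{i}].location"], root, node)
              for i in range(int(props["token.count"]))}
    event = {}
    for key, value in props.items():
        if not key.startswith("event."):
            continue
        if m := CONSTANT.fullmatch(value):
            event[key[6:]] = m.group(1)
        elif m := TIMESTAMP.fullmatch(value):
            event[key[6:]] = tokens.get(m.group(1))  # kept as the raw ISO string here
        else:
            event[key[6:]] = tokens.get(value)
    return event


def events_from_response(props, response):
    """One event per element of the trigger array; an absent array yields none."""
    nodes = resolve(props["trigger.node.location"], response, response) or []
    return [map_event(props, response, node) for node in nodes]


def fill_events_url(url_template, start_at_time):
    """The connector substitutes $START_AT_TIME itself; keep it verbatim in the Events URL."""
    return Template(url_template).substitute(START_AT_TIME=start_at_time)
```

Point parse_properties at the real intsights.jsonparser.properties and events_from_response at a response captured with the Device Details credentials to confirm that every token resolves before starting the connector: a token that comes back as None means its location does not match the response shape, which is the usual cause of empty events in the console. fill_events_url shows what the connector does with $START_AT_TIME, which is why that placeholder must be left untouched in the Events URL field.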

To begin pulling IOCs:

  1. Start the new connector.
  2. Log in to the ArcSight console.
    Once IOCs are collected in the Threat Command IOC group, they are displayed in the ArcSight console.
  3. If you also pulled the event stream, you can view the events by creating a channel in the ArcSight console.