Purpose
This document provides setup information on the ArcSight integration.
Introduction
ArcSight is a Syslog service developed by HP and is available in the systems that offer the Syslog feature. To date that is only HIAB.
Before enabling ArcSight in the HIAB, the ArcSight server needs to be set up and configured.
Set Up ArcSight
To enable ArcSight:
-
Go to Menu > Settings > Integrations.
-
Select the Syslog tab.
-
Check the Arcsight: checkbox as shown in the figure.
-
Click Save.
When ArcSight is enabled, the Syslog message is built differently to fit into the ArcSight protocol.
Using ArcSight
When a Syslog event is activated, an ArcSight message is built instead of the ordinary Syslog message.
The Syslog message is sent to the ArcSight logger or the connector. When the logger shows the message, it is divided into columns that is easier to work with than the raw data.
No ArcSight specific errors should occur. If the ArcSight server has errors it is due to the Syslog implementation, not the ArcSight implementation.
It is recommended that the customer uses ArcSight together with TLS. If the logger cannot work with the TLS messages, a connector is recommended to be able to do so.
There is no maintenance needed for ArcSight, but the logger or the Syslog settings must be updated if IP numbers or other information are switched.
Examples:
A Syslog Message
Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" Has Exploits: "false" – Medium
An ArcSight Message
dvc=192.168.202.6 spt=110 cs1Label=Script Name cs1=Unencrypted Remote Authentication Available - POP3 cs4Label=BugTraq cs4=No bugtraq cs2Label=CVE cs2=No CVE deviceCustomDate1Label=First Seen deviceCustomDate1=Nov 21 2016 11:08:00 deviceCustomDate2Label=Last Seen deviceCustomDate2=Nov 24 2016 18:08:00 msg=Script Id: 219784 New: 0 Family: pop3 Product: Unencrypted Remote Authentication Has Exploits: false
Related Articles
- Windows 10/Windows 2019 Server
- HIAB Updates
- General Information about SMB/WinRM Scanning
- Change Risk Levels
- Removing an Agent from Windows
- ServiceNow - Legacy
- Windows 8.1
- Netsec Filters
- Discovering the Agent in OUTSCAN
- Technical Specification
- Account Settings
- How to Test SMB Authentication
- Windows 2016 Server
- Identity Provider Settings
- HIAB Server Settings
- Installing a Linux Agent
- Okta Identity Provider Configuration
- Scanning-Less Scanning
- Check Connectivity to Agent Server
- Scan Scheduling Errors
- Overview
- Event Notification Module
- HIAB Maintenance Settings
- HIAB Deployment Guide
- Database Connector (HIAB only)
- Azure AD Identity Provider Configuration
- Add Comments
- Target Groups
- Checking if Agent is Running
- Core Installation
- Windows 2008 R2 Server
- Agent Installation Introduction
- Automatic Asset Joining With Netsec
- Manage Users
- Firewall Setup for Agents
- Scanning Range
- SNMP (HIAB only)
- ADFS Identity Provider Configuration
- Splunk
- Agent Call Home
- Advanced Report Filters
- Accept Risks
- SMB Authentication from OUTSCAN/HIAB
- Virtual HIAB Appliance
- Using the Agent Info Command
- Amazon
- User Roles
- Removing an Agent from Linux
- Retrieving the Agent UUID
- Atlassian Jira
- Understanding Scanner and Scheduler
- Finding the Agent Version
- Create and Edit Event Notifications
- Installing a macOS Agent
- Syslog (HIAB only)
- Setting Up an Agent Using System Proxy
- ServiceNow - App
- Thycotic
- DNS Lookup in UI and in Console
- HIAB Console
- Auditing Guide
- Adding Agent Attributes
- HIAB Distribution Settings
- Run Verification Scans
- Agent Latest Version
- Finding New Agents In OUTSCAN
- Setting up a HIAB as an Appsec Scale Scanner
- Checking Schedules from OUTSCAN in Agent
- Hardening the HIAB
- Performing a PCI DSS Scan
- Two Factor Authentication
- Attributes
- Firewall Rules
- HIAB Enrollment
- Supported Platforms for Authenticated SSH Scanning
- Authenticated Scanning Using WinRM
- OneLogin Identity Provider Configuration
- Windows 7
- HIAB Remote Support
- Compliance Scanning
- Manage Targets
- Assign Tasks
- Authenticated Scanning Using SSH
- Tickets Quick Start Guide
- Retrieving Results From the Agent in OUTSCAN
- Appliance Logs
- Converting Normal with Webapp Scans (Netsec) to Portal Workflows
- Updating the Agent
- Troubleshooting SMB Authentication
- Agent Licensing
- Mark as False Positives
- Installing a Windows Agent
- Using Farsight in Netsec
- Testing Target System for Open TCP Ports
- HIAB Restore
- Scan Stages
- Request Clarifications
- HIAB Setup Guide
- Updating Agent Attributes
- CyberArk
- LDAP/AD
- Checking if the Agent has Produced Results
- ArcSight (HIAB only)
- HIAB E-mail Whitelisting
- Adjust Identity Provider SAML Metadata File
- Scanning Critical Industrial Devices/Machines
- Reporting Tools
- Scan Scheduling
- Scanning Performance and Impact Tuning
- PCI Compliance Scanning
- Configuring and Accessing the HIAB console using SSH
- User Groups
- Create Users
- HIAB Remote SSH Guide
- Download Agents
- Create Targets
- Windows 2012 R2 Server
- HIAB Backup
- Report Scheduling
- Access Tokens
- O24AUTH
- Complementary Authenticated Scan on Default Credentials
- Authenticated Scanning Using SMB
- Dynamic Target Group