ArcSight

Integration version: 36.0

Security Events Connector Prerequisites

This connector works with the reports that are being automatically generated in ArcSight. The connector downloads the generated report, extracts event IDs, and then uses ArcSight API to get more details about events.

Configure Security Events Connector

  1. Log in to the ArcSight console.

  2. Navigate to the Reports tab and go to the Query section.

  3. To create a new query, enter the following query name: Google SecOps SOAR Security Events Connector Query.

    Pay attention to the Start Time and End Time parameters. It is recommended to query data in one-hour interval, but you can increase the interval, if necessary.

    Example configuration:

    • Name: Google SecOps SOAR Security Events Connector Query
    • Query On: Event
    • Start Time: $Now - 1h
    • End Time: $Now
    • Use as TimeStamp: End Time
    • Row Limit: 5000

  4. Define Fields for the query. In terms of fields, you need to have the following:

    • Event ID
    • Name
    • Start Time
    • End Time
    • Priority

    Make sure you have End Time ASC in the Order By column.

  5. Set Conditions. This is where you can provide your own filter.

  6. Save query.

  7. Go to the Reports section and create a new report. To specify the report, enter the following name: Google SecOps SOAR Security Events Connector Report. Use the same name for the Report Name parameter of the connector configuration.

  8. In the Data tab, select the query that was created in the previous steps as Data Source.

  9. In the Parameters tab, change the Report Format to csv to meet the connector requirements.

  10. Save report.

  11. Provide the name of the report in the connector configuration of the Report Name parameter.

  12. Do a test run to make sure that connector works as expected.

Forwarding connector prerequisites

Install and configure ArcSight Forwarding Connector

Before you begin

  1. To make all folders in SiemShare shareable, ensure that the following ports are open for TCP and UDP in both directions between the Google Security Operations SOAR server and ArcSight: 111, 1039, 1047, 1048, 2049.

  2. Download the cifs-utils package and install it:

    $ sudo yum install -y cifs-utils

Configure ArcSight Forwarding Connector

  1. Log in to the ArcSight console.

  2. Create an active list and call it Chronicle_SOAR_Correlations_Denylist. This active list will act as a denylist to correlations you select not to forward to Google Security Operations SOAR. By default, all correlations will be forwarded to Google Security Operations SOAR.

    Set the active list attributes as follows:

    • Name: Chronicle_SOAR_Correlations_Denylist
    • Optimize Data: clear checkbox
    • Capacity (x1000): 10
    • TTL Days: 1
    • TTL Hours: 0
    • TTL Minutes: 0

    In the Data section, select Event-based and add the Generator Name field.

  3. Create a new filter and call it Google Security Operations SOAR_Correlations_Filter. This filter will forward only the required correlations to Google Security Operations SOAR.

    Define the filter condition:

    • Event field name: Type
    • Logical operator: =
    • Conditions: Correlation

  4. Create a Chronicle_SOAR_App user group, with a Chronicle_SOAR_App user in it. This user will be used by ArcSight Forwarding Connector.

    1. Go to the Attributes tab and set the User Type attribute to Forwarding Connector.

    2. On the Resources tab, right-click the created user group.

    3. From the menu, choose Edit Access Control.

    4. In the Inspect/Edit window for the ACL Editor:

      1. In the Events tab, add the previously created filter Google Security Operations SOAR_Correlations_Filter.

      2. Use default settings for other tabs.

  5. Download and install ArcSight Forwarding Connector on Linux.

    For more information about how to install ArcSight Forwarding Connector, see ArcSight product documentation.

  6. Configure ArcSight Forwarding Connector, using CLI access to the ESM (direct access).

    Configure the connector general parameters:

    • ArcSight ESM Host/IP: Provide your local ESM hostname

    • ArcSight ESM Port: Provide your local ESM port (by default 8443)

    • User Name: Provide the previously created user (example: Google Security Operations SOAR_App)

    • Password: Provide the corresponding password

      As part of the ArcSight Forwarding Connector installation, provide the Google Security Operations SOAR user credentials.

    Configure the connector destination parameters:

    • File Type: CSV

    • Event Fields: Mandatory

      event.name,event.managerReceiptTime,event.eventId,event.startTime,event.endTime,event.deviceProduct,event.sourceAddress,event.sourceHostName,event.destinationAddress,event.destinationHostName,event.customerURI

    • File Rotation Interval: 30 (seconds)

    • Write Format Header: True

Configure the Google Security Operations SOAR shared folder for ArcSight

Google Security Operations SOAR server

  1. Find the UID and GID in the /etc/passwd file:

    cat /etc/passwd | grep scripting

    The example output of the command is as follows:

    scripting:x:1001:1001:/home/scripting:/bin/bash

    The UID is the third field and the GID is the fourth in the command output.

  2. Create the script:

    1. Create a file and call it configure_smp_nfs.sh.

    2. Copy the following content into that file.

      #!/bin/bash

#Declare the variables:
uid=SCRIPTING_USER_UID
gid=SCRIPTING_USER_GID
arcsight_ip=ARCSIGHT_IP

#Install nfs-utils
yum install nfs-utils -y
#Create the directory that will be shared
mkdir /opt/Correlations
#Change the permissions
chmod -R 755 /opt/Correlations/
chown -R scripting:scripting /opt/Correlations/
#Start the services and enable them to be started at boot time
systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap
systemctl start rpcbind
systemctl start nfs-server
systemctl start nfs-lock
systemctl start nfs-idmap

#Edit the exports file as follows
echo "/opt/Correlations/ $arcsight_ip(rw,sync,all_squash,anonuid=$uid,anongid=$gid)">>/etc/exports
#Restart the NFS service and export the path
systemctl restart nfs-server
exportfs -a
#If FirewallD is running add the next rules:
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --permanent --zone=public --add-service=mountd
firewall-cmd --permanent --zone=public --add-service=rpc-bind
firewall-cmd --reload
setsebool -P nfs_export_all_rw 1

    3. Declare the uid, gid, and arcisght_ip variables according to your environment.

    4. Grant the permissions:

      chmod +x configure_smp_nfs.sh

    5. Run the script:

      ./configure_smp_nfs.sh

ArcSight server

  1. Create the script:

    1. Create a file and call it configure_smp_nfs.sh.

    2. Copy the following content into that file.

      #!/bin/bash
#Declare the variables:
siemplify_ip=SIEMPLIFY_IP

#Install nfs-utils
yum install nfs-utils -y
#Start the services and enable them to be started at boot time
systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap
systemctl start rpcbind
systemctl start nfs-server
systemctl start nfs-lock
systemctl start nfs-idmap
#If FirewallD is running add the next rules:
firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --permanent --zone=public --add-service=mountd
firewall-cmd --permanent --zone=public --add-service=rpc-bind
firewall-cmd --reload
#Create the NFS directory mount point
mkdir -p /mnt/nfs/var/SiemShare
#Add the values:
echo "$siemplify_ip:/opt/Correlations /mnt/nfs/var/SiemShare nfs defaults 0 0">>/etc/fstab
mount -a

    3. Declare the siemplify_ip variable according to your environment.

Note for the customers who use the old path

The hotfix installer overwrites the /opt/siemplify/Correlations folder permission to siemplifyadmin.

If you are using the old path and are applying the upgrade, then you need to change the permission back to the scripting user with the following steps:

  1. Before starting the upgrade, stop the NFS server service:

    _systemctl stop nfs-server_

  2. After the upgrade is complete, change the folder permissions:

    _chmod -R 755 /opt/siemplify/Correlations/_

    _chown -R scripting:scripting/opt/siemplify/Correlations/_

    _systemctl start nfs-server_

    _exportfs -a_

  3. To confirm that the NFS server is working correctly after the changes, check its status:

    _systemctl status nfs-server_

Create and configure a user for API access

  1. Log in to the ArcSight console.

  2. Create a Google Security Operations SOAR_API user group, with Google Security Operations SOAR_API user in it. This user will be used by Google Security Operations SOAR through ArcSight ESM API.

    1. Go to the Attributes tab and set the User Type attribute to Normal User.

    2. On the Resources tab, right-click the created user group.

    3. From the menu, choose Edit Access Control.

    4. In the Inspect/Edit window for the ACL Editor:

      1. In the Events tab, add the previously created filter Google Security Operations SOAR_Correlations_Filter. You can add any source filter for Google SecOps SOAR to have access to.

      2. Use default settings for other tabs.

      3. Click Add, select ArcSight System > Core, and select the All Events checkbox.

        It is important to verify that the All Events checkbox is selected. The minimum required is all the correlations' events that would be ingested into Google Security Operations SOAR.

        Filter Selector dialog

Google Security Operations SOAR uses the following main methods when using ArcSight ESM API:

  • Core Service: Login, GetSession

  • Manager Service: GetSecurityEvents

Network access with ArcSight ESM

Access from Google Security Operations SOAR to ArcSight ESM

Allow traffic over ports 443 (HTTPS) and 8443 (API over SSL), or as configured in your environment.

Access from ArcSight ESM to Google Security Operations SOAR

Allow traffic over ports 445 and 139 (SMB/SAMBA/CIFS), or as configured in your environment.

Function Ports Direction Protocol
NFS 111, 1039, 1047, 1048, and 2049 Outbound and inbound UDP
NFS 111, 1039, 1047, 1048, and 2049 Outbound and Inbound TCP

Configure ArcSight integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration configuration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the instance you intend to configure the integration for.
Description String N/A No Description of the instance.
API Root String https://{IP}:{PORT} Yes Server address of the ArcSight instance.
Username String N/A Yes Username of the ArcSight account.
Password Password N/A Yes Password of the ArcSight account.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Add Entries to Active List

Description

Provides a mechanism to get information from trends outside of, and in addition to, reports. Active lists updated by trends support summary views of information from multiple trends.

Parameters

Parameter name Type Default value Is mandatory Description
Columns String N/A Yes Example: Message;Username
Entries String N/A Yes Example: test1|Me1;Test|Me2
Active List UUID String N/A Yes Example: HCN75QGABABCZXCOdT9P51w==

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_succeed True or False is_succeed:False

Change Case Stage

Description

Change a case's stage. Valid stages are INITIAL, QUEUED, CLOSED, FINAL, and FOLLOW_UP.

Parameters

Parameter name Type Default value Is mandatory Description
Case Name String N/A Yes The name of the case to update.
Stage String N/A Yes The stage of the case. Example: CLOSED, INITIAL

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
success True or False success:False

Get Activelist Entries

Description

Retrieve ArcSight active list entries and return csv output.

Parameters

Parameter name Type Default value Is mandatory Description
Active list UUID String N/A Yes Example: HTcILQWABABCr553ieI0Xmw==

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
Success_Indicator N/A N/A
JSON result
[
"12346e4d96f0a72c42015d69aaf0e8ab ,
 file.txt",
 "0e0776034e5e096704cd28cbd40cdbb5 ,
 Test.config"
]

Get Query Results

Description

Get query results by query ID. A query can be used as the primary data source for a report, or a trend (based on one query) that can be used as the data source to another query that further refines the initial query result.

Parameters

Parameter name Type Default value Is mandatory Description
Query ID String N/A Yes The query ID.
Max Items To Return Integer 100 No Specify how many items to return in the response.

Use Cases

Add limitation for how many results to return.

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
success True or False success:False
JSON result
[
    {
        "Target User Name": "user",
        "Attacker Address": "1.1.1.1",
        "External ID": "127",
        "Name": "A Kerberos authentication ticket (TGT) was requested.",
        "Target Address": "1.1.1.1"
    },{
        "Target User Name": "user",
        "Attacker Address": "1.1.1.1",
        "External ID": "127",
        "Name": "A Kerberos authentication ticket (TGT) was requested.",
        "Target Address": "1.1.1.1"
    }
]

Get Report

Description

Get a report with dynamic fields. A report is an ArcSight resource that binds data from a query or trend to an existing report template. Once ran, the results of a report can be viewed in the ArcSight consoles viewer panel, saved (archived), and/or exported in a variety of formats. Reports can be scheduled to run at regular intervals and can be ran on-demand as needed.

Parameters

Parameter name Type Default value Is mandatory Description
Report Full Path (URI) String N/A Yes The relevant report uri.
Field 2 String N/A No The dynamic fields for the query to generate the report.
Field 3 String N/A No The dynamic fields for the query to generate the report.
Field 4 String N/A No The dynamic fields for the query to generate the report.
Field 6 String N/A No The dynamic fields for the query to generate the report.
Field 6 String N/A No The dynamic fields for the query to generate the report.
Field 7 String N/A No The dynamic fields for the query to generate the report.
Field 8 String N/A No The dynamic fields for the query to generate the report.
Field 9 String N/A No The dynamic fields for the query to generate the report.
Field 10 String N/A No The dynamic fields for the query to generate the report.

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
json_report N/A N/A

Is Value in Activelist Column

Description

Check if specific value is in active list .

Parameters

Parameter name Type Default value Is mandatory Description
Active list UUID String N/A Yes Active list uuid. Example: cuser.
Column name String N/A Yes The name of the column. Example: sourceUserName.

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
Success_Indicator N/A N/A

Ping

Description

Test Connectivity.

Parameters

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_succeed True or False is_succeed:False

Description

You can start a search at the ArcSight Command Center from the console event channel. Event Complete Search looks for the associated attribute, which is stored in several fields (for example, abc). The search for events searches for a value (for example, abc) stored in the field specified (for example, in the field of name only).

Parameters

Parameter name Type Default value Is mandatory Description
Search Query String N/A Yes The search query.
Max Items To Return Integer 100 No Specify how many items to return in the response.

Use Cases

Add limitation for how many results to return.

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
success True or False success:False
JSON result
[
    {
        "score": 1.2440307,
        "uuid": "TyJnM2jwBABCMzP5h6ZvXyQ==",
        "uri": "/All_Fields/ArcSight_Foundation/Variables_Library/IPv6/Attacker_IPv6_Address",
        "name": "Attacker IPv6 Address"
    }, {
        "score": 1.2440307,
        "uuid": "TyJnM2jwBABCMzP5h6ZvXyQ==",
        "uri": "/All_Fields/ArcSight_Foundation/Variables_Library/IPv6/Attacker_IPv6_Address",
        "name": "Attacker IPv6 Address"
    }
]

Connectors

Arcsight ESM Connector

Description

This topic illustrates the mechanism and configuration by which Google Security Operations SOAR connects to, and integrates with, ArcSight ESM along with supported working flows and actions taken within the platform.

This document refers to ArcSight ESM versions 6.9.1 and higher.

ESM Rule/Case Forwarding to Google Security Operations SOAR

Working with Triggered Rules/Correlations

You will be required to configure ArcSight ESM to forward the latest correlation objects to Google Security Operations SOAR while you configure Google Security Operations SOAR to function on ArcSight ESM as a SIEM provider, and also to provide API access to ArcSight ESM through an authorized user.

This feature allows Google Security Operations SOAR to retrieve any triggered rules within ArcSight ESM in near real-time and forward them to be translated and contextualized as alerts for cases.

Data Flow between Google Security Operations SOAR and ArcSight ESM

Google Security Operations SOAR automatically indexes and contextualizes correlations that were forwarded to Google Security Operations SOAR and were triggered in ArcSight ESM through ArcSight Forwarding Connector module and API access.

Connector's prioritization of severity

The connector assigns severity with the following prioritization values:

  • 1 and 2 - very low
  • 3 and 4 - low
  • 5 and 6 - medium
  • 7 and 8 - high
  • 9 and 10 - critical

Configure ArcSight ESM Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name Type Default value Is mandatory Description
Environment DDL N/A Yes

Select the required environment, for example, Customer One.

In case that the alert's Environment field is empty, this alert will be injected to this environment.
Run Every Integer 0:0:0:10 No Select the time to run the connection.
Product Field Name String device_product No The field name used to determine the device product.
Event Field Name String name No The field name used to determine the event name (sub-type).
Script Timeout (seconds) String 500 No The timeout limit (in seconds) for the python process running the current script.
Server Address String N/A Yes https://{IP}:{PORT}
Username String N/A Yes Username of the ArcSight account.
Password Password N/A Yes The password of the ArcSight account.
Events Count Limit Integer 15 Yes Enter the maximum number of events to fetch per correlation. Limit the number of events, for example, 10.
Cases Folder Path String I:\SiemShare\CorrelationSource Yes

The location of the case files. For example: I:\SiemShare\CorrelationSource

Note: The Cases Folder Path parameter can be changed from one customer to another.

Full path. Example: C:\Desktop\CorrelationSource
Alerts Count Limit Integer 10 Yes The maximum number of alerts to process per connector cycle, for example, 10.
Environment Field Name String event.customerURI Yes The name of the field to get the case's environment, for example, event.customerUri.
Secondary Device Product Field String N/A No Replace the original product field (from the connector's DeviceProductField with the value from the secondary product field). Example: CustomDeviceString2
Alert Custom Fields Names String N/A No Pull custom field values from ArcSight into the alert, for examplle, baseEventCount,agent_address,device_assetId.
Done files retention days Integer 3 Yes How many days, to keep each DONE csv file.
Error files retention days Integer 14 Yes How many days, to keep each ERROR csv file.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports Proxy.

ArcSight - Security Events Connector

Description

Pull correlations from ArcSight. This connector is suitable for Saas deployment of Google Security Operations SOAR and is the recommended one for production use.

This connector requires completing the prerequisite steps.

Configure ArcSight - Security Events Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String type Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String name Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern String .* FALSE No

A regex pattern to run on the value found in the Environment Field Name field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds) Integer 360 Yes Timeout limit for the python process running the current script.
API Root String https://{ip} Yes API root of the ArcSight instance.
Username String N/A Yes Username of the ArcSight account.
Password Password N/A Yes Password of the ArcSight account.
Report Name String N/A Yes Name of the report that will be used to fetch events.
Fetch Base Events Checkbox Checked Yes If enabled, connector will also fetch base events.
Lowest Priority To Fetch Integer N/A No Lowest priority that will be used to fetch events. Possible values are in range 1 to 10. If nothing is provided, all events will be ingested.
Max Events To Fetch Integer 100 No How many alerts to process per one connector iteration. Maximum is 1000.
Use dynamic list as a blocklist Checkbox Checked Yes If enabled, dynamic list will be used as a blocklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the ArcSight server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports Proxy.

Jobs

Close Cases

Job configuration parameters

Parameter name Type Default value Is mandatory Description
Server Address String x.x.x.x Yes N/A
Username String N/A Yes N/A
Password Password N/A Yes N/A