ArcSight ESM
Connector Category: Security Information and Event Management (SIEM) Tool
About Integration
ArcSight Enterprise Security Manager (ESM) is a SIEM tool that collects security log data from an enterprise’s security technologies, operating systems, applications, and other log sources. It analyzes the security log data for signs of compromise, attacks, or other malicious activity.
The ArcSight ESM internal application in Intel Exchange supports the following actions:
| Action Name | Description |
|---|---|
| Update Active List | This action updates the active list of ArcSight ESM with the threat intel retrieved from Intel Exchange. |
Use Cases
Add real-time threat intelligence to ArcSight event data.
Continuously gather, categorize, and risk-rank threat intel (by severity and confidence) in CTIX.
Deliver real-time intelligence to the ArcSight instance for monitoring and detection of security threats in the enterprise infrastructure.
Allow security and threat intelligence teams to recognize high-priority threats to the business.
To configure ArcSight ESM as an internal application in CTIX, do the following:
Configure ArcSight ESM App in CTIX
Configure ArcSight ESM as an internal application in CTIX to update Active Lists in ArcSight ESM with threat data from CTIX. ArcSight ESM uses the Active Lists updated with information from CTIX to correlate, investigate, and report incidents in an organization's network.
An ArcSight active list is an ESM resource that stores event data or fields (not entire events) for a definite or indefinite period.
Before you Start
You must have the base URL, username, and password to configure the ArcSight ESM application.
You must have the View & Update Tool Integration and View Tool Integration permissions.
Steps
Sign in to CTIX.
Navigate to Administration, select Integration Management, and select Internal Applications under Tool Integrations.
Select Security Information and Event Management System, and select ArcSight.
Click Add Instance.
Enter the instance name, base URL, username, and password.
To verify and secure the connection between the ArcSight ESM and CTIX servers, select Verify SSL.
Click Save.
Enable the Update Active List Action
After configuring the application, enable the action to update the ArcSight ESM active list.
Steps
Navigate to Administration, select Integration Management, and select Internal Applications under Tool Integrations.
Select Security Information and Event Management System, and select ArcSight.
Click the ellipsis on the top right corner and select Manage.
Click Manage Action(s).
Select the action and enable the toggle switch.
Click Save.
Create a Rule to Update the ArcSight ESM Active List
Create a rule in CTIX to automatically update the fields of the selected active list in the ArcSight ESM platform.
Before you Start
You must have the Create Rule, View & Update Rule, and View Rule permissions.
Steps
Navigate to Main Menu, and select Rules under Actions.
Click New Rule, and enter a rule title.
Click Add.
Select a source and collection from which CTIX polls data, and define a condition.
Choose the following to define the action:
Select Update Active List as the action.
Select ArcSight as the application to implement the rule.
Select an account to identify the instance to run the rule.
Select the reference ID of the active list in which the fields will be updated.
Select the fields, such as TLP score and labels, to update in the active list on the ArcSight ESM app.
Ensure that the field names exactly match the field names defined on the ArcSight platform. Field names are case-sensitive, and the active list may not receive data from CTIX if the name or number of fields does not match.
Click Save.
After the rule is run, you can view the active list on the ArcSight platform with the updated fields.
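The field-matching requirement above is the usual reason an Update Active List rule saves cleanly but delivers nothing. The pre-flight check below is an added illustration, not code from CTIX or ArcSight: it takes the column names defined on the active list and the field names selected in the rule (both constructed sample lists here, since the helper does not talk to either product) and reports case-only slips, unknown fields, and a field-count mismatch before the rule is saved.

```python
"""Pre-flight check for a CTIX -> ArcSight ESM active-list field mapping.

Hypothetical helper (not part of CTIX or ArcSight). Given the column names
defined on the target active list and the field names a rule will send, it
reports the mismatches the Update Active List action would otherwise fail on
silently: case-sensitive name differences, unknown fields, and a different
number of fields.
"""
from dataclasses import dataclass, field


@dataclass
class MappingReport:
    count_ok: bool
    case_mismatches: list = field(default_factory=list)   # (rule_field, list_column)
    missing_in_list: list = field(default_factory=list)   # rule fields the list lacks
    unmapped_columns: list = field(default_factory=list)  # list columns the rule never fills

    @property
    def ok(self) -> bool:
        return self.count_ok and not (
            self.case_mismatches or self.missing_in_list or self.unmapped_columns)


def check_mapping(active_list_columns, rule_fields) -> MappingReport:
    report = MappingReport(count_ok=len(active_list_columns) == len(rule_fields))
    columns = set(active_list_columns)
    by_lower = {c.lower(): c for c in active_list_columns}
    for f in rule_fields:
        if f in columns:
            continue                      # exact, case-sensitive match
        if f.lower() in by_lower:         # same name, different case: the classic trap
            report.case_mismatches.append((f, by_lower[f.lower()]))
        else:
            report.missing_in_list.append(f)
    covered = {f for f in rule_fields if f in columns} | {c for _, c in report.case_mismatches}
    report.unmapped_columns = [c for c in active_list_columns if c not in covered]
    return report


# Constructed sample: column names as defined on the active list (assumed names) ...
ACTIVE_LIST_COLUMNS = ["indicator_value", "indicator_type", "tlp", "labels", "confidence"]
# ... and the fields selected in the CTIX rule, with one case slip and one typo.
RULE_FIELDS = ["indicator_value", "indicator_type", "TLP", "lables", "confidence"]

if __name__ == "__main__":
    r = check_mapping(ACTIVE_LIST_COLUMNS, RULE_FIELDS)
    print("mapping ok" if r.ok else f"fix before saving: {r}")
```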