Our development team added support for another SIEM solution. Now, not only Splunk and ElasticSearch, but also ArcSight NetFlow Integration is available to Plixer’s customers.

New to ArcSight?

HP ArcSight SIEM solution is a threat detection and compliance management platform with a flexible architecture. It is designed to identify security threats and track incident response activities. It also allows for simplifying audit and compliance activities.

ArcSight’s tools combine log information from a variety of sources such as firewalls and IDS/IPS.   The collected data enables them to record and report on security incidents that take place on the network. The ArcSight’s library of Connectors provides support for leading security commercial products. Its Data Platform can be placed either on-site or inside the cloud environment.

ArcSight’s key features include

  • Real-Time Event Correlation
  • Secure and Efficient Data Storage
  • Instant Detection of Activities
  • Compliance Insight Packages.

Even though SIEMs may claim that they look at flow and packet data, it is only a tertiary function. In other words, they only do it so much as to investigate something they uncover with the logs.

ArcSight’s integration with Scrutinizer leverages the traditional sources of SIEM data with flow-based information.  Customers can now dig deeper into the network to see where threats are originating and how the network is being used. The benefits of integration include reducing the Mean Time to Know (MTTK) and streamlining IT’s Mean Time to Repair (MTTR) the issue.

How to Set up the ArcSight NetFlow Integration?

I will focus on the simplest integration today. We are going to create a way for the user to click on an IP address in Scrutinizer and select the HP ArcSight menu option. By selecting ‘HP ArcSight,’ it will pass the time frame and IP address variables in a URL string.

First things first, let’s install ArcSight to a virtual machine with the IP address of 10.30.10.223 in Plixer’s test lab.

To launch the ArcSight interface from Scrutinizer NetFlow Analyzer, we have to place the above URL below in a file called applications.cfg . The file can be found the /files/ directory of the Scrutinizer installation:

HP Arc, https://10.30.10.223/logger/search.ftl?ehr=1&ausm_query=%i&from=%hs&to=%he, HP Arc

Pay attention, a space is required between the comma and https! Notice above that the URL is preceded by [HP ArcSight, ] and appended with [, HP Arcsight]. These values declare the name of the option in the menu as it appears in the image below when you click on an IP address in Scrutinizer.  Alternatively, you can name it ‘ArcSight’.

Now it’s time to save the changes to the application.cfg file and put our integration with ArcSight to a test.

See it in Action!

As a result of the ArcSight NetFlow Integration work we did, we can now go from an IP address found in NetFlow to the ArcSight system. The SIEM will then display the events for the host for the selected time frame.

Let’s take a look at our recently set up integration. I’m going to run a default report on our of our core router’s interfaces. Then I’ll click on any source or destination host IP address in the report table, go to the “Other Options” Menu and select HP Arc.

ArcSight NetFlow Integration

By selecting the above option, a browser is launched as shown below.

ArcSight interface

Notice the URL at the top, it’s the same IP address of 10.1.4.20  that we selected in Scrutinizer. Now we can see its event times, device and  logger information in the ArcSight interface as well. Pretty handy, isn’t it?

What’s Next?

Need assistance with setting up integration with ArcSight?  Please don’t hesitate to reach out to the members of our support team.

Anna McElhany

Anna McElhany

Anna is a Technical Support Engineer at Plixer. She is dedicated to resolving any product-related issues, assisting with device configurations, and making sure customers are getting the most out of Scrutinizer. Anna holds a degree in Computer Technology, the AWS Certified SysOps Administrator - Associate, CCNA R&S, CCNA Security, and CompTIA Network + and Security + certifications, as well as NSTISSI Security INFOSEC Professional recognition. In her free time, Anna enjoys spending time with friends and family, flying drones, and hiking.

Related