Threat Mapping/Geolocation

Hi All,

Pardon me to border you, I am looking at using our current ArcSight ESM Express set up without having to procure additional application to achieve set of attached above but it looks like steps are missing from some of the ArcSight documentation I have researched or  the one suggested by Hp ArcSight support team - .(ESM Console User’s Guide ArcSight ExpressTm v3.0 Featuring ESM with CORR Engine Storage).

The plan is to achieve these:

  • Attack pattern/Geo-location – similar to attached above

        - Allowing access to Google map for interpreting of the attacker IP address,Malware location etc).

  • Asset view/ Network discovery  – similar to above

I would be glad if someone could help from their wealth of experiences or point me to appropriate documentation(s) or videos.

Many thanks


  • ESM ArcSight has built-in geo-location. Whenever it receives an event with populated IP address fields (like sourceAddress, deviceAddress, destinationAddress), it generates geo information and fills appropriate fields like sourceCountryName, etc.

    For network mapping, the ESM has pretty complex network asset modeling. It is explained in the ArcSight Administration course. Asset network modeling includes:

    • assets (hosts)
    • network zones
    • networks
    • categories
    • locations
    • vulnerabilities

    Also it is able to take into account multiple private network zones within large organization, for example if you have two identical networks in different countries.

    But if you are looking for network maps visualization... well, it is very limited though ESM allows to put some background images to dashboards.


  • Hi Alex,

    Thanks for your reply.It is quite educative.

    Do you mind pointing me to the ESM_Admin or user Guide that explains most importantly how to generate the threat geolocation map I attached above or point me to resource where I could find what I need to do to achieve it?

    Many thanks


  • Hi Matt,

    I hope you have threat feed from External sources.. Since ur threat feeds which is populating in an active list and ur incoming events have Geolocation info based on the Ip addresses... All u need is to create content to get the matching incoming Events communicating to the threat IP existing in the activelist to plot it in the Dashboard(Google Earth).

    Please refer the content below on how to set it up.

  • Hi Balahasan,

    I am implementing steps expalined by Steven - on a locked down ArcSight appliance.Do I need to open it for internet connection most especially to the Google site?

    And if it is required,should it be limited to get request?

    I would also need additional information about creating webserver.ArcSight appliance are locked down to some services.Do you advice I should install apache webserver?

    I would appreciate if you could get back to asap.



  • Hi Matt,

    I haven't worked on it either. Since I was trying the same in my lab setup. But u need to connect to google maps i guess to plot the real time graph.And what do u mean by Locked down some services.. U won't any additional web servers to be configured for this requirement as long as the existing servers are running. And so It will be better if you ping the peoples like steven, jbur who delpoyed and worked on this.

  • Thanks Balahasan.I will get I am already in contact with Steven.

  • Hi Alex

    I have a similar question about how we can check whether i am getting the updated geo-location and public address spaces from Hp Arc sight.

    Can you explain how i can check whether my Arc Sight is getting the updates from Hp with the updated Geo-Locations and IPS.

    Thanks in Advance