SCM ArcSight Integration

Here are the steps to integrate SCM (NetIQ Secure Configuration Manager) with ArcSight Logger.

  • NOTES
    • Storing assessment events and reports costs an estimated 1.7MB per event
    • By default, the Core Services Configuration Utility does not display the Advanced tab.
  • Core Services Configuration (Advanced Tab Mode)
    • Close the utility (if open)
    • Run: installation_directory\Core Services\bin\config.bat
      • Core Services Configuration Utility opens
    • Select the Advanced tab
  • Enable Logging (Core Svcs - Advanced Tab Mode)
    • assessment/Thirdparty/SIEM/AppIntegration/Enabled = true
      • ArcSight / Splunk
    • assessment/Check/Include
      • Sentinel
    • Restart Core Services
  • Logging (CEF)
    • Forward Assessment Report (SIEM)
      • Forward Events of Assessment result = Enabled
      • Destination Server = Blank
      • Destination Server Credentials = Blank
      • Forward Assessment Events: By Asset (Default)
      • Assessment Conditions to Forward: True / Low Risk / True
    • Core Services must know the connection settings for the SIEM server.
      • Open the thirdpartysiem.csv file, located by default in the NetIQ\Secure Configuration Manager\Core Services\etc folder.
      • Add entries to the file that specify the connection settings for each SIEM server to which you want to send event data. Use the following format:
        • IP_address:port,protocol
        • Example: 10.10.10.10:524,TCP
  • ArcSight Logger Configuration
    • Configuration > Receivers > Add
    • CEF TCP Recommended (CEF UDP works as well)
    • TCP 524 (the port used in the SCM PDF example)
  • SCM: Run Policy Template
    • Forward Assessment Report to Destination Server
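As an added example (not from the SCM or ArcSight documentation), a small Python validator for thirdpartysiem.csv entries in the IP_address:port,protocol form; it assumes only TCP and UDP are accepted protocol values and that the file may contain blank or `#` comment lines, and the sample contents are constructed.

```python
# Added example: validate thirdpartysiem.csv entries (IP_address:port,protocol).
import ipaddress

ALLOWED_PROTOCOLS = {"TCP", "UDP"}  # assumption: SCM accepts these two values


def parse_siem_entry(line):
    """Parse one line such as '10.10.10.10:524,TCP'; raise ValueError on bad input."""
    text = line.strip()
    if "," not in text:
        raise ValueError(f"missing ',protocol' in {text!r}")
    endpoint, protocol = text.rsplit(",", 1)
    protocol = protocol.strip().upper()
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be TCP or UDP, got {protocol!r}")
    if ":" not in endpoint:
        raise ValueError(f"missing ':port' in {endpoint!r}")
    host, port_text = endpoint.rsplit(":", 1)
    ip = ipaddress.ip_address(host.strip())  # raises ValueError if not an IP
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port, protocol


def validate_siem_file(contents):
    """Return (valid entries, error messages) for the whole file contents."""
    entries, errors = [], []
    for number, line in enumerate(contents.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank and comment lines
        try:
            entries.append(parse_siem_entry(line))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return entries, errors


# Constructed sample file contents; the first entry matches the page's example,
# the last three are deliberately malformed to show what the checker reports.
SAMPLE = """10.10.10.10:524,TCP
10.10.10.11:514,udp
10.10.10.12,TCP
10.10.10.13:70000,TCP
not-an-ip:524,TCP
"""
```

Running validate_siem_file over the real file before restarting Core Services catches a malformed entry that would otherwise silently drop event forwarding to that SIEM server.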