Here are the steps to integrate NetIQ Secure Configuration Manager (SCM) with ArcSight Logger.
- Sizing: storing assessment events and reports takes an estimated 1.7 MB per event.
- By default, the Core Services Configuration Utility does not display the Advanced tab. To open it in Advanced Tab Mode:
  - Close the utility if it is open.
  - Run installation_directory\Core Services\bin\config.bat
  - The Core Services Configuration Utility opens.
  - Select the Advanced tab.
- Enable logging (Core Services, Advanced Tab Mode):
  - assessment/Thirdparty/SIEM/AppIntegration/Enabled = true (ArcSight / Splunk)
  - assessment/Check/Include (Sentinel)
  - Restart Core Services for the setting to take effect.
- Logging (CEF): Forward Assessment Report (SIEM) settings
  - Forward Events of Assessment Result = Enabled
  - Destination Server = blank (the SIEM connection settings are supplied in thirdpartysiem.csv instead)
  - Destination Server Credentials = blank
  - Forward Assessment Events = By Asset (default)
  - Assessment Conditions to Forward = True / Low Risk / True
- Core Services must know the connection settings for the SIEM server:
  - Open thirdpartysiem.csv, located by default in the NetIQ\Secure Configuration Manager\Core Services\etc folder.
  - Add one entry per SIEM server that should receive event data, in the format IP_address:port,protocol (the port and protocol must match the receiver configured on the Logger side).
- ArcSight Logger configuration (receiver for the forwarded assessment report):
  - Configuration > Receivers > Add
  - Type: CEF TCP recommended (CEF UDP works as well)
  - Port: TCP 524 in the SCM PDF example
- In SCM: run the policy template, then forward the assessment report to the destination server.
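The two places where this integration usually fails silently are a malformed thirdpartysiem.csv entry and a Logger receiver that is not actually listening on the port/protocol named in that entry. The following is an added example, not code from NetIQ or ArcSight: it parses a constructed thirdpartysiem.csv in the IP_address:port,protocol format described above, builds a CEF:0 line with correct header and extension escaping, and sends it to each receiver so the Logger receiver can be checked before a real assessment report is forwarded. The 192.0.2.x addresses, the CEF vendor/product/signature values and the extension keys are constructed sample data, not SCM's real event schema.

```python
"""Added example (not NetIQ/ArcSight code): validate thirdpartysiem.csv entries
and push a constructed CEF test event to each configured SIEM receiver."""
import socket
from typing import Dict, List, Tuple

# Constructed sample contents of thirdpartysiem.csv (format: IP_address:port,protocol).
# 192.0.2.0/24 is a documentation range; these are not real receivers.
SAMPLE_CSV = """\
# ArcSight Logger CEF TCP receiver (port used in the SCM PDF example)
192.0.2.10:524,tcp

# a CEF UDP receiver; protocol case is normalised
192.0.2.11:514,UDP
"""

Destination = Tuple[str, int, str]


def parse_thirdpartysiem(text: str) -> List[Destination]:
    """Return (host, port, protocol) per entry; blank/# lines are skipped,
    anything that is not IP_address:port,protocol raises ValueError."""
    dests: List[Destination] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            endpoint, proto = line.split(",")
            host, port_s = endpoint.rsplit(":", 1)
            port = int(port_s)
        except ValueError:
            raise ValueError(f"line {lineno}: expected IP_address:port,protocol, got {raw!r}") from None
        proto = proto.strip().lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: protocol must be tcp or udp, got {proto!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port out of range: {port}")
        dests.append((host.strip(), port, proto))
    return dests


def _esc_header(v: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, sig_id: str,
              name: str, severity: int, ext: Dict[str, str]) -> str:
    """Build one CEF:0 line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(str(x)) for x in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def send_test_event(dest: Destination, event: str, timeout: float = 3.0) -> bool:
    """Send one newline-terminated CEF line to the receiver; True if the send succeeded.
    A False for a tcp destination usually means the Logger receiver is not listening."""
    host, port, proto = dest
    payload = (event + "\n").encode("utf-8")
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            if proto == "tcp":
                s.connect((host, port))
                s.sendall(payload)
            else:
                s.sendto(payload, (host, port))
        return True
    except OSError as exc:
        print(f"{host}:{port}/{proto}: {exc}")
        return False


if __name__ == "__main__":
    # Hypothetical vendor/product/signature values, only for the connectivity test.
    evt = build_cef("Example", "SIEM connectivity check", "0.1", "100",
                    "test event", 1,
                    {"msg": "test from thirdpartysiem.csv check", "cs1Label": "raw", "cs1": "a=b|c"})
    for d in parse_thirdpartysiem(SAMPLE_CSV):
        print(d, "ok" if send_test_event(d, evt) else "FAILED")
```

Replace SAMPLE_CSV with the real file contents (or read it from the etc folder) and look for the test event in the Logger receiver's event view; a successful UDP send proves nothing about the receiver, so prefer the TCP receiver for this check as the notes above recommend.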