ArcSight HTTP Event SmartConnector

Idea ID 2850399

Dear All,

As you might be aware, lots of modern/cloud solutions allow you to export audit logs to a remote HTTP/HTTPS endpoint (aka webhooks). This is push data collection, which is fast and efficient and quite widespread nowadays, and is available on other SIEMs (e.g. Splunk provides the HEC).

ArcSight agents lack this feature and, as a result, we just can't collect such data feeds. Note that the format used at the data source level is usually JSON; if the ArcSight agent provided a way to perform such a Json2CEF mapping out of the box, we'd be talking about a huge enhancement at the data collection level.

Let me illustrate this with a real-life example: GCP Security Audit Logs, which are concentrated into a PubSub service and can be delivered in real time to a remote HTTP endpoint: the ArcSight SmartConnector (SIEM data collection agent).

Since the data collection takes place at L7, we can also use modern L7 LBs, not only to ingest data but also to avoid advertising the agents directly. The tricky part may actually be the authentication, since we can rely on anonymous, basic (user/pass) or external (using an IdP) authentication.

To finish, let me also highlight that we can use third-party solutions to do this, but at the end of the day, the data collection should be performed by the SIEM agents, not by intermediate middleware/components/additional products, which add complexity to the data pipeline.

Best regards,

Karl.
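
Added example, not part of the original post and not ArcSight or Google code: one way the JSON-to-CEF step the post asks for could look when applied to a Pub/Sub push body carrying a GCP audit LogEntry. The field mapping, severity scale, CEF vendor/product strings and the sample entry are assumptions made for illustration, and timestamps are assumed to be UTC ("Z").

```python
import base64, json
from datetime import datetime, timezone

# Assumed mapping: CEF extension key -> dotted path in the GCP LogEntry JSON.
FIELD_MAP = {
    "externalId": "insertId",
    "suser": "protoPayload.authenticationInfo.principalEmail",
    "src": "protoPayload.requestMetadata.callerIp",
    "requestClientApplication": "protoPayload.requestMetadata.callerSuppliedUserAgent",
    "act": "protoPayload.methodName",
    "destinationServiceName": "protoPayload.serviceName",
}
# Assumed mapping of LogEntry severity names onto the CEF 0-10 scale.
SEVERITY = {"NOTICE": 3, "WARNING": 6, "ERROR": 8, "CRITICAL": 9, "ALERT": 10, "EMERGENCY": 10}

def dig(obj, path):  # walk a dotted path; None if any part is missing
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def to_epoch_ms(ts):  # RFC 3339 UTC ("...Z", up to ns) -> epoch ms for rt
    head, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + int((frac + "000")[:3])

def esc_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(v):  # a source-controlled value must not start a new key=value pair or line
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def pubsub_push_to_cef(body):
    """Turn one Pub/Sub push request body into a single CEF line."""
    entry = json.loads(base64.b64decode(json.loads(body)["message"]["data"]))
    ext = {k: dig(entry, p) for k, p in FIELD_MAP.items() if dig(entry, p) is not None}
    if "timestamp" in entry:
        ext["rt"] = to_epoch_ms(entry["timestamp"])
    header = ["CEF:0", "Google", "Cloud Audit Logs", "1.0", ext.get("destinationServiceName", "unknown"),
              ext.get("act", "unknown"), SEVERITY.get(entry.get("severity"), 1)]
    return "|".join(esc_header(h) for h in header) + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())

# Constructed sample: a Pub/Sub push envelope wrapping a made-up audit LogEntry.
SAMPLE_ENTRY = {"insertId": "abc123", "timestamp": "2024-01-15T10:30:00.123456789Z", "severity": "NOTICE",
    "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "requestMetadata": {"callerIp": "192.0.2.10", "callerSuppliedUserAgent": "curl/8.0 a=b"}}}
SAMPLE_BODY = json.dumps({"message": {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}})
print(pubsub_push_to_cef(SAMPLE_BODY))
```

The escaping functions matter as much as the mapping: fields such as the user agent are set by whoever made the API call, so an unescaped `=`, `|` or newline would let that value forge extra CEF fields or events.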
