Idea ID 2850399
As you might be aware, lots of modern/cloud solutions allow you to export audit logs to a remote HTTP/HTTPS endpoint (aka webhooks). This push model of data collection is fast and efficient and quite widespread nowadays, and it is available in other SIEMs (e.g. Splunk provides the HEC).
ArcSight agents lack this feature and as a result we just can't collect such data feeds. Note that the format used at the data source level is usually JSON; if the ArcSight agent provided a way to perform such JSON-to-CEF mapping out of the box, we'd be talking about a huge enhancement at the data collection level.
Let me illustrate this with a real-life example: GCP Security Audit Logs, which are concentrated into a Pub/Sub service and can be delivered in real time to a remote HTTP endpoint: the ArcSight SmartConnector (SIEM data collection agent).
Since the data collection takes place at L7, we can also use modern L7 LBs, not only to ingest data but also to avoid exposing the agents directly. The tricky part may actually be the authentication, since we could rely on anonymous, Basic (user/pass) or external (using an IdP) authentication.
To finish, let me also highlight that we can use 3rd-party solutions to do this, but at the end of the day the data collection should be performed by the SIEM agents, not by intermediate middleware/components/additional products, which add complexity to the data pipeline.
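To make the JSON-to-CEF mapping and the authentication point concrete, here is an added example (not code from the original post, ArcSight or Google): it unwraps a Pub/Sub push envelope, checks the request's bearer token in constant time, and maps the enclosed Cloud Audit Log entry to a CEF line. The push envelope and the `protoPayload` field names are real GCP structures; the sample entry, the vendor/product strings, the CEF field mapping and the static shared-token check (a simplification of what a push subscription's OIDC token would need) are my assumptions.

```python
import base64
import hmac
import json
from datetime import datetime

# Constructed Pub/Sub push body carrying one GCP Cloud Audit Log entry (sample data, not a real log).
AUDIT_ENTRY = {
    "insertId": "example-insert-id", "severity": "NOTICE", "timestamp": "2024-01-01T12:00:00Z",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "iam.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
    },
}
SAMPLE_PUSH = json.dumps({
    "message": {"data": base64.b64encode(json.dumps(AUDIT_ENTRY).encode()).decode(), "messageId": "1"},
    "subscription": "projects/example-project/subscriptions/example-sub",
}).encode()

# GCP LogSeverity -> CEF severity (0-10); unknown levels fall back to 5 (assumed mapping).
SEVERITY = {"DEBUG": 1, "INFO": 3, "NOTICE": 5, "WARNING": 6, "ERROR": 8,
            "CRITICAL": 9, "ALERT": 10, "EMERGENCY": 10}

def _hdr(v):  # CEF header fields must escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")
def _ext(v):  # CEF extension values must escape backslash and equals sign
    return str(v).replace("\\", "\\\\").replace("=", "\\=")

def bearer_ok(auth_header, expected_token):
    """Check the push request's Authorization header with a constant-time token compare."""
    scheme, _, token = (auth_header or "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected_token)

def pubsub_push_to_cef(body):
    """Unwrap the Pub/Sub push envelope and map the audit entry to one CEF line; None if not an audit log."""
    entry = json.loads(base64.b64decode(json.loads(body)["message"]["data"]))
    p = entry.get("protoPayload") or {}
    if p.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
        return None
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    ext = {"rt": int(ts.timestamp() * 1000),  # CEF receipt time in epoch milliseconds
           "suser": p.get("authenticationInfo", {}).get("principalEmail", ""),
           "src": p.get("requestMetadata", {}).get("callerIp", ""),
           "cs1Label": "resourceName", "cs1": p.get("resourceName", ""),
           "externalId": entry.get("insertId", "")}
    name = f"{p.get('serviceName', '')} {p.get('methodName', '')}".strip()
    header = [_hdr(x) for x in ("Google", "Cloud Audit Logs", "1.0", p.get("methodName", "unknown"),
                                 name, SEVERITY.get(entry.get("severity", ""), 5))]
    return "CEF:0|" + "|".join(header) + "|" + " ".join(f"{k}={_ext(v)}" for k, v in ext.items())
```

A real endpoint would call `bearer_ok` before `pubsub_push_to_cef` and reply 2xx only after the CEF line is handed off, since Pub/Sub redelivers on any other status.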