Anonymizing forwarding logger data
For testing purposes I would like to send anonymized data from our ArcSight Logger to an ESM. To anonymize the data I would like to replace the following fields with gibberish before forwarding it.
Agent Zone Resource
Device Host Name
Device Zone Resource
Attacker Zone Resource
Attacker Asset Resource
Attacker Translated Zone Resource
Target Host Name
Target Zone Resource
Target Asset Resource
Target Translated Zone Resource
So far I've set up a CEF Forwarder to the ESM, which is working just fine. Though, I've not been able to find the location on the ESM where the connector is installed. When I'm able to locate these I should be able to alter the data, correct? I'm looking for someone who has configured the same or a similar situation and would like to help me out.
I think you are looking for the "fields to obfuscate" setting.
From your ESM Console Navigator > Connectors > loggerConnector > right click > Configure > default
Scroll down and you'll find the option under processing. You can only obfuscate string fields though, so heads up on that.
Thank you for assisting me. It is close to what I'm looking for, except I would like to replace the fields with a different string instead of obfuscating them.
Wouldn't you be sending the same event over and over again then??
If you're looking to do that, you can use a replay (test alert) connector and you can customize exactly what the outgoing events look like. The other option is to update the field mappings.
<whatever you want>
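
Added example, not part of the thread and not ArcSight code: one way to replace selected fields with stable pseudonyms in CEF text before it reaches a test system, so that events from the same host still correlate. The extension key names in `SENSITIVE_KEYS`, the sample events and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed CEF extension keys for some fields named in the question; verify
# them against what your forwarder actually emits.
SENSITIVE_KEYS = frozenset({"dvchost", "dhost", "deviceZoneURI", "destinationZoneURI"})

# One key=value pair; a value runs until the next " key=" or end of line.
PAIR_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")

def pseudonym(secret: bytes, value: str) -> str:
    """Keyed, deterministic token: equal inputs map to equal outputs."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16]

def anonymize_cef(line: str, secret: bytes, keys=SENSITIVE_KEYS) -> str:
    """Replace the values of the selected extension keys in one CEF line."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        # Fail closed: never pass through a line that could not be parsed.
        raise ValueError("not a CEF line")

    def swap(match):
        key, value = match.group(1), match.group(2)
        if key in keys and value:
            value = pseudonym(secret, value)
        return f"{key}={value}"

    parts[7] = PAIR_RE.sub(swap, parts[7])
    return "|".join(parts)

# Constructed sample events (not real data).
SAMPLE = [
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Login failed|5|"
    "dvchost=fw01.corp.example dhost=db01.corp.example "
    "deviceZoneURI=/All Zones/Site A msg=login failed for admin",
    "CEF:0|ExampleVendor|ExampleFW|1.0|200|Port scan|7|"
    "dvchost=fw01.corp.example dhost=web02.corp.example msg=scan detected",
]

if __name__ == "__main__":
    secret = b"constructed-demo-key"  # in practice, a random key kept off the test system
    for event in SAMPLE:
        print(anonymize_cef(event, secret))
```

Because the token is an HMAC rather than a plain hash, someone on the test side cannot confirm a guessed hostname without the key; free-text fields such as `msg` are not touched and may still carry names.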