dctopper

Auto ingest ArcSight saved searches

Hello All,


Problem:

Given search parameters stored within an XML structure, how does one go about ingesting saved searches [Not events] into ArcSight ESM?


Background:

I am trying to help out a colleague of mine by making it simpler to automatically ingest the many potent saved searches / correlations that I have developed to guard over my enterprise environment.

I’d like to develop an XML parser to MySQL translator that can update the requisite database(s) accordingly. My problem is that I don’t know ArcSight’s ‘insides’ well enough (e.g., which database(s), SQL statements or stored procedures to interface with). If anyone can please tell me the pieces, I can write the software to make it work. I am most happy to share the finished product with the group! Thanks in advance for sharing your expertise.


Kind Regards,

Dave


Accepted Solutions
bondarets

Re: Auto ingest ArcSight saved searches

Here is a presentation (with video available) describing some of the inner structure of the CORR Engine:

https://protect724.arcsight.com/docs/DOC-9327

Here are also some documents/topics that may help you achieve your goal without dirty 'hacks':

Also, you could contact support and request more detailed/up-to-date documentation on the API and other integration options.

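As an added example (not code from this thread, from ArcSight, or from either poster), here is the XML-to-records half of the translator the question describes, written so that its output is a reviewable intermediate file to hand to the product's documented content-import procedure rather than SQL written into its database, which is the path the accepted answer points to. The element names (`savedSearches`, `search`, `query`, `timeRange`), the `-1h` relative time-range syntax, the sample document and the JSON record shape are all assumptions; ArcSight's real content format is not shown on this page.

```python
"""Parse an XML export of saved searches into validated records.

Added example, not code from the thread or from ArcSight. The XML layout,
element names and output record shape are assumptions: the product's own
content-package format is not shown on the page, so the records produced
here are an intermediate form for whatever documented import mechanism
the product offers, not SQL to write into its database.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample input, not a real ArcSight export. The third entry
# is deliberately invalid (empty name) to exercise the validation path.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<savedSearches>
  <search name="Auth failures burst" owner="dave">
    <query>categoryBehavior = "/Authentication/Verify" AND categoryOutcome = "/Failure"</query>
    <timeRange>-1h</timeRange>
  </search>
  <search name="Outbound to new ports" owner="dave">
    <query>categoryDeviceGroup = "/Firewall" AND destinationPort &gt; 1024</query>
    <timeRange>-24h</timeRange>
  </search>
  <search name="" owner="dave">
    <query>deviceVendor = "Test"</query>
    <timeRange>-1h</timeRange>
  </search>
</savedSearches>
"""

TIME_RANGE_RE = re.compile(r"^-\d+[mhd]$")  # assumed relative-range syntax


class SavedSearchError(ValueError):
    """Raised when the XML is structurally or semantically unusable."""


def _reject_doctype(xml_text):
    # A DOCTYPE can carry entity declarations (entity-expansion bombs, XXE);
    # an export of saved searches has no legitimate use for one, so refuse
    # it before the parser ever sees it.
    if "<!DOCTYPE" in xml_text:
        raise SavedSearchError("DOCTYPE declarations are not accepted")


def parse_saved_searches(xml_text):
    """Return (records, problems).

    records  : list of validated dicts, one per usable <search> element
    problems : per-entry messages for entries that were skipped
    """
    _reject_doctype(xml_text)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise SavedSearchError(f"malformed XML: {exc}") from exc
    if root.tag != "savedSearches":
        raise SavedSearchError(f"unexpected root element <{root.tag}>")

    records, problems, seen = [], [], set()
    for idx, node in enumerate(root.findall("search"), start=1):
        name = (node.get("name") or "").strip()
        query = (node.findtext("query") or "").strip()
        time_range = (node.findtext("timeRange") or "").strip()
        if not name:
            problems.append(f"search #{idx}: missing name")
            continue
        if name in seen:
            problems.append(f"search #{idx}: duplicate name {name!r}")
            continue
        if not query:
            problems.append(f"search #{idx} ({name}): empty query")
            continue
        if not TIME_RANGE_RE.match(time_range):
            problems.append(f"search #{idx} ({name}): bad timeRange {time_range!r}")
            continue
        seen.add(name)
        records.append({
            "name": name,
            "owner": node.get("owner") or "",
            "query": query,
            "timeRange": time_range,
        })
    return records, problems


def to_manifest(records):
    """Serialise records deterministically (sorted keys, stable order) so the
    file can be diffed and reviewed before it is fed to the import tooling."""
    return json.dumps({"savedSearches": records}, indent=2, sort_keys=True)


if __name__ == "__main__":
    recs, probs = parse_saved_searches(SAMPLE_XML)
    print(to_manifest(recs))
    for p in probs:
        print("skipped:", p)
```

The script only reads the XML and emits a manifest; the step that actually creates the searches stays with the vendor's supported import path, which is the point of the accepted answer. Problems are collected rather than raised so a batch with one bad entry still yields the good ones, and the DOCTYPE check is there because the XML typically arrives from another team or tool rather than being hand-written.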
3 Replies
bondarets

Re: Auto ingest ArcSight saved searches

1) ESM does not have saved searches; only Logger does. Well, of course, the built-in Logger in the new ESM 6.x does, if you mean this. But saved searches are not (yet?) used in ESM anyway.

2) Direct connections to and modification of the database are not supported; it is not allowed.

3) ESM and Logger have standard procedures for importing content (filters, searches, rules, reports, etc.), and you should use those procedures. They are described in the admin and user guides for each product.

dctopper

Re: Auto ingest ArcSight saved searches

Thanks for the response, Ivan. I'll take a look through the admin guides and see if I can find anything useful. I'd still like to develop a translator app, though; part of my learning curve on most software tools usually entails developing custom, 'non-supported' add-on capabilities, and I'm looking to do the same thing here. It helps keep my interest and also looks good come performance time, if you know what I mean. That said, if you're willing/able to help me delve into the inner workings of the database(s) and their manipulation, I would greatly appreciate it. I understand the risk involved. Thanks again for weighing in.
