Azure Log Integration for ArcSight - Multiple JSON parsers?

Hello,

While following the documentation for Azure log integration with SIEM (link), I've created a JSON connector and added the AzureRM JSON parser. This works great, but RM only parses the Resource Manager itself.
I wanted to make sure that, next to the Resource Manager information, the other information (AD and Security Center) would also get into our SIEM.

Although writing a parser would not be a big problem, the issue I'm experiencing is that I need to create multiple "JSON FlexConnectors", instead of being able to use one software connector that can read multiple directories and parse them using multiple JSON parsers for the specific files.

Does anyone else experience this issue and/or has a solution for this?


Thank you in advance.

Roy
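The thread's complaint is that one JSON FlexConnector carries one parser, so a folder holding Resource Manager, Azure AD and Security Center files needs three connectors. The script below is an added example, not code from this thread or from ArcSight, showing the shape of what the original poster was asking for: a single reader that walks one directory, recognises each record's schema from its keys, dispatches to the matching parser and emits a CEF line. The field names in the three constructed sample records are assumptions for illustration only, not the real Azure log formats; you would substitute the keys your own exported files actually carry. It also counts records that matched no parser, because a reader that reports "processing ended: Success" while producing no events is exactly the silent failure a practitioner needs to see.

```python
"""Dispatch Azure JSON log records to per-schema parsers and emit CEF.

Added example, not the thread's or ArcSight's own code. All record field names
and sample values are constructed assumptions, not Microsoft's documented schemas.
"""
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample files, one record per schema (assumed field names).
SAMPLE_FILES: Dict[str, list] = {
    "arm_001.json": [
        {"category": "Administrative",
         "operationName": "Microsoft.Compute/virtualMachines/write",
         "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
         "caller": "alice@example.com", "level": "Informational",
         "eventTimestamp": "2017-03-01T10:00:00Z"},
    ],
    "aad_001.json": [
        {"activityDisplayName": "Add member to role", "category": "RoleManagement",
         "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
         "result": "success", "activityDateTime": "2017-03-01T10:05:00Z"},
    ],
    "asc_001.json": [
        {"AlertDisplayName": "Suspicious process executed", "Severity": "High",
         "CompromisedEntity": "vm1", "DetectedTimeUtc": "2017-03-01T10:10:00Z"},
    ],
}

# Security Center severity words mapped onto the CEF 0-10 scale (assumed mapping).
ASC_SEVERITY = {"High": 9, "Medium": 6, "Low": 3, "Informational": 1}


def cef(vendor: str, product: str, sig_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """Build one CEF:0 line, escaping '|' in the header and '=' in extension values."""
    def esc_header(s: str) -> str:
        return s.replace("\\", "\\\\").replace("|", "\\|")

    def esc_ext(s: str) -> str:
        return str(s).replace("\\", "\\\\").replace("=", "\\=")

    header = "|".join(esc_header(x) for x in (vendor, product, "1.0", sig_id, name, str(severity)))
    extension = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())
    return "CEF:0|" + header + "|" + extension


def detect_schema(record: dict) -> Optional[str]:
    """Pick a parser from the keys present; None means no parser claims the record."""
    if "operationName" in record and "resourceId" in record:
        return "arm"
    if "activityDisplayName" in record and "initiatedBy" in record:
        return "aad"
    if "AlertDisplayName" in record and "Severity" in record:
        return "asc"
    return None


def parse_arm(r: dict) -> str:
    return cef("Microsoft", "Azure Resource Manager", r["operationName"], r["category"], 5,
               {"rt": r["eventTimestamp"], "suser": r.get("caller", ""),
                "cs1": r["resourceId"], "cs1Label": "resourceId", "outcome": r.get("level", "")})


def parse_aad(r: dict) -> str:
    actor = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    return cef("Microsoft", "Azure AD", r["category"], r["activityDisplayName"], 5,
               {"rt": r["activityDateTime"], "suser": actor, "outcome": r.get("result", "")})


def parse_asc(r: dict) -> str:
    return cef("Microsoft", "Azure Security Center", "SecurityAlert", r["AlertDisplayName"],
               ASC_SEVERITY.get(r["Severity"], 5),
               {"rt": r["DetectedTimeUtc"], "dhost": r.get("CompromisedEntity", "")})


PARSERS = {"arm": parse_arm, "aad": parse_aad, "asc": parse_asc}


def parse_records(records: List[dict]) -> Tuple[List[str], int]:
    """Return (CEF events, number of records that matched no parser)."""
    events, skipped = [], 0
    for rec in records:
        schema = detect_schema(rec)
        if schema is None:
            skipped += 1  # surfaced instead of silently dropped
            continue
        events.append(PARSERS[schema](rec))
    return events, skipped


def parse_file(path: str) -> Tuple[List[str], int]:
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return parse_records(data if isinstance(data, list) else [data])


def process_directory(folder: str) -> Tuple[List[str], int]:
    """One reader over one folder, whatever mix of schemas the files hold."""
    events, skipped = [], 0
    for name in sorted(os.listdir(folder)):
        if name.endswith(".json"):
            e, s = parse_file(os.path.join(folder, name))
            events.extend(e)
            skipped += s
    return events, skipped


def demo() -> Tuple[List[str], int]:
    """Write the constructed samples to a temp folder and run the reader over it."""
    with tempfile.TemporaryDirectory() as d:
        for name, records in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                json.dump(records, fh)
        return process_directory(d)


if __name__ == "__main__":
    evts, unmatched = demo()
    for line in evts:
        print(line)
    print(f"{len(evts)} events, {unmatched} records matched no parser")
```

The point of the `skipped` counter is operational: a connector that opens a file and closes it "successfully" without emitting anything looks healthy from the outside, so any real multi-schema reader should alarm when that number is non-zero rather than only when a file fails to open.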

4 Replies

Cadet 1st Class

Yes, you have to install separate connectors and create separate parsers for it, as the log format of "AD and Security Center" is different.

Captain

Hello,


I've been creating some FlexParsers, but do you know if there are any supported versions for Security Center or AD?
Do you have any FlexParsers available?

Thanks.

Cadet 1st Class

Hello,

I also tried to install the FlexConnector for JSON files from Azure, following the link https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/

Whenever a new JSON file arrives in the folder, I receive an update:

1. File processing started

2. File processing ended: Success

But I can't find any Azure events.

Please suggest if I'm missing anything.

Fleet Admiral

These posts are quite old now, so the information is a bit out of date.

It is highly recommended that users of Azure utilize Event Hubs; not only for SIEM, but in general all new Azure log collection happens on this layer.

It is possible to configure any/most of the Azure products and applications, including AD, to log towards one or more Event Hubs, which you can then connect the connectors to.

For connector specific information, please refer to the relevant documentation:

https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius