pbrettle Acclaimed Contributor.

Creating your own FlexConnector Custom Operations

This is a method of creating your own Java functions for a FlexConnector so you can build your own libraries and methods to process events and enrich them. Please note the following:

  1. I didn't write this - I am merely providing it to the community - please post HERE for questions / feedback
  2. IT IS NOT SUPPORTED - Let me just reiterate that - IT'S NOT SUPPORTED. Use at your own risk
  3. Did I mention it's not supported?
  4. Basically, you can create your own methods in Java, so it goes without saying that you need to know how to do things in Java and how to build it all together, though a guide is attached.
  5. Test, be careful and did I mention it's not supported?
  6. Credit where credit is due - thanks to Ian Fitzgerald for this!

Introduction

The ArcSight FlexConnector framework provides a rich library of operations which can be used to build FlexConnectors that meet most requirements.  There may be a number of reasons why an ArcSight Engineer may wish to extract and process data from a particular source in a manner that is more complex than can be achieved using the current Flex Framework.

It would be nice if those of us with a programming background could roll our own functions to meet some of these more demanding requirements. This paper suggests a method by which new custom operations can be created and plugged into the FlexConnector framework. It includes a description of the build environment, code for the sample operation, a functioning compilation script, a sample FlexConnector, a sample log file, and screenshots of the result in ESM.

Requirements

The following requirements were used when developing this solution:

  • Demonstrate how to create a new Flex operation
  • Ensure that the method would be compatible with functions such as ArcMC repository backup/restore
  • The solution must survive a connector upgrade with no additional work necessary
  • The solution should not require external source code that PS staff would not normally have access to
  • No modifications or customizations of any SmartConnector installation files or scripts.

The Custom Operation Example

To demonstrate how to build a custom Flex operation, we will develop the Flex function “__csvIntersection(a,b,…)”. The function will:

  • Take an arbitrary number of arguments (each a comma separated list of strings)
  • Return the intersection of all provided lists, also as a comma separated list
  • Throw an exception if zero arguments are provided
  • Work if only one is provided, even though an intersection usually involves 2 or more data sets.

Updates

  • windowsNtFiletimeToEpochOperation.java: From Sean Davies. Java file attached
  • csvIntersectOperation.java:  Intersects strings present in 1 or more comma separated larger strings (per original example)
  • resolveUacOperation.java: converts Windows New/OldUacValue bitsets into corresponding comma separated strings. As it happens this is not really required as if you grab the UserAccountControl string using an override, it tells you numerous things that were changed during the account change (much the same result as calculating the old and new UAC strings using resolveUac).  Another decent example though, see attached files.
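
The behaviour listed for `__csvIntersection` under "The Custom Operation Example", as an added stand-alone Java example; it is not the attached csvIntersectOperation.java and not ArcSight code. The class and method names, the exception type, whitespace trimming, case-sensitive matching and first-list ordering are assumptions, and the FlexConnector operation wrapper is left out because the page does not show it.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration: intersection logic only. The FlexConnector wrapper
// class from the parser framework is not shown on this page and is omitted.
public class CsvIntersectionDemo {

    // Split one CSV argument into trimmed, non-empty tokens (assumed rules).
    // LinkedHashSet removes duplicates and keeps first-seen order.
    static Set<String> tokens(String csv) {
        Set<String> out = new LinkedHashSet<>();
        if (csv == null) {
            return out; // a missing event field is treated as an empty list
        }
        for (String t : csv.split(",")) {
            String s = t.trim();
            if (!s.isEmpty()) {
                out.add(s);
            }
        }
        return out;
    }

    // Intersection of all lists; one argument is returned de-duplicated,
    // zero arguments are rejected as the post requires.
    static String csvIntersection(String... lists) {
        if (lists == null || lists.length == 0) {
            throw new IllegalArgumentException("csvIntersection needs at least one argument");
        }
        Set<String> result = tokens(lists[0]);
        for (int i = 1; i < lists.length && !result.isEmpty(); i++) {
            result.retainAll(tokens(lists[i])); // keep only values present in every list
        }
        return String.join(",", result);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the attached sample log.
        System.out.println(csvIntersection("admin,backup,ops", "ops, admin ,guest"));
        System.out.println(csvIntersection("a,b,b,c"));   // single-argument case
        System.out.println(csvIntersection("a,b", "c"));  // disjoint lists
        try {
            csvIntersection();                            // zero-argument case
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```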
rhope Acclaimed Contributor.

Re: Creating your own FlexConnector Custom Operations

Can't tell you how many times I've wanted to do something like this. It'd be nice if there was a supported plugin model for this, i.e. the mechanism is supported and documented but the custom function is not, or is supported by the developer.

bkilroe Super Contributor.

Re: Creating your own FlexConnector Custom Operations

Thanks for sharing this Paul!!

nhamann
New Member.

Re: Creating your own FlexConnector Custom Operations

Is anyone still actively using this approach?

I am trying to create a custom operation for VirusTotal checks, but I am stuck calling a custom operation from my FlexConnector. I always get

...

Caused by: java.lang.ClassNotFoundException: com.arcsight.agent.parsers.operation.virusTotalScoreOperation

...

Even the attached samples from Paul aren't working. My Connector sits on a Windows Server 2012 R2 machine, so I had to adapt the make.bash to work with cmd/powershell. javac is compiling the class without any complaints.

Does anyone have an idea, or has anyone experienced the same difficulties? I am using arcsight-parserramework-2.0.0.release.67.jar and JDK 1.8.

 
