gbajaj Absent Member.

IP reputation feed for Arcsight


Hi, which IP reputation services (commercial or free) does ArcSight support out of the box? And can we configure the ones which are not supported directly?


Accepted Solutions
shezaf1 Acclaimed Contributor.

Re: IP reputation feed for Arcsight


RepSM is an HP ArcSight product that includes a special connector to get reputation data from HP DVLabs automatically and ArcSight content to utilize this information. 3rd party solutions are available which usually utilize event connectors and rules to populate the reputation data in ESM.

Three things to look into in any such offering are:

  • Quality of the feed.
  • Optimization of the import mechanism.
  • Quality of ArcSight content.

I will be happy to answer any RepSM question you have.

Ofer Shezaf

Product Manager, ArcSight solutions

13 Replies

Vini Acclaimed Contributor.

Re: IP reputation feed for Arcsight


Well, there are many ways to answer this question. The short answer is that only RepSM is supported out of the box, or kind of. You still need to install things to make it work.

At the same time, you don't necessarily need to do much work to use other feeds. The hardest part would be to automate the data ingestion.

balahasan.v1 Acclaimed Contributor.

Re: IP reputation feed for Arcsight


Hi Guys,

Are you saying that ArcOSI is no longer in the picture now?

I thought ArcOSI and ThreatStream were still functional.

shezaf1 Acclaimed Contributor.

Re: IP reputation feed for Arcsight


ThreatStream is one of the possible 3rd party solutions I mentioned. As far as I understand ArcOSI no longer exists.

StevenD Honored Contributor.

Re: IP reputation feed for Arcsight


I know this is an old thread, but it was at the top of the search list for IP-rep feeds. I found another 3rd party (AlienVault) that has done some ArcSight-specific work. It even has a nifty walk-through and code attached to make it happen. I'm going to spin this up shortly and see how well it works.

http://www.alienvault.com/open-threat-exchange/blog/feeding-alienvaults-open-threat-exchange-otx-threat-information-to-a…

andrew.dalbor Outstanding Contributor.

Re: IP reputation feed for Arcsight


Also check out BadHarvest's OSI. EXTREMELY easy to set up. Comes with a script that pretty much does the work for you. Took me less than 30 mins to get everything flowing into ArcSight.

StevenD Honored Contributor.

Re: IP reputation feed for Arcsight


Yeah i've seen OSI, but it's no longer supported so I was hesitant about setting it up. How accurate/comprehensive is the feed?

andrew.dalbor Outstanding Contributor.

Re: IP reputation feed for Arcsight


Well it is quite comprehensive as it includes both IPs and Domains which it pulls from a variety of intelligence sites.

On the downside, with all the data it pulls in, you will need to tweak your rule/trend, whichever route you go. You can get quite a few hits from false-positive sources.

dzuperku1 Absent Member.

Re: IP reputation feed for Arcsight


I might be wrong, but BadHarvest's OSI is the free version of ThreatStream.

BadHarvest's is still working and pulling in a lot of sources. I seem to get a lot of false positives (Google, Yahoo, Facebook IPs) when using this for correlation; I just highly recommend having a good vetting process in place before setting up alerts from this feed.

ThreatStream seems to do a vetting service on the feeds for its commercial version. They also have a good deal of content created in a .arb file you can import, and they have a nice web interface where you can flag false positives.

URL correlation will help cut down a lot of false positives instead of using IPs from your firewall.

andrew.dalbor Outstanding Contributor.

Re: IP reputation feed for Arcsight


No, you're right, it is their free version.

It does take some tuning/tweaking to get what you need, but it is worth it in the end for a free product that is quite easy to get up and running.

chenselein1 Absent Member.

Re: IP reputation feed for Arcsight


I was trying the AlienVault OTX. Unfortunately the client can't seem to get an answer from its configured server (https://reputation.alienvault.com/).

If I try the website manually in a browser, it gives me a certificate error as well. Has anyone got this running?

BR,

Christoph

StevenD Honored Contributor.

Re: IP reputation feed for Arcsight


I didn't have any issue with it, but I modified their CEF string to include the IP/website threat rating (1-5) in the device severity field, and I moved the IP/site threat type to the device event class ID categories. Both of these were set as static figures previously. I'll include the line (line 137) change to the code below:

```python
# Line 137 of the AlienVault script as modified above (Python 2 string
# formatting). fs is the '#'-split reputation record: fs[0] the IP, fs[3] the
# threat type (now the Device Event Class ID field) and fs[2] the threat rating
# (now the severity field). The '\\=' in the source yields the '\=' that CEF
# requires to escape '=' inside the msg extension value.
cef = 'CEF:0|AlienvaultOTX|IP Reputation Feed|1.0|%s|Suspicious Host|%s|src=%s msg=%s' % (fs[3],fs[2],fs[0],("http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip\\=%s" % fs[0]))
```

As far as the direct feed, try going to the sites below. Be aware that it's a large amount of data if you're trying to work around their script and just use the data. Also, AV's script appears to update incrementally based on a local versus advertised version number for the DB.

IP Rep Database: http://reputation.alienvault.com/reputation.data

IP Database Version: http://reputation.alienvault.com/reputation.rev

Incremental Update Format: http://reputation.alienvault.com/revisions/reputation.data_41741

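An added worked example (not the AlienVault script StevenD modified, and not ArcSight content) showing in Python 3 the two mechanisms his post describes: turning one reputation.data record into a CEF line with the activity type in the Device Event Class ID field and the risk value in the severity field, with the escaping CEF requires for '|', '=' and backslash, and deciding between no pull, incremental revision files and a full pull by comparing the local revision with the one advertised in reputation.rev. The record layout (ip#reliability#risk#activity#country#city#lat,lon#flags), the sample lines, the cn1/cs1 custom fields and the assumption that one file exists per revision number under /revisions/ are assumptions made for the example, not facts from the thread.

```python
# Added example for this thread (Python 3); not the AlienVault script.
# ASSUMPTIONS: reputation.data lines are '#'-separated as
# ip#reliability#risk#activity#country#city#lat,lon#flags; reputation.rev
# carries one integer; one incremental file per revision under /revisions/.
import ipaddress
from typing import Dict, List, Optional

BASE = "http://reputation.alienvault.com"          # URLs quoted in the thread
DATA_URL = BASE + "/reputation.data"
REV_URL = BASE + "/reputation.rev"
INFO_URL = ("http://labs.alienvault.com/labs/index.php/projects/"
            "open-source-ip-reputation-portal/information-about-ip/?ip=%s")

# Constructed sample records (TEST-NET addresses, not real feed data).
SAMPLE_LINES = [
    "192.0.2.10#4#2#Scanning Host#CN#Nanjing#32.0617,118.7778#11",
    "198.51.100.7#6#7#Malware Domain;C&C#RU#Moscow#55.75,37.61#11",
    "not-an-ip#1#1#Spamming##0,0#0",          # malformed: must be dropped
]


def cef_header(value: str) -> str:
    """Escape a CEF header field: backslash and '|' are special there."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and newlines are special."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def parse_rep_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one reputation.data line; return None for malformed input so
    garbage from the feed never reaches ESM as an event."""
    fs = line.rstrip("\r\n").split("#")
    if len(fs) < 4 or not fs[3]:
        return None
    try:
        ip = str(ipaddress.ip_address(fs[0]))
        reliability, risk = int(fs[1]), int(fs[2])
    except ValueError:
        return None
    return {"ip": ip, "reliability": reliability, "risk": risk,
            "activity": fs[3], "country": fs[4] if len(fs) > 4 else ""}


def to_cef(rec: Dict[str, object]) -> str:
    """activity -> Device Event Class ID, risk -> severity (CEF allows 0-10,
    so the value is clamped), reliability/country as labelled custom fields."""
    severity = max(0, min(10, int(rec["risk"])))
    header = "|".join(["CEF:0", "AlienvaultOTX", "IP Reputation Feed", "1.0",
                       cef_header(str(rec["activity"])), "Suspicious Host",
                       str(severity)])
    ext = " ".join([
        "src=" + cef_ext(str(rec["ip"])),
        "cn1=%d" % rec["reliability"], "cn1Label=reliability",
        "cs1=" + cef_ext(str(rec["country"])), "cs1Label=country",
        "msg=" + cef_ext(INFO_URL % rec["ip"]),
    ])
    return header + "|" + ext


def convert(lines: List[str]) -> List[str]:
    """Convert a batch of feed lines to CEF, dropping malformed records."""
    out = []
    for line in lines:
        rec = parse_rep_line(line)
        if rec is not None:
            out.append(to_cef(rec))
    return out


def plan_update(local_rev: Optional[int], remote_rev: int) -> List[str]:
    """URLs to fetch: nothing when up to date, one incremental file per
    missed revision, or the full database on first run or if the advertised
    revision went backwards (assumed naming under /revisions/)."""
    if local_rev is None or local_rev > remote_rev:
        return [DATA_URL]
    return [BASE + "/revisions/reputation.data_%d" % r
            for r in range(local_rev + 1, remote_rev + 1)]


if __name__ == "__main__":
    for cef in convert(SAMPLE_LINES):
        print(cef)
    print(plan_update(41739, 41741))
```

Run it offline as-is; to use it on the real feed, fetch REV_URL, compare with the revision stored from the last run, pull what plan_update returns and pass the lines through convert before they reach the connector. The escaping functions matter once a record carries '|' or '=' in its activity string or URL; without them the ESM parser splits the event in the wrong place.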
chenselein1 Absent Member.

Re: IP reputation feed for Arcsight


Hi Steven,

Thanks for the update and CEF parser.

We found an error in the script, with the proxy handler not supporting https:

```python
# Original line (Python 2, urllib2): only the "http" scheme is mapped, so
# https requests to the feed server never go through the proxy.
proxy_support = urllib2.ProxyHandler({"http" : "http://%s:%s@%s:%d" % (user, password, proxy_host, proxy_port)})
```

Replacing the above line with:

```python
# Replacement: map both schemes to the proxy (the Python 3 equivalent is
# urllib.request.ProxyHandler with the same dict).
proxy_support = urllib2.ProxyHandler({"https" : "http://%s:%d" % (proxy_host, proxy_port), "http" : "http://%s:%d" % (proxy_host, proxy_port)})
```

made it work for us.

BR,

Christoph

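An added example in Python 3 (not the script from the thread, which is Python 2 and uses urllib2) that reproduces the failure Christoph hit and shows why his fix works: ProxyHandler only installs a <scheme>_open method for the schemes listed in its dict, so a handler built with only "http" lets https requests go straight out, bypassing the proxy. It also shows that credentials placed in the proxy URL, as in the original line, are turned into a Basic Proxy-Authorization header by urllib. The proxy host, port and credentials are placeholders, and no request is sent; the request object is only inspected after the handler has processed it.

```python
# Added example for this thread (Python 3); not the AlienVault script.
# The proxy host, port and credentials below are placeholders.
import urllib.parse
import urllib.request
from typing import Optional, Set, Tuple

PROXY_HOST, PROXY_PORT = "proxy.example.test", 3128


def build_proxy_handler(host: str, port: int, user: Optional[str] = None,
                        password: Optional[str] = None,
                        https: bool = True) -> urllib.request.ProxyHandler:
    """Build a ProxyHandler. https=False reproduces the original line from
    the script, which mapped only the "http" scheme."""
    if user and password:
        proxy = "http://%s:%s@%s:%d" % (user, password, host, port)
    else:
        proxy = "http://%s:%d" % (host, port)
    schemes = {"http": proxy}
    if https:
        schemes["https"] = proxy          # the fix: map https to the same proxy
    return urllib.request.ProxyHandler(schemes)


def proxied_schemes(handler: urllib.request.ProxyHandler) -> Set[str]:
    """Schemes the handler routes via the proxy. ProxyHandler defines a
    <scheme>_open method for each key of its dict and for nothing else, so
    a missing https_open means https requests are opened directly."""
    return {s for s in ("http", "https") if hasattr(handler, s + "_open")}


def route(handler: urllib.request.ProxyHandler,
          url: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host the request is sent to, Proxy-Authorization header) after
    the handler has processed the request, or None when the handler has no
    opener for the URL's scheme, i.e. the request would bypass the proxy."""
    scheme = urllib.parse.urlsplit(url).scheme
    if scheme not in proxied_schemes(handler):
        return None
    req = urllib.request.Request(url)
    # proxy_open rewrites the request in place: the proxy becomes req.host,
    # user:pass from the proxy URL becomes a Basic Proxy-Authorization header
    # and, for https, the real host is kept as the CONNECT tunnel target. It
    # returns None for these cases; no network I/O happens.
    handler.proxy_open(req, handler.proxies[scheme], scheme)
    return req.host, req.get_header("Proxy-authorization")


if __name__ == "__main__":
    broken = build_proxy_handler(PROXY_HOST, PROXY_PORT, https=False)
    fixed = build_proxy_handler(PROXY_HOST, PROXY_PORT, "scanner", "s3cret")
    feed = "https://reputation.alienvault.com/reputation.rev"
    print("broken:", proxied_schemes(broken), route(broken, feed))
    print("fixed: ", proxied_schemes(fixed), route(fixed, feed))
```

Note the security side effect of the original line: behind an egress-only proxy the https fetch simply fails, as Christoph saw, but on a host that can reach the Internet directly it would silently bypass the proxy and any inspection or logging done there. The certificate error he mentions is a separate matter; it is not fixed by proxy configuration and should be checked against the server's certificate chain rather than worked around by disabling verification.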