
Import Content into AL from external source


Good Morning All,

Had a random question that I was hoping someone could help me with.

Is it possible to import data into an AL via an external source? Say perhaps importing C2 server info into an AL then setting up a rule/notification from that?

So essentially just an import of either DNS names or IPs.

Any suggestions?

Thanks!

Andrew

Accepted Solutions
Andrew,

It's entirely possible. If it is a one time import and you can get the data into a CSV file, you can create the AL and then right click on it in the navigator panel and choose "Import CSV File...".

If this is an import that happens over and over again, for example you will add/remove IOCs as you find new ones, and old ones are defunct, then you can follow a slightly more complex process.

1) Get the data in your favorite format. Again, I recommend a CSV file for ease of use.

2) Have that file live in a permanent location on a host where you can install a connector.

3) Install a flex connector that can read the CSV file and import it into ArcSight.

4) Make sure to change startatend to == false in the agent.properties

5) Create an AL to hold your data

6) Create a real time rule that looks for data from that flex connector and adds that data to the Active List

Those are the broad strokes. Let me know if you need something cleared up.

Thanks,

Mike
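
One way to handle step 1 for the recurring case, added here as an example and not part of the original thread or any ArcSight tooling: normalize a mixed indicator feed into the CSV file the connector will read, dropping internal addresses so the list never matches your own hosts. The sample feed, the `type,value` column layout and the function names are assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed (documentation ranges and names, not real indicators).
SAMPLE_FEED = """\
# constructed sample
203.0.113.10
evil-c2[.]example
EVIL-C2.example
hxxp://198.51.100.7/gate.php
10.0.0.5
not a domain
2001:db8::1
"""

# Internal ranges that should never end up in a C2 list (assumed policy).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize(raw):
    """Return (type, value) for a usable indicator, or None to skip the line."""
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = s.replace("[.]", ".").replace("hxxp", "http")      # undo defanging
    s = re.sub(r"^[a-z]+://", "", s).split("/")[0].rstrip(".")  # host part only
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        return ("domain", s) if DOMAIN_RE.match(s) else None
    return None if any(ip in net for net in INTERNAL_NETS) else ("ip", str(ip))

def build_rows(feed_text):
    """Normalize every line and de-duplicate while keeping first-seen order."""
    rows = [r for r in map(normalize, feed_text.splitlines()) if r]
    return list(dict.fromkeys(rows))

def to_csv(rows):
    """Render rows as CSV text, one indicator per line, no header row."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_FEED)), end="")
```
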


I figured a flex connector would be involved somewhere along the line lol.

Thanks a ton Michael for the response. That seems to be the best course of action.
