Outstanding Contributor.

Integration of FireEye with ArcSight


Hi,

We are in the process of integrating FireEye with ArcSight. Can someone tell me which connector to be used for this integration.

We are forwarding the malware logs from FireEye via Rsyslog CEF format. The default ArcSight connector document is not that helpful and didn't talk about the integration mechanism.

Regards,

Anirudh

Contributor.

Re: Integration of FireEye with ArcSight

If it is CEF, you don't need any configuration; just send it via syslog to the syslog SmartConnector.

Contributor.

Re: Integration of FireEye with ArcSight

Also discussed here:

New Member.

Re: Integration of FireEye with ArcSight

This is an old post, but I wanted to bump this to something current. If you have FireEye, make sure you DON'T use syslog/CEF; you will miss important log elements.

Acclaimed Contributor.

Re: Integration of FireEye with ArcSight

That's interesting. What FireEye product are you referring to?

And what important elements are missed?

Super Contributor.

Re: Integration of FireEye with ArcSight

I am interested to know as well.

New Member.

Re: Integration of FireEye with ArcSight

We collect threat IOCs from the FE log messages (and send them to MISP, then ArcSight) that are not present in the CEF/syslog format. As far as I know, they are only available in the JSON and XML formats. We have additional content working on the rest of the IOCs you do not get in the syslog/CEF message.

If you reference the FireEye documentation AN_7.7.0.pdf, you can see what you are missing (pages 80-94 or so).

Sample CEF event and one page of the XML details (pages 83-91 show the web infection counterpart in XML); it won't let me upload here...

Attachments: fireeye-cef.png, fireeye-xml.png

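Added example, not code from anyone in this thread or from FireEye or ArcSight: a small parser for the CEF syslog line format the first reply recommends, which also reports which expected extension keys a given event does not carry, the gap the reply above describes. The sample event and the list of wanted keys are constructed for illustration; the header and extension escaping rules ("\|" in header fields, "\=" in extension values) are the CEF ones.

```python
import re

# Constructed sample CEF event (not an actual FireEye message). Header
# fields escape '|' as '\|'; extension values escape '=' as '\='.
SAMPLE_CEF = (
    "CEF:0|Vendor\\|Inc|Product|1.0|100|malware-object|10|"
    "src=10.0.0.5 dst=198.51.100.7 request=http://example.test/a\\=b "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e cs1Label=sandbox cs1=trace"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

# An extension key is a run of key characters followed by '=' at the start
# or after whitespace; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _split_header(line: str):
    """Return the 7 pipe-delimited header fields and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]

def _split_extension(ext: str) -> dict:
    """Parse 'key=value key=value'; values may contain spaces and '\\='."""
    matches, out = list(_KEY_RE.finditer(ext)), {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line: str) -> dict:
    """Parse one CEF line into header fields plus an 'extension' dict."""
    header, ext = _split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    event = dict(zip(HEADER_FIELDS, header))
    event["version"] = header[0].split(":", 1)[1]
    event["extension"] = _split_extension(ext)
    return event

def missing_fields(event: dict, wanted) -> list:
    """Names of expected extension keys the event did not carry."""
    return [k for k in wanted if k not in event["extension"]]
```

Running `missing_fields(parse_cef(SAMPLE_CEF), [...])` against the keys your content expects is a quick way to confirm, per feed, whether the CEF output carries them before deciding between the syslog route and the JSON/XML one.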
Visitor.

Re: Integration of FireEye with ArcSight

How are you receiving the output from MISP into ArcSight afterwards?

New Member.

Re: Integration of FireEye with ArcSight

Well, I have evolved things a bit. I am still using MISP; there is an automation component that drops a file that ArcSight can import through a file connector. Lately I have converted just about everything over to STIX/TAXII using Soltra Edge. Soltra seems to be fairly stable nowadays. The only problem was expanding the default partition from 60 GB to a TB; that was the only fun part. I pull the data to MISP, then push to Soltra; from there I can feed ArcSight and McAfee (TAXII) through their TIE Server, which pushes the threat intel data down to the workstations very quickly. I am looking to see if FE has a STIX/TAXII option.
