Integration of third-party tool with ArcSight
One piece of advice - be very, very specific in your questions, or people might not bother to answer.
Like external threats - what kind of threats?
Third-party tools - what kind of tools?
Thanks. The main intention is to make the ArcSight tool more intelligent by collecting data from various sources, so that monitoring and investigation can go deeper. By external threats I mean suspicious traffic from malicious IPs/domains, attacks, injecting commands into the web server, DoS attacks, traffic towards C&C servers, etc. Regarding tools, I am asking for inputs/suggestions that enable detecting the above attacks; it may also be scripts, URLs, or websites from which we will get the relevant information.
For threat intelligence - either you can write a script which contains the list of URLs where you can find the database of malicious IPs/domains etc., so the script will fetch the data from the given URLs to import into ArcSight and do correlation with network/security device logs etc.
Or manually get a copy of the list of malicious IPs/domains from reputation sites such as Zeustracker, SANS, malcode, etc., and import it into an active list via an Excel sheet - but this needs some manual effort, as the list should be updated frequently.
Otherwise - go for ArcSight RepSM, which is a separate module that does the same thing as above but with real-time information from HP's own reputation site.
Hope this helps.
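The scripted option described in the answer above, as an added example that is not code from the thread or from any of its posters: it parses feed text into a deduplicated indicator list, writes it out as a CSV with a header row for import into an active list, and then correlates constructed firewall/proxy log lines against it. The feed bodies, the log lines, the `src=`/`dst=`/`host=` key-value log format and the CSV column names are all this example's own assumptions; real feeds differ in layout, and the active-list columns must be matched to whatever the list in ArcSight actually defines. The `fetch_feed` helper shows where a real download would plug in but is not called, so the script runs offline.

```python
"""Threat-feed to active-list CSV, plus a simple correlation pass.

Added example (not from the thread). Feed text, log lines and column names are
constructed assumptions; adapt them to the real feeds and to the active-list
schema defined in ArcSight.
"""
import csv
import io
import ipaddress
import re
import urllib.request

# Constructed sample feeds. Real feeds mix comment lines, trailing comments,
# blank lines, "indicator,description" rows and the occasional junk line.
SAMPLE_FEEDS = {
    "feed_a": """# constructed feed, one indicator per line
203.0.113.10
203.0.113.10
198.51.100.77 # C&C, trailing comment after the indicator
bad.example.net
not an indicator !!!
""",
    "feed_b": """198.51.100.77,botnet
malware.example.org,dropper
2001:db8::1,scanner
""",
}

# Hostname check: dotted labels of up to 63 chars, 253 total, alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def fetch_feed(url, timeout=30):
    """Download one feed body as text (not called here; shown for completeness)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def classify(token):
    """Return 'ip', 'domain' or None for a single feed token."""
    try:
        ipaddress.ip_address(token)      # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    return "domain" if HOSTNAME_RE.match(token) else None


def parse_feed(text, source):
    """Yield (indicator, type, source), skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # full-line or trailing comment
        if not line:
            continue
        token = line.split(",", 1)[0].strip().lower()  # first CSV field only
        kind = classify(token)
        if kind is None:
            continue  # malformed line: skip rather than poison the active list
        yield token, kind, source


def build_active_list(feeds):
    """Merge feeds; dedupe across them and remember which feeds reported each."""
    entries = {}
    for source, text in feeds.items():
        for token, kind, src in parse_feed(text, source):
            entry = entries.setdefault(token, {"type": kind, "sources": set()})
            entry["sources"].add(src)
    return entries


def to_csv(entries):
    """Render the merged list as CSV (column names are an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["indicator", "type", "sources"])
    for indicator in sorted(entries):
        e = entries[indicator]
        writer.writerow([indicator, e["type"], ";".join(sorted(e["sources"]))])
    return buf.getvalue()


# Constructed firewall/proxy log lines in a key=value style.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z fw1 action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-01-01T10:00:01Z fw1 action=allow src=10.0.0.6 dst=93.184.216.34 dport=80 host=www.example.com",
    "2024-01-01T10:00:02Z proxy1 action=allow src=10.0.0.7 dst=198.51.100.77 dport=8080 host=malware.example.org",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def correlate(log_lines, entries):
    """Return (line, indicator, field, sources) for every dst/host that is listed.

    Both the destination IP and the requested hostname are checked, so a listed
    domain still fires when its current IP is not in any feed.
    """
    hits = []
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        for field in ("dst", "host"):
            value = fields.get(field, "").lower()
            if value in entries:
                hits.append((line, value, field, sorted(entries[value]["sources"])))
    return hits


if __name__ == "__main__":
    active_list = build_active_list(SAMPLE_FEEDS)
    print(to_csv(active_list))
    for line, indicator, field, sources in correlate(SAMPLE_LOGS, active_list):
        print(f"HIT {field}={indicator} (reported by {sources}): {line}")
```

Keeping the source feeds per indicator is what makes a hit worth escalating: an address that appears in two independent feeds is a stronger signal than one that appears in a single list, and the sources column is the cheapest place to carry that into the correlation rule.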
I have some scripts to download data, sources to get bad IPs and bad domains, and an ArcSight custom parser to get the data into ArcSight. Will share it with you tomorrow.
I have been working on something. Instead of using the script, I have hosted a site for Threat Intelligence data. You can download bad IP and bad domain details in CSV or TXT format. I have some connectors which you can use to get the data directly into ArcSight.
Site access is restricted. Please PM me if you need access.