aniruddh.shriva Absent Member.

TRM Connector Commands Execution


Hi Bala,

Please provide your inputs on sending commands to smart connectors.


Accepted Solutions
balahasan.v1 Acclaimed Contributor.

Re: TRM Connector Commands Execution


Hi Anirudh,

I thought you were asking about the Connector Command from a Rule. Your requirement is CounterACT connectors.

TRM are mostly developed and shared by the vendors under cost, like Mandiant, AV, DLP, Firewall and IPDS.

The basic ones are configured under the ArcSight Administration, which can be referenced

Capture.JPG

Don't have any particular samples with me. But I have created a document earlier from my test setup. Refer below

Multiple Script Commands sent across to the same CounterACT Connector.

From what I understand, you are looking for the CounterACT Connector Command, not just the Connector Command.

The CounterACT will be under Flex requirement. You need to install the CounterACT Connector to pass on the Commands. So for your earlier Script Execution the same can be used as well.

Please refer to the CounterACT Connector section in the attached document link:

The scenario which I meant in the message is below.

Connector 01: Primary Destination -> Logger and Secondary Fail over Destination -> Logger 2/ESM. Register in ESM.

Capture.JPG

Rule 01:

For any Logger Forwarding Connector doesn't report/Shutdown event, add the entry to an Active List (set AL entry expiry to 5 mins).

Only Sample Snap

Capture.JPG

Rule 02:

For any Logger Forwarding Connector report/Start up event, remove the entry from the Active List.

Only Sample Snap

Capture.JPG

Rule 03:

If the Logger Forwarding Connector doesn't report within 5 - 10 minutes (up to you), the Active List entry will expire. So create an alert condition for that.


Capture.JPG


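The three rules in the answer above work as a dead-man's switch built on the Active List expiry. The following Python model is an added example, not part of the original post and not ArcSight code; the connector names, event kinds, the `run_rules` helper and the refresh-on-re-add behaviour are assumptions for illustration, replayed over constructed events.

```python
from dataclasses import dataclass, field

TTL = 300  # seconds; the post sets the Active List entry expiry to 5 minutes

@dataclass
class ActiveList:
    """Minimal stand-in for an Active List with per-entry expiry."""
    ttl: int
    entries: dict = field(default_factory=dict)  # connector -> expiry time

    def add(self, key, now):
        # Assumption: re-adding an existing entry refreshes its expiry.
        self.entries[key] = now + self.ttl

    def remove(self, key):
        self.entries.pop(key, None)

    def expire(self, now):
        """Drop entries whose TTL has passed; return (expiry_time, key) pairs."""
        gone = sorted((t, k) for k, t in self.entries.items() if t <= now)
        for _, k in gone:
            del self.entries[k]
        return gone

def run_rules(events, until, ttl=TTL):
    """Replay (time, connector, kind) events and return the Rule 03 alerts."""
    al, alerts = ActiveList(ttl), []
    for now, connector, kind in sorted(events):
        # Rule 03: an entry that aged out means no start-up arrived in time.
        alerts += al.expire(now)
        if kind == "shutdown":    # Rule 01: add the connector to the list
            al.add(connector, now)
        elif kind == "startup":   # Rule 02: remove it again
            al.remove(connector)
    return alerts + al.expire(until)  # flush expiries up to the end time

# Constructed sample events: (seconds, connector name, event kind)
SAMPLE = [
    (0,   "fwd-logger-01", "shutdown"),
    (120, "fwd-logger-01", "startup"),   # recovered inside the TTL: no alert
    (200, "fwd-logger-02", "shutdown"),  # never comes back: alert at 500
    (900, "fwd-logger-01", "shutdown"),  # still inside the TTL at t=1000
]

if __name__ == "__main__":
    for when, name in run_rules(SAMPLE, until=1000):
        print(f"t={when}s: {name} did not restart within {TTL}s")
```

Each alert is stamped with the moment the entry expired, so the TTL is also the detection delay for a connector that stays down.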
alonzo.ramos Absent Member.

Re: TRM Connector Commands Execution


Thank you, that's what I was looking for. We have a script that gets triggered by certain rules in ArcSight/CounterACT and relays back to execute a /32 address. It works with 1 IP address. I just wanted to know if this action with a custom script would be able to block a /23, for example. I understand that the script would have to match the correct variables and functions.

Thanks
