eptw

Exporting Aggregated Events to External System

I'm currently working on a project to upstream a subset of events from ArcSight to external systems (one of which is Intellitactics) and am curious to know if any of you have done this in the past and could share some of your experience.  Would it be best to generate a new case based on whatever thresholds we set using rules, or have you done it differently? ArcSight can export in CEF, but is there another format (maybe some other XML) that is more efficient?

Thanks.

manjunath.singh

Re: Exporting Aggregated Events to External System

We too are looking for the same thing: we need ArcSight to send the correlated events to our external ticketing system in a particular format (CSV, XML), so that we can write an application at the other end that maps the ArcSight events to a format our system understands, creates a case, and triggers mail to the support team automatically.

Please let me know if anyone has tried or achieved the same with any other custom application.

eptw

Re: Exporting Aggregated Events to External System

We ended up using "Export to External System" as an action for the rules we export events from. If you are using a forwarding connector instead of XML output, the trick to getting base and correlated events is to use the key eventstream.cfc in the server.properties configuration file (the steps for creating this key can be found in the Forwarding Connector documentation).

ArcSight was very unhelpful when it came to parsing the XML output, but we had some developers do that for us using an XSLT they developed.

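The CEF-to-CSV mapping asked about in this thread, as an added example (not code from the posters or from ArcSight): a parser that honours the CEF header and extension escapes, and a CSV renderer that neutralises values a spreadsheet would treat as formulas, since event fields can carry attacker-supplied text. The sample record, its header values and the column selection are constructed for illustration.

```python
import csv
import io
import re

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
KEY = re.compile(r"(?:^|\s)([\w.\[\]-]+)=")  # an escaped "\=" never matches as a key
UNESC = {"n": "\n", "r": "\r"}               # other escapes map to the char itself

def parse_cef(line):
    """Parse one CEF record (optionally behind a syslog prefix) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + 4:].rstrip("\r\n")
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "|":                        # unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
        else:
            if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
                i += 1                       # header escapes: \\ and \|
            cur.append(body[i])
        i += 1
    if len(fields) < len(HEADER):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, fields))
    ext = body[i:]                           # key=value pairs; values may hold spaces
    keys = list(KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        event[m.group(1)] = re.sub(
            r"\\(.)", lambda e: UNESC.get(e.group(1), e.group(1)), raw)
    return event

def to_csv_row(event, columns):
    """Render the chosen fields as one CSV row, neutralising formula prefixes."""
    def safe(value):
        return "'" + value if value[:1] in ("=", "+", "-", "@") else value
    buf = io.StringIO()
    csv.writer(buf).writerow([safe(event.get(c, "")) for c in columns])
    return buf.getvalue().rstrip("\r\n")

# Constructed sample record (not taken from a real ArcSight export).
SAMPLE = (r"<134>Jan 01 00:00:00 esm.example CEF:0|ArcSight|ArcSight|0.0|rule:101|"
          r"Brute force \| repeated logins|8|src=192.0.2.10 duser=@admin "
          r"msg=threshold\=5 failed logins cnt=5")
```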