[HOWTO] Integrate your ArcSight Events with Google Maps
First of all, I want to thank Mr Ray Cotten from HP Security for making this possible, and for allowing me to share his code.
Also, all the rights to these scripts belong to him.
All your thanks below also belong to him.
I know all of you want to plot your events on Google Maps, since it is a good instrument to analyze the network situation and attacks on your external/internal perimeters.
Secondly, it is pretty good to show to management, isn't it?
NOW it is possible and very simple. Let me show you.
ALL YOU NEED:
1) ArcSight Manager installation (we have ESM 6.5; however, I believe it doesn't matter what the version is, because it is based on the reporting engine, which behaves the same on all versions).
2) Simple skills on ArcSight Reporting (editing filters and queries)
3) Google Maps integration pack (see attachment)
4) Access to google.com (don't be scared, only client access; no need to open it to the manager, which makes it quite easy to deploy!)
HOW IT PERFORMS:
1) The report (/All Reports/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) runs every 5 minutes, generates a CSV based on your customized query (/All Queries/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) and archives it to /opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/ArcSight Solutions/Google Maps Plugin/output.csv
2) When you run gmap_parse.sh, it executes the csv2kml.pl Perl script, which then moves to the background and runs every 60 seconds. Notice that you don't have to add it to cron or other schedulers.
3) The csv2kml.pl script converts the CSV output (generated by the report) to Google-like KML GEO format and puts the result file at /opt/arcsight/manager/webpages/kml/map.kml
4) gmdash.html, which includes some JS scripts (like the Google Maps API v3), presents the final result to the end user.
1) Install make and CPAN (yum install make, yum install CPAN). For Windows systems use Google. Go to step 2.
2) Install the Text::CSV Perl module using the freshly installed CPAN (cpan -i Text::CSV)
3) Create a "kml" dir in /opt/arcsight/manager/webpages/. The full path will look like this: /opt/arcsight/manager/webpages/kml
4) Install Google_Maps_Plugin.arb into your ArcSight system.
5) Customize the query (/All Queries/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) to include all events you need to show on the map. You can also create as many queries and reports as you want.
6) Upload files:
6.1) csv2kml.pl to /opt/arcsight/manager/bin/scripts. Make it executable (chmod +x csv2kml.pl)
6.2) gmdash.html to /opt/arcsight/manager/webpages
6.3) all contents of the "images" dir to /opt/arcsight/manager/webpages/images
6.4) the executable script (gmap_parse.sh) to anywhere you want, for example your /home directory
7) Changes that you need:
7.1) Create your dashboard title image (use Photoshop etc. to edit the title.png image in the "images" directory). Now this is your personal dashboard name.
7.2) Change the ZOOM level and map center coords in gmdash.html, according to your monitor settings, your wishes etc.
7.3) If you need map controls (zoom level adjustment and joystick), just set disableDefaultUI in gmdash.html to false
7.4) Edit csv2kml.pl in any of your text editors and modify the icons path (just replace your-manager-host with your hostname)
8) Add gmap_parse to autorun (for example, create a symlink in /etc/rc3.d: ln -s /home/arcsight/scripts/gmap_parse.sh /etc/rc3.d/S99gmap)
9) Run gmap_parse.sh
10) Open Web Page https://your-manager-host:8443/arcsight/web/gmdash.html
IF YOU'VE DONE ALL CORRECTLY, YOU SHOULD SEE THIS:
Now buy a big plasma TV (50" minimum), grab some beer and analyze incidents in a new way.
Good luck everyone! Feedback is welcome.
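The CSV-to-KML step (point 3 under HOW IT PERFORMS) is the part of the pipeline where raw event fields end up inside an XML document served by the manager, so it is worth seeing what a safe version looks like. The following is an added example written for this post; it is not Ray Cotten's csv2kml.pl and not part of the Google_Maps_Plugin.arb package. It assumes hypothetical column names for the report output (sourceAddress, sourceGeoLatitude, sourceGeoLongitude, sourceHostName, eventCount), uses a constructed CSV sample, and builds the KML with ElementTree so that hostnames or user names taken from events are escaped rather than interpreted as markup. It also writes map.kml through a temporary file and rename, so the dashboard never loads a half-written file while the 60-second loop is regenerating it.

```python
"""Added example: Python equivalent of the CSV -> KML step.
Not the plugin's csv2kml.pl; column names and sample rows are constructed."""
import csv
import io
import os
import tempfile
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample of what the 5-minute report might archive (hypothetical
# column names). Row 3 carries markup in the hostname field to show why the
# output must be escaped; row 4 has no coordinates and must be skipped.
SAMPLE_CSV = """sourceAddress,sourceGeoLatitude,sourceGeoLongitude,sourceHostName,eventCount
203.0.113.10,52.5200,13.4050,host-a.example,17
198.51.100.7,40.7128,-74.0060,host-b.example,3
192.0.2.44,35.6895,139.6917,<script>alert(1)</script>,9
192.0.2.45,,,noloc.example,1
"""


def parse_rows(csv_text):
    """Yield one dict per row that has valid coordinates; drop the rest."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            lat = float(row["sourceGeoLatitude"])
            lon = float(row["sourceGeoLongitude"])
        except (ValueError, TypeError, KeyError):
            continue  # rows without geo data cannot be plotted
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue  # out-of-range values would break the map silently
        yield {"ip": row["sourceAddress"], "lat": lat, "lon": lon,
               "name": row.get("sourceHostName", ""),
               "count": row.get("eventCount", "0")}


def csv_to_kml(csv_text, icon_href):
    """Build the KML document as a string.

    ElementTree escapes every text node, so event-derived fields such as
    hostnames cannot inject elements into the KML the dashboard loads."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    style = ET.SubElement(doc, f"{{{KML_NS}}}Style", id="deny")
    icon_style = ET.SubElement(style, f"{{{KML_NS}}}IconStyle")
    icon = ET.SubElement(icon_style, f"{{{KML_NS}}}Icon")
    ET.SubElement(icon, f"{{{KML_NS}}}href").text = icon_href
    for r in parse_rows(csv_text):
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = f"{r['ip']} ({r['name']})"
        ET.SubElement(pm, f"{{{KML_NS}}}description").text = f"{r['count']} denied events"
        ET.SubElement(pm, f"{{{KML_NS}}}styleUrl").text = "#deny"
        point = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(point, f"{{{KML_NS}}}coordinates").text = f"{r['lon']},{r['lat']},0"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(kml, encoding="unicode")


def write_kml_atomically(kml_text, dest_path):
    """Write to a temp file in the target directory, then rename over
    dest_path, so a reader never sees a partially written map.kml."""
    directory = os.path.dirname(dest_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(kml_text)
    os.replace(tmp, dest_path)
    return dest_path


if __name__ == "__main__":
    # Hypothetical icon URL; replace your-manager-host as step 7.4 says.
    out = csv_to_kml(SAMPLE_CSV, "https://your-manager-host:8443/arcsight/web/images/deny.png")
    print(out)
```

Point it at the archived output.csv and /opt/arcsight/manager/webpages/kml/map.kml from the post to use it in place of the Perl script; the validation in parse_rows is what keeps a malformed report row from producing a map that silently stops rendering.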
Good Stuff Nicolay!
I like this approach
Maybe rewriting csv2kml.pl to python is a good idea as not everyone has cpan access on his server to install Text::CSV
You also have to change the link to your own ESM and the Google API key to your own in gmdash.html
<link rel="icon" type="image/png" href="https://<your esm here>:8443/arcsight/web/images/arc_icon.png" />
thanx for sharing!
For the API key you need a google account and go to API Console - Google Code
Enable a google Maps APIv3, copy the key into the html code
It's limited to 25,000 requests per day for free though.
Thank you Ray for putting this together as it's pretty much the coolest thing ever. After some tweaking it is working wonderfully and will definitely have that wow-factor when it's up on the 60" soon.
And thanks for sharing Nikolay!
Thanks for your information provided above.
I have some concerns which I think you might be able to help resolve.
As you know, the ArcSight appliance's Red Hat Linux is a completely stripped-down version of Linux. I would like it if you could clarify steps 1 to 3 above, maybe in rookie terms.
Also, it is worth mentioning that installing software that is not pre-bundled with the ArcSight appliance invalidates your guarantee and support from HP ArcSight, hence making it almost impossible to implement the above recommendation.
Another thing I have discovered is that it would help a lot if you could put together your process in more simplified steps for better understanding (for rookies). I am still struggling to grasp some steps and would require additional information from you to accomplish this task.