[HOWTO] Integrate your ArcSight Events with Google Maps

Hello, community!

First of all, I want to thank Mr Ray Cotten from HP Security for making this possible, and for allowing me to share his code.
Also, all the rights to these scripts belong to him.

All your thanks below also belong to him

I know all you guys want to plot your events on Google Maps, since it is a good instrument to analyze the network situation and attacks on your external/internal perimeters.
Secondly, it is pretty good to show to management, isn't it?

NOW it is possible and very simple. Let me show.

ALL YOU NEED:

1) ArcSight Manager installation (we have ESM 6.5, however, I believe it doesn't matter what the version is, because it is based on the reporting engine, which behaves the same on all versions).
2) Simple skills on ArcSight Reporting (editing filters and queries)

3) Google Maps integration pack (see attachment)

4) Access to google.com (don't be scared, only client access, no need to open it to the manager, which makes it quite easy to deploy!)

HOW IT PERFORMS:

1) The report (/All Reports/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) runs every 5 minutes, generates a CSV based on your customized query (/All Queries/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) and archives it to /opt/arcsight/manager/reports/archive/Archived Reports.Meta.Group/ArcSight Solutions/Google Maps Plugin/output.csv

2) When you run gmap_parse.sh, it executes the csv2kml.pl perl script, which then moves to the background and runs every 60 seconds. Notice that you don't have to add it to cron or other schedulers.
3) The csv2kml.pl script converts the CSV output (generated by the report) to the Google-like KML GEO format and puts the result file in /opt/arcsight/manager/webpages/kml/map.kml
4) gmdash.html, which includes some JS scripts (like the Google Maps API v3), presents the final result to the end user.

QUICK GUIDE:

1) Install make and CPAN (yum install make, yum install CPAN). For Windows systems use Google. Go to step 2
2) Install Text::CSV perl module using freshly installed CPAN (cpan -i Text::CSV)
3) Create a "kml" dir in /opt/arcsight/manager/webpages/. The full path will look like this: /opt/arcsight/manager/webpages/kml
4) Install Google_Maps_Plugin.arb to your ArcSight system.
5) Customize the query (/All Queries/ArcSight Solutions/Google Maps Plugin/Google Maps Plugin - Firewall Deny) to include all events you need to show on the map. You can also create as many queries and reports as you want.
6) Upload files:
     6.1) csv2kml.pl to /opt/arcsight/manager/bin/scripts. Make it executable (chmod +x csv2kml.pl)
     6.2) gmdash.html to /opt/arcsight/manager/webpages

     6.3) all contents of the "images" dir to /opt/arcsight/manager/webpages/images
     6.4) the executable script (gmap_parse.sh) to anywhere you want, for example your /home directory

7) Changes that you need:
     7.1) Create your dashboard title image (use photoshop etc to edit title.png image in "images" directory). Now this is your personal dashboard name.

     7.2) Change ZOOM level and map center coords in gmdash.html, according to your monitor settings, your wishes etc

[Screenshot: 22.01.png]

     7.3) If you need map controls (zoom level adjustment and joystick) - just set disableDefaultUI in gmdash.html to false

     7.4) Edit csv2kml.pl in any of your text editors and modify icons path (just replace your-manager-host with your hostname)
8) Add gmap_parse to autorun (for example, create a symlink in /etc/rc3.d, ln -s /home/arcsight/scripts/gmap_parse.sh /etc/rc3.d/S99gmap)

9) Run gmap_parse.sh

10) Open Web Page https://your-manager-host:8443/arcsight/web/gmdash.html

IF YOU'VE DONE ALL CORRECTLY, YOU SHOULD SEE THIS:

[Screenshot: 22.01.png]

Congratulations!
Now buy a big Plasma TV (50" minimum), grab some beer and analyze incidents in a new way.

Good luck everyone! Feedback is welcome.
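The CSV-to-KML conversion step (item 3 of "HOW IT PERFORMS") as an added Python example; this is not Ray Cotten's csv2kml.pl, and the CSV column names, the sample rows and the marker icon path are constructed assumptions that you would match to your own report query. Rows with missing or out-of-range coordinates are skipped, and the KML is built with ElementTree so that event data containing markup is escaped rather than written raw into a file served from the manager's webpages directory.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the CSV a report might archive.
# Column names are assumptions for this example; adjust to your query.
SAMPLE_CSV = """attackerAddress,attackerGeoLatitude,attackerGeoLongitude,eventCount
203.0.113.7,51.5074,-0.1278,42
198.51.100.23,,,5
192.0.2.9,95.0,200.0,3
203.0.113.8,40.7128,-74.0060,17
"""

KML_NS = "http://www.opengis.net/kml/2.2"

def parse_rows(csv_text):
    """Yield (ip, lat, lon, count) for rows with usable coordinates.
    Rows with missing, non-numeric or out-of-range coordinates are
    skipped so that one bad row cannot break the whole map."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            lat = float(row["attackerGeoLatitude"])
            lon = float(row["attackerGeoLongitude"])
            count = int(row["eventCount"])
        except (KeyError, TypeError, ValueError):
            continue
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue
        yield row["attackerAddress"], lat, lon, count

def csv_to_kml(csv_text, icon_href="https://your-manager-host:8443/arcsight/web/images/marker.png"):
    """Build a KML document with one Placemark per usable row.
    ElementTree escapes element text, so field values containing
    '<' or '&' cannot inject tags into the generated KML."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    style = ET.SubElement(doc, "Style", id="deny")
    icon = ET.SubElement(ET.SubElement(style, "IconStyle"), "Icon")
    ET.SubElement(icon, "href").text = icon_href  # assumed icon path
    for ip, lat, lon, count in parse_rows(csv_text):
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = ip
        ET.SubElement(pm, "description").text = f"{count} denied events"
        ET.SubElement(pm, "styleUrl").text = "#deny"
        point = ET.SubElement(pm, "Point")
        # KML orders coordinates as longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")

def placemark_count(kml_text):
    """Count Placemarks in a KML string (handy for a quick sanity check)."""
    root = ET.fromstring(kml_text)
    return len(root.findall(f".//{{{KML_NS}}}Placemark"))
```

Writing the returned string to /opt/arcsight/manager/webpages/kml/map.kml every 60 seconds reproduces what the background loop in the original setup does.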

9 Replies

Fleet Admiral
Hi Nikolay,

This looks like some Cool Stuff just like AlienVault OSSIM ... Cheers

Absent Member.

Thanks for sharing!

I've been waiting for this since Protect2013 (I've visited that session, where this solution was presented).


Good Stuff Nikolay!

I like this approach

Maybe rewriting csv2kml.pl to python is a good idea as not everyone has cpan access on his server to install Text::CSV

You also have to change the link to your own ESM and the Google API key to your own in gmdash.html


<link rel="icon" type="image/png" href="https://<your esm here>:8443/arcsight/web/images/arc_icon.png" />

and

<script type="text/javascript" src="https://maps.googleapis.com/maps/api/js?key=<your google API key here>&sensor=false"></script>

thanx for sharing!

cheers,

/Steven

Absent Member.

Being completely ignorant to this, which type of maps API key do you use here?


ninja_tea,

For the API key you need a google account and go to API Console - Google Code

Enable the Google Maps API v3, copy the key into the HTML code

It's limited to 25,000 requests per day for free though.

/steven

Absent Member.

Thanks. Hooked it up today.

-trav

Travis Aldrich

Absent Member.

Thank you Ray for putting this together as it's pretty much the coolest thing ever.  After some tweaking it is working wonderfully and will definitely have that wow-factor when it's up on the 60" soon.

And thanks for sharing Nikolay!

Cadet 3rd Class

Hi Nikolay,

Thanks for your information provided above.

I have some concerns which I think you might be able to help resolve.

As you know, the ArcSight appliance's Red Hat Linux is a completely stripped-down version of Linux. I would like it if you could clarify steps 1 to 3 above, maybe in rookie terms.


Also, it is worth mentioning that installing software that is not pre-bundled with the ArcSight appliance invalidates your guarantee and support from HP ArcSight, hence making it almost impossible to implement the above recommendation.

Another thing which I have discovered is that it would help a lot if you could put together your process in more simplified steps for better understanding (for rookies). I am still struggling to grasp some steps and would require additional information from you to accomplish this task.

Thanks

Matt

Captain

Did anyone get this kind of visualisation working for ESM 6.8+ ?
Still hoping to get away from that awful JAVA map...
