dgewertz (Absent Member)

Has anyone used SIEM or Logger to track GPS location of a device?


Pardon the simplistic question, but I am trying to understand if an Arcsight SIEM, Logger, or both could be configured to accept NMEA 2.0 GPS data, and then alert an end user or send an alert when the NMEA data either indicates that the lat/long coordinates have changed by some set amount, or if the NMEA data stops coming in altogether after some set time. The device can output NMEA data via IP (by telnetting in I believe).

Has anyone done this, or know if this can be done, and what in general is required to do this? I am a newbie to Arcsight, but trying to rapidly ramp up.

Greatly appreciate the insight from this board. I did a search on "GPS" and "NMEA" but didn't find much.


Accepted Solutions
eugene.afonin@h1 (Frequent Contributor)

Re: Has anyone used SIEM or Logger to track GPS location of a device?


Hi,

  1. You need ArcSight ESM or ArcSight Express because this logic requires advanced correlation capabilities which logger does not possess,
  2. You need to create a custom connector to get data from your GPS device into ArcSight,
  3. You need a rule to populate an active list with first position of a user,
  4. You need a rule to check current lat/long value in active list with position updates from a GPS device.

If the rule detects a change in lat/long exceeding the set threshold, then using rule actions you could do anything - create a case, send a notification, execute an OS script with event attributes.

So the answer is YES, it could be done. But the trick is you need some experience developing Arcsight content to do that. Starting with the User Guide and the AESA course would be of great help in that.


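As an added illustration (not code from the thread, and not ArcSight connector or rule code), the sketch below models the pipeline the answer describes in plain Python: the parsing a custom connector would do on raw NMEA sentences (checksum verification, `$GPRMC` field layout, ddmm.mmmm to decimal degrees), a per-device baseline standing in for the active list that stores the first position, a "moved more than N metres" rule using the haversine distance, and the "no data for a set time" rule the question also asked about. The sample sentences, device name `unit-1`, the 50 m threshold and the 5-minute silence window are all constructed here for the demo.

```python
import math
from datetime import datetime, timedelta, timezone
from functools import reduce
from operator import xor


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    return "%02X" % reduce(xor, (ord(c) for c in body), 0)


def make_sentence(body: str) -> str:
    """Build a '$body*HH' sentence. Used here only to construct sample input."""
    return "$%s*%s" % (body, nmea_checksum(body))


def checksum_ok(sentence: str) -> bool:
    """Reject anything that is not '$...*HH' or whose checksum does not match."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return given.strip().upper() == nmea_checksum(body)


def nmea_to_decimal(value: str, hemisphere: str) -> float:
    """Convert NMEA ddmm.mmmm (lat) / dddmm.mmmm (lon) plus N/S/E/W to signed degrees."""
    dot = value.index(".")
    degrees = float(value[: dot - 2])
    minutes = float(value[dot - 2:])
    dec = degrees + minutes / 60.0
    return -dec if hemisphere in ("S", "W") else dec


def parse_rmc(sentence: str):
    """Return (lat, lon) from a $..RMC sentence, or None if corrupt or no valid fix."""
    if not checksum_ok(sentence):
        return None
    fields = sentence[1:].split("*")[0].split(",")
    # RMC layout: talker+RMC, UTC time, status (A=valid, V=void), lat, N/S, lon, E/W, ...
    if len(fields) < 7 or not fields[0].endswith("RMC") or fields[2] != "A":
        return None
    return nmea_to_decimal(fields[3], fields[4]), nmea_to_decimal(fields[5], fields[6])


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres on a 6371 km sphere."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class PositionTracker:
    """Stand-in for the active list plus the two rules: drift and silence."""

    def __init__(self, drift_m: float, silence: timedelta):
        self.drift_m = drift_m
        self.silence = silence
        self.baseline = {}   # device -> (lat, lon): the "first position" the answer mentions
        self.last_seen = {}  # device -> time of the last valid fix

    def feed(self, device: str, sentence: str, now: datetime):
        """Process one sentence; return a list of (kind, device, detail) alerts."""
        pos = parse_rmc(sentence)
        if pos is None:
            return [("invalid", device, sentence)]
        self.last_seen[device] = now
        if device not in self.baseline:
            self.baseline[device] = pos  # first sighting populates the "active list"
            return []
        dist = haversine_m(*self.baseline[device], *pos)
        return [("moved", device, round(dist))] if dist > self.drift_m else []

    def check_silence(self, now: datetime):
        """Rule for the second case in the question: no fix for longer than the window."""
        return [("silent", dev, now - seen)
                for dev, seen in self.last_seen.items() if now - seen > self.silence]


def run_demo():
    """Constructed scenario: first fix, a fix ~115 m north, a corrupted sentence, then silence."""
    t0 = datetime(2024, 1, 1, 12, 35, 19, tzinfo=timezone.utc)
    tracker = PositionTracker(drift_m=50.0, silence=timedelta(minutes=5))
    s1 = make_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W")
    s2 = make_sentence("GPRMC,123619,A,4807.100,N,01131.000,E,000.0,084.4,230394,003.1,W")
    s3 = s1.replace(",A,", ",V,")  # one byte altered after the checksum was computed
    alerts = []
    alerts += tracker.feed("unit-1", s1, t0)
    alerts += tracker.feed("unit-1", s2, t0 + timedelta(minutes=1))
    alerts += tracker.feed("unit-1", s3, t0 + timedelta(minutes=2))
    alerts += tracker.check_silence(t0 + timedelta(minutes=10))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In ArcSight terms, `parse_rmc` is the connector's parser (a FlexConnector would map latitude/longitude into event fields), `baseline` is the active list keyed by device, `feed` is the rule that compares each update with the stored position, and `check_silence` is the rule that fires when a device has not reported within the window. Dropping sentences with a bad checksum before they reach the rules matters because a single corrupted line would otherwise look like a large jump in position.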