SCM ArcSight Integration

Here the steps to integrate with ArcSight Logger. 

    • Store assessment events and reports = estimated 1.7MB per event
    • By default, the Core Services Configuration Utility does not display the Advanced tab.
  • Core Services Configuration (Advanced Tab Mode)
    • Close the utility (if open)
    • Run: installation_directory\Core Services\bin\config.bat
      • Core Services Configuration Utility opens
    • Select the Advanced tab
  • Enable Logging (Core Svcs - Advanced Tab Mode)
    • assessment/Thirdparty/SIEM/AppIntegration/Enabled = true
      • ArcSight / Splunk
    • assessment/Check/Include
      • Sentinel
    • Restart Core Services
  • Logging (CEF)
    • Forward Assessment Report (SIEM)
      • Forward Events of Assessment result = Enabled
      • Destination Server = Blanks
      • Destination Server Credentials = Blank
      • Forward Assessment Events: By Asset (Default)
      • Assessment Conditions to Forward: True / Low Risk / True
    • Core Services must know the connection settings for the SIEM server.
      • Open the thirdpartysiem.csv file, located by default in the NetIQ\Secure Configuration Manager\Core Services\etc folder.
      • Add entries to the file that specify the connection settings for each SIEM server to which you want to send event data. Use the following format:
        • IP_address:port,protocol
  • ArcSight Logger Configuration
    • Configuration > Receivers > Add
    • CEF TCP Recommended (CEF UDP works as well)
    • TCP 524 = SCM PDF Example
  • SCM: Run Policy Template
    • Forward Assessment Report to Destination Server
0 Replies
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.