Sentinel customFieldMaps - ArcSight Parsing - Universal Common Event Format

ArcSight SmartConnector -> Universal Common Event Format

Most CEF events parse properly, but as an ArcSight SME I needed a few more in Sentinel.


Two examples:
- Cisco Firepower
- McAfee ePO


Get Raw Data

- Option 1: Sentinel web UI “Get Raw Data”
- Option 2: In Sentinel Control Center, right-click the SyslogConnector and choose “Edit”, where you can copy raw data to a file.

Parser - CustomFieldMap

  1. Sentinel Control Center
    1. Right-click the Universal CEF Collector and stop it
    2. Once it has stopped, right-click it again and click “Debug”
    3. Click OK (Live Mode)
    4. Click “Upload/Download”
    5. Clicking Download places the file in the default location (I just left mine at default)
    6. Leave this window open for step 3
  2. Workstation
    1. Go to C:\Users\\.novell\sentinel\data\collector_workspace\Universal_Common-Event-Format\customFieldMaps
    2. Create Text File: Cisco_Firepower.map
      1. One mapping per line, in the form Sentinel Event Field,Input Record Field:
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
        InputBytes,cef.extensions["bytesIn"]
        OutputBytes,cef.extensions["bytesOut"]
    3. Create Text File: McAfee_ePolicy.Orchestrator.map
      1. One mapping per line, in the form Sentinel Event Field,Input Record Field:
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
        CEFOldFilePath,cef.extensions.filePath
        CEFOldFileName,cef.extensions.fname
    4. Create Text File: McAfee_Host.Data.Loss.Prevention.map
      1. One mapping per line, in the form Sentinel Event Field,Input Record Field:
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
  3. Sentinel Control Center
    1. Click Upload in the Debug window left open in step 1
    2. Start the Event Source, the Connector, and the Universal CEF Collector
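As an added example (not from the original post and not Micro Focus code), here is a small Python model of what a customFieldMap does: it parses one CEF line into a `cef.extensions` record and applies `SentinelField,inputRecordPath` lines from a map file, resolving both the dotted (`cef.extensions.cn1`) and bracketed (`cef.extensions["bytesIn"]`) path forms used above. The CEF header key names and the sample event are assumptions; the sample map lines mirror the Cisco_Firepower.map entries.

```python
import re

# CEF header key names are an assumption for this example (the page only uses cef.extensions.*)
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")
# key=value tokens: a value runs until the next unescaped " key=" or the end of the line
EXT_RE = re.compile(r'(?P<key>[\w.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[\w.]+=|\s*$)')
# map-file path segments: .name or ["name"]
PATH_RE = re.compile(r'\.?([A-Za-z_]\w*)|\["([^"]+)"\]')

def unescape(s):
    r"""Undo CEF escaping: \| \= \\ give the literal char, \n and \r become line breaks."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)

def parse_cef(line):
    """Split on unescaped '|': 7 header fields, the remainder is the extension string."""
    parts = re.split(r'(?<!\\)\|', line.strip(), maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    header["extensions"] = {m["key"]: unescape(m["val"]) for m in EXT_RE.finditer(parts[7])}
    return {"cef": header}

def load_map(text):
    """Parse 'SentinelField,input.record.path' lines; blank lines are skipped."""
    return [tuple(p.strip() for p in ln.split(",", 1)) for ln in text.splitlines() if ln.strip()]

def resolve(record, path):
    """Walk dotted and ["bracketed"] segments; None if any segment is missing."""
    cur = record
    for dotted, bracketed in PATH_RE.findall(path):
        cur = cur.get(dotted or bracketed) if isinstance(cur, dict) else None
    return cur

def apply_map(record, pairs):
    """Set each Sentinel field whose input path resolves; unresolved paths are left out."""
    return {field: v for field, path in pairs if (v := resolve(record, path)) is not None}

# Constructed sample event and map (the map mirrors Cisco_Firepower.map entries above)
SAMPLE_EVENT = ("CEF:0|Cisco|Firepower|6.4|430001|INTRUSION EVENT|7|"
                "act=Block cn1=42 cs1=Example Policy bytesIn=1200 bytesOut=300 msg=note a\\=b")
SAMPLE_MAP = """CEFCustomNumber1,cef.extensions.cn1
CEFCustomString1,cef.extensions.cs1
VendorOutcomeCode,cef.extensions.act
InputBytes,cef.extensions["bytesIn"]
"""

def map_sample():
    return apply_map(parse_cef(SAMPLE_EVENT), load_map(SAMPLE_MAP))
```

A mapping whose input path is absent from an event (for example `cn3` on a product that never sends it) simply produces no Sentinel field, which is why the map files above can list more keys than any single event carries.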
Last update: 2019-07-18 20:07