ArcSight ESM - RSA NetWitness Suite Integration Guide

Document created by Evan Pols Employee on Feb 3, 2017
Version 1

The 'NetWitness-ArcSight_Integrations' zipped archive contains the documentation, required references and import files needed to create integrations between ArcSight ESM and NetWitness. It is broken down into three main integrations:

  1. Right-Click lookup functionality from ArcSight allowing an analyst to pivot to NetWitness and perform an investigation using one of the following queries:
    • Filename
    • SessionID
    • Source Address (IP)
    • Destination Address (IP)
    • Source Address (IP) and Destination Address (IP) Combination
    • Source Address (IP) and Destination Hostname Combination
    • Source Address (IP) and Destination TCP/UDP Port Combination
    • ESA Alert originating event callback (using Decoder ID, RID & SessionID)
  2. A Custom CEF Formatted ESA Notification Template and associated Global Notification Configuration to stream alert information to an ArcSight Syslog SmartConnector. This template will use the following mapping table:
  3. A Reporting Engine Alert CEF Syslog Template
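The second integration streams ESA alerts to an ArcSight Syslog SmartConnector as CEF, and a SmartConnector only parses a line correctly when the header and extension fields are escaped exactly as the CEF specification requires. The following Python is an added example, not the guide's own notification template or RSA code: it builds a CEF line from an alert dictionary and parses it back so the escaping can be checked. The alert attribute names, the field mapping in `EXTENSION_MAP` (the guide's actual mapping table is not reproduced on this page) and the vendor/product/version values are all assumptions.

```python
"""Added example: format a NetWitness-style alert as a CEF syslog line and
parse it back. Field mapping is assumed; the guide's own table is not shown."""
import re
from datetime import datetime, timezone

CEF_VERSION = "0"

# Assumed mapping from hypothetical alert attribute names to public CEF
# extension keys. The guide's real mapping table is not reproduced here.
EXTENSION_MAP = {
    "source_ip": "src",
    "dest_ip": "dst",
    "source_port": "spt",
    "dest_port": "dpt",
    "filename": "fname",
    "session_id": "cs1",  # custom string 1; its meaning travels in cs1Label
}


def escape_header(value) -> str:
    """Header fields: backslash and pipe must be escaped (backslash first)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value) -> str:
    """Extension values: backslash, equals sign and line breaks must be escaped."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def alert_to_cef(alert: dict, vendor="RSA", product="NetWitness", version="11.0") -> str:
    """Return one CEF line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    header = "|".join(escape_header(v) for v in (
        vendor, product, version, alert["rule_id"], alert["rule_name"], alert["severity"]))
    ext = []
    if "timestamp" in alert:  # CEF 'rt' is milliseconds since the epoch
        ext.append(f"rt={int(alert['timestamp'].timestamp() * 1000)}")
    for src_key, cef_key in EXTENSION_MAP.items():
        if src_key in alert:
            ext.append(f"{cef_key}={escape_extension(alert[src_key])}")
    if "session_id" in alert:
        ext.append("cs1Label=SessionID")
    return f"CEF:{CEF_VERSION}|{header}|" + " ".join(ext)


def split_header(line: str):
    """Split the seven pipe-delimited header fields, honouring escaped pipes.
    Returns (fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, line[i + 1:]
        else:
            cur.append(c)
        i += 1
    return fields + ["".join(cur)], ""


def unescape_extension(raw: str) -> str:
    """Reverse escape_extension, turning \\n and \\r back into line breaks."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> dict:
    """Split 'key=value key=value' on whitespace that precedes a new key."""
    out = {}
    for tok in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, raw = tok.partition("=")
        out[key] = unescape_extension(raw)
    return out


# Constructed sample alert (not real data); the name and filename contain a
# pipe and an equals sign on purpose to exercise the escaping rules.
SAMPLE_ALERT = {
    "rule_id": "ESA-1042",
    "rule_name": "Suspicious File | Transfer",
    "severity": 7,
    "timestamp": datetime(2017, 2, 3, 12, 0, tzinfo=timezone.utc),
    "source_ip": "10.0.0.5",
    "dest_ip": "203.0.113.9",
    "dest_port": 443,
    "filename": "invoice=final.pdf",
    "session_id": "123456",
}

if __name__ == "__main__":
    line = alert_to_cef(SAMPLE_ALERT)
    print(line)
    hdr, ext = split_header(line)
    print(hdr, parse_extension(ext))
```

Feeding the unescaped rule name or filename straight into a template is the usual failure: a stray `|` shifts every header field after it, and a stray `=` splits one extension value into two, so the SmartConnector maps the wrong data to `src`, `dst` or `fname`. Round-tripping a constructed alert through the parser, as above, is a cheap way to verify a template before pointing it at a production connector.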