Archer SecOps integration
I have installed SecOps on my Archer 5.5 SP3 environment and tried to integrate it with Security Analytics and ArcSight, but we are not able to get data/alerts. Can someone suggest what the possible reasons may be? What are the primary checkpoints which I need to ensure are in place?
Any suggestions are invited.
Can you please be a little bit more specific as to what exactly you want to achieve? We have built an interface between Archer and ArcSight using the RSA Connector Framework with a mapping file in which we specified which fields from ArcSight are mapped to the fields in the Archer Security Events application in SecOps. Is that what you're trying to do as well?
I am trying to achieve the same with a minor change.
Instead of ArcSight, I am trying to integrate RSA SA first.
I have not tried it with ArcSight yet, but will integrate that as well after the integration with SA is successful.
Please let me know if you require any other info.
Any kind of help would be highly appreciated.
Good morning Arvind,
So as far as I know, the integration with SA is straightforward, as a lot of the fields already exist. Here's the link to the SecOps 126.96.36.199 page where you can find all the documents and files that you need: https://community.rsa.com/docs/DOC-44272
I hope that helps,
Thanks for your support and cooperation.
I have successfully completed the integration with SA.
My next task is to integrate with ArcSight.
Can you provide me with a step-by-step guide for beginners, or some common checkpoints which I need to ensure during the integration?
Any kind of help would be appreciated.
And thank you again.
There's not much I can point you to apart from what you find in the guides, I'm afraid. Once you have installed the Collector Framework, the endpoints and the syslog server, you should have an endpoint listening on port 514. You will have to spend some thought on the mapping of fields coming from ArcSight and adjust the XML mapping file on the Archer side (in the plugins folder) accordingly. Apart from that, you obviously have to allow communication between your ArcSight and Archer servers.
In our case, everything that comes from ArcSight goes directly into the security events application. From there, the events get aggregated into one or many security incidents (based on defined aggregation criteria).
I have tried the same.
UCF is listening, but I am getting an error in the UCF logs like:
1. Message received.
2. Invalid message. Aggregationcriteria is not found.
So I think the messages we are getting have something missing. I have discussed the same with the ArcSight team; they have no idea how to define aggregation criteria.
If you have any guide to set aggregation criteria, or any example, please share it with me.
So the aggregation criteria is basically a field that's being sent over from ArcSight. In ArcSight, you probably have different use cases. For each use case, different aggregation criteria might be helpful.
As an example, if a phishing wave hits the company and 100 employees click on the same link and infect their workstations with malware, this would (depending on your detection mechanisms) potentially result in 100 "events" that should be aggregated under one single incident. So here the aggregation criteria could be the destination IP. If that is the same for this specific use case, the events should be aggregated under one incident. But only as long as the incident is "New", for example.
That part is defined in the mapping file in Archer. So it's a combination of work that has to be done in ArcSight (defining use cases, aggregation, etc.) and Archer (mapping fields, implementing aggregation of events to incidents), but there is no guide, I'm afraid, because this is something which is very environment-specific.
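The following is an added example, not code from RSA Archer, UCF or either poster, that models the two behaviours discussed in this thread: the UCF rejecting a message whose mapped aggregation criteria field is empty ("Invalid message. Aggregation criteria is not found."), and events that share the same criteria value (here the destination IP from the phishing scenario) being folded into one incident only while that incident is still "New". The CEF sample lines, the `FIELD_MAP` dictionary (standing in for the XML mapping file in the plugins folder, whose real format is not reproduced here), the choice of `destination_ip` as the criteria and the incident statuses are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical mapping: CEF extension key -> field in the Security Events
# application. Stands in for the Archer XML mapping file (format not shown here).
FIELD_MAP = {
    "src": "source_ip",
    "dst": "destination_ip",
    "suser": "user",
    "msg": "description",
}

# Assumption for this example: incidents are keyed on the destination IP,
# as in the phishing wave scenario described in the thread.
AGGREGATION_FIELD = "destination_ip"

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER = re.compile(
    r"^CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<signature>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>[^|]*)\|(?P<extension>.*)$"
)
# Extension is key=value pairs; a value runs until the next " key=" or end of line.
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample input (not real ArcSight output). The last line has no dst.
SAMPLE_LINES = [
    "CEF:0|ArcSight|Logger|1.0|100|Phishing link clicked|5|src=10.1.1.10 suser=alice dst=198.51.100.7 msg=User clicked link",
    "CEF:0|ArcSight|Logger|1.0|100|Phishing link clicked|5|src=10.1.1.11 suser=bob dst=198.51.100.7 msg=User clicked link",
    "CEF:0|ArcSight|Logger|1.0|100|Phishing link clicked|5|src=10.1.1.12 suser=carol dst=198.51.100.7 msg=User clicked link",
    "CEF:0|ArcSight|Logger|1.0|200|Port scan|3|src=10.1.1.50 suser=eve msg=no destination in this event",
]


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its header fields plus the extension key=value pairs."""
    m = CEF_HEADER.match(line.strip())
    if m is None:
        raise ValueError("not a CEF message")
    event = {k: v for k, v in m.groupdict().items() if k != "extension"}
    event.update(CEF_EXT.findall(m.group("extension")))
    return event


def map_event(raw: dict) -> dict:
    """Rename CEF keys to Security Events field names, as the mapping file would."""
    mapped = {"signature": raw["signature"], "name": raw["name"]}
    for cef_key, archer_field in FIELD_MAP.items():
        if cef_key in raw:
            mapped[archer_field] = raw[cef_key]
    return mapped


@dataclass
class Incident:
    id: int
    criteria: str
    status: str = "New"
    events: list = field(default_factory=list)


class Aggregator:
    """Folds Security Events into Security Incidents keyed on AGGREGATION_FIELD."""

    def __init__(self):
        self.incidents = []
        self.rejected = []

    def ingest(self, line: str):
        event = map_event(parse_cef(line))
        # Same failure mode as the UCF log in the thread: no criteria, event dropped.
        if not event.get(AGGREGATION_FIELD):
            self.rejected.append("Invalid message. Aggregation criteria is not found.")
            return None
        key = event[AGGREGATION_FIELD]
        # Attach to an incident with the same key only while it is still "New".
        for inc in self.incidents:
            if inc.criteria == key and inc.status == "New":
                inc.events.append(event)
                return inc
        inc = Incident(id=len(self.incidents) + 1, criteria=key, events=[event])
        self.incidents.append(inc)
        return inc

    def set_status(self, incident_id: int, status: str) -> Incident:
        """Simulate an analyst moving an incident out of "New"."""
        for inc in self.incidents:
            if inc.id == incident_id:
                inc.status = status
                return inc
        raise KeyError(incident_id)


def run_sample() -> Aggregator:
    """Feed the constructed sample lines through the aggregator."""
    agg = Aggregator()
    for line in SAMPLE_LINES:
        agg.ingest(line)
    return agg


if __name__ == "__main__":
    agg = run_sample()
    for inc in agg.incidents:
        print(f"incident {inc.id} [{inc.status}] key={inc.criteria} events={len(inc.events)}")
    for reason in agg.rejected:
        print("rejected:", reason)
```

Running it shows the three phishing clicks landing in one incident keyed on 198.51.100.7, the port-scan line rejected with the same message the UCF logged, and, once that incident is set to a status other than "New", a further event for the same destination opening a second incident. The practical checks this suggests for the real integration are: confirm in the ArcSight output that the field the mapping file designates as the aggregation criteria is actually populated for every use case, and confirm on the Archer side that the mapping file points at the right CEF key.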