Integrating SOAR with Intelligence

OpenText ArcSight Intelligence uses unsupervised machine learning to calculate probabilistic risk assessments based on behavioral analytics from millions of events, ultimately generating a short list of high value targets to allow security teams to detect, investigate, and respond to threats that might hide in the enterprise before any case occurs.

SOAR has the following integration capabilities with Intelligence:

Ingest Anomalies as Alert
Get Entity Details

Use Cases

Use Case #1: Prioritizing Cases

SOAR is integrated with Intelligence, to help prioritization and investigation of cases as well as remediation of cases. When an alert is received, a new case is created in the Case Management Service Desk of SOAR. SOAR then automatically checks the risk scores of entities and prioritizes the case based on these risk scores. Get Entity Details enrichment results return latest 1000 records maximum.

Use Case #2: Mitigating Account Compromise

SOAR ingests anomaly data from Intelligence and creates case tickets in the Case Management Service Desk. With its broad integration portfolio, orchestration, and automation capabilities, SOAR investigates, ascertains the case, and takes necessary actions to prevent the compromise.

The bidirectional integration of Intelligence and SOAR requires configuration at both the capabilities.

Configuration

Prerequisites

SOAR connects to OpenText ArcSight Intelligence API via HTTPS. By default, the interface works on 443/tcp port. Make sure that you have access permission to this port.
A user account for SOAR to connect to the Intelligence API.

Configuring ArcSight Intelligence

No specific configuration is needed on Intelligence.

Configuring SOAR

Click Configuration > Credentials > Create Credential.
If the use.basic.authentication configuration parameter value is False, then get the Client id and Client secret from Intelligence to ensure that the Intelligence Alert Source and Intelligence Integration work as expected.

Note: The default value of use.basic.authentication parameter is False.

To get the Client ID and Client Secret for OpenText Intelligence open a command prompt and:
1. Specify the name of the server on which Intelligence works.
2. Run the following command to get Client ID and Client Secret from Intelligence:
```
osp-client-id and osp-client-secret : kubectl get secret osp-secret -n arcsight-installer-tyoib -o yaml
```
  The output is displayed in the following format:
```
data:
osp-client-id: NTZjODkyYWE3NDMzZThiOTYzZGVkMjE5ZGIzODU3ZDg=
osp-client-secret:
ZjRiZDUzODBiZjQ2NTY5MWQ4NDAzMTFhZTJmMjY1ZGJlZGRjOWU0NDhlZmE3ZDhjN2Q5YzJlY2VjMDkzMmExNw==
```
3. Run the following command to decode the Client ID and Client Secret:
```
echo 'NTZjODkyYWE3NDMzZThiOTYzZGVkMjE5ZGIzODU3ZDg=' | base64 --decode
echo 'ZjRiZDUzODBiZjQ2NTY5MWQ4NDAzMTFhZTJmMjY1ZGJlZGRjOWU0NDhlZmE3ZDhjN2Q5YzJlY2VjMDkzMmExNw==' | base64 --decode
```
4. Run the following command to add the Client ID to the Alert Source / Integration configuration on Intelligence.
```
# Client id that defined in OSP
client.id=id
```

Specify the following parameter values in the Credential Editor:

Parameter	Value
Type	Internal Credential
Name	Display name of credential set (For example, Intelligence Credentials)
Username	Name of the SOAR user created on Intelligence.
Password	Password of the SOAR user created on Intelligence.
Private Key	Client secret that has been defined in OSP

Configuring Intelligence as an Alert Source

Click Configuration > Integrations > Create Alert Source.

Specify the following parameter values in the Configuration form:

Parameter	Value
Name	Display name of Intelligence Alert Source on SOAR.
Type	OpenText ArcSight Intelligence.
Address	Address of the Intelligence server (the format must be https://172.16.11.9).
Configuration	Specify the following configuration parameters: tenant.id= # ID of the proxy integration to use when connecting to current source. # If not provided, ArcSight SOAR will try to use a direct connection. #proxy.id=123 # configure how far (in minutes) into the past this enrichment will look. #cache.reusing.duration=20 # Base path of the OpenText Intelligence. SOAR adds it to end of the URL to access OpenText Intelligence. interset.context.path=/interset # Client id that defined in OSP client.id=id Note: By default,Intelligence uses 0 for tenant id. However, Intelligence - SOAR integration supports different tenants.
Credential	Name of the credential set you have created (For example, OpenText ArcSight Credentials)
Trust Invalid SSL Certificates	Select this if Web UI’s certificate is self-signed or is not recognized by browsers
Visible Alert Fields	You might define the alarm fields that will be displayed on the Case Management Service Desk

Click Save to complete the integration.
Click Test to test the integration.

Configuring Intelligence as Integration

Click Configuration > Integrations > Create Integration.

Specify the following parameter values in the Configuration form:

Parameter	Value
Name	Display name of Intelligence integration on SOAR.
Type	OpenText ArcSight Intelligence.
Address	Address of the Intelligence server (the format must be https://172.16.11.9).
Configuration	Specify the following configuration parameters: tenant.id= # ID of the proxy integration to use when connecting to current source. # If not provided, ArcSight SOAR will try to use a direct connection. #proxy.id=123 # configure how far (in minutes) into the past this enrichment will look. #cache.reusing.duration=20 # Base path of the OpenText Intelligence. SOAR adds it to end of the URL to access OpenText Intelligence. interset.context.path=/interset # Client id that defined in OSP client.id=id
Credential	Name of the credential set you have created (For example, OpenText ArcSight Credentials)
Trust Invalid SSL Certificates	Select this if Web UI’s certificate is self-signed or is not recognized by browsers
Require Approval From	Select user(s) from the list to request for approval before executing actions on this integration. Because SOAR only executes enrichments on Intelligence, leave it empty.
Notify	Select user(s) from the list to notify when SOAR performs an action on this integration. Because SOAR only executes enrichments on Intelligence, leave it empty.

Click Save to complete the integration.
Click Test to test the integration.

Additional Notes

The following configuration parameters can be used for fine tuning the integration. You must consult the SOAR field engineering team before editing them:
- MicroFocusIntelligenceListenerMaxRetrySeconds OpenText Interset listener queue max message retry in seconds 1800
- MicroFocusIntelligenceListenerQueueConcurrency Upper limit of OpenText Interset Listener consumer thread count 3
- MicroFocusIntelligenceSyncPeriod Period in seconds to sync OpenText Interset anomalies 60

Capabilities

Get Details

Enrichment capability to get the risk score of a given entity and related alert details.

The following table presents the Get Details capability details:

Input Parameter	Description	Type	Scope Rescticted (Yes/No)	Required (Yes/No)
Integration	Name of the third party integration.	Integration	N/A	Yes
Entity	Entity to be queried on ArcSight Intelligence.	Network Address Host File Name URL	Yes	Yes
Do not use cache	SOAR does not use cached results if this box is checked.	Checkbox	N/A	No

Input Parameter

Description

Type

Scope Rescticted (Yes/No)

Required (Yes/No)

Integration

Name of the third party integration.

Integration

N/A

Yes

Entity

Entity to be queried on ArcSight Intelligence.

Network Address

Host

File Name URL

Yes

Do not use cache

SOAR does not use cached results if this box is checked.

Checkbox

N/A

Output:

Case Scope:

Action	Type	Category/ Value
Add Scope Item Property	Integer	OpenText Intelligence Entity Risk
Add Scope Item Property	TEXT	OpenText Intelligence Entity Hash
Add Scope Item Property	TEXT	OpenText Intelligence Entity Type

Human Readable Output:

Risk tab:
Alerts tab: