To enable Sentinel to receive the analysed entities from Intelligence, install and configure the ArcSight REST FlexConnector. The REST FlexConnector provides a configurable method to collect events from Intelligence and send them to Sentinel. It uses OAuth2 authentication to obtain permission to receive events from Intelligence. The events collected by the FlexConnector are in JSON format; JSON parser files convert them into a format that Sentinel can receive and understand.
You need to install the REST FlexConnector to communicate with ArcSight Intelligence and retrieve the risk score data.
Complete the prerequisite steps described in the ArcSight Intelligence documentation before you begin the REST FlexConnector installation and configuration.
To install and configure a REST FlexConnector, see the ArcSight FlexConnector REST Developer Guide.
Ensure the following when you install and configure the REST FlexConnector:
Select ArcSight FlexConnector REST as the Connector Type.
Import the OSP certificate in the REST FlexConnector. Refer to Importing the OSP Certificate in the REST FlexConnector.
When adding the parameters information, specify the following:
For the Configuration File field, specify entities. This is the base name of the JSON parser file (entities.jsonparser.properties) that the connector uses to parse the entities data.
For the Events URL field, specify https://<ip address or hostname of Intelligence>/interset/api/search/0/topRisky?count=100 to collect and parse the entities data.
For the Authentication Type field, select OAuth2.
For the OAuth2 Client Properties File field, browse to the location where you created and saved the OAuth2.properties file, then select the file. Restrict file-system access to this file; it holds the client credentials the connector authenticates with.
When configuring the destination, select CEF Syslog as the destination.
When adding the parameters information, specify the IP address or host name and the port of Sentinel's syslog server. The protocol and port depend on whether the destination uses TCP, UDP, or SSL; prefer the SSL variant so that the risk score data is not sent in clear text.
Set Preserve Raw Event to Yes in the SmartConnector by modifying the destination's Processing settings.
Click Done to complete the SmartConnector installation.
To ensure trusted communication between the REST FlexConnector and the Transformation Hub, import the OSP issuer (CA) certificate into the REST FlexConnector.
To import the OSP certificate in the REST FlexConnector:
Navigate to the custom certificate directory you created in the Generating External Certificate section, which contains issuingca.crt.
Copy the contents of issuingca.crt into a new file named issuingca.cer and save it in a location of your choice on the SmartConnector machine (for example, C:\Users\<user_name>\Desktop\).
Do the following to import the OSP CA certificate into the FlexConnector truststore (cacerts):
Open a command window and navigate to the following location:
cd $ARCSIGHT_HOME\current\jre\bin\
Execute the following command:
keytool -importcert -file "<location_of_issuingca.cer>\issuingca.cer" -keystore "$ARCSIGHT_HOME\current\jre\lib\security\cacerts" -storepass changeit
changeit is the default password of the JRE truststore; if it has been changed on your installation, use the current password. When you run this command, keytool displays the certificate's owner, issuer and fingerprints and prompts Trust this certificate? [no]: Compare the displayed fingerprint with that of issuingca.crt, then answer yes.
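The following is an added example, not ArcSight tooling or a command from the page. It carries out the copy step above, computes the SHA-256 fingerprint of issuingca.crt so you have a value to compare against what keytool prints at the trust prompt, and builds the page's keytool command as an argument list. The alias name osp-issuing-ca, the use of the connector's bundled JRE under $ARCSIGHT_HOME\current\jre, and the final keytool -list check are assumptions added here.

```python
import base64
import hashlib
import subprocess
from pathlib import Path

# Assumption (not from the page): a named alias so the entry can be found and
# removed later; without -alias keytool stores the certificate as "mykey".
DEFAULT_ALIAS = "osp-issuing-ca"


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    body, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside and line.strip():
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256, the form keytool prints at the trust prompt."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def write_cer_copy(crt_path, cer_path) -> str:
    """Copy issuingca.crt to issuingca.cer (the page's step) and return its fingerprint."""
    text = Path(crt_path).read_text()
    Path(cer_path).write_text(text)
    return sha256_fingerprint(pem_to_der(text))


def _jre(arcsight_home) -> Path:
    # Assumption: keytool and cacerts come from the connector's bundled JRE.
    return Path(arcsight_home) / "current" / "jre"


def import_command(arcsight_home, cer_path, alias=DEFAULT_ALIAS, storepass="changeit") -> list:
    """The page's keytool -importcert command as an argv list, plus an explicit alias."""
    jre = _jre(arcsight_home)
    return [str(jre / "bin" / "keytool"), "-importcert", "-file", str(cer_path),
            "-keystore", str(jre / "lib" / "security" / "cacerts"),
            "-storepass", storepass, "-alias", alias]


def list_command(arcsight_home, alias=DEFAULT_ALIAS, storepass="changeit") -> list:
    """Post-import check: keytool -list shows the fingerprint of the imported entry."""
    jre = _jre(arcsight_home)
    return [str(jre / "bin" / "keytool"), "-list", "-keystore",
            str(jre / "lib" / "security" / "cacerts"), "-storepass", storepass, "-alias", alias]


if __name__ == "__main__":
    import sys
    home, crt = sys.argv[1], Path(sys.argv[2])  # $ARCSIGHT_HOME and issuingca.crt
    cer = crt.with_suffix(".cer")
    print("expected SHA256 fingerprint:", write_cer_copy(crt, cer))
    # keytool prints the fingerprints and asks "Trust this certificate? [no]:";
    # answer yes only if its SHA256 line matches the value printed above.
    subprocess.run(import_command(home, cer), check=True)
    subprocess.run(list_command(home), check=True)
```

Run it as `python import_osp_ca.py <ARCSIGHT_HOME> <path>\issuingca.crt`; the interactive prompt is left to keytool on purpose, so that the trust decision is made against the fingerprint rather than with -noprompt.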
After you install and configure the FlexConnector, and before you run it, perform the following steps so that the data it receives is formatted in a way Sentinel understands.
Set the property agents[0].queryfrequency in <SmartConnector Installation location>\ArcSightSmartConnectors\current\user\agent.properties to control how often the connector fetches entity details from the Intelligence server. The default is 30000 milliseconds (30 seconds); change it to suit your requirement.
Create a new JSON parser file named entities.jsonparser.properties in $ARCSIGHT_HOME\current\user\agent\flexagent and copy the following content into it.
trigger.node.location=/data
token.count=12
token[0].name=entityHash
token[0].type=String
token[0].location=entityHash
token[1].name=entityType
token[1].type=String
token[1].location=entityType
token[2].name=entityName
token[2].type=String
token[2].location=entityName
token[3].name=risk
token[3].type=Integer
token[3].location=risk
token[4].name=riskChange
token[4].type=Integer
token[4].location=riskChange
token[5].name=storyCount
token[5].type=Integer
token[5].location=storyCount
token[6].name=lastActivity
token[6].type=String
token[6].location=lastActivity
token[7].name=tags
token[7].type=String
token[7].format=__uri()
token[7].location=tags
token[8].name=otherName
token[8].type=String
token[8].location=../../tags/name
token[9].name=source
token[9].type=String
token[9].location=../source
token[10].name=desc
token[10].type=String
token[10].location=../tags/description
token[11].name=scrollId
token[11].type=String
token[11].location=/scrollId
event.name=__stringConstant("Interset Risky User Information")
event.deviceEventClassId=__stringConstant("IRU")
event.deviceVendor=__stringConstant("Micro Focus")
event.deviceProduct=__stringConstant("Interset")
event.deviceSeverity=2
#Agent Severity
severity.map.low.if.deviceSeverity=2
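To see what the parser file above turns a topRisky response into before the connector is started, here is an added example; it is not the connector's parser engine or any ArcSight code. It reads the token[i].* and event.* keys from a copy of the page's parser reduced to the tokens whose location is a bare key or an absolute path (the ../ relative tokens and the __uri() format are resolved by the connector itself and are not modelled), applies them to a constructed sample response whose shape is an assumption, and renders a CEF line. The CEF extension keys simply reuse the token names; the connector's own field naming for custom tokens is not reproduced.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample of a topRisky response; the real response shape is not on the page.
SAMPLE_RESPONSE = json.dumps({
    "scrollId": "scroll-0001",
    "data": [
        {"entityHash": "h1", "entityType": "usr", "entityName": "jdoe", "risk": 87,
         "riskChange": 12, "storyCount": 3, "lastActivity": "2023-01-05T10:00:00Z"},
        {"entityHash": "h2", "entityType": "usr", "entityName": "asmith", "risk": 15,
         "riskChange": -4, "storyCount": 1, "lastActivity": "2023-01-05T09:30:00Z"},
    ],
})

# The page's parser, reduced to the tokens this example can resolve (renumbered 0..7).
PARSER = """
trigger.node.location=/data
token.count=8
token[0].name=entityHash
token[0].type=String
token[0].location=entityHash
token[1].name=entityType
token[1].type=String
token[1].location=entityType
token[2].name=entityName
token[2].type=String
token[2].location=entityName
token[3].name=risk
token[3].type=Integer
token[3].location=risk
token[4].name=riskChange
token[4].type=Integer
token[4].location=riskChange
token[5].name=storyCount
token[5].type=Integer
token[5].location=storyCount
token[6].name=lastActivity
token[6].type=String
token[6].location=lastActivity
token[7].name=scrollId
token[7].type=String
token[7].location=/scrollId
event.name=__stringConstant("Interset Risky User Information")
event.deviceEventClassId=__stringConstant("IRU")
event.deviceVendor=__stringConstant("Micro Focus")
event.deviceProduct=__stringConstant("Interset")
event.deviceSeverity=2
"""

HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceEventClassId", "name", "deviceSeverity")


def load_parser(text: str) -> Dict[str, Any]:
    """Read token[i].* and event.* keys; unwrap __stringConstant("...") into its literal."""
    props = dict(line.strip().split("=", 1) for line in text.splitlines()
                 if line.strip() and not line.strip().startswith("#"))
    tokens = [{"name": props[f"token[{i}].name"], "type": props[f"token[{i}].type"],
               "location": props[f"token[{i}].location"]} for i in range(int(props["token.count"]))]
    event = {}
    for key, value in props.items():
        if key.startswith("event."):
            m = re.fullmatch(r'__stringConstant\("(.*)"\)', value)
            event[key[6:]] = m.group(1) if m else value
    return {"trigger": props["trigger.node.location"], "tokens": tokens, "event": event}


def resolve(root: Any, node: Any, location: str) -> Any:
    """'/a/b' is taken from the document root; a bare key from the current trigger node."""
    cur = root if location.startswith("/") else node
    for part in location.strip("/").split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None  # missing field: the token stays empty rather than failing the event
        cur = cur[part]
    return cur


def parse_events(response_text: str, parser: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One event per element under the trigger node, with the event.* constants attached."""
    root = json.loads(response_text)
    events = []
    for node in resolve(root, root, parser["trigger"]):
        ev = dict(parser["event"])
        for tok in parser["tokens"]:
            value = resolve(root, node, tok["location"])
            ev[tok["name"]] = int(value) if tok["type"] == "Integer" and value is not None else value
        events.append(ev)
    return events


def _esc_header(s: Any) -> str:
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: Any) -> str:
    return str(s).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(ev: Dict[str, Any]) -> str:
    """Header from event.* (deviceVersion left empty, as the parser sets none); tokens as extension."""
    header = "|".join(["CEF:0", _esc_header(ev["deviceVendor"]), _esc_header(ev["deviceProduct"]), "",
                       _esc_header(ev["deviceEventClassId"]), _esc_header(ev["name"]),
                       str(ev["deviceSeverity"])])
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in ev.items()
                   if k not in HEADER_FIELDS and v is not None)
    return f"{header}|{ext}"


if __name__ == "__main__":
    for event in parse_events(SAMPLE_RESPONSE, load_parser(PARSER)):
        print(to_cef(event))
```

Because deviceSeverity is the constant 2 for every entity, the agent-side severity is always low regardless of the risk value; if Sentinel should prioritise on risk, that is done on the Sentinel side from the risk field in the extension.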