For ArcSight Intelligence to run the analytics that identify risky entities and behaviors, Sentinel event data must be forwarded to the Transformation Hub. Intelligence then runs analytics on the event data and generates risk scores.
Sentinel provides a straightforward way to configure the communication channel that ingests data into ArcSight Intelligence. The configuration forwards both new incoming events and older Sentinel events to Transformation Hub.
You can configure one or more data sources to forward their events to ArcSight Intelligence. Sentinel currently supports four data source types (also called event types) for forwarding to ArcSight Intelligence: Access, Active Directory, VPN, and Web Proxy. These provide the data relevant to the Intelligence analytics models. Select the data source types to forward on the Intelligence Integration tab under the Integration panel of the Sentinel UI.
The criteria for each supported data source are defined below:
Access: The Access schema represents events collected from Identity and Access Management (IAM) solutions where users access resources such as servers or file shares.
Supported event types: Any Sentinel event for which,
• TargetDataName is defined and has a value, OR
• TargetDataContainer is defined and has a value
And for which one of the following criteria is fulfilled:
• VendorEventCode = 4656 and XDASOutcomeName = XDAS_OUT_SUCCESS or XDAS_OUT_FAILURE
• VendorEventCode = 4663 and XDASOutcomeName = XDAS_OUT_SUCCESS
• VendorEventCode = 4664 and XDASOutcomeName = XDAS_OUT_SUCCESS
• VendorEventCode = 5140 and XDASOutcomeName = XDAS_OUT_SUCCESS
• VendorEventCode = 5145 and XDASOutcomeName = XDAS_OUT_SUCCESS or XDAS_OUT_FAILURE
Active Directory: The Active Directory schema represents events collected from IAM solutions that identify successful and failed logins to authentication targets. These authentication targets include domain controllers/servers, resources, and file shares.
Supported event types: Any Sentinel event for which,
• VendorEventCode = 4624 and XDASOutcomeName = XDAS_OUT_SUCCESS
• VendorEventCode = 4625 and XDASOutcomeName = XDAS_OUT_FAILURE
• VendorEventCode = 4648 and XDASOutcomeName = XDAS_OUT_SUCCESS
• VendorEventCode = 4768 and XDASOutcomeName = XDAS_OUT_SUCCESS or XDAS_OUT_FAILURE
• VendorEventCode = 4769 and XDASOutcomeName = XDAS_OUT_SUCCESS or XDAS_OUT_FAILURE
• VendorEventCode = 4771 and XDASOutcomeName = XDAS_OUT_FAILURE
• VendorEventCode = 4776 and XDASOutcomeName = XDAS_OUT_SUCCESS or XDAS_OUT_FAILURE
VPN: The VPN schema represents events collected from IAM solutions or from other VPN devices such as Citrix Netscaler that identify VPN events.
Supported event types: Any Sentinel event for which,
• VendorEventCode = SSLVPN LOGIN or AAA LOGIN_FAILED
• Product Name = Citrix Netscaler
Web Proxy: Web Proxy data are raw events that capture network traffic, primarily web surfing, from a collection of human users.
Supported event types: Any Sentinel event for which,
• Product Name = Blue Coat Web Proxy
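The four data source filters above are, in effect, a small rule set over a handful of Sentinel fields. The following added example (not code from the Sentinel documentation or product) encodes those rules as plain functions so the filter logic can be exercised offline against constructed events before anything is forwarded. The field names VendorEventCode, XDASOutcomeName, TargetDataName and TargetDataContainer are the ones the text uses; "ProductName" is assumed as the key for what the text calls Product Name, and the two VPN bullets are assumed to be conjoined (both must hold). The sample events are constructed, not real Sentinel records.

```python
"""Sentinel -> ArcSight Intelligence data source filters, as runnable checks.

Added example, not code from the Sentinel documentation. "ProductName" is an
assumed key name for the text's "Product Name"; the events are constructed.
"""

SUCCESS = "XDAS_OUT_SUCCESS"
FAILURE = "XDAS_OUT_FAILURE"

# Access schema: Windows object-access event IDs -> XDAS outcomes that qualify.
ACCESS_RULES = {
    "4656": {SUCCESS, FAILURE},
    "4663": {SUCCESS},
    "4664": {SUCCESS},
    "5140": {SUCCESS},
    "5145": {SUCCESS, FAILURE},
}

# Active Directory schema: logon/Kerberos/NTLM event IDs -> qualifying outcomes.
ACTIVE_DIRECTORY_RULES = {
    "4624": {SUCCESS},
    "4625": {FAILURE},
    "4648": {SUCCESS},
    "4768": {SUCCESS, FAILURE},
    "4769": {SUCCESS, FAILURE},
    "4771": {FAILURE},
    "4776": {SUCCESS, FAILURE},
}

VPN_EVENT_CODES = {"SSLVPN LOGIN", "AAA LOGIN_FAILED"}
VPN_PRODUCT = "Citrix Netscaler"
WEB_PROXY_PRODUCT = "Blue Coat Web Proxy"


def has_value(event, field):
    """'Defined and has a value': the key exists and is not empty or blank."""
    value = event.get(field)
    return value is not None and str(value).strip() != ""


def code_and_outcome_match(event, rules):
    """True when VendorEventCode is listed and XDASOutcomeName is an allowed outcome."""
    outcomes = rules.get(str(event.get("VendorEventCode", "")))
    return outcomes is not None and event.get("XDASOutcomeName") in outcomes


def is_access(event):
    """Access: a target object or container is named AND the code/outcome pair is listed."""
    target_named = has_value(event, "TargetDataName") or has_value(event, "TargetDataContainer")
    return target_named and code_and_outcome_match(event, ACCESS_RULES)


def is_active_directory(event):
    return code_and_outcome_match(event, ACTIVE_DIRECTORY_RULES)


def is_vpn(event):
    # The text lists a VendorEventCode bullet and a Product Name bullet for VPN;
    # both are required here (assumption: the two bullets are conjoined).
    return (str(event.get("VendorEventCode", "")) in VPN_EVENT_CODES
            and event.get("ProductName") == VPN_PRODUCT)


def is_web_proxy(event):
    return event.get("ProductName") == WEB_PROXY_PRODUCT


def data_sources_for(event):
    """Return the data source types (in the document's order) this event qualifies for."""
    checks = (("Access", is_access), ("Active Directory", is_active_directory),
              ("VPN", is_vpn), ("Web Proxy", is_web_proxy))
    return [name for name, check in checks if check(event)]


# Constructed sample events (not real Sentinel data).
SAMPLE_EVENTS = [
    {"VendorEventCode": 4624, "XDASOutcomeName": SUCCESS},                            # AD logon
    {"VendorEventCode": 4656, "XDASOutcomeName": FAILURE,
     "TargetDataName": "\\\\fs01\\finance\\payroll.xlsx"},                              # Access, handle request failed
    {"VendorEventCode": 4656, "XDASOutcomeName": FAILURE},                             # no target named: not forwarded
    {"VendorEventCode": 4663, "XDASOutcomeName": FAILURE, "TargetDataContainer": "C:\\HR"},  # 4663 success only
    {"VendorEventCode": "SSLVPN LOGIN", "ProductName": VPN_PRODUCT},                   # VPN
    {"ProductName": WEB_PROXY_PRODUCT, "TargetDataName": "example.com"},               # Web Proxy
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(data_sources_for(event) or ["(not forwarded)"], event)
```

Running the module prints, for each constructed event, which data source type would pick it up; an event that names no target object, or whose outcome is not in the allowed set for its event ID, is correctly dropped even though its VendorEventCode appears in the list.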
Configure ArcSight Intelligence Integration in the Intelligence Integration tab under the Integration panel of the Sentinel UI to automatically forward new incoming events in Sentinel.
Use the following information to configure the integration:
Tenant: Select a tenant to associate it with the configuration. You cannot revert the tenant configuration unless you re-install Sentinel.
Enable: Select the check box to enable forwarding of Sentinel events to the specified Intelligence configuration.
Name: Specify a unique name for the configuration.
Master Hostname: Specify the hostnames and port numbers of the Master Transformation Hub nodes.
Worker Hostname: Specify the hostnames and port numbers of the Worker Transformation Hub nodes. For a single-node setup, specify the same hostname as the master.
IP Address or Hostname: Specify the IP addresses or hostnames and port numbers of the Transformation Hub nodes. You can specify a comma-separated list of multiple Transformation Hub IP addresses or hostnames. Sentinel forwards data to the first address it can connect to.
Selected Data Sources: Select one or more data source filters that serve as the criteria used to select events for processing/ingestion. Refer to the above section for more details.
Certificate Directory Path: Specify the path to the dedicated custom directory on the Sentinel server, created in the Generating External Certificate section, that contains the Transformation Hub certificate, key, and Certification Authority (CA) certificate.
Once ArcSight Intelligence Integration is configured, older Sentinel events in the existing event data partitions can be forwarded with the data uploader tool as follows:
Navigate to the directory <sentinel_installation_path>/opt/novell/sentinel/bin.
Switch to the novell user:
su novell
Run the data uploader tool with the required parameters to forward the data in existing partitions to Transformation Hub.
Example:
./data_uploader.sh -from=<YYYYMMDD> -to=<YYYYMMDD> -masterurl=<hostname>:32081 -workerurl=<hostname>:9093 -certdir=<path to cert directory>
For more information on the parameters, see the Sentinel Installation Guide.
In order to ensure secure trusted communication between Sentinel and the Transformation Hub, encrypted communication with mutual SSL authentication is configured by default.
To achieve this, a server key pair must be issued by the Transformation Hub issuing CA; the Sentinel server later uses it to initiate the communication.
To generate the certificate, perform the following steps on the CDF Transformation Hub server:
Export the following variables, which the Vault commands depend on; you can unset them afterwards if you no longer need to invoke Vault.
export PASSPHRASE=$(kubectl get secret vault-passphrase -n core -o json 2>/dev/null | jq -r '.data.passphrase')
export ENCRYPTED_ROOT_TOKEN=$(kubectl get secret vault-credential -n core -o json 2>/dev/null | jq -r '.data."root.token"')
export VAULT_TOKEN=$(echo ${ENCRYPTED_ROOT_TOKEN} | openssl aes-256-cbc -md sha256 -a -d -pass pass:"${PASSPHRASE}")
Request Vault to generate the certificate for your external access host.
/opt/arcsight/kubernetes/bin/vault write -tls-skip-verify -format=json RE/issue/coretech common_name=SENTINEL_HOST
From the JSON output of the command above, create the following three files:
server.crt: create this .crt file by copying the value of the "certificate" key. The server.crt file must then contain a string starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
server.key: create this .key file by copying the value of the "private_key" key. The server.key file must then contain a string starting with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.
issuingca.crt: create this .crt file by copying the value of the "issuing_ca" key. The issuingca.crt file must then contain a string starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
Once created, copy these three files to a custom directory of your choice on the Sentinel server.
On the Sentinel server, change to that custom directory containing the three files and run the following commands:
awk '{gsub(/\\n/,"\n")}1' server.key > tmp && mv -f tmp server.key
sed -i 's/\\n//g' server.key
awk '{gsub(/\\n/,"\n")}1' issuingca.crt > tmp && mv -f tmp issuingca.crt
sed -i 's/\\n//g' issuingca.crt
awk '{gsub(/\\n/,"\n")}1' server.crt > tmp && mv -f tmp server.crt
sed -i 's/\\n//g' server.crt
The commands above convert the certificate files in that directory to the required PEM format (the JSON values carry literal \n sequences that must become real line breaks). Now copy the entire directory and its contents (server.crt, server.key, issuingca.crt) to the same directory path on the Collector Manager's server. It is important to recreate the same directory path for this folder on the Collector Manager as on the Sentinel server.
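The manual copy-and-fix-up procedure above exists because the Vault output is JSON, in which the PEM line breaks appear as escaped \n sequences. Parsing the JSON with a proper parser decodes them in one step and also lets you verify the result before it is trusted. The following is an added example, not code from the Sentinel or ArcSight documentation: it assumes the `vault write -format=json ...` output nests the issued material under a "data" object with the keys the text names ("certificate", "private_key", "issuing_ca"), writes the three files with the names the text uses, checks the five-dash PEM markers, and restricts the key file to its owner. The embedded Vault response is a constructed sample with placeholder bodies, not real key material.

```python
"""Turn Vault JSON into server.crt, server.key and issuingca.crt.

Added example, not code from the Sentinel or ArcSight documentation. Assumes
the issued material sits under "data" with keys "certificate", "private_key"
and "issuing_ca". The sample response below is constructed.
"""
import json
import os

# Constructed sample shaped like the Vault response. The PEM bodies are
# placeholders, not real certificate or key material.
SAMPLE_VAULT_OUTPUT = json.dumps({
    "request_id": "example-request-id",
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...server cert...\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIB...issuing CA...\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...private key...\n-----END RSA PRIVATE KEY-----",
    },
})

# Output file -> (JSON key under "data", PEM label expected in the BEGIN/END markers)
FILES = {
    "server.crt": ("certificate", "CERTIFICATE"),
    "server.key": ("private_key", "RSA PRIVATE KEY"),
    "issuingca.crt": ("issuing_ca", "CERTIFICATE"),
}


def fix_pasted_pem(text):
    """Equivalent of the awk step above: turn literal backslash-n into newlines."""
    return text.replace("\\n", "\n")


def pem_is_well_formed(text, label):
    """First/last lines are the five-dash markers and no literal backslash-n survives."""
    lines = text.strip().splitlines()
    return (len(lines) >= 3
            and lines[0] == f"-----BEGIN {label}-----"
            and lines[-1] == f"-----END {label}-----"
            and "\\n" not in text)


def parse_pem_material(vault_json):
    """Map each output file name to its PEM body; raise if a block is malformed."""
    data = json.loads(vault_json)["data"]   # json.loads decodes the \n escapes
    material = {}
    for filename, (key, label) in FILES.items():
        body = data[key].strip() + "\n"
        if not pem_is_well_formed(body, label):
            raise ValueError(f'"{key}" is not a well-formed {label} PEM block')
        material[filename] = body
    return material


def write_pem_files(material, out_dir):
    """Write the files into the custom directory; the key gets owner-only permissions."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for filename, body in material.items():
        path = os.path.join(out_dir, filename)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)
        if filename.endswith(".key"):
            os.chmod(path, 0o600)   # private key: readable by the owner only
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    # Usage: vault write -format=json RE/issue/coretech common_name=<host> | python3 this.py <dir>
    # Without piped input the constructed sample is used so the script runs stand-alone.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VAULT_OUTPUT
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "th-certs-example"
    for path in write_pem_files(parse_pem_material(source), out_dir):
        print("wrote", path)
```

Because the files are written from the decoded JSON values, the awk/sed fix-up is unnecessary; `fix_pasted_pem` is kept only to show what that step does for text pasted from a terminal. The same decoding can be done on the Transformation Hub host with `jq -r '.data.certificate'` and friends, which also emit the raw string with escapes resolved.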
If Sentinel is in FIPS mode, the Transformation Hub’s issuing CA certificate needs to be added into the FIPS keystore of the Sentinel server and Remote Collector Managers (RCM).
NOTE: Connection to Intelligence in FIPS mode supports client-side authentication only. This requires Mutual Authentication to be disabled at the Intelligence cluster level. Communication does not happen when Sentinel is in FIPS mode with the Intelligence cluster. For more information on disabling Client Authentication in Intelligence, refer to the Transformation Hub tab under the Configuring the Deployed Capabilities section in the Intelligence documentation.
Perform the following steps to add a CA certificate in the FIPS keystore.
Add the issuingca.crt certificate generated in the Generating External Certificate section to the FIPS keystore of the Sentinel server using the following command:
./convert_to_fips.sh -i <sentinel_installation_path>/<custom-directory-containing-cdf-generated-certificates>/issuingca.crt
Add the same issuingca.crt certificate to the FIPS keystore of each RCM server using the following command:
./convert_to_fips.sh -i <rcm_installation_path>/<custom-directory-containing-cdf-generated-certificates>/issuingca.crt