20.1 Overview

Sentinel can integrate with ArcSight Intelligence version 6.3 once you enable the configuration in Sentinel's web UI. Intelligence version 6.3 must first be installed in your environment; for more information, refer to the Intelligence documentation. Once ArcSight Intelligence has been installed, go to the Integration section in the web UI, where you can find the Intelligence Integration tab.

ArcSight Intelligence is a user and entity behavioral analytics solution that uses data science and advanced analytics to identify the top risky entities and behaviors occurring in your organization. Intelligence first establishes the normal behavior for your organizational entities, then uses advanced analytics to identify anomalous behavior by any entity and assigns an appropriate risk score to each such entity.

Sentinel supports integration with ArcSight Intelligence 6.3. This integration allows Sentinel's event logs to be processed by the ArcSight Intelligence analytics engine. The analytics engine then uses advanced unsupervised machine learning algorithms to compute risk scores for the analyzed entities and users from their anomalous activities. Sentinel can pull this risk score data for further processing in its own environment.

This data adds a lot of contextual value to Sentinel, especially for correlation, reports, and event views. Sentinel also provides out-of-the-box widgets and dashboards that present this analytics data as readable information.

20.1.1 Prerequisites

To perform the integration, you must install Transformation Hub, Vertica, and ArcSight Intelligence so that data can be ingested into ArcSight Intelligence. Refer to the Intelligence documentation.

Make sure that the following collector and connector versions are deployed in Sentinel:

  • Blue-Coat_ProxySG-Appliances_2011.1r6

  • Microsoft_Active-Directory-and-Windows_2011.1r8

  • Citrix_NetScaler_2011.1r5

  • Syslog-2021.1r1