1 / 25

How to Write HP ArcSight FlexConnectors

How to Write HP ArcSight FlexConnectors. Aaron Kramer, CISSP, CEH June 25, 2014 Aaron.Kramer@hp.com. Agenda. Logistics SmartConnector Capabilities FlexConnectors Sources of Help FlexConnector Toolkit Demo Questions and Answers. Logistics. Lots of Material

melodie-owens
Download Presentation

How to Write HP ArcSight FlexConnectors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Write HP ArcSight FlexConnectors Aaron Kramer, CISSP, CEH June 25, 2014 Aaron.Kramer@hp.com

  2. Agenda • Logistics • SmartConnector Capabilities • FlexConnectors • Sources of Help • FlexConnector Toolkit Demo • Questions and Answers

  3. Logistics • Lots of Material • Submit Questions via the Questions section in this Virtual Room • My background • Over 20 years in Network, Application, and Computer Security (CISSP, CEH) • currently a Global Field Support Engineer for HP ArcSight • >9 years of ArcSight experience • Presented at previous ArcSight Protect User Conference on FlexConnectors, Logger, ESM • Regular contributor to the Protect724 User Community

  4. SmartConnector Capabilities

  5. SmartConnector Event Collection

  6. SmartConnector Event Collection

  7. Connectors: Robust Collection Encrypted & Compressed Centralized Updates/Upgrades Bandwidth Management ArcSight Connector Heartbeat Connection HP ArcSight Logger HP ArcSight ESM/Express Follows NIST 800-92 Log Aggregation Guidelines

  8. Why FlexConnectors? My device or Application or Source is NOT one of the 350+ listed Supported sources?  Enter the HP ArcSight FlexConnector

  9. HP ArcSight FlexConnectors

  10. HP ArcSight FlexConnectors • Has same capabilities as SmartConnectors (Caching, Batching, Compression, etc) • The FlexConnector Developer Toolkit is the same Toolkit that Developers use to write the 350+ SmartConnectors • The Toolkit is a fully-supported and documented offering • The FlexConnector Development Kit is a licensed item; must be purchased. • GOAL: Produce the Properties File

  11. FlexConnector Types HP ArcSight FlexConnectors can be written for various Files and Formats and Sources • Regularly-formatted Files • Files processed better by use of Regular Expressions

  12. FlexConnector Types HP ArcSight FlexConnectors can be written for various Files and Formats and Sources • JSON Files • XML Files

  13. FlexConnector Types HP ArcSight FlexConnectors can be written for various Files and Formats and Sources • Read from Databases • Various sources in a Syslog Stream

  14. FlexConnector Types HP ArcSight FlexConnectors can be written for various Files and Formats and Sources • SNMP • Over a RESTful API • REST API endpoints • https://abc.com/events?created_after=<>&maxEvents=<>... • JSON output • OAuth2

  15. Where do FlexConnectors Run? • Windows • Linux • Solaris • AIX • Connector Appliance

  16. ArcSight FlexConnector Wizard on Connector Appliance

  17. flexagentwizard regex Flex Connector Helpers

  18. ArcSight Flex Connectors • GOAL: Produce the Properties File, with 3 sections • Parsing • Tokens, types, and formats • Mapping • Delimited File: Delimiter, Tokens, Mappings • Regular Expression: Words, Tokens, Mappings • Database: Query, Tokens, Mappings • … and so on

  19. HP ArcSight FlexConnector Further Capabilities • Follow File Rotations and Follow Folders • Consume Multiline events • Advanced functions to parse, manipulate, convert • __concatenate(String1,String2….) • __extractNTDomain(“AMERICAS\WABC123”)  yields AMERICAS • __regexToken(TOKEN,regex) • __simpleMAP(TOKEN,Case1,Case2…) • __safeToLong(TOKEN) • Lots n lots more • Pull pieces of filename or filepath • Chaining – where one type of Flex Connector calls another • A text file of events, where each event has a field that is XML in structure • Can read compressed files directly

  20. Sources of Help • Documentation • FlexConnector Developer’s Guide • REST FlexConnector Developer’s Guide • http://Protect724.HP.Com Forums • Question and Answer • Previous HP Protect Content • Tech Support – supporting the FlexConnector Developer Toolkit, not the FlexConnector itself • HP Partners • HP ArcSight Education • 3-day course • HP ArcSight User Gatherings

  21. How To Write a FlexConnector

  22. How To Write a FlexConnector • Confirm that your organization is licensed for the FlexConnector Developer Toolkit • Research to see if a FlexConnector was already written by someone else, somewhere else • Gather Sample Log events and/or files • Decide on which FlexConnector is best (File reader, database reader, Syslog subagent) • Consult the FlexConnector Developer Guide for step-by-step example

  23. Switch to Live Demo

  24. Questions and Answers For more information, and future webinars, please visit: https://protect724.hp.com/community/events/enterprise-security-webinars

  25. Thank you

More Related