Guidance on Implementing Data Enrichment through Third-Party Threat Intelligence Integration in ArcSight

I am working on a use case to integrate third-party threat intelligence with ArcSight. The goal is to accomplish the following tasks:

SIEM Data Enrichment

  • Ingest raw log events into ArcSight.
  • Create empty lookup files in ArcSight, one per IOC type (hash, IP, domain, URL).
  • Set up an hourly query mechanism to extract IOCs from the ingested events in ArcSight.
  • Implement a process where ArcSight retrieves IOCs from the query results and sends them individually to the third-party threat intelligence endpoint.


Third Party Threat Intelligence - Data Collection

  • The third-party threat intelligence endpoint will return enriched data for each IOC.
  • Store the enriched data in the corresponding lookup files for each IOC.
  • Finally, create dashboards that visualize the enriched data from the lookup files.


I am familiar with the ingestion and dashboard creation processes. However, I need clarification on the data enrichment portion, specifically:

  • How can I retrieve IOCs from ArcSight on an hourly basis?
  • How can I trigger calls to the third-party threat intelligence endpoint whenever new IOCs arrive?
  • How can I store the returned results from the third-party threat intelligence into the lookup files every hour?


Could you provide guidance on which ArcSight components I should use to implement this requirement? Any advice on how to approach this implementation or best practices would be greatly appreciated.
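The hourly cycle described in the post (pull the last hour of events, extract IOCs, query the endpoint only for IOCs not already in the lookup file, append the answers to the per-type lookup file), as an added example that is not part of the original post and not ArcSight product code. Everything in it is an assumption for illustration: events are CEF lines with the extension fields `rt`, `src`, `dst`, `dhost`, `request` and `fileHash` (constructed inline; a real job would pull them from the SIEM's search or export interface); lookup files are plain CSV files keyed on the IOC value; the threat-intelligence endpoint is any callable `enrich(ioc_type, value)`, here a constructed stand-in, since the real client, its authentication and its rate limits are vendor-specific.

```python
"""Hourly IOC enrichment cycle: SIEM events -> new IOCs -> TI endpoint -> lookup CSVs.

Added example, not ArcSight code. All field names, file layouts and the enrich()
callable are assumptions; SAMPLE_EVENTS is constructed data, not real telemetry.
"""
import csv
import ipaddress
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IOC_TYPES = ("hash", "ip", "domain", "url")
LOOKUP_COLUMNS = ("ioc", "ioc_type", "verdict", "score", "source", "first_seen_ms")
HEX_HASH_LENGTHS = {32, 40, 64}  # MD5, SHA-1, SHA-256
# Only RFC 1918, loopback and link-local are treated as internal. RFC 5737 documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) are used below as stand-ins for external hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; values may contain spaces
CEF_HEADER = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")

SAMPLE_EVENTS = [  # constructed; rt is receipt time in epoch milliseconds
    "CEF:0|Acme|Proxy|1.0|100|Web request|3|rt=1700000000000 src=10.0.0.5 dst=203.0.113.10 "
    "dhost=update.example.net request=http://update.example.net/setup.exe "
    "fileHash=0123456789abcdef0123456789abcdef",
    "CEF:0|Acme|EDR|2.1|200|Process hash observed|5|rt=1700001800000 src=10.0.0.7 "
    "dhost=c2.example.org fileHash=" + "deadbeef" * 8,
    "CEF:0|Acme|Firewall|1.0|300|Connection allowed|2|rt=1700002400000 src=192.168.1.20 dst=198.51.100.7 dpt=443",
    "CEF:0|Acme|Firewall|1.0|300|Connection allowed|2|rt=1700002500000 src=192.168.1.21 dst=198.51.100.7 dpt=443",
    "CEF:0|Acme|Proxy|1.0|100|Web request|3|rt=1700009999000 src=10.0.0.5 dst=192.0.2.44 request=http://192.0.2.44/x",
]
KNOWN_BAD = {"c2.example.org": ("malicious", 95), "deadbeef" * 8: ("malicious", 88)}


def parse_cef(line):
    """Split the 7-field CEF header and the key=value extension (escaped '|' and '=' not handled)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    event = dict(zip(CEF_HEADER, parts[:7]))
    event.update(CEF_EXT_RE.findall(parts[7]))
    return event


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_external_ip(value):
    """Internal addresses never go to an external TI endpoint (they leak topology, waste quota)."""
    return is_ip(value) and not any(ipaddress.ip_address(value) in n for n in INTERNAL_NETS)


def extract_iocs(events):
    """Collect deduplicated IOCs per type from parsed events."""
    found = {t: set() for t in IOC_TYPES}
    for ev in events:
        h = ev.get("fileHash", "").lower()
        if len(h) in HEX_HASH_LENGTHS and all(c in "0123456789abcdef" for c in h):
            found["hash"].add(h)
        for key in ("src", "dst"):
            if is_external_ip(ev.get(key, "")):
                found["ip"].add(ev[key])
        url, host = ev.get("request"), None
        if url:
            found["url"].add(url)
            host = urlparse(url).hostname
        for cand in (ev.get("dhost"), host):
            if cand and not is_ip(cand):
                found["domain"].add(cand.lower())
    return found


def load_lookup(path):
    """Lookup file -> {ioc: row}; an empty pre-created file simply yields no rows."""
    if not path.exists():
        return {}
    with path.open(newline="") as f:
        return {row["ioc"]: row for row in csv.DictReader(f)}


def append_lookup(path, rows):
    header_needed = not path.exists() or path.stat().st_size == 0
    with path.open("a", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=LOOKUP_COLUMNS)
        if header_needed:
            writer.writeheader()
        writer.writerows(rows)


def demo_enrich(ioc_type, value):
    """Constructed stand-in for the TI endpoint; a real client makes one authenticated request per IOC."""
    verdict, score = KNOWN_BAD.get(value, ("unknown", 0))
    return {"verdict": verdict, "score": score, "source": "demo-ti"}


def run_cycle(cef_lines, window_start_ms, window_end_ms, lookup_dir, enrich):
    """One scheduled run: only IOCs absent from the lookup file are sent to the endpoint."""
    events = [parse_cef(line) for line in cef_lines]
    in_window = [e for e in events if window_start_ms <= int(e.get("rt", "0")) < window_end_ms]
    iocs = extract_iocs(in_window)
    report = {}
    for ioc_type in IOC_TYPES:
        path = Path(lookup_dir) / ("ioc_%s.csv" % ioc_type)
        known = load_lookup(path)
        new_values = sorted(iocs[ioc_type] - set(known))
        rows = []
        for value in new_values:
            result = enrich(ioc_type, value)
            rows.append({"ioc": value, "ioc_type": ioc_type, "verdict": result["verdict"],
                         "score": result["score"], "source": result["source"],
                         "first_seen_ms": window_start_ms})
        append_lookup(path, rows)
        report[ioc_type] = {"extracted": len(iocs[ioc_type]), "queried": len(new_values), "known": len(known)}
    return report


def run_demo():
    """Two runs over the same hour: the second one must not call the endpoint at all."""
    lookup_dir = Path(tempfile.mkdtemp(prefix="ioc_lookups_"))
    for t in IOC_TYPES:
        (lookup_dir / ("ioc_%s.csv" % t)).touch()  # the empty per-type lookup files from the plan
    window = (1700000000000, 1700003600000)
    first = run_cycle(SAMPLE_EVENTS, *window, lookup_dir, demo_enrich)
    second = run_cycle(SAMPLE_EVENTS, *window, lookup_dir, demo_enrich)
    return first, second, load_lookup(lookup_dir / "ioc_domain.csv")


if __name__ == "__main__":
    print(run_demo())
```

The dedup against the existing lookup file is what keeps the endpoint call count bounded when the job reruns or when an hour overlaps the previous one; whatever scheduler triggers the hour, the same idempotent cycle applies. The fifth sample event falls outside the window and is ignored.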