I am working on a use case to integrate third-party threat intelligence with ArcSight. The goal is to accomplish the following tasks:
SIEM Data Enrichment
- Ingest raw log events into ArcSight.
- Create empty lookup files in ArcSight for each IOC type (hash, IP, domain, URL).
- Set up an hourly query mechanism to extract IOCs from the ingested events in ArcSight.
- Implement a process where ArcSight retrieves IOCs from the query results and sends them individually to the third-party threat intelligence endpoint.
Third Party Threat Intelligence - Data Collection
- The third-party threat intelligence endpoint will return enriched data for each IOC.
- Store the enriched data in the corresponding lookup files for each IOC.
- Finally, create dashboards that visualize the enriched data from the lookup files.
I am familiar with the ingestion and dashboard creation processes. However, I need clarification on the data enrichment portion, specifically:
- How can I retrieve IOCs from ArcSight on an hourly basis?
- How can I trigger calls to the third-party threat intelligence endpoint whenever new IOCs arrive?
- How can I store the returned results from the third-party threat intelligence into the lookup files every hour?
Could you provide guidance on which ArcSight components I should use to implement this requirement? Any advice on how to approach this implementation or best practices would be greatly appreciated.
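As an added example (not part of the question and not ArcSight's own tooling), here is the hourly enrichment cycle the post describes written in Python as pure functions over CSV text, so whatever scheduler runs it can read the lookup files, call `run_hourly()`, and write the returned text back. It assumes the hourly query result is exported as CSV with an `indicator` column, that each lookup file is a CSV with the columns listed in `LOOKUP_FIELDS`, and that the third-party endpoint is wrapped in a caller-supplied `lookup_fn` that returns `None` when the call fails, in which case the IOC is left out of the lookup so the next run retries it instead of storing a half-enriched row.

```python
import csv, io, re

# Constructed classification rules, one per lookup file; URL is tested before domain on purpose.
IOC_TYPES = [
    ("hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("ip", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]
LOOKUP_FIELDS = ["ioc", "verdict", "score", "source", "enriched_at"]  # assumed lookup-file layout

def classify(value):
    """Map one value from the query result to a lookup-file name, or None if it is not an IOC."""
    for name, pattern in IOC_TYPES:
        if pattern.match(value):
            return name
    return None

def known_iocs(lookup_text):
    """IOCs already enriched in a lookup file; the empty file created up front yields an empty set."""
    return {row["ioc"] for row in csv.DictReader(io.StringIO(lookup_text))}

def run_hourly(query_csv, lookups, lookup_fn, now):
    """query_csv: hourly export with an 'indicator' column (assumed). lookups: {ioc_type: file text}.
    lookup_fn(ioc, ioc_type) -> enrichment dict, or None on endpoint failure (retried next hour)."""
    known = {name: known_iocs(lookups.get(name, "")) for name, _ in IOC_TYPES}
    pending = {name: set() for name, _ in IOC_TYPES}      # a set collapses repeats within the hour
    for row in csv.DictReader(io.StringIO(query_csv)):
        value = row["indicator"].strip()
        kind = classify(value)
        if kind and value not in known[kind]:
            pending[kind].add(value)
    updated, added = dict(lookups), {}
    for kind, iocs in pending.items():
        rows = []
        for ioc in sorted(iocs):                          # one endpoint call per new IOC
            info = lookup_fn(ioc, kind)
            if info is not None:
                rows.append({"ioc": ioc, "verdict": info["verdict"], "score": info["score"],
                             "source": info["source"], "enriched_at": now})
        if not rows:
            continue
        base, out = updated.get(kind, "").strip(), io.StringIO()
        writer = csv.DictWriter(out, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
        if not base:
            writer.writeheader()                          # first rows into the empty lookup file
        writer.writerows(rows)
        updated[kind] = (base + "\n" if base else "") + out.getvalue()
        added[kind] = len(rows)
    return updated, added
```

`run_hourly` returns the updated lookup texts together with a count of rows appended per IOC type, so a second run over the same export appends nothing, which is the property that keeps the hourly job idempotent.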