• Guidance on Implementing Data Enrichment through Third-party Threat Intelligence Integration in ArcSight

    I am working on a use case to integrate third-party threat intelligence with ArcSight. The goal is to accomplish the following tasks: SIEM data enrichment. Ingest raw log events into ArcSight. Create empty lookup files in ArcSight for each IOC…
  • Syslog header - custom parsing

    Has anyone here encountered the possibility of custom parsing of the syslog header? Would you advise me how to do it? One source is sending me syslog messages with the wrong header (changing the order of timestamp and hostname), so I would like to parse…
  • The flex connector displays the Ukrainian language incorrectly in the ArcSight console

    Hello. I've tested many options from other articles on this topic, but I still haven't been able to solve this problem. My flex connector parses events where the entire text in Ukrainian looks like this when output to the ArcSight console: Maybe…
  • Use regex in XML XPath flex connector | help with XPath and XQuery

    I have an XML file for the SAG Alliance Gateway, and I'm using an XML flex connector to process it. The connector works, but I'm having trouble with a nested element in the XML. Specifically, I need to extract the value of "RequestRef" using XPath, but…
  • RegEx FlexConnector Not Parsing.

    Below I have posted a small set of sample logs, the code for my flexagent parser, and the entry I have in the agents.properties file for a custom syslog parser. Is there anything that stands out as to why the data is not being parsed? If I look in the…
  • Syslog Subagent parser - VASCO multiline events

    Dear All, I hope all is well. Kindly, we have a syslog message that consists of multiple lines like the one below: <133>1 2023-12-24T09:48:09+00:00 Hostname ikeyserver 19848 - [meta sequenceId="367"] {Success}, {Replication}, {S-003002}, {A Replication…
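The two header problems raised above (a source that swaps the TIMESTAMP and HOSTNAME slots, and an RFC 5424 message with structured data whose body spans several lines) can be handled by one parser that captures the two slots after VERSION neutrally and decides which one is the timestamp. The following is an added Python example, not code from either post and not an ArcSight parser; the sample lines are constructed here (the hostname `ikeyhost` and the message bodies are invented) to resemble the VASCO-style line quoted above.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original posts). The second one
# mimics a source that puts HOSTNAME before TIMESTAMP; the third has a
# message body that spans two lines.
SAMPLES = [
    '<133>1 2023-12-24T09:48:09+00:00 ikeyhost ikeyserver 19848 - '
    '[meta sequenceId="367"] {Success}, {Replication}, {S-003002}',
    '<133>1 ikeyhost 2023-12-24T09:48:09+00:00 ikeyserver 19848 - '
    '[meta sequenceId="367"] {Success}, {Replication}, {S-003002}',
    '<133>1 2023-12-24T09:48:10.5Z ikeyhost ikeyserver 19848 - '
    '[meta sequenceId="368"] {Failure},\n{Replication}',
]

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
# STRUCTURED-DATA and MSG. slot1/slot2 are captured without assuming order.
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<slot1>\S+) (?P<slot2>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<rest>.*)$',
    re.DOTALL,  # let the message body run across line breaks
)
_TIMESTAMP = re.compile(
    r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})$'
)
# One STRUCTURED-DATA element: [SD-ID PARAM-NAME="value" ...]
_SD_ELEMENT = re.compile(
    r'\[(?P<sdid>[^\s\]]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]'
)
_SD_PARAM = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _to_datetime(text):
    """Normalise an RFC 5424 TIMESTAMP for datetime.fromisoformat (pre-3.11
    it accepts neither 'Z' nor fractions other than 3 or 6 digits)."""
    if text.endswith('Z'):
        text = text[:-1] + '+00:00'
    base, frac, tz = re.match(r'^(.*?)(\.\d{1,6})?([+-]\d{2}:\d{2})$', text).groups()
    if frac:
        frac = frac.ljust(7, '0')  # '.5' -> '.500000'
    return datetime.fromisoformat(base + (frac or '') + tz)


def parse_syslog5424(line):
    """Return a dict of header fields, structured data and message, or None
    if the line is not an RFC 5424 message with a recognisable timestamp."""
    m = _HEADER.match(line)
    if not m:
        return None
    slot1, slot2 = m.group('slot1'), m.group('slot2')
    if _TIMESTAMP.match(slot1):
        ts_text, hostname, swapped = slot1, slot2, False
    elif _TIMESTAMP.match(slot2):
        ts_text, hostname, swapped = slot2, slot1, True
    else:
        return None  # neither slot is a timestamp (e.g. NILVALUE '-')
    rest = m.group('rest')
    structured = {}
    if rest.startswith('-'):
        rest = rest[1:]
    else:
        while rest.startswith('['):
            sd = _SD_ELEMENT.match(rest)
            if not sd:
                break
            params = {p.group('name'): p.group('value').replace('\\"', '"')
                      for p in _SD_PARAM.finditer(sd.group('params'))}
            structured[sd.group('sdid')] = params
            rest = rest[sd.end():]
    pri = int(m.group('pri'))
    return {
        'facility': pri >> 3,
        'severity': pri & 7,
        'version': int(m.group('version')),
        'timestamp': _to_datetime(ts_text),
        'hostname': hostname,
        'swapped_header': swapped,
        'appname': m.group('appname'),
        'procid': m.group('procid'),
        'msgid': m.group('msgid'),
        'structured_data': structured,
        'message': rest.lstrip(' '),
    }


if __name__ == '__main__':
    for sample in SAMPLES:
        print(parse_syslog5424(sample))
```

The parser treats a slot as the timestamp only if it matches the RFC 5424 TIMESTAMP grammar, so a hostname can never be mistaken for one; a source that sends the NILVALUE `-` in place of a timestamp is rejected rather than guessed at, which is the safer failure mode for a SIEM feed. When the header order is stable you would pin it instead of sniffing, since the sniffing step is a workaround for one misbehaving source.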
  • Unable to map timestamp column from DB to any timestamp field in ArcSight

    Hello All, hope you all are doing well. I have created a time-based DB flex connector and one of the fields is not getting mapped. Below are the columns I am querying. ``` query=select LOCAL_DATE_TIME,to_timestamp(LOCAL_DATE_TIME,'yymmddhh24missff3…
  • ArcSight logUnparsedEvent Error

    Hello everyone. I have a problem with the parsing of a SmartConnector, version 8.4. I'm sending logs from a Linux machine with the rsyslog service. I have installed "Syslog Daemon" as the type. I have configured the following entries in the agent…
  • Multiple Database FlexConnector

    Dear All, I am struggling to read events from one SQL database using the Multiple Database flex connector. I am getting an event "Device connection down" with the message "Operand type clash: datetime2 is incompatible with bigint". My config file is as…
  • How to find the smart connector name, and in which file of the smart connector

    Hi, there are many types of connectors installed. I couldn't find the connector name. Please provide the file name or file path of the smart connector. How do we find out the smart connector name?
  • Unable to load JDBC driver mysql

    Hi, I'm trying to get an ArcSight SmartConnector (FLEX) to connect to a MySQL database to pull some data from a table. I have followed the guide from the FlexConnector dev guide, and copied the latest release of the MySQL JDBC driver to the /opt/arcsight…
  • Need help in multiline parsing

    Hello everyone, I'm writing a multiline parser, but I get the error: Message did not match the common regular expression. Has anyone got this error before? And how do I fix it? Please help me! Here is some information:
  • Issue in parsing multiline syslogs

    Dear team, I created a multiline parser for an application log that has single-line and multiline logs. The single-line logs are getting parsed but not the multiline ones. Please review my parser and help to resolve. Attaching parser and logs here. "<131>1…
  • FlexConnector Database : Unknown initial character set index '255' received from server

    Hi All, trying to create an ID-based Database Flex Connector. Environment: - SmartConnector 8.30 - Database target: MySQL 8.0.25-15. After configuring the flex, the following error appeared in the log file: java.sql.SQLException: Unknown initial…
  • Send logs from one smart connector to another smart connector

    Hello, thank you for giving me an idea of the instructions to follow to achieve the following diagram: 1- collect logs from the AD server to a server_X located in the same private VLAN. 2- collect AD logs from server_X to another server in public…
  • CSV File Connector reading CSV continuously

    Hello All, I have deployed a CSV file connector. The data is getting successfully parsed; however, I don't see any event saying "File Processing Ended" or "File Processing Completed". The properties below have been set. agents[0].onrotation=RenameFileInTheSameDirectory…
  • flex connector properties file not working

    I'm having some trouble with the FlexConnector. I wrote the parser file, but every time I run the flexconn and send some SSH logs the parser does not work. My parser file is called Vendor_syslog.subagent.sdkrfilereader.properties. I modified in agent…
  • ArcSight Use Cases

    Require help on creating reports/rules/dashboards/alerts for the use cases below in ArcSight ESM: 1. DNS attacks 2. SQL injection 3. WAF 4. DDoS
  • Arcsight Flex JSON Folder Follower parser

    Hello, I have the following json log: "srcip": "X.X.X.X", "metadata": [ { "request": { "server": "detectportal.firefox.com", "method": "GET", "host": "detectportal.firefox.com", "index": 1, "uri": "/success.txt", "user_agent": "Mozilla/5.0 (X11; Ubuntu;…
  • Parsing Timestamp

    I'm trying to parse a timestamp in a JSON parser, but I'm not having any luck despite trying various things in the dev guide. Format: "2022-05-16 19:54:25 +0000 UTC" My token: token[2].name=backend_timestamp token[2].type=String token[2].location…
  • Multiple FileReader.exe processes abandoned and locked persistence files

    Good day. I have created an sdkrfilereader to parse some ColdFusion Apache logs from seven different servers via file shares. It works well for a period of time, then some just stop sending events. I checked and found several hundred FileReader.exe processes…
  • Cisco Firepower bad mapping

    Hello community, today I got an ESM alert about a MALWARE-CNC Win.Backdoor.Chopper web shell connection. But the fields had swapped mappings: attacker IP and target IP were swapped, and because of the swapped mapping the rule was triggered. I have no error or parsing…
  • Kafka Flex Connector and Shared Access Signature Authentication

    Hi all. Has anyone managed to get the Kafka Flex Connector working with SAS authentication? It is mentioned in the Kafka Flex Connector guide along with some sample parameters, but it does not show where to store/configure these parameters. The…
  • JSON Flex Connector handling sub-array

    I am developing a JSON Flex Connector for Symantec SES. The data consists of Incidents, and each Incident may have 0-many associated Events in a sub-array on the Incident. This Events array is not keyed, so it does not seem a candidate for processing…
  • Use event field as message id for submessage

    Is there any way to use an event field value instead of a token to identify the event pattern and process it by submessage? Unfortunately this trick doesn't work: submessage.messageid.token=event.deviceEventClassId