
Sentinel customFieldMaps - ArcSight Parsing - Universal Common Event Format

ArcSight SmartConnector -> Universal Common Event Format

Most CEF events parse properly, but as an ArcSight SME I needed a few more in Sentinel.


Two examples
- Cisco Firepower
- McAfee ePO


Get Raw Data

- Option 1: Sentinel webUI “Get Raw Data”
- Option 2: In Sentinel Control Center, right-click the SyslogConnector and choose “Edit”; from there the raw data can be copied to a file.

Parser - CustomFieldMap

  1. Sentinel Control Center
    1. Right click Universal CEF Collector and stop
    2. Once stopped, Right click and then click “Debug”
    3. Click OK (Live Mode)
    4. Click “Upload/Download”
    5. Clicking Download places the file in the default location (I left mine at the default)
    6. Leave this window open for step 3
  2. Workstation
    1. C:\Users\\.novell\sentinel\data\collector_workspace\Universal_Common-Event-Format\customFieldMaps
    2. Create Text File: Cisco_Firepower.map
      1. Contents, one row per field (columns: Sentinel Event Field, Input Record Field):
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
        InputBytes,cef.extensions["bytesIn"]
        OutputBytes,cef.extensions["bytesOut"]
    3. Create Text File: McAfee_ePolicy.Orchestrator.map
      1. Contents, one row per field (columns: Sentinel Event Field, Input Record Field):
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
        CEFOldFilePath,cef.extensions.filePath
        CEFOldFileName,cef.extensions.fname
    4. Create Text File: McAfee_Host.Data.Loss.Prevention.map
      1. Contents, one row per field (columns: Sentinel Event Field, Input Record Field):
        CEFCustomNumber1,cef.extensions.cn1
        CEFCustomNumber2,cef.extensions.cn2
        CEFCustomNumber3,cef.extensions.cn3
        CEFCustomString1,cef.extensions.cs1
        CEFCustomString2,cef.extensions.cs2
        CEFCustomString3,cef.extensions.cs3
        CEFCustomString4,cef.extensions.cs4
        CEFCustomString5,cef.extensions.cs5
        CEFCustomString6,cef.extensions.cs6
        VendorOutcomeCode,cef.extensions.act
  3. Sentinel Control Center
    1. Click Upload
    2. Start Event Source, Connector, and Universal CEF Collector
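As an added example (not from this page and not Sentinel's own collector code), this Python sketch shows how rows of these .map files resolve against a parsed CEF record: dotted steps and the ["bytesIn"] bracket form walk the same structure, and a row whose source key is absent from the event simply yields no Sentinel field. The CEF line is constructed and the parser is a simplified stand-in for the collector's real one.

```python
import re

# Constructed sample (made-up Firepower-style values); "\=" is CEF's escape for a literal "="
SAMPLE_CEF = ("CEF:0|Cisco|Firepower|6.4|430001|Intrusion Event|7|"
              "cn1=12345 cs1=Policy\\=Default act=Blocked bytesIn=512 src=10.0.0.5")

# Rows in the page's map format: Sentinel event field, input record field.
FIREPOWER_MAP = """\
CEFCustomNumber1,cef.extensions.cn1
CEFCustomNumber2,cef.extensions.cn2
CEFCustomString1,cef.extensions.cs1
VendorOutcomeCode,cef.extensions.act
InputBytes,cef.extensions["bytesIn"]
"""

HEADER = "version deviceVendor deviceProduct deviceVersion signatureId name severity".split()
# key=value pairs: a value runs until the next " key=" and may contain backslash escapes
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")
# one step of a map path: "name", ".name" or ["name"]
PATH_STEP = re.compile(r'\.?(\w+)|\["([^"]+)"\]')

def parse_cef(line):
    """Return {"cef": {...header fields..., "extensions": {...}}} for one CEF line."""
    parts = line[4:].split("|", 7)             # drop "CEF:", 7 header fields, then extensions
    record = dict(zip(HEADER, parts[:7]))
    ext_text = parts[7] if len(parts) > 7 else ""
    record["extensions"] = {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
                            for m in EXT_PAIR.finditer(ext_text)}
    return {"cef": record}

def resolve(record, path):
    """Walk a dotted/bracketed input-record path; None if any step is missing."""
    node = record
    for m in PATH_STEP.finditer(path):
        key = m.group(1) or m.group(2)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def apply_map(record, map_text):
    """Fill Sentinel event fields from map rows; rows whose source is absent are skipped."""
    event = {}
    for row in filter(str.strip, map_text.splitlines()):   # skip blank rows
        target, source = (c.strip() for c in row.split(",", 1))
        value = resolve(record, source)
        if value is not None:
            event[target] = value
    return event
```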

Labels:

Support Tips/Knowledge Docs
Support Tip