Creating and Integrating a Smart Connector into the Existing ArcSight Infrastructure

Hello,

I’m new to the ArcSight platform and I’m looking to integrate a third-party threat intelligence feed with ArcSight. The feed data will be provided through an API, and I want to ingest this data into ArcSight for threat analysis.

ArcSight already offers various smart connectors (like syslog) for ingesting data. I would like to create a smart connector for this third-party threat intelligence source and integrate it into ArcSight’s existing smart connector infrastructure.

Could anyone guide me on the procedure or best practices for creating and integrating a smart connector for a third-party threat intelligence feed?

Thank you!


    The REST SmartConnector is part of the ArcSight SmartConnector suite, enabling the ingestion of event data from RESTful APIs provided by various applications, services, or platforms. It facilitates seamless integration with third-party systems by pulling event logs through RESTful API endpoints and normalizing them into ArcSight's Common Event Format (CEF).

    Key Features:

    1. API Integration:

      • Connects to third-party systems exposing REST APIs.
      • Supports both HTTP and HTTPS protocols.
    2. Data Collection:

      • Pulls data using GET, POST, or other HTTP methods.
      • Handles paginated responses efficiently.
    3. Customizable:

      • Users can define mappings between JSON fields in the API responses and the ArcSight CEF fields.
      • Flexibility to work with various data formats (e.g., JSON, XML).
    4. Event Normalization:

      • Transforms raw event data into structured CEF for use within ArcSight ESM, Logger, or other ArcSight products.
    5. Authentication Support:

      • Supports multiple authentication methods, such as basic authentication, API tokens, or OAuth.
    6. Error Handling:

      • Logs errors for troubleshooting and retries failed requests based on configuration.

    Use Cases:

    • Cloud Monitoring: Integrate with cloud services like AWS, Azure, or Google Cloud that provide REST APIs for log data.
    • Custom Applications: Collect logs or event data from custom-developed software or platforms.
    • IoT Devices: Gather logs from IoT management systems or platforms that use REST APIs.

    Prerequisites:

    • Access credentials (e.g., API keys or tokens) for the target API.
    • Knowledge of the API documentation for endpoint URLs, authentication, and request/response structures.

    Deployment Steps:

    1. Install the SmartConnector:

      • Install on a supported platform (Windows/Linux) as per the ArcSight SmartConnector Installation Guide.
    2. Configure API Details:

      • Provide the API endpoint URL, authentication details, and request method in the configuration file.
    3. Map Fields:

      • Use the ArcSight Configuration Wizard or manual configuration to map API response fields to ArcSight CEF fields.
    4. Test and Deploy:

      • Validate connectivity and data parsing, then deploy the SmartConnector to production.

    Best Practices:

    • API Limits: Be aware of rate limits imposed by the target API and configure appropriate polling intervals.
    • Secure Credentials: Store API credentials securely and limit permissions to only required access.
    • Error Monitoring: Monitor connector logs for errors or performance issues and resolve promptly.
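As an added illustration of what the REST SmartConnector does for a feed like the one asked about (this is example code, not ArcSight's connector or part of the answer above): it walks a hypothetical cursor-paginated indicator API, maps each JSON record onto CEF fields, and applies CEF's header and extension escaping. The feed pages, the field names (`indicators`, `next`, `confidence`) and the vendor name `ExampleFeed` are constructed placeholders.

```python
# Constructed sample: two pages of a hypothetical cursor-paginated feed; page 2 has no next cursor.
SAMPLE_PAGES = {
    None: {"indicators": [
        {"id": "ti-1001", "type": "ipv4", "value": "192.0.2.10",
         "confidence": 90, "description": "C2 node|seen in campaign A"}],
        "next": "cursor-2"},
    "cursor-2": {"indicators": [
        {"id": "ti-1002", "type": "domain", "value": "bad.example",
         "confidence": 40, "description": "phishing = credential theft"}],
        "next": None},
}

def fetch_page(cursor):
    """Stand-in for the HTTP GET the connector would issue; returns parsed JSON."""
    return SAMPLE_PAGES[cursor]

def iterate_feed(fetch):
    """Follow the 'next' cursor until the API reports no further page."""
    cursor = None
    while True:
        page = fetch(cursor)
        yield from page["indicators"]
        cursor = page.get("next")
        if not cursor:
            return

def cef_header(value):
    # In the CEF header, backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    # In the extension, backslash, '=' and newline are reserved instead.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def severity(confidence):
    # Fold the feed's 0-100 confidence onto the 0-10 CEF severity scale.
    return min(10, max(0, int(confidence) // 10))

def to_cef(ind):
    # JSON field -> CEF field mapping; custom strings carry indicator type and value.
    ext = {"externalId": ind["id"], "cs1Label": "indicatorType", "cs1": ind["type"],
           "cs2Label": "indicatorValue", "cs2": ind["value"], "msg": ind["description"]}
    header = ["CEF:0", "ExampleFeed", "ThreatIntel", "1.0", "indicator",
              "Threat indicator", severity(ind["confidence"])]
    return "|".join(cef_header(h) for h in header) + "|" + \
        " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())

def collect(fetch=fetch_page):
    """Pull every indicator from the feed and normalize it into one CEF line."""
    return [to_cef(i) for i in iterate_feed(fetch)]
```

Swap `fetch_page` for a real HTTP call (with the API token from the configuration, not hard-coded) and the output lines are what the connector would forward to ESM or Logger.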
  • 0 in reply to 

    Hi  ,

I would like to add my own connector (e.g., "xyz") to the existing list of Smart Connectors. Specifically, I want to create a connector that calls APIs and is then published so that it is available for use directly from the Smart Connector dropdown list for all users.

    Could you guide me on how to create my own Smart Connector and publish it so that others can access it from the dropdown list?

    Thank you for your help!