  • JSON parser

    Hi, your help is needed. I came across this JSON event format: { "results": [ { "id": "667e8d33156b6c38232c9043", "name": "SQL Injection attack (S3)", "description": "SQL Injection attack hitting the server at HTTPS. Same IP should not appear more…
  • Problem with CEF that has IPV6

    I have a specific problem when there are IPv6 events originating from the 365 Defender technology (Native Connector). When events contain IPv4, the IP is mapped perfectly in the destinationAddress field, but when there is IPv6 it does not appear. But…
  • Syslog subagent.parsers

    Hello, I don't understand what "syslog.subagent.parsers=" in agent.properties is for: I can enable a custom subagents list where I can use my own parsers, but what does subagent.parsers do? agents[0].customsubagentlist=generic_syslog ?? agents[0].syslog.subagent…
  • Syslog Connector Does Not Parse Pulse Secure

    ArcSight syslog connector does not parse current Ivanti Pulse Connect Secure logs. I wonder if a parser will be added in new versions regarding this issue? Is there a portal where we can track future product parsers?
  • Syslog NG NULL Events

    Hello, I am trying to collect syslog with Syslog NG, but the connector can't parse the data. Syslog should be fine and I can see the application data in Wireshark, but nothing in the connector. unparsed events: true custom parser: true (made a completely basic parser to…
  • flex connector properties file not working

    I'm having some trouble with the FlexConnector. I made the parser file, but every time I run the flexconn and send some SSH logs the parser does not work. My parser file is called Vendor_syslog.subagent.sdkrfilereader.properties. I modified in agent…
  • Need unobfuscated parsers for all devices supported by ArcSight

    Hi all, hope you are all doing well amid this pandemic. I need help with the unobfuscated parsers for all supported devices. I believe from 7.14 or 8.0, support has started providing the unobfuscated parsers. Please reply with the parser files if you…
  • timestamp to string conversion

    Hi, I have a flex DB connector. Time is mapped to the event.startTime field as a timestamp. Can I somehow store the time as a string in some additional field like deviceCustomString? Thanks.
  • Detecting Actual Rogue Systems versus Rogue Sensor Source Servers

    Hello experts! Is it possible that the parser is querying the wrong ePO table name, or could I just need a newer parser version? Attempting to 'fire alerts' for McAfee Rogue Systems from "RSD Version 5.0.5", yet it seems that all events captured reflect…
  • ArcSight FlexConnector cannot parse syslog

    Hi everyone, I have an issue with FlexConnector. In my environment, there is an SC that collects syslog (including FortiGate, CentOS, a Cisco switch, and the source device "Array" where this problem occurred). At the beginning, I created a regex parser…
  • WiNC custom parser help

    I've tried going through the other discussions on this topic, but I can't seem to get mine to work. Referencing post community.microfocus.com/.../2818088, I have recently enabled the insecure RPC communication events on our domain controllers with new event…
  • CEF parser Override for PaloAlto System messages

    Hello, I am facing an issue creating a parser subagent for CEF syslog messages. 1- I created a subagent file and placed it under ..\current\user\agent\flexagent\syslog 2- I named the file PaloAlto_syslog.subagent.sdkrfilereader.properties 3- I modified…
  • Oracle WebLogic SmartConnector v12.2

    Hello! Does anyone have experience with the SmartConnector for Oracle WebLogic Server File for WebLogic Access v. 12.2.1.3? It seems like the standard parser is not working correctly. In the Configuration Guide I see mappings to ArcSight fields only for WebLogic Access v12…
  • Centrify Suite 2017 - Flex

    Hi all, I am sharing my Flex for Centrify. I also opened a ticket with ArcSight a year ago to have this added to the list of CEF Connectors, and still no updates. Ticket: SD02349662 - Feature Request: CON-21924. So I am posting it here for the benefit of everyone…
  • Sigma rules guide: threat hunting for ESM, ArcSight Command Center and Logger

    Hello dear community, as you know ArcSight ESM is only as smart as the content that we build there. After sharing hundreds of rules over the last 2 years in response to WannaCry, NotPetya, Bad Rabbit etc., we quickly came to the realization that there is a…
  • How can I hash or encrypt a field value in an ArcSight Flex Connector?

    Dear all, I have a syslog parser with very important information like PIN and PAN credit card numbers. Does anybody have experience changing a clear integer number in a field to an encrypted value with a unique formula? For example, I have a credit card…
  • WINC Conditional Mappings

    I have a problem mapping more info from event ID 400 (PowerShell Version). Raw Event : {"System":{"EventId":"400","Version":"","Channel":"Windows PowerShell","ProviderName":"PowerShell","Computer":"COMPUTERNAME","EventRecordID":"3628","Keywords":"Classic…
  • Windows Event 4625 - Missing Information

    Hello, the Windows event 4625 - An account failed to log on - is missing an important field in ArcSight. This event is generated when a user holds down Shift and right-clicks a program to run it as a different user and inputs an incorrect username or password…
  • How can I create a custom lookup file list with 2 columns "Code" & "Description" in ArcSight ESM?

    Dear all, I can create a lookup file in ArcSight Logger very simply, but how can I create a custom field with a static value corresponding to a parsed field? In this case I want to create a lookup file in ArcSight ESM for http_status codes and also want…
  • RE: How can I create a parser for a Java application log?

    Dear, can I have multiple line.exclude.regex? If yes, how can I put all exclusion lines in the parser? Parser: do.unparsed.events=true ################################################################################# ############# Included and Excluded…
  • How can I create a parser for a Java application log?

    Dear all, I have a sample log from a Java application with SSO authentication contents, but in this file I have many log lines that I do not need for indexing in the parser. How can I exclude the selection of log lines in parser FlexConnector creation? BR…
  • Regular Expression for Timestamp Field Extraction Problem!

    Dear all, I have a log line starting with this: "v002xxxxdate=2017-11-01 time=14:07:42". How can I extract the Time field for this with a unique regex? In other words, I must extract a standard timestamp like this: "2017-11-01 14:07:42" (yyyy-MM-dd HH:mm:ss) in the…
  • OpenVPN Regex File Parser

    Here's an OpenVPN regex-based FlexConnector file reader. I was sifting through Protect in hopes that someone would have had one listed already; alas, there were only some on request. Since I don't like waiting, I decided to write one myself. Simply rename…
  • scom2007.sdkibdatabase.properties

    scom2007.sdkibdatabase.properties rotation.next.tableid.query=declare @questionmark char(50); set @questionmark=?; if ((select PartitionId from dtPartition where PartitionId = @questionmark) is NOT NULL ) select TOP 1 PartitionId from dtPartition where…