Idea ID: 2878810

Adding a feed database to ArcSight (on the example of AlienVault OTX)

Status: New Idea

Hello, I think from the title it is already clear what I need your help with.

I'm relatively new to this field and ArcSight, so I'm really hoping you can point me to some text or video resources detailing how to connect a feed base to ArcSight using AlienVault as an example.

Thank you in advance

  • Hi Bohdan,

    would you mind tagging it answered or voting it up so that others can see this as an actual answer to your inquiry?

    Thanks,

    MS

    Sr. Product Line Manager |  ArcSight Threat Intelligence
    OpenText Cybersecurity

  • Hi Markus

    It's very helpful information. Thank you so much!

    Bohdan

  • Hi Bohdan,

    thanks for reaching out. The way your threat intelligence integration works is two-fold:

    • There are out-of-the-box options to integrate CTI (ArcSight ThreatHub Feed), which requires an ArcSight connector.
      • You can find more information on that topic here
    • You can integrate with other CTI sources using our FlexConnectors which is a three-step process
      1. Identify your source of CTI and how that source provides you the data (file, db, api...)
      2. Take the corresponding FlexConnector and write a parser
      3. Write a set of rules to take the events from the FlexConnector and add them to an active list (use lightweight rules for that)
      4. Use the active list populated in step (3) in your rules

    The second option is very flexible but requires a bit of a learning curve.

    You can reach out to your presales contacts asking for some more technical guidance or even go into a PS engagement. Those guys are really quick in such integrations and can help if you don't have the capacity to do it yourself.

    HTH,

    MS

    Sr. Product Line Manager |  ArcSight Threat Intelligence
    OpenText Cybersecurity
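Steps 1 and 2 of the FlexConnector procedure above, as an added worked example (not code from the original thread and not OpenText or AlienVault code): a small Python script that takes an OTX-style pulse export, validates each indicator against its declared type, de-duplicates, and emits one CEF line per indicator. Because ArcSight SmartConnectors parse CEF natively, writing the feed out as CEF lets a Syslog/CEF connector ingest it without a hand-written FlexConnector parser; the ESM lightweight rules of steps 3 and 4 (copying `cs1` into an active list) are built in the console and are not shown. The pulse JSON below is constructed to resemble OTX output, and the vendor/product strings, severity and field mapping are assumptions of this example.

```python
"""Convert OTX-style pulse JSON into CEF events for an ArcSight connector.

Added example for the thread above; not part of any OpenText or AlienVault
product. The pulse layout is a constructed approximation of an OTX export.
"""
import ipaddress
import json
import re
from typing import Callable, Dict, List

# Constructed sample resembling an OTX pulse export (not real feed data).
SAMPLE_PULSES_JSON = json.dumps({
    "results": [
        {
            "name": "Example|pulse",  # pipe must be escaped in the CEF header
            "indicators": [
                {"indicator": "192.0.2.10", "type": "IPv4", "description": "scanner"},
                {"indicator": "example.test", "type": "domain", "description": ""},
                {"indicator": "999.1.1.1", "type": "IPv4", "description": "malformed"},
                {"indicator": "192.0.2.10", "type": "IPv4", "description": "duplicate"},
                {"indicator": "d41d8cd98f00b204e9800998ecf8427e",
                 "type": "FileHash-MD5", "description": "key=value"},
            ],
        }
    ]
})

# Assumed identifiers for the CEF header; adjust to your naming convention.
CEF_VENDOR = "AlienVault OTX"
CEF_PRODUCT = "Pulse"
CEF_VERSION = "1"
CEF_SEVERITY = "3"


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe are escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash and '=' are escaped, newlines removed."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", " ").replace("\n", " "))


def _is_ip(value: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _hex_of_len(n: int) -> Callable[[str], bool]:
    return lambda v: re.fullmatch(r"(?i)[0-9a-f]{%d}" % n, v) is not None


# Validators keyed by OTX indicator type; unknown types are dropped.
VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "IPv4": lambda v: _is_ip(v, 4),
    "IPv6": lambda v: _is_ip(v, 6),
    "domain": lambda v: re.fullmatch(r"(?i)[a-z0-9-]+(\.[a-z0-9-]+)+", v) is not None,
    "hostname": lambda v: re.fullmatch(r"(?i)[a-z0-9-]+(\.[a-z0-9-]+)+", v) is not None,
    "URL": lambda v: v.lower().startswith(("http://", "https://")),
    "FileHash-MD5": _hex_of_len(32),
    "FileHash-SHA1": _hex_of_len(40),
    "FileHash-SHA256": _hex_of_len(64),
}


def pulses_to_cef(raw_json: str) -> List[str]:
    """Return one CEF line per valid, unique (type, indicator) pair."""
    data = json.loads(raw_json)
    seen = set()
    lines: List[str] = []
    for pulse in data.get("results", []):
        pulse_name = escape_header(str(pulse.get("name", "")))
        for ind in pulse.get("indicators", []):
            itype = str(ind.get("type", ""))
            value = str(ind.get("indicator", "")).strip()
            check = VALIDATORS.get(itype)
            if check is None or not check(value):
                continue  # unknown type or malformed value: do not poison the list
            key = (itype, value.lower())
            if key in seen:
                continue
            seen.add(key)
            header = "|".join(["CEF:0", escape_header(CEF_VENDOR),
                               escape_header(CEF_PRODUCT), CEF_VERSION,
                               escape_header(itype), pulse_name, CEF_SEVERITY])
            ext = " ".join([
                "cs1Label=indicator", "cs1=" + escape_extension(value),
                "cs2Label=indicatorType", "cs2=" + escape_extension(itype),
                "msg=" + escape_extension(str(ind.get("description", ""))),
            ])
            lines.append(header + "|" + ext)
    return lines


if __name__ == "__main__":
    for line in pulses_to_cef(SAMPLE_PULSES_JSON):
        print(line)
```

Run the script and point a Syslog/CEF connector at its output (or write the lines to a file a file-based connector reads); the `cs1` field then carries the indicator that the lightweight rule copies into the active list. Validating each value against its declared type before emitting it matters because a single malformed entry in an active list silently stops matching for that indicator and can clutter correlation results.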