
PacketMotion - ArcSight Connector Configuration Guide

  • Writer: Pavan Raja
  • Apr 9, 2025

Summary:

The "PacketSentry 3.2 Configuration Guide" gives a step-by-step procedure for configuring PacketSentry to send syslog messages in Common Event Format (CEF) to an ArcSight system. With this in place, each rule violation produces an alert that carries detailed network activity correlated with the user's identity. The guide covers configuring multiple syslog servers for CEF-formatted messages, setting the minimum alert severity forwarded from PacketSentry's rule engine, the mapping of the device's event fields by ArcSight's SmartConnector, and technical notes (IP addresses, MAC addresses and protocol details) relevant to that mapping. The configuration is what keeps the two products interoperable, so that identity-correlated network data reaches ArcSight for analysis.

Details:

The "PacketSentry 3.2 Configuration Guide" describes how to configure PacketSentry 3.2 to send syslog messages formatted as Common Event Format (CEF) to an ArcSight system. When a PacketSentry rule is violated, the resulting alert carries detailed network activity correlated with identity and is delivered over syslog. The guide walks through adding a new syslog logging server in PacketSentry, choosing the minimum severity of alert events to forward, and how the ArcSight SmartConnector maps the device's event data fields for further processing. Key features of this configuration:

1. **Syslog Server Configuration**: Multiple syslog servers can be configured, each using either the standard message format or CEF.
2. **Alert Administration**: Every alert is sent with the CEF signature ID 50000; the CEF severity is derived from the severity assigned to the rule in PacketSentry's rule engine.
3. **Event Mapping**: The SmartConnector maps PacketSentry's vendor-specific event definitions to ArcSight data fields. The guide lists the mappings for both CEF header and extension fields.
4. **Technical Notes**: Proprietary information such as device specifications, IP addresses, MAC addresses and protocol details needed to map events accurately between PacketSentry and ArcSight.

This configuration keeps the two products interoperable, so that detailed network data, correlated with identity, can be transmitted efficiently and analyzed in ArcSight.

The guide also documents the fields carried in the CEF message that PacketSentry sends to ArcSight when a client device triggers a rule violation:

1. **Domain Name**: the domain associated with the event, for example "zurich.domain.com".
2. **Port Number (dpt)**: the destination port involved in the alert, an integer between 0 and 65535.
3. **File Path (filePath)**: the full path to a file, including the file name where applicable, for rules that concern files.
4. **Request (request)**: for rules that concern HTTP requests, the URL accessed, including the scheme ("http://" or "https://").
5. **Source IP Address (src)**: the source of the event on the IP network, as an IPv4 address such as "192.168.10.1".
6. **Source Host (shost)**: the fully qualified domain name of the source that triggered the alert.
7. **Timestamp (rt)**: when the activity behind the event started, either as "MMM dd yyyy HH:mm:ss" or as milliseconds since January 1, 1970 (the Unix epoch).
8. **Source User ID (suid)**: the unique identifier of the user on the client device that caused the alert; on UNIX systems, for example, root is user ID 0.
9. **Source Username (suser)**: the source user name, mapped from the email address associated with the triggering user on the client device.
10. **Custom Field cs1**: the PacketSentry ruleset and rule that triggered the alert, joined with "#".
11. **Custom Field cs6**: the Active Directory Organizational Unit (OU) of the user who caused the rule violation; used by custom alerts for AD OU management.

Together these fields tell the analyst who (suid, suser, cs6), from where (src, shost), to what (dpt, filePath, request) and under which rule (cs1) an alert was raised, which is what makes the alert actionable in ArcSight.
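To make the field descriptions above concrete, here is an added example, written for this post and not taken from the PacketSentry guide or from PacketMotion, that parses a syslog line carrying such a CEF alert and checks the constraints the guide states. It handles CEF's own escaping rules (`\|` in the header, `\=` and `\\` in the extension), which a naive `split("=")` gets wrong for exactly the fields this page lists, such as a `request` URL with a query string or a Windows `filePath`. The sample line, the vendor and product strings, every field value, and the assumption that cs1 is ordered ruleset-then-rule are constructed for the example; only the signature ID 50000 and the field set come from the page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: one syslog line carrying a PacketSentry CEF alert. The vendor,
# product and all field values are assumptions for this example; only the signature
# ID 50000 and the field set come from the configuration guide. Raw strings are used
# so the CEF escapes (\\ for a backslash, \= for an equals sign) appear literally.
SAMPLE_LINE = (
    r"<134>Apr 09 2025 10:15:42 ps01 CEF:0|PacketMotion|PacketSentry|3.2|50000|"
    r"Rule violation: SMB to finance share|7|"
    r"rt=Apr 09 2025 10:15:41 src=192.168.10.1 shost=ws1.zurich.domain.com "
    r"dst=10.0.5.20 dpt=445 proto=TCP suid=1001 suser=jdoe@zurich.domain.com "
    r"filePath=\\\\fs01\\finance\\q1.xlsx "
    r"request=https://intranet.zurich.domain.com/reports?id\=7 "
    r"cs1=Finance-Share-Access#Block-Non-Finance-Users cs1Label=Rule "
    r"cs6=Engineering cs6Label=AD OU"
)

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
_ESCAPES = {"n": "\n", "r": "\r"}


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` while skipping any character preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair for _unescape
            i += 2
        elif text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Undo CEF escaping: backslash-pipe, backslash-equals and double backslash
    become the literal character; backslash-n and backslash-r become line breaks."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value, flags=re.S)


def parse_cef(line):
    """Parse a syslog line holding a CEF message into its prefix, header and extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields = _split_unescaped(line[start + 4:], "|", 7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header: expected seven unescaped pipes")
    header = dict(zip(HEADER_KEYS, (_unescape(f) for f in fields[:7])))
    if header["severity"].isdigit():            # CEF allows 0-10 or a textual level
        header["severity"] = int(header["severity"])
    # Extension: key=value pairs separated by spaces. Values may contain spaces but
    # never an unescaped '=', so a value ends where the next ' key=' begins.
    extension = {}
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)", fields[7], flags=re.S):
        extension[m.group(1)] = _unescape(m.group(2))
    return {"syslog_prefix": line[:start].rstrip(), "header": header, "extension": extension}


def parse_rt(value):
    """rt is either 'MMM dd yyyy HH:mm:ss' (no zone, returned naive) or epoch milliseconds (UTC)."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    return datetime.strptime(value, "%b %d %Y %H:%M:%S")


def rule_from_cs1(event):
    """cs1 carries the ruleset and rule joined by '#'; ruleset-first order is an assumption."""
    ruleset, _, rule = event["extension"]["cs1"].partition("#")
    return ruleset, rule


def validate_alert(event):
    """Apply the field constraints stated in the guide; returns the problems found."""
    h, e = event["header"], event["extension"]
    problems = []
    if h["signature_id"] != "50000":
        problems.append(f"unexpected signature id {h['signature_id']}")
    if isinstance(h["severity"], int) and not 0 <= h["severity"] <= 10:
        problems.append(f"severity out of CEF range: {h['severity']}")
    if "dpt" in e and not (e["dpt"].isdigit() and int(e["dpt"]) <= 65535):
        problems.append(f"dpt out of range: {e['dpt']}")
    if "request" in e and not e["request"].startswith(("http://", "https://")):
        problems.append(f"request lacks a scheme: {e['request']}")
    if "cs1" in e and "#" not in e["cs1"]:
        problems.append("cs1 is not ruleset#rule")
    if "rt" in e:
        try:
            parse_rt(e["rt"])
        except ValueError:
            problems.append(f"rt not parseable: {e['rt']}")
    return problems


if __name__ == "__main__":
    event = parse_cef(SAMPLE_LINE)
    print(event["header"]["name"], rule_from_cs1(event), validate_alert(event))
```

Run it and `validate_alert` returns an empty list for the sample; change `dpt=445` to `dpt=70000` or strip the scheme from `request` and it reports each violation. The header is split only on unescaped pipes and the extension only at `key=` boundaries, so a backslash in `filePath` or an escaped `=` in a URL survives into the parsed value, which is what any ArcSight-side correlation on those fields depends on.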

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
