The usual way to add external information to Active Lists in ArcSight is to build a custom flex connector, parse the data, and create a pre-persistent rule that adds the information to the Active List.
This approach takes a lot of resources, requires development time, and consumes EPS from the system.
So, what if you want an easy solution that adds your information directly to the ArcSight Active List with no development and minimal resource usage?
The CyberSIEM team has developed a tool that adds the rows of a CSV file directly to an Active List.
What do you need?
- Active List
- CSV file with the same columns as the Active List
- Our tool, downloaded and installed using the steps below
Installing the tool:
First, download the zip file from [here] and unzip it into a new folder on your computer.
There will be three files in it:
- Make sure that the machine you are running the tool on has open communication to the ArcSight ESM server on port 8443.
- Run the installer.exe file, and follow the instructions on the screen.
Fill in the ArcSight ESM hostname, port, user, password, Active List Resource ID and CSV file path.
The installer should be executed again only if the Active List is changed or if a different password is set for the ArcSight user.
The installer will create a file called “CyberSIEM.properties”, which will contain the hash of the password you entered. We recommend granting read permission on this file only to trusted users.
If you restrict permissions on the file, make sure you run the following steps as a user who has permission to read it.
Put your input file in the same directory as “csv2ActiveList.exe” and name it “input.csv”, like the example file. Make sure it has the same columns as the destination Active List.
Run the csv2ActiveList.exe file, and you will see the Active List start to update.
If you want to keep updating the Active List automatically, you can replace the “input.csv” file with the new entries and run the application as a service in your system by using the sc command:
sc create CyberSIEMCSV2ActiveList binpath= [EXE PATH] start= auto
- Note that there is a space between the binpath= and the exe path.
The application will create a log file that records each deleted line and any errors at run time.
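The recommendation above to limit read access to “CyberSIEM.properties” can be applied with a short PowerShell script. This is an added example, not part of the CyberSIEM tool: the install path and the operator account are assumptions, and SYSTEM keeps read access because a service registered with sc create and no obj= argument runs as LocalSystem.

```powershell
# Added example (not part of the CyberSIEM tool). Run from an elevated prompt.
# Assumed values: the install folder and the account that runs the tool by hand.
$propsPath = 'C:\Tools\csv2ActiveList\CyberSIEM.properties'
$operator  = [System.Security.Principal.NTAccount]'CORP\siem-operator'

if (-not (Test-Path -LiteralPath $propsPath -PathType Leaf)) {
    throw "Not found: $propsPath (run installer.exe first)"
}

# Well-known SIDs are used because the group names are localized.
$sidType = [System.Security.Principal.SecurityIdentifier]
$admins  = $sidType::new('S-1-5-32-544')   # BUILTIN\Administrators
$system  = $sidType::new('S-1-5-18')       # LocalSystem
$opSid   = $operator.Translate($sidType)   # throws if the account does not exist

$acl = Get-Acl -LiteralPath $propsPath
# Stop inheriting from the parent folder and drop the inherited entries, so
# broad groups such as Users lose the access they had through the folder.
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries that were already on the file.
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRuleSpecific($old) }

$grants = @(
    @{ Sid = $admins; Rights = 'FullControl' },
    @{ Sid = $system; Rights = 'Read' },
    @{ Sid = $opSid;  Rights = 'Read' }
)
foreach ($g in $grants) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $g.Sid,
        [System.Security.AccessControl.FileSystemRights]$g.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $propsPath -AclObject $acl

# Verify what is now on the file and flag any entry that was not granted above.
$expected = $admins.Value, $system.Value, $opSid.Value
(Get-Acl -LiteralPath $propsPath).GetAccessRules($true, $true, $sidType) |
    ForEach-Object {
        $sid  = $_.IdentityReference.Value
        $flag = if ($expected -contains $sid) { 'expected' } else { 'UNEXPECTED' }
        '{0,-10} {1,-48} {2}' -f $flag, $sid, $_.FileSystemRights
    }
```

If the service is later configured to run under a dedicated account instead of LocalSystem, grant that account Read in place of the SYSTEM entry and rerun the script.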
Ofek Sher, SIEM Orchestration Specialist