Configuring ESM for Integration
The SOAR and ESM integration requires configuration on ESM. To ingest data, you must create an active list on ESM and configure the rules that forward events to this list. These rules define the type of event that is forwarded to SOAR for investigation. After the active list is added and the rule is configured, SOAR monitors the events coming from ESM and creates the corresponding alerts.
To configure ESM for integration:

- Log in to ArcSight Console.
- Create a new active list with the name ATAR Rule Name List.
- Add the rule names to the newly created ATAR Rule Name List.
- Create a Pre-persistence rule on ArcSight Console. To process and forward alerts to SOAR, you must create the Pre-persistence rule with the following conditions:
  - Select the forwarding connector user that you have created as the owner of this rule.
    For example, to assign the forwarding connector user forwardATAR as the owner of the Pre-persistence rule, navigate to the Inspect/Edit window. Click the Attributes tab of Rule:ATAR Integration Rule. Under the Assign tab, specify forwardATAR, admin as Owner.
  - Set the Action for this rule to add a key value to the event data before sending the data to SOAR.
    For example, to add a key value to the event data before sending it to SOAR, navigate to Rule:ATAR Integration Rule in the Inspect/Edit window, then:
    - Click the Conditions tab. In the Edit tab, click event1 below Event conditions.
    - Click & AND. Set Type = Correlation and InActiveList("/All Active Lists/Public/ATAR/ATAR Rule Names").
    - Click the Actions tab and select the On Every Event [Active] option.
    - Click Set Event Field Actions and set oldFileHash = <some_random_string>.
- Create a web user account on ArcSight Console with the following details:
  Login
  - User ID: atarapi
  - User Type: Web User
  User
  - Last Name: API Access
  - First Name: ATAR
  This user account enables SOAR's access to ESM's REST API.
- Grant the web user permission to read all potential base events that trigger correlations:
  - Navigate to the Filter:FetchBaseEventsFilter window and click the Filter tab.
  - In the Edit tab, click Event conditions. Click {} Event and set Type = Base.
- Add a filter named ATAR Filter:
  - Navigate to the Inspect/Edit window and click the Filter: ATARFilter tab. Click the Filter tab and go to Edit.
  - Click Event conditions and go to {} Event 1. Click & AND and set Type = Correlation. Set oldFileHash = <some_random_string>.
- Add the ATAR Filter to the ACL:
  - Navigate to the ACL Editor [/All Users/Custom User Groups/ATAR] window and click the Events tab.
  - Select Filter in the Resource field at the top of the window and click Add.