Configuring Integration with ArcSight

Save PDF

Feedback

Working with SecureSphere Web Application Firewall
Overview
- Introducing SecureSphere Web Application Security
- Available Licenses for SecureSphere Web Security Products
  - Web Application Firewall
  - Threat Intelligence
- Accurate Protection
- Transparent Inspection
- Multi Layer Protection
- The SecureSphere WAF System
- SecureSphere Architecture
- SecureSphere Main Features
- Working with SecureSphere Web Application Firewall
Discovering Network Assets
- Introduction to SecureSphere Discovery and Classification
- Understanding the Discovery Window
- Major Discovery and Classification Tasks
  - Using Service Discovery to Populate a SecureSphere Site
- Working with SecureSphere Scans
- Managing Discovered Servers
  - Analyzing Discovered Servers
    - Viewing Discovered Server Details in Tabular View
    - Viewing Discovered Servers in Graphical Views
- Working with Discovered Servers
Basic SecureSphere Configuration
- Basic Configuration Overview
  - Browser Support
  - Exporting and Importing Individual Objects
- Basic Configuration Guidelines for Gateways, Management Servers
- IPv6 Support
- Basic Site Configuration
- Basic Server Group Configuration
  - Server Group Best Practices
  - Basic Server Group Configuration Tasks
- Understanding Server Group Parameters
- Basic Web Services Configuration
- Managing Web Applications
  - Adding a New Web Application
  - Understanding Web Application Parameters
    - Web Application Definitions Parameters
    - Web Application Applied Policies Information
- General Basic Configuration Tasks
- Configuring Action Sets and Followed Actions
- Activating Settings
Software Update
- SecureSphere Software Update Overview
  - Understanding Families
  - Understanding the Workflow of Software Update
- The Software Update Synchronization Process
  - Online Synchronization
  - Manual Synchronization
- Selecting and Uploading the Software Installation Packages
  - Understanding the Target Version Window
  - Understanding the Procedure for Uploading Software Installation Packages
    - Selecting a Target Version for Update
    - Uploading Software Installation Packages to the MX
- Updating the Software
- Configuring Software Update Settings
Monitoring
- Monitoring Models in SecureSphere
- Understanding Alerts, Events and Violations
  - Monitoring Architecture
- Monitoring Checklist
- Working with the Dashboard
- Managing Alerts
- Managing Violations
- Managing Blocked Sources
  - Viewing Blocked Sources
  - Releasing Blocked Sources
- Filtering Alerts and Violations
- Web Error Pages and Response Pages in Alerts
  - Viewing Web Error Pages and Responses
- Managing System Events
  - Viewing System Events
  - Understanding System Events
    - Understanding the System Events Table
    - Configuring System Events to Interface with 3rd Party Tools
System Monitoring
- Working with Alarms
  - Understanding the Alarm Details Window
- Working with the Alarms History Window
- Configuring Alarms
  - Configuring Alarm Notifications
- Acknowledging Alarms
- Adding a Note to an Alarm
Threat Intelligence Services
- Intelligence (Reputation Services)
- Intelligence (Community Defense)
- Anti Automation (Bot Protection)
  - CAPTCHA
  - ThreatRadar Bot Protection
    - ThreatRadar Bot Protection Dashboard
    - Configuring ThreatRadar Bot Protection
- Emergency Feed Services
SecureSphere API Security
- Integration with API Security Anywhere
  - Prerequisites
  - Configuring WAF Gateway to Integrate with API Security Anywhere
- SecureSphere API Security Feature Set
Risk Management
- Introduction to SecureSphere Risk Management
- Scanning and Assessing Web Services
- Managing Vulnerabilities
Security Policies
- Introducing Security Policies
- Security Policy Main Tasks
- Network Security Policies
- Securing Web Transport
- HTTP Protocol Signature Policies
- Web Service Custom Policies
- Snippet Injection Policies
- Securing Web Applications
Reporting
- Reports Introduction
- Report Terminology
- Understanding the Reports Window
- Working with Reports
- Creating and Managing Reports
- Filtering Reports
  - Basic Filter Criteria
Web Application Profiles
- Understanding Web Profiles in SecureSphere
- Web Profile Tasks
- Tuning Web Profiles
- Web Profile Graphs
  - Overall Graphs
  - Access Patterns
- Web Profile Optimization
  - Web Profile Optimization Overview
  - Web Profile Optimization Issues
- Web Profile Policy
  - Tuning a Web Profile Policy
    - Viewing a Web Profile Policy
    - Disabling Automatic Web Profiling
- Web APU (Automatic Profile Update)
- Web Profile System Definitions
Signatures
- Working with Signatures
- Working with Dictionaries
- Standard Dictionaries
Advanced SecureSphere Configuration
- Advanced Configuration Overview
  - Identifying Advanced Configuration Requirements
- Applying Policies
  - Applying Security Policies to the Objects in the Sites Tree
  - Applying Security Policies to the Objects in the Applications Tree
    - Working with Application Groups
  - Applying/Unapplying Automatic Application of a Policy to New Server Groups, Services, and Applications
- Managing Archive and Key Settings
  - Managing Keys
  - Defining Archive Settings
  - Configuring and Applying Archive Settings
- Working with Action Sets and Followed Actions
  - Action Sets and Followed Actions Overview
  - Action Set Main Tasks
  - Working with Default Action Sets
  - Creating Custom Action Sets
  - Action Interface Types
  - Configuring Action Interface Parameters
    - Run on Every Event
    - SNMP Traps
  - Assigning Followed Actions
    - Directly Assigning Followed Actions from the Security Policy Window
- Working with Global Objects
  - Summary of Global Objects
  - Creating New Global Objects
  - Working with Global Ports Groups
  - Configuring IP Groups
    - Importing an IP Group from a CSV File
    - Creating an IP Group Individually
- Configuring Sensitive Data Protection
  - Using Sensitive Data Dictionary Groups
  - Masking Data in Elements
    - Adding Parameters to a Data Masking List
    - Attaching a Data Masking List to a Service
- Working with Data Types
  - Creating a New Data Type
- Generic Dictionary Groups
- Configuring Windows Domains
  - Configuring the Default Domain Name
  - Configuring Default Domain Credentials
  - Configuring Active Directory Settings
  - Configuring Kerberos Support
    - Configuring Kerberos Settings
    - Managing Kerberos Keys
- Protecting and Auditing Custom Information with Lookup Data
  - Predefined Lookup Data Sets
  - Creating a Lookup Data Set
  - Configuring and deleting Lookup Data Sets
- Enriching Data
  - Creating an Enrichment Policy
  - Configuring Data Enrichment Policies
  - Configuring Data Enrichment Policy Rules
  - Configuring Data Enrichment Web Policy Rules
    - Configuring Data Enrichment from a Lookup Data Set
      - Content Hashing in Data Enrichment Policies
- Change Tracking - External Objects
  - Overview of Change Tracking - External Objects
  - Before Running a Change Tracking - External Objects Policy
    - Change Tracking - External Objects Policy Permissions
    - Change Tracking - External Objects - Policy Configuration
  - Creating a New Change Tracking - External Objects Policy
  - Viewing a Change Tracking - External Objects Policy
  - Editing a Change Tracking - External Objects Policy
- Application Structure Modeling
- Working with Tasks
  - Tasks Overview
  - Task Types
  - Understanding the Tasks List
  - Task Followed Action Configuration Guidelines
  - Creating Review Tasks
  - Creating Assignment Tasks
  - Working with Open Tasks
    - Completing Review Tasks
    - Completing Assignment Tasks
- Configuring Preferences
  - Configuring User Details
  - Changing Passwords
  - Configuring User Preferences
- Configuring Syslog
  - Understanding Syslog Fault Tolerance
  - Configuring Available Space for Syslog Buffering (Optional)
- Configuring Integration with Third Party Management Systems
  - Configuring the Gateway's Syslog Client Message Size
  - Configuring Integration with ArcSight
  - Integrating with RSA enVision
  - Archiving to Amazon S3
  - Configuring Integration with BMC Remedy Service Desk
  - Configuring Integration with Active Directory for User Management
- System Event Policies
  - Working with System Events Policies
  - Creating a System Events Policy
  - Importing and Exporting System Event Policies
- Configuring Scheduling
  - Understanding the Execution Plan
- Customizing How SecureSphere Handles Web Traffic
  - Configuring Web Service Restrictions
  - Configuring Restrictions
    - Configuring IP Based Restrictions
      - Configuring Source Restrictions
    - Configuring URL Prefixes / Directory Based Restrictions
      - Configuring URL Prefixes/Directories Group
      - Adding URL Prefixes/Directories Groups to Web Applications
  - Configuring Web Error Page Policies
  - Configuring Advanced Web Service Settings
  - Configuring Gateway HTTP Proxies
  - HTTP Header Manipulation
  - Configuring OCSP Support
  - Configuring Webworm Protection
    - Configuring Susceptible Directories
  - Configuring Session Tracking
    - Adding Tokens to a Session Tracking List
    - Associating a Session Tracking List to a Web Service
  - Configuring TLS Settings
  - URL Rewrite
  - Supporting Web Load Balancers
  - Validating SSL Client Certificates
- Malware Detection Support
  - Configuring Malware Detection Support
  - Understanding the List of Local IP Addresses Identified as Infected by Malware
    - Displaying Local IP Addresses Identified as Infected by Malware
    - Understanding the Malware Infected Local IP Addresses Table
  - Modifying Advanced Settings for Malware Detection Support
    - Specifying Names and Targets to Exclude from Malware Identification
      - Modifying the Malware Name White List
      - Modifying the Malware Target White List
    - Modifying Threat Levels of Malware Types
  - Configuring Malware Detection Policies
- Working with Base64
- Working with Request Body Signatures
- Working with Content-type Discovery
- Advanced Bridge Mode
  - Setting up ABR
  - Reverting to Bridge Mode
  - ABR Clarifications
- Large Scale MX
  - Setting up Large Scale MX
- Advanced Bot Protection
- HTTP2 Support
- WAAP Anywhere
  - Terminology
  - WAAP Anywhere Architecture
  - Gateway Architecture Highlights
  - Setting Up WAAP Anywhere
  - WAAP Anywhere Clarifications
Reverse Proxies
- Non-Transparent Reverse Proxy
- Transparent Reverse Proxy
  - Configuring a Transparent Reverse Proxy
Attack Analytics
MXs Managed by SOM
- Working with SOM
- Registering MXs
  - Setting Up SSL with Certificate Authentication
  - Removing MXs from SOM
Writing Signatures and Regular Expressions
- Writing Signatures
- Regular Expressions
Plugins
- Plugins Overview
- Order of Plugin Execution
- Configuring Plugins
  - Regular Expressions
  - Associating a Plugin with a Service and Configuring the Plugin
Imperva ThreatRadar Feed Details
- Structure
- Anonymous Browsing
  - TOR IPs
  - Anonymous Proxies
- In-House Serial Attacker Feeds
- 3rd Party Serial Attackers
- Compound Policies
Placeholders
- Working with Placeholders
  - Working with Standard Placeholders
  - Working with Collection Placeholders
    - Understanding Single Collection Placeholders
    - Understanding the Nested Collection Placeholder
- List of Standard Placeholders
  - Correspondence Table
- List of Collection Placeholders
- List of Web Security-Only Placeholders
- Advanced Options
  - DTFormat
- Macros for Use with Placeholders
- Splunk Placeholders
  - List of Splunk Placeholders
- ArcSight Placeholders and Syntax
Rule.dn Associated IDs
- About Rule.dns
- List of Rule.Dn Associated IDs
ArcSight Placeholders and Syntax
- Macros for use with ArcSight Placeholders
- Examples of Syslog Events for ArcSight
- CEF Fields
  - Standard Fields
  - Extended Fields
Appendix Event Types
Filter Criteria and Report Data Fields
- Filter Criteria and Report Data Fields Overview
- Dataset: Lookup Attribute Usage Example
- Alert and Violation Criteria
- Assessment Criteria
- System Event Criteria
- Vulnerability Criteria
- Task Report Criteria
- Configuration Report Criteria
  - Configuration - Sites Report Criteria
  - Configuration Security Policy Report Criteria
- Risk Management Filter Criteria
  - Vulnerability Management Filter Criteria
  - Assessment Results Filter Criteria
- Discovery Report Match Criteria
  - Service Discovery Detailed Report
  - Service Discovery Execution Report
- Discovery Filter Criteria
- Profile Criteria
- Custom Policies Match Criteria
  - Web Custom Policies Match Criteria
- Enrichment Policy Match Criteria
  - Web Service Enrichment Policy Match Criteria
Report Columns
- Columns Available in Alert Reports
  - Alert Report Available Columns
  - Alert Event Available Columns
- Columns Available in Assessment Reports
- Columns Available in System Event Reports
- Columns Available in Vulnerability Reports
- Columns Available in Task Reports
- Columns Available in Configuration Reports
  - Configuration Reports - Sites
  - Configuration Reports - Security Policies
- Columns Available in Discovery Reports
  - Service Discovery Detailed Report Columns
  - Service Discovery Execution Summary Report Columns
- Columns Available in Profile Reports
Pre-Defined Reports
- Alert Reports
- System Events Reports
Alert Aggregation Descriptions
- Alert Aggregation Descriptions
Troubleshooting Hashed Users
Glossary
Copyright Notice
End User License and Services Agreement

HomeWeb Application Firewall User Guide...Advanced SecureSphere ConfigurationConfiguring Integration with Third Party Management SystemsConfiguring Integration with ArcSight

Table of Contents

Configuring Integration with ArcSight

Also available in:
WAF v15.3
WAF v15.2
WAF v15.1
WAF v15.0
WAF v14.7
Last UpdatedApr 16, 2025
3 minute read

This procedure describes how to configure SecureSphere integration with ArcSight, enabling the reporting of SecureSphere events to ArcSight where events can be correlated and processed.

Configuring integration with Arcsight involves the tasks listed in the following table.

Configuring Integration with Arcsight – Task Overview

	Action	Description	For more information, see...
1	Create action set.	Create an action set to be assigned as a followed action, which generates a task.	Creating Custom Action Sets.
2	Configure Action Interfaces.	Add Review or Assignment action interfaces to the action set and configure its parameters.	Configuring Action Interface Parameters.
3	Configure Policy with Followed Actions.	Attach the ArcSight action set to a policy as a followed action.	Assigning Followed Actions.

To configure integration with ArcSight:

Create a new System Event Type Action Set with an intuitive name. For example, ArcSightSyslogEvent as described in Creating Custom Action Sets.
In the Main workspace, select Policies > Action Sets. The Action Sets window appears.
Select the new Action Set created in step 1 above. Available action interfaces are listed in the Action Interface pane.
Add the desired action interface to the Selected Actions pane by clicking on its green arrow. Note there are four event types for CEF Standard:
- Regular Security Event (System Log > Log security event to System Log (syslog) using the CEF standard): Logs a regular security event to System Log (syslog) using the CEF standard.
- Custom Event (System Log > Custom Policy Security Event): Logs a custom event to System Log (syslog) using the CEF standard.
- Firewall Security Event (System Log > Firewall Security Event): Logs firewall event to System Log (syslog) using the CEF standard.
- System Event (System Log > Log system event to System Log (syslog) using the CEF standard): Logs a system event to System Log (syslog) using the CEF standard.
Expand the selected CEF System Log action interface by clicking on the plus sign (+) to its right.
Configure it as follows:
- Name: Type a name for the Syslog event.
- Syslog Host: Type the IP or host name of the ArcSight server.
- Syslog Log level: Select the desired syslog log level from the dropdown list (info, warn, debug or error).
- Message: Type a message with placeholder information to be used by syslog to create a message readable by ArcSight. This message must follow CEF guidelines. For a description of the CEF syslog message, including syntax and available placeholders, see ArcSight Placeholders and Syntax.
  
  Note: The message field may be locked by your SecureSphere administrator. In this case the message is predefined and can only be modified by the administrator.
- Facility: Select the required facility (type of authorization required by your installation of Arcsight).
- Run on every event: Select this checkbox if you want to send a syslog event to Arcsight for every event.
In the Policies > Security window, select the action set created in step 1 from the followed action dropdown list of the policy you want to configure.
Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For more information, see Activating Settings.
When a violation occurs, an alert is generated and a syslog message is sent to ArcSight.

Was this topic helpful?

Like Dislike

Web Application Firewall User Guide

Filters

Source Type

Application Security

Data Security

Network Security

Application Performance

Product Versions

Hypervisor Installation

Document Type

Access

Product Area

Configuring Integration with ArcSight

Table of Contents

Configuring Integration with ArcSight

Provide feedback for this topic

Save PDF

Provide feedback for this topic