How to Integrate the Elastic Stack with ArcSight SIEM?


This article demonstrates the use of an X-Pack enabled Elastic Stack with one of the common SIEM solutions, ArcSight. The existing ArcSight connector can be used to send data to Elasticsearch, and there are two possible approaches to configuring it.

Setup the Elastic Stack with Docker

For a quick setup you can download an example docker-compose.yml definition that installs the whole Elastic Stack with X-Pack (steps 1 to 5), then issue:

$ docker-compose up

But first, ensure that:

You have Docker Engine installed.
Your host meets the prerequisites.
If you are on Linux, docker-compose is installed.

Importing ArcSight Data

Configure ArcSight connectors to send data to Logstash
Run the command …\current\bin\arcsight agentsetup
Choose yes to start the ‘wizardmode’
Choose ‘I want to add/remove/modify ArcSight Manager destinations’
Choose ‘add new destination’
Choose ‘CEF syslog’
Enter the Logstash host and the port 5000 you prepared, and choose the TCP protocol.
Point your web browser at http://localhost:5601/ to open Kibana. You should be prompted to log in. To log in, use the built-in ‘elastic’ user and the password ‘changeme’. NOTE: these are the same credentials used in the logstash.conf download above. When you change them, update your Logstash configuration and restart the pipeline.
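The steps above point the connector at a Logstash TCP listener on port 5000 and rely on a logstash.conf that the article links to but does not show. The pipeline below is an added example written for this page, not the downloadable logstash.conf and not Elastic's or ArcSight's code. It assumes the Elasticsearch service is reachable as elasticsearch:9200 (the service name a docker-compose setup would typically use), that the connector emits CEF with the ‘rt’ timestamp in one of the two listed formats, and that an index name of arcsight-YYYY.MM.dd is acceptable; the port and the elastic/changeme credentials come from the article.

```logstash
# Added example pipeline for receiving ArcSight CEF syslog over TCP 5000.
# Assumptions: Elasticsearch at elasticsearch:9200, index name chosen here,
# and the deviceReceiptTime formats listed in the date filter.
input {
  tcp {
    port  => 5000
    codec => cef          # parses CEF syslog into named fields (deviceVendor, deviceProduct, ...)
    # Events from the connector cross the network in cleartext unless TLS is enabled
    # on both ends; these tcp input options turn it on for the Logstash side
    # (certificate paths are placeholders):
    # ssl_enable => true
    # ssl_cert   => "/path/to/logstash.crt"
    # ssl_key    => "/path/to/logstash.key"
  }
}

filter {
  # The CEF "rt" extension is decoded as deviceReceiptTime; use it as the event
  # timestamp when present so Kibana shows when the event happened, not when it arrived.
  if [deviceReceiptTime] {
    date {
      match  => [ "deviceReceiptTime", "UNIX_MS", "MMM dd yyyy HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}

output {
  elasticsearch {
    hosts    => [ "elasticsearch:9200" ]
    user     => "elastic"      # the built-in user the article logs into Kibana with
    password => "changeme"     # change it, then update this file and restart the pipeline
    index    => "arcsight-%{+YYYY.MM.dd}"
  }
}
```

Before connecting the real connector, you can check the listener by sending a single hand-written CEF line to port 5000 with nc and confirming that a document with the expected deviceVendor and deviceProduct fields appears in the day's arcsight index in Kibana; if the date filter cannot parse deviceReceiptTime, Logstash tags the event with _dateparsefailure, which is the first thing to look for when @timestamp is wrong.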

Article credits: Elastic