I need a connector, fast! - Hewlett Packard Documentation −FlexConnector Developer’s Guide −REST FlexConnector Developer’s Guide −ArcMC AdminGuide • Forums −Q&A −Previous

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

I need a connector, fast! Aaron Kramer, Global Field Support Engineer, CISSP, CEH Victor Lee, Product Manager, CISSP

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2

Agenda

• Introduction

• SmartConnector capabilities

• FlexConnectors

• What is the FlexConnector Wizard?

• FlexConnector Toolkit demo

• Sources of help

• Questions and answers


Introduction

Aaron Kramer − Global Field Support Engineer for HP ArcSight − Over 20 years in Network, Application, and Computer Security (CISSP, CEH) − >9 years of ArcSight experience − Presented at previous ArcSight Protect User Conference on FlexConnectors, Logger, ESM − Regular contributor to the Protect724 User Community

Victor Lee

− Product Manager for ArcSight Management Center and SmartConnectors − Over 20 years of Industry Experience (CISSP, PMP, CSM) − 1+ year of ArcSight experience


HP ArcSight Next Generation Cyber Defense

Predict

Visualize

Search

Collect

Correlate

Respond

Analytics SIEM


SmartConnector capabilities


SmartConnector event collection


Connectors: Robust collection

Follows NIST 800-92 Log Aggregation Guidelines

HP ArcSight Logger HP ArcSight ESM/Express

Centralized updates/upgrades

Bandwidth management

Heartbeat connection

Encrypted and compressed

ArcSight Connector Cache/Batch

Filtering

Encryption

Aggregation


My device or Application or Source is not one of the supported sources…

Why FlexConnectors?

Enter the HP ArcSight FlexConnector


HP ArcSight FlexConnectors


HP ArcSight FlexConnectors

• Has same capabilities as SmartConnectors (caching, batching, compression, etc.)

• The FlexConnector Developer Toolkit is the same Toolkit that developers use to write the 350+ SmartConnectors

• The Toolkit is a fully-supported and documented offering

• The FlexConnector Development Kit is a licensed item; must be purchased

• Goal: Produce the Properties File


HP ArcSight FlexConnectors can be written for various files, formats and sources

FlexConnector types

• Regularly-formatted Files

• Files processed better by use of Regular Expressions


FlexConnector types

JSON files XML files



FlexConnector types

Read from databases Various sources in a syslog stream



FlexConnector types

SNMP Over a RESTful API • REST API endpoints https://abc.com/events?created_after=<>&maxEvents=<>...

• JSON output • OAuth2



Which platforms do FlexConnectors run on?

• Windows • Linux • Solaris • AIX • Connector Appliance • ArcSight Management Center


FlexConnector helpers

flexagentwizard Regex


ArcSight FlexConnectors

Goal: Produce the Properties File, with 3 sections – Parsing – Tokens, types, and formats – Mapping

• Delimited File: Delimiter, Tokens, Mappings • Regular Expression: Words, Tokens, Mappings • Database: Query, Tokens, Mappings … and so on


HP ArcSight FlexConnector further capabilities

• Follow file rotations and follow folders • Consume multiline events • Advanced functions to parse, manipulate, convert

__concatenate(String1,String2….) __extractNTDomain(“AMERICAS\WABC123”) yields AMERICAS __regexToken(TOKEN,regex) __simpleMAP(TOKEN,Case1,Case2…) __safeToLong(TOKEN) Lots ‘n’ lots more Pull pieces of filename or filepath

• Chaining – where one type of Flex Connector calls another – A text file of events, where each event has a field that is XML in structure

• Can read compressed files directly


What is the FlexConnector Wizard?


FlexConnector Wizard

• Available in ArcSight Management Center • Easy to use web-based workflow interface • From creation to deployment of FlexConnectors

– Provides suggested regular expressions – Identify tokens – Suggests token to ArcSight event fields mappings – Does not assume user expertise in Regular Expressions, FlexConnector SDK, ArcSight

Event Schema • Currently supports Regex-based parsers for files and syslog

– These count for vast majority of FlexConnectors


Video for FlexConnector Wizard


Video for FlexConnector Wizard


FlexConnector Wizard pros and cons

Pros • Easier to use than Regex Tool • Faster time to deployment • FlexConnector Wizard does NOT require

FlexConnector SDK • User does not require

– Knowledge of Parser File Syntax and – To be an expert of regular expression – Detail knowledge of ArcSight Event Schema

• Less error-prone

Cons • Limited support to regex and syslog • Not as robust as Regex Tool • Design for simpler FlexConnector


How to write a FlexConnector


How to write a FlexConnector

• Confirm that your organization is licensed for the FlexConnector Developer Toolkit • Research to see if a FlexConnector was already written by someone else, somewhere else • Gather sample Log events and/or files • Decide on which FlexConnector is best (file reader, database reader, Syslog subagent) • Consult the FlexConnector Developer Guide for step-by-step example


Switch to live demo


Sources of help

• Documentation − FlexConnector Developer’s Guide − REST FlexConnector Developer’s Guide − ArcMC AdminGuide

• http://Protect724.HP.Com Forums − Q&A − Previous HP Protect content (2012, 2013) − Protect724 Webex Video Recording June 2014: https://protect724.hp.com/videos/1285

• Tech Support – supporting the FlexConnector Developer Toolkit or FlexConnector Wizard, not the FlexConnector itself

• HP Partners • HP ArcSight Education

− 3-day course • HP ArcSight User Gatherings

http://protect724.hp.com/

https://protect724.hp.com/videos/1285


For more information

Attend these sessions

• TB3033, HP FlexConnector deep dive and best practices

• TT3097, ArcSight SmartConnector map files for fun and profit

• TB3044, Using Windows Event Forwarding with the Windows Unified Connector

Visit these demos

• HP ArcSight ESM demo station

• HP ArcSight Logger demo station

After the event

• Contact your sales rep • Presentations will be

posted after Protect at https://protect724.hp.com/community/events/protect-conference

Your feedback is important to us. Please take a few minutes to complete the session survey.

https://protect724.hp.com/community/events/protect-conference





Questions and answers

For more information, and future webinars, please visit: https://protect724.hp.com/community/events/enterprise-security-webinars


Use the mobile app 1. Click on Sessions 2. Click on this session 3. Click on Rate Session

Or use the hard copy surveys

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3150 Speakers Aaron Kramer and Victor Lee

Please give me your feedback


Thank you


Documents

I need a connector, fast! - Hewlett Packard Documentation −FlexConnector Developer’s Guide −REST FlexConnector Developer’s Guide −ArcMC AdminGuide • Forums −Q&A −Previous