CIF Integration with ArcSight
April 28, 2012 1 Comment
I have been playing with and testing the Collective Intelligence Framework (CIF) and after seeing these great posts by Martin Holste and Brad Shoop on integrating CIF into ELSA and Splunk I got motivated to do the same thing with the ArcSight ESM console. EDIT: 6/10/2012 if you haven’t seen @kylemaxwell ‘s Post Introduction to the Collective Intelligence Framework I highly recommend check it out!
There are several steps to integrating CIF with arcsight before you start make sure you know the following:
- CIF API Key
- CIF API url
To start off you will need to go the Integration Commands Navigation Panel and right click your personal Integration Commands Folder and select New Command.
From there in the Inspect/Edit Panel you will want to select URL as the type of command:
You will want to give the new command a name for this example I used CIF (orginal huh?) you then can double click the URL field and you will want to put in the CIF API url and your CIF API key. If you notice the screenshot below you will also see $selectedItem, this is the field that will get populated by what you select in the ArcSight Console. Once you have your API url, key and $selectedItem set you can click OK then click Apply.
You are now halfway there. Your command is now set you need to set the Integration Command Configuration. In the Navigator Panel Click the Configuration Tab and right click your Integration Configuration folder and select New Configuration.
In the Inspect/Edit Panel you now can select the name of the Configuration and if it will be rendered in an internal or external browser
Next click on the Context Tab and select what ArcSight Contexts you want to see this CIF Search enabled for. In this example I have selected the Editor and Viewer Locations. You may choose others so play around with and see what works best for you.
Next click the Commands tab Click Add and select the Command you created earlier. In this case the CIF command.
Click OK then Apply and your Integration Command is ready to go.
Fire up an Active Channel that you use and select either an IP Address Field or Host Name Field and Right Click and Select Integration Commands – > CIF, In the example below we have Right Clicked an Attacker Host Name and selected the CIF Integration Command.
In a few seconds your external browser (If that is what you chose and had configured) should load and you should see something similar to this:
Now you are done and you have CIF integrated in your ArcSight Console. If you have tried out Martin’s CIF-REST-Sphinx addon you could configure that as an Integration Command as well.
Now go have fun hunting!