CIF Integration with ArcSight

I have been playing with and testing the Collective Intelligence Framework (CIF), and after seeing these great posts by Martin Holste and Brad Shoop on integrating CIF into ELSA and Splunk, I got motivated to do the same thing with the ArcSight ESM console. EDIT: 6/10/2012 if you haven't seen @kylemaxwell's post Introduction to the Collective Intelligence Framework, I highly recommend checking it out!

There are several steps to integrating CIF with ArcSight. Before you start, make sure you know the following:

  • CIF API Key
  • CIF API url

To start off you will need to go to the Integration Commands Navigation Panel, right click your personal Integration Commands folder and select New Command.

New Integration Command

From there in the Inspect/Edit Panel you will want to select URL as the type of command:

Selecting New Command Type URL

You will want to give the new command a name; for this example I used CIF (original, huh?). You then can double click the URL field, where you will put in the CIF API URL and your CIF API key. If you look at the screenshot below you will also see $selectedItem; this is the field that will be populated by whatever you select in the ArcSight Console. Once you have your API URL, key and $selectedItem set, click OK and then click Apply.
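To make the substitution concrete, here is an added example (not from the original post or from CIF/ArcSight) that renders a URL template the way the console fills in $selectedItem, but first checks that the selected value really is an IP address or host name and percent-encodes it, so a stray field value cannot add or alter query parameters. The endpoint, parameter names and API key are placeholders, since the post does not give the real CIF URL format.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed placeholders: the real CIF endpoint, parameter names and
# key are not given on the page, so these are assumptions only.
URL_TEMPLATE = "https://cif.example.local/api/{selectedItem}?apikey={apikey}"
API_KEY = "EXAMPLE-API-KEY"

# RFC 1123 style host name: dot separated labels, alphanumeric plus '-',
# no label longer than 63 chars, whole name at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE,
)


def classify(value):
    """Return 'ip', 'hostname' or None for a value selected in the console."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return "hostname"
    return None


def is_safe_selection(value):
    """True only if the value is a plain IP address or host name."""
    return classify(value) is not None


def build_cif_url(selected_item, api_key=API_KEY):
    """Render the command URL for a selected IP or host name.

    Raises ValueError for anything else, and percent-encodes both the
    selected value and the key so neither can inject extra URL syntax.
    """
    if not is_safe_selection(selected_item):
        raise ValueError(f"not an IP address or host name: {selected_item!r}")
    return URL_TEMPLATE.format(
        selectedItem=quote(selected_item.strip(), safe=""),
        apikey=quote(api_key, safe=""),
    )


if __name__ == "__main__":
    for item in ["10.1.2.3", "www.example.com", "www.example.com?apikey=x"]:
        print(item, "->", classify(item))
```

Running the block prints the classification of three constructed selections; only the first two would be rendered into a query URL.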

You are now halfway there :). Your command is now set; next you need to set up the Integration Command Configuration. In the Navigator Panel, click the Configuration tab, right click your Integration Configuration folder and select New Configuration.

New Integration Configuration

In the Inspect/Edit Panel you can now set the name of the configuration and choose whether it will be rendered in an internal or external browser.

Configuration Name and Browser

Next click on the Context tab and select which ArcSight contexts you want this CIF search enabled for. In this example I have selected the Editor and Viewer locations. You may choose others, so play around with them and see what works best for you.

Config Context Examples

Next click the Commands tab, click Add and select the command you created earlier, in this case the CIF command.

Selecting Config Command

Click OK then Apply and your Integration Command is ready to go.

Fire up an Active Channel that you use, select either an IP Address field or a Host Name field, right click and select Integration Commands -> CIF. In the example below we have right clicked an Attacker Host Name and selected the CIF Integration Command.

Selecting Integration

In a few seconds your external browser (if that is what you chose and had configured) should load and you should see something similar to this:

CIF Query in External Browser

Now you are done and have CIF integrated into your ArcSight Console. If you have tried out Martin's CIF-REST-Sphinx addon, you could configure that as an Integration Command as well.

Now go have fun hunting!