Mirtov Alexey ce8e11e558 Update README_RU.md | 2 лет назад | |
---|---|---|
.. | ||
arcsight_content | 2 лет назад | |
images | 3 лет назад | |
README.md | 2 лет назад | |
README_RU.md | 2 лет назад | |
Use-cases.docx | 3 лет назад |
The current version of Security Content is available here. Our support partner is ATB. The solution lets you collect, monitor, and analyze audit logs in Yandex.Cloud from the following sources:
[x] Uploading log files to ArcSight from a server located inside the infrastructure of the customer's remote site
[x] Uploading log files to ArcSight using a VM located in Yandex.Cloud
Description:
Security Content - ArcSight objects that are loaded according to the instructions. All the content has been developed together with our partner ATB, leveraging the long-term expertise of the Yandex.Cloud Security team and our cloud customers.
The current version of Security Content is available here.
The solution contains the following Security Content:
For a detailed description of field mapping, see the file Поля ArcSight_JSON.docx.
By default, these instructions suggest deleting files after reading, but you can both store Audit Trails audit logs in S3 on a long-term basis and send them to ArcSight. For this you need to create two Audit Trails in different S3 buckets:
1) Install the s3fs utility on the server inside the remote site infrastructure and prepare it for operation follow the instructions. Result: an Object Storage Bucket mounted as a folder and hosting Audit Trails JSON files. For example, /var/trails/
.
2) Install ArcSight SmartConnector (FlexAgent — JSON Folder Follower) software on your server follow the official instructions.
3) During the installation, select ArcSight FlexConnector JSON Folder Follower and specify the previously mounted /var/trails/
folder.
4) Specify the JSON configuration filename prefix: yc
.
5) Complete the connector installation.
6) Download all Security Content files from here.
7) Copy the yc.jsonparser.properties file to the <agent installation folder >/current/user/agent/flexagent
.
8) Copy the file map.0.properties in <agent installation folder>/current/user/agent/map
.
9) Edit the file <agent installation folder>/current/user/agent/agent.properties
:
agents[0].mode=DeleteFile
agents[0].proccessfoldersrecursively=true
10) Start the connector and make sure that events are arriving
Our support partner, ATB, provides the following services on a paid basis:
Partner's contact details: +7 (499) 648-75-48 info@ast-security.ru