Ycsecurity/auditlogs/export-auditlogs-to-ArcSight

Collecting, monitoring, and analyzing audit logs in an external SIEM ArcSight

Table of Contents

• Collecting, monitoring, and analyzing audit logs in an external SIEM ArcSight
  • Solution description
  • Two log shipping scenarios
  • Solution diagram
  • Security Content
  • Long-term storing of logs in S3
  • Instructions for scenarios
    • Prerequisites for scenarios
    • Scenario #1: Uploading log files to ArcSight from a server located inside the infrastructure of the customer's remote site
    • Scenario #2: Uploading log files to ArcSight using a VM located in Yandex.Cloud
  • Support and consulting services

Solution description

The current version of Security Content is available here. Our support partner is ATB. The solution lets you collect, monitor, and analyze audit logs in Yandex.Cloud from the following sources:

• Yandex Audit Trails

Two log shipping scenarios

• [x] Uploading log files to ArcSight from a server located inside the infrastructure of the customer's remote site

• [x] Uploading log files to ArcSight using a VM located in Yandex.Cloud

Solution diagram

Scenario #1: Uploading log files to ArcSight from a server located inside the infrastructure of the customer's remote site

Description:

• JSON files with logs are stored in S3.
• The s3fs utility is installed on a server in the customer's infrastructure, which allows you to mount an S3 Bucket as a local folder in your OS.
• A standard ArcSight Connector is installed on a server in the customer's infrastructure.
• Security content is loaded from the current repository.
• ArcSight Connector uses security content to read files, parses the files, and sends them to the ArcSight server.

Scenario #2: Uploading log files to ArcSight using a VM located in Yandex.Cloud

Security Content

Security Content - ArcSight objects that are loaded according to the instructions. All the content has been developed together with our partner ATB, leveraging the long-term expertise of the Yandex.Cloud Security team and our cloud customers.

The current version of Security Content is available here.

The solution contains the following Security Content:

• Parsing file (and map file).
• Dashboard that shows useful statistics.
• A set of Filters, Active channels, Active lists.
• A set of correlation Rules. Detailed description of the list of correlation rules (the client should specify the alert destination). All relevant event fields have been converted to a Common Event Format.

For a detailed description of field mapping, see the file Поля ArcSight_JSON.docx.

Long-term storage of logs in S3

By default, these instructions suggest deleting files after reading, but you can both store Audit Trails audit logs in S3 on a long-term basis and send them to ArcSight. For this you need to create two Audit Trails in different S3 buckets:

• The first bucket will be used only for storage.
• The second bucket will be used for integration with ArcSight.

Instructions for scenarios

Prerequisites for scenarios

• :white_check_mark: Object Storage Bucket for Audit Trails (instructions).
• :white_check_mark: Audit Trails service enabled in the UI (instructions).

Scenario #1: Uploading log files to ArcSight from a server located inside the infrastructure of the customer's remote site

1) Install the s3fs utility on the server inside the remote site infrastructure and prepare it for operation follow the instructions. Result: an Object Storage Bucket mounted as a folder and hosting Audit Trails JSON files. For example, /var/trails/.

2) Install ArcSight SmartConnector (FlexAgent — JSON Folder Follower) software on your server follow the official instructions.

3) During the installation, select ArcSight FlexConnector JSON Folder Follower and specify the previously mounted /var/trails/ folder.

4) Specify the JSON configuration filename prefix: yc.

5) Complete the connector installation.

6) Download all Security Content files from here.

7) Copy the yc.jsonparser.properties file to the <agent installation folder >/current/user/agent/flexagent.

8) Copy the file map.0.properties in <agent installation folder>/current/user/agent/map.

9) Edit the file <agent installation folder>/current/user/agent/agent.properties:

agents[0].mode=DeleteFile
agents[0].proccessfoldersrecursively=true

10) Start the connector and make sure that events are arriving

Support and consulting services

Our support partner, ATB, provides the following services on a paid basis:

• Installing and configuring the connector.
• Connecting new data sources with security events.
• Developing new correlation rules and visualization tools.
• Developing mechanisms for responding to incidents.

Partner's contact details: +7 (499) 648-75-48 info@ast-security.ru