integration of ATA with Arcsight SIEM


We have configured all the settings to forward events through Syslog through port 514, and network access is also verified. But the events are not forwarding to ArcSight SIEM.

2 Replies

Are there any errors in the center logs that seem related?

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs#ata-center...


I am guessing you are using UDP. If your SIEM supports it, I would suggest switching to TCP for troubleshooting. In UDP, if there is a network blocker, we can't tell. For TCP we will generate errors in the logs.
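A small check of the UDP-versus-TCP point made in this reply, written as an added example that is not from the thread, from ATA or from ArcSight: sending the same syslog line to an unreachable port "succeeds" over UDP but fails visibly over TCP. The hostname, the message format and the local listener that stands in for the SIEM are constructed for the demo.

```python
import socket
import threading
from datetime import datetime, timezone

def build_syslog_message(text, facility=1, severity=6, hostname="ata-center"):
    """Constructed RFC 5424-style test line; PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} ATA - - - {text}"

def send_udp(host, port, message, timeout=2.0):
    """UDP is fire-and-forget: a firewall drop or closed port raises nothing here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(message.encode(), (host, port))
    return "sent: no delivery confirmation is possible over UDP"

def send_tcp(host, port, message, timeout=2.0):
    """TCP needs a handshake, so a block or closed port surfaces as an error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall((message + "\n").encode())
        return "delivered: SIEM accepted the TCP connection"
    except OSError as exc:  # ConnectionRefusedError, timeout, unreachable, ...
        return f"failed: {type(exc).__name__}: {exc}"

def start_tcp_listener(received):
    """Local stand-in for the SIEM's TCP receiver (constructed for the demo).
    Returns (port, thread); the thread appends the first line received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            received.append(conn.recv(4096).decode().rstrip("\n"))
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t

def closed_port():
    """Pick a port nothing listens on, to simulate an unreachable SIEM."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    msg = build_syslog_message("ATA SIEM connectivity test")
    dead = closed_port()
    print("UDP ->", send_udp("127.0.0.1", dead, msg))  # looks fine, silently lost
    print("TCP ->", send_tcp("127.0.0.1", dead, msg))  # failed: ConnectionRefusedError
```

Point the two send functions at the real SIEM host and port to reproduce the check against ArcSight; a TCP "failed" result with the SIEM listening on that port points at the network path.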


Have you tested the connection with ArcSight? If yes, did ArcSight receive the test message?


There is a test button on the page where you configure the settings to send the notifications to your SIEM.


https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings#prov...