integration of ATA with Arcsight SIEM


We have configured all the settings to forward events through Syslog on port 514, and network access has also been verified. But the events are not forwarding to the ArcSight SIEM.

2 Replies

Are there any errors in the Center logs that seem related?

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs#ata-center-logs

I am guessing you are using UDP. If your SIEM supports it, I would suggest switching to TCP for troubleshooting. With UDP, if there is a network blocker, we can't tell. With TCP, we will generate errors in the logs.

Have you tested the connection with ArcSight? If yes, did ArcSight receive the test message?

There is a test button on the page where you configure the settings to send the notifications to your SIEM.

https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings#provide-ata-with-your-syslog-server-settings
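The two replies above make the same practical point from two angles: send a test message, and prefer TCP while troubleshooting because a UDP sender cannot tell whether anything arrived. The following is an added example written for this page; it is not code from the thread, from ATA, or from ArcSight. It runs a tiny TCP+UDP syslog listener on loopback, sends a constructed CEF-style test line to it over both transports, and then sends the same line to ports where nothing is listening. Host and port values are loopback ephemeral ports chosen for the demo, and the sample payload does not reproduce ATA's real alert format.

```python
import socket
import threading
import time
from datetime import datetime, timezone


def build_syslog_line(message, facility=1, severity=6, hostname="ata-center", app="ATA"):
    """RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG, with PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {app}: {message}\n"


def send_syslog(host, port, line, proto="udp", timeout=3.0):
    """Send one line; return ("ok", None) or ("error", reason) as the transport reports it."""
    data = line.encode("utf-8")
    try:
        if proto == "tcp":
            # TCP must complete a handshake: a closed port or a filtering device
            # surfaces here as ConnectionRefusedError or a timeout.
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data)
        else:
            # UDP sendto() only hands the datagram to the local stack; it says
            # nothing about whether the far side received it.
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(data, (host, port))
    except OSError as exc:
        return ("error", f"{type(exc).__name__}: {exc}")
    return ("ok", None)


class SyslogReceiver:
    """Tiny TCP+UDP syslog listener on 127.0.0.1 (ephemeral ports); starts on construction."""
    def __init__(self):
        self.received = []
        self._stop = threading.Event()
        self._tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._tcp.bind(("127.0.0.1", 0))
        self._tcp.listen(5)
        self._udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._udp.bind(("127.0.0.1", 0))
        for s in (self._tcp, self._udp):
            s.settimeout(0.2)  # short timeout so the loops can notice the stop flag
        self.tcp_port = self._tcp.getsockname()[1]
        self.udp_port = self._udp.getsockname()[1]
        self._threads = [threading.Thread(target=self._tcp_loop, daemon=True),
                         threading.Thread(target=self._udp_loop, daemon=True)]
        for t in self._threads:
            t.start()

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        self._tcp.close()
        self._udp.close()

    def _tcp_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._tcp.accept()
            except socket.timeout:
                continue
            with conn:  # read until the sender closes, then split into lines
                buf = b"".join(iter(lambda: conn.recv(4096), b""))
            self.received.extend(("tcp", ln) for ln in buf.decode("utf-8", "replace").splitlines())

    def _udp_loop(self):
        while not self._stop.is_set():
            try:
                data, _ = self._udp.recvfrom(65535)
            except socket.timeout:
                continue
            self.received.append(("udp", data.decode("utf-8", "replace").rstrip("\n")))


def closed_port(sock_type):
    """Bind and release an ephemeral port so the demo has one that nothing is listening on."""
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_check():
    """Send a test line over both transports to a live listener, then to a closed port."""
    line = build_syslog_line("CEF:0|Microsoft|ATA|1.9|Test|Test message|3|")  # constructed payload
    rx = SyslogReceiver()
    try:
        results = {"tcp_open": send_syslog("127.0.0.1", rx.tcp_port, line, "tcp"),
                   "udp_open": send_syslog("127.0.0.1", rx.udp_port, line, "udp")}
        deadline = time.time() + 2.0
        while len(rx.received) < 2 and time.time() < deadline:
            time.sleep(0.05)
    finally:
        rx.stop()
    results["received"] = sorted(proto for proto, _ in rx.received)
    results["tcp_closed"] = send_syslog("127.0.0.1", closed_port(socket.SOCK_STREAM), line, "tcp")
    results["udp_closed"] = send_syslog("127.0.0.1", closed_port(socket.SOCK_DGRAM), line, "udp")
    return results
```

`run_check()` returns "ok" for both transports to the live listener and both lines show up in `received`; against the closed ports, TCP returns an error (connection refused) while UDP still returns "ok" with no sign that the datagram went nowhere. That is the behaviour the reply describes. To use the same idea against a real collector, run `send_syslog` from the ATA Center host toward the ArcSight connector on port 514 over TCP: an error there points at a firewall, routing or listener problem, whereas a UDP "ok" proves only that the packet left the sender, and you would still need a capture or the connector's own receive log to confirm arrival.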