Azure Sentinel how to clear Threat Intelligence Indicator table
Is there a way to do a bulk delete of all indicators? I have the DShieldScanningIPs source with over 100 thousand IPs and I'd like to delete them all, but it appears I can only delete 100 of them at a time. This will take a while.

Sending Arcsight logs on top of OMS agent via CEF
Hi, I need to send logs from Arcsight Smart Connectors to L.A. I have added an extra destination on the Arcsight Log Forwarder towards the OMS server and am trying to get the logs to Log Analytics with no success.

Arcsight Smart Connector ---> Arcsight Log Forwarder ---> OMS Server ---> Azure L.A

* Where is the parser of the OMS agent located? I am seeing the logs on the OMS server but getting errors:

tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:02:01.604687 IP (tos 0x0, ttl 64, id 47401, offset 0, flags [DF], proto TCP (6), length 159) 127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe93 (incorrect -> 0x68ae), seq 1681783013:1681783120, ack 3624475695, win 342, options [nop,nop,TS val 88196652 ecr 88183285], length 107
E....)@.@..-..........b.d=... ./...V....... .A.,.A..<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session opened for user root by (uid=0)
17:02:01.604700 IP (tos 0x0, ttl 64, id 14570, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x5aed), seq 1, ack 107, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.P.....(..... .A.,.A.,
17:02:01.606011 IP (tos 0x0, ttl 64, id 47402, offset 0, flags [DF], proto TCP (6), length 343) 127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xff4b (incorrect -> 0x12f6), seq 107:398, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 291
E..W.*@.@..t..........b.d=.P. ./...V.K..... .A.,.A.,<78>Nov 25 17:02:01 Rsyslog02 CRON[10357]: (root) CMD ([ -f /etc/krb5.keytab ] && [ \( ! -f /etc/opt/omi/creds/omi.keytab \) -o \( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)
17:02:01.606018 IP (tos 0x0, ttl 64, id 14571, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x59ca), seq 1, ack 398, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.s.....(..... .A.,.A.,
17:02:01.607744 IP (tos 0x0, ttl 64, id 47403, offset 0, flags [DF], proto TCP (6), length 148) 127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe88 (incorrect -> 0xc87d), seq 398:494, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 96
E....+@.@..6..........b.d=.s. ./...V....... .A.,.A.,<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session closed for user root
17:02:01.607751 IP (tos 0x0, ttl 64, id 14572, offset 0, flags [DF], proto TCP (6), length 52) 127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x596a), seq 1, ack 494, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.......(..... .A.,.A.,

Arcsight log example:
17:01:03.137194 IP 192.168.200.34.33376 > 192.168.200.35.514: [|syslog] E.....@.@......"...#.`......CEF:0|Microsoft|Microsoft Windows|Windows Server 2016|Microsoft-Windows-Security-Auditing:4689|A process has exited.|Low| eventId=119 externalId=4689 msg=Success categorySignificance=/Informational categoryBehavior=/Execute/Stop categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1574694225705 cat=Security deviceSeverity=Audit_success rt=1574694209940 dhost=LAB-AXA-Test.CP-LAB.LOCAL dst=192.168.200.33 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dntdom=CP-LAB duser=LAB-AXA-TEST$ duid=0x3e7 dproc=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe oldFileHash=UTF-8| cs2=Process Termination cs3=0x1170 cs4=0x0 locality=0 cs2Label=EventlogCategory cs3Label=Process ID cs4Label=Status ahost=lab-axa-centos.local agt=192.168.200.34 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-50-56-83-69-83 av=7.6.0.8009.0 atz=Asia/Jerusalem at=syslog dvchost=LAB-AXA-Test.CP-LAB.LOCAL dvc=192.168.200.33 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceNtDomain=CP-LAB dtz=Asia/Jerusalem _cefVer=0.1 ad.EventRecordID=479902 ad.ThreadID=2536 ad.Opcode=Info ad.ProcessID=4 ad.Version=0 ad.arcSightEventPath=31KjcjW4BABCABJrrC9uzYg\=\= aid=3z78dom4BABCAApaY3nt5JA\=\=

Sentinel Issues and out of service sometimes
Hello, sometimes we have a problem with Sentinel data retrieval: no statistics are shown in the overview and the tabs are just loading, for example Logs; the pages are just loading. It's not an internet issue, as we are testing from different networks. For example yesterday, there were some analytics rules we were working on for testing; the KQL query used by that rule retrieves data in Logs, but when applied in the analytics rule there are no results, and it's delayed by up to 2h. Our LAW location is West Europe. Is it a global issue?

Menlo and Archer integration with Microsoft Sentinel
We have two scenarios:
1- We want to integrate the Menlo Security tool with Microsoft Sentinel, and it looks like there isn't any built-in connector or, as a matter of fact, any material out there.
2- We also want to integrate Sentinel with Archer (so Sentinel can send incident/alert data to Archer), a risk management tool with ticketing capability.
Could you guys please advise how this can be achieved? I know a custom connector build would be the answer, but has anyone achieved this already? Any tips or suggestions?

Error while deploying ApacheHTTP connector
Hello, deployment fails when trying to deploy ApacheHTTP from the Content Hub with this error:

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "BadRequestException",
      "message": "Metadata already exists with the same parentId: azuresentinel.azure-sentinel-solution-apachehttpserver, correlationId:33021477-ebdd-4135-b5df-xxxxxxxxxx"
    }
  ]
}
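For the "Sending Arcsight logs on top of OMS agent via CEF" question above: before looking for the agent's parser, it helps to check what the forwarder actually delivers and whether each line is a well-formed CEF record. The following is an added example (not the original poster's code and not part of the OMS agent or Sentinel) of a small CEF parser that splits the seven pipe-delimited header fields, handles the `\|`, `\=` and `\\` escapes, and tolerates values containing spaces or a stray pipe (such as `oldFileHash=UTF-8|` in the posted record). The sample stream is constructed: it reuses the CRON syslog line and an abbreviated copy of the CEF record from the post, behind an assumed `<PRI>timestamp host` syslog prefix.

```python
"""Minimal CEF (ArcSight Common Event Format) parser for checking what a syslog
forwarder hands to a collector.  Added example; not OMS agent or Sentinel code."""
import re
from typing import Dict, List, Tuple

# Header fields of a "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext" record.
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# An extension key is an identifier (dots allowed, e.g. ad.ProcessID) at the start
# of the extension or right after a space, followed by an unescaped '='.  Because
# '\' is not a key character, an escaped "\=" inside a value never starts a key.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")


def _unescape_header(field: str) -> str:
    # Only '|' and '\' are escaped in header fields.
    return field.replace(r"\|", "|").replace("\\\\", "\\")


def _unescape_value(value: str) -> str:
    # Extension values escape '=', newline, CR and '\'.  Resolve the two-character
    # escapes first, then collapse "\\" so a literal backslash survives.
    return (value.replace(r"\=", "=").replace(r"\n", "\n")
                 .replace(r"\r", "\r").replace("\\\\", "\\"))


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 with spaces k3=v3' into a dict; values may contain spaces."""
    fields: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape_value(ext[start:end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF record, optionally wrapped in a syslog PRI/timestamp prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    # Split on the first seven unescaped pipes only: a pipe inside the extension
    # (e.g. "oldFileHash=UTF-8|") belongs to a value.  A header field that ends in
    # an escaped backslash followed by '|' would be mis-split; rare in practice.
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    record: Dict[str, object] = {
        name: _unescape_header(value)
        for name, value in zip(CEF_HEADER_FIELDS, parts[:7])
    }
    record["version"] = str(record["version"])[len("CEF:"):]
    record["extension"] = parse_extension(parts[7])
    return record


def parse_stream(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Separate a captured syslog stream into parsed CEF records and non-CEF lines."""
    records: List[Dict[str, object]] = []
    plain: List[str] = []
    for line in lines:
        if "CEF:" in line:
            records.append(parse_cef(line))
        else:
            plain.append(line)
    return records, plain


# Constructed sample stream: the CRON line seen on port 25226 in the post, plus an
# abbreviated copy of the post's CEF record behind an assumed syslog prefix.
SAMPLE_STREAM = [
    "<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): "
    "session opened for user root by (uid=0)",
    "<14>Nov 25 17:01:03 lab-axa-centos "
    "CEF:0|Microsoft|Microsoft Windows|Windows Server 2016|"
    "Microsoft-Windows-Security-Auditing:4689|A process has exited.|Low| "
    "eventId=119 externalId=4689 msg=Success rt=1574694209940 "
    "dhost=LAB-AXA-Test.CP-LAB.LOCAL dst=192.168.200.33 "
    "destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/"
    "RFC1918: 192.168.0.0-192.168.255.255 dntdom=CP-LAB duser=LAB-AXA-TEST$ "
    "dproc=C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe oldFileHash=UTF-8| "
    "cs3=0x1170 cs3Label=Process ID ad.EventRecordID=479902 "
    "ad.arcSightEventPath=31KjcjW4BABCABJrrC9uzYg\\=\\= aid=3z78dom4BABCAApaY3nt5JA\\=\\=",
]

if __name__ == "__main__":
    cef_records, other = parse_stream(SAMPLE_STREAM)
    for rec in cef_records:
        print(rec["signature_id"], rec["name"], rec["extension"]["dproc"])
    print(f"{len(other)} line(s) carried no CEF record")
```

Feed it the payload lines from a `tcpdump -A` capture (or `nc -l` on the collector port) and the non-CEF list shows exactly which events arrive as plain syslog rather than CEF; anything the collector must parse as CEF should come out of `parse_cef` with the expected `signature_id` and extension keys.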