How do I send ArcSight cases to TruSTAR?

Updated 3 weeks ago by Elvis Hovor

We support integration with ArcSight SIEM using a python script that is available with our SDK examples. This script supports the following actions:

  1. Parsing a CSV of events exported from ArcSight and submitting it to your TruSTAR enclave.
  2. Associating TruSTAR report URL with event in ArcSight. This utilizes the CEF and can be sent back to ArcSight using syslog.

Please note that making this script work requires in-depth knowledge of ArcSight and TruSTAR's REST API. This script was designed to provide a foundation for developing complex data workflows between ArcSight and TruSTAR. 

Steps to run this script:

  1. Install TruSTAR's Python SDK.
  2. Export the list of ArcSight cases in CSV format.
  3. Identify any changes to the parser object (line #33) to align with your CSV export.
  4. Review and make changes if needed to the python script.
    1. To link the TruSTAR report back to the ArcSight case you will need to make sure the accurate column name from CSV is identified as the column of case id's.

Please reach out to support@trustar.co if you have any questions about this script.

 

How Did We Do?