
Integrating Centrify Server Suite with SIEM Tools – Part 4, integration with HP ArcSight

11 April 2019 at 11:50 AM

In our previous posts we covered integrating Centrify Server Suite with SIEM tools, integrating CSS events into Splunk, and integrating CSS events into IBM QRadar. In this post we cover how to integrate Centrify Server Suite events into your existing HP ArcSight deployment.

 

Getting Started

First, how do you get Centrify events into ArcSight? Centrify events are written locally to the standard logs: syslog on *nix hosts and the Windows event log on Windows hosts. Install HP ArcSight connectors on the machines running the Centrify Agent so that all Centrify events are consolidated and indexed in ArcSight.

After the connectors are configured, the ArcSight Console lists all connectors and their status on the left-hand side, as shown below.

[Figure A1.jpg: ArcSight Console showing the configured connectors and their status]

 

Normalizing events

Next, install the Centrify Server Suite ArcSight Parser on the node running the Centrify agent to normalize Centrify events; follow the instructions in the installation guide. Once events are being collected, you can find the relevant events through the search interface on the right-hand side of the ArcSight Console, shown below.

[Figure A2.jpg: ArcSight Console search interface showing normalized Centrify events]

Categorising Events

We've taken over a dozen Centrify events and categorised them in ArcSight. This enables any security analyst to easily correlate authentication events across vendors within your enterprise.

Shown below are the events mapped into the authentication category.

| event.externalId | set.event.categoryObject | set.event.categoryBehavior | set.event.categoryDeviceGroup | set.event.categorySignificance | set.event.categoryOutcome |
|---|---|---|---|---|---|
| 6001 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 6003 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 9001 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 18200 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 24100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 24500 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 27100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 54100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 54200 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 6002 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6004 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6010 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6011 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 24101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 24501 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 27101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 54101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 54201 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |

To summarize, CSS Standard Edition captures all logon and privilege activity on any machine running a CSS agent. The events are stored in CEF format in syslog on Linux/UNIX machines and in the event log on Windows machines. You can now ingest Centrify events into ArcSight and normalize the Centrify data easily using our parsers.
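The following is an added example, not code from this article or from Centrify's ArcSight parser. It shows what the categorisation table above does in practice: a small CEF parser reads syslog lines of the form the article describes (CEF events in syslog on Linux/UNIX), looks up the event's externalId in the table, attaches the ArcSight category fields, and then runs the kind of cross-event correlation an analyst would want, counting authentication failures per user. The sample log lines, the vendor/product/version strings in the CEF header, and the extension keys used (`suser`, `dhost`, `msg`, which are standard CEF extension names) are constructed for this example and are not taken from real Centrify output.

```python
import re
from collections import Counter

# Category mapping reproduced from the table in this article:
# every listed externalId normalizes to /Host/Application, /Authentication/Verify,
# /Application; only significance and outcome differ between the two groups.
SUCCESS_IDS = {"6001", "6003", "9001", "18200", "24100", "24500", "27100", "54100", "54200"}
FAILURE_IDS = {"6002", "6004", "6010", "6011", "24101", "24501", "27101", "54101", "54201"}

COMMON_CATEGORIES = {
    "categoryObject": "/Host/Application",
    "categoryBehavior": "/Authentication/Verify",
    "categoryDeviceGroup": "/Application",
}


def categorize(external_id):
    """Return the ArcSight category fields for a Centrify event id, or None if unmapped."""
    if external_id in SUCCESS_IDS:
        return dict(COMMON_CATEGORIES,
                    categorySignificance="/Informational", categoryOutcome="/Success")
    if external_id in FAILURE_IDS:
        return dict(COMMON_CATEGORIES,
                    categorySignificance="/Informational/Warning", categoryOutcome="/Failure")
    return None


# Standard CEF header: CEF:Version|Vendor|Product|DeviceVersion|EventClassId|Name|Severity|Extension
CEF_HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                     "deviceEventClassId", "name", "severity")


def parse_cef(line):
    """Parse one syslog line carrying a CEF event into (header dict, extension dict)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body = line[start + len("CEF:"):]
    # Split the seven header fields on unescaped pipes; the remainder is the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces, so a value runs until the next " key=".
    extension = {m.group(1): m.group(2)
                 for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, extension


def normalize(line):
    """Build a normalized event: CEF fields plus the ArcSight categories from the table."""
    header, ext = parse_cef(line)
    event = {
        "externalId": header["deviceEventClassId"],
        "name": header["name"],
        "suser": ext.get("suser"),
        "dhost": ext.get("dhost"),
    }
    categories = categorize(event["externalId"])
    if categories:
        event.update(categories)
    return event


def failed_logons_by_user(lines):
    """Count events whose normalized categoryOutcome is /Failure, per source user.

    Because the count keys off the category rather than the raw event id, the same
    function works for any vendor whose events are normalized the same way.
    """
    counts = Counter()
    for line in lines:
        event = normalize(line)
        if event.get("categoryOutcome") == "/Failure":
            counts[event["suser"]] += 1
    return dict(counts)


# Constructed sample syslog lines (not real Centrify output); vendor/product/version
# strings and extension values are placeholders for illustration only.
SAMPLE_LINES = [
    "Apr 11 11:50:01 host1 CEF:0|Centrify|Centrify Server Suite|5.5|6001|Login succeeded|3|suser=alice dhost=host1 msg=PAM login",
    "Apr 11 11:50:07 host1 CEF:0|Centrify|Centrify Server Suite|5.5|6002|Login failed|5|suser=bob dhost=host1 msg=bad password",
    "Apr 11 11:50:09 host1 CEF:0|Centrify|Centrify Server Suite|5.5|6002|Login failed|5|suser=bob dhost=host1 msg=bad password",
    "Apr 11 11:51:12 host2 CEF:0|Centrify|Centrify Server Suite|5.5|27101|Login failed|5|suser=carol dhost=host2 msg=account locked",
    "Apr 11 11:52:00 host2 CEF:0|Centrify|Centrify Server Suite|5.5|99999|Unmapped event|1|suser=dave dhost=host2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(failed_logons_by_user(SAMPLE_LINES))  # {'bob': 2, 'carol': 1}
```

Note that the unmapped id 99999 is parsed but receives no category fields, so it is ignored by the failure count; in a real deployment that is the signal to extend the parser's mapping rather than to silently drop the event.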

 

You can try the integration with a free trial of Centrify Server Suite Standard Edition today. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.

 

Links

Centrify Server Suite ArcSight Installation guide

Centrify Server Suite ArcSight Parsers
