Integrating Centrify Server Suite with SIEM Tools – Part 4, integration with HP ArcSight

Home >

Integrating Centrify Server Suite with SIEM Tools – Part 4, integration with HP ArcSight

Product:

Published:

11 April,19 at 11:50 AM

Rating:

In our previous posts we've covered Integrating Centrify Server Suite with SIEM tools, Integrating CSS Events into Splunk & Integrating CSS events into IBM QRadar. In this post, we cover how to integrate the Centrify Server Suite events into your existing HP ArcSight deployment.

Getting Started

First, how do I get Centrify events into ArcSight? Centrify events are available locally in standard logs either in *Nix syslogs or Windows event logs. Install HP ArcSight Connectors to consolidate and index all Centrify events on machines with Centrify Agent.

Below, find the list of all the connectors on the left hand side and the status using the ArcSight Console after successfully configuring the connectors.

Normalizing events

Install Centrify Server Suite ArcSight Parser on the node with the Centrify agent to normalize Centrify events, follow the instructions in the installation guide. Once the events are collected, you can find the relevant events via the search interface on the right hand side on the picture below in the ArcSight Console.

Categorising Events

We've taken over a dozen centrify events and categorised them into the ArcSight. This will enable any Security Analyst to easily correlate Authentication events from accross vendors within your enterprise.

Shown below, events that are mapped into the authentication category.

event.externalId	set.event.categoryObject	set.event.categoryBehavior	set.event.categoryDeviceGroup	set.event.categorySignificance	set.event.categoryOutcome
6001	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
6003	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
9001	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
18200	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
24100	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
24500	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
27100	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
54100	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
54200	/Host/Application	/Authentication/Verify	/Application	/Informational	/Success
6002	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
6004	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
6010	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
6011	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
24101	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
24501	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
27101	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
54101	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure
54201	/Host/Application	/Authentication/Verify	/Application	/Informational/Warning	/Failure

To summarize, CSS Standard edition captures all logon and privilege activity on any machines that have a CSS agent running – the event is stored in CEF format in Syslog on Linux/ UNIX machines and is stored in Event logs on Windows machines. You can now ingest Centrify events to ArcSight and normalize the Centrify data leveraging our parsers, easily.

You can try the integration with a free trial of Centrify Server Suite Standard Edition today. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.

Links

Centrify Server Suite ArcSight Installation guide

Centrify Server Suite ArcSight Parsers