This section describes how to specify a custom ArcSight user in the ArcSight Forwarding Connector settings.
When the ARB package is imported to ArcSight, the FwdCyberTrace user is created in the Kaspersky CyberTrace Connector group. This user account is intended for use by ArcSight Forwarding Connector. You may want to use another user account instead. We recommend that in this case you remove the FwdCyberTrace user and the Kaspersky CyberTrace Connector group. Note that your custom user must have the Forwarding Connector type.
To create a custom ArcSight user account for forwarding events from ArcSight ESM to Feed Service:
It is recommended to put this user account into a separate user group created only for this user.
Editing access settings
CyberTrace forwarding events
This is the filter for events that contain hashes, URLs, and IP addresses.
Selecting the event filters
The procedure for reconfiguring ArcSight Forwarding Connector is provided below in this section.
To reconfigure ArcSight Forwarding Connector:
%FORWARDING_DIR%/current/bin. Here %FORWARDING_DIR% is the directory where ArcSight Forwarding Connector is installed.
Modifying the connector
Modifying the connector parameters
Specifying the ArcSight Source Manager parameters