Specifying custom ArcSight user in ArcSight Forwarding Connector settings

This section describes how to specify a custom ArcSight user in the ArcSight Forwarding Connector settings.

When the ARB package is imported to ArcSight, the FwdCyberTrace user is created in the Kaspersky CyberTrace Connector group. This user account is intended for use by ArcSight Forwarding Connector. You may want to use another user account instead. We recommend that in this case you remove the FwdCyberTrace user and the Kaspersky CyberTrace Connector group. Note that your custom user must have the Forwarding Connector type.

To create a custom ArcSight user account for forwarding events from ArcSight ESM to Feed Service:

  1. Run ArcSight Console.
  2. In the Navigator pane, select the Resources tab.
  3. Open the drop-down list and select Users.
  4. In the tree view, select the user group that contains the custom user account.

    It is recommended to put this user account into a separate user group created only for this user.

  5. In the tree view, right-click the group entry and select Edit Access Control.

    ArcSight61

    Editing access settings

  6. In the Inspect/Edit pane, select the Events tab.
  7. Click Add.
  8. Select the following event filters:
    • CyberTrace forwarding events

      This is the filter for events that contain hashes, URLs, and IP addresses.

    arcsight_selecting_event_filters

    Selecting the event filters

  9. Install or reconfigure ArcSight Forwarding Connector.

    The procedure for reconfiguring of ArcSight Forwarding Connector is provided below in this section.

To reconfigure ArcSight Forwarding Connector:

  1. Change the current working directory to %FORWARDING_DIR%/current/bin.

    Here %FORWARDING_DIR% is a directory where ArcSight Forwarding Connector is installed.

  2. Execute the runagentsetup.sh script.
  3. Select Modify Connector and click Next.

    ArcSight63

    Modifying the connector

  4. Select Modify connector parameters and click Next.

    ArcSight64

    Modifying the connector parameters

  5. Specify the ArcSight parameters and the credentials of the custom user account and click Next.

    ArcSight65

    Specifying the ArcSight Source Manager parameters

  6. Click Next and then click Finish to finalize the Connector Setup window.
Page top