This section describes how to import the ARB package to ArcSight.
The ARB package contains objects (active channels, dashboards, field sets, reports, rules, filters, users) that are necessary for integrating the service with ArcSight. When you import this file, these objects are created in ArcSight.
To import the ARB package:
ArcSight packages
integration
directory.
ARB file selection
The import process will be performed.
ARB import complete
After all objects from the ARB file are imported to ArcSight, all the imported rules are real-time rules, that is, they will be applied in real time.
To browse and manage the list of real-time rules:
Real-time rules
After the ARB package is imported, new objects are created in ArcSight.
Object |
Description |
Default state |
CyberTrace alerts |
Displays service events from Kaspersky CyberTrace in real time. |
Turned on |
CyberTrace all matches |
Displays detection events from Kaspersky CyberTrace in real time. |
Turned on |
CyberTrace hash matches |
Displays hash detection events from Kaspersky CyberTrace in real time. |
Turned off |
CyberTrace URL matches |
Displays URL detection events from Kaspersky CyberTrace in real time. |
Turned off |
CyberTrace IP matches |
Displays IP detection events from Kaspersky CyberTrace in real time. |
Turned off |
Object |
Description |
Default state |
CyberTrace detection map |
Displays all devices that sent events containing malicious URLs, IP addresses, or hashes. Displays all feeds that were involved in the detection process. |
Turned off |
CyberTrace match statistics |
Detection statistics: how many objects of a specific category were detected. |
Turned on |
CyberTrace Top 10 matched indicators |
Top 10 detected indicators. |
Turned off |
The CyberTrace detection map
and CyberTrace Top 10 matched indicators
dashboards are turned off by default so as not to overload ArcSight. You can turn them on if you need these dashboards.
Object |
Description |
Default state |
CyberTrace alerts |
Displayed fields of service events from Kaspersky CyberTrace. |
Static |
CyberTrace all matches |
Displayed fields of detection events from Kaspersky CyberTrace. |
Static |
CyberTrace matched hashes |
Displayed fields of hash detection events from Kaspersky CyberTrace. |
Static |
CyberTrace matched URLs |
Displayed fields of URL detection events from Kaspersky CyberTrace. |
Static |
CyberTrace matched IPs |
Displayed fields of IP address detection events from Kaspersky CyberTrace. |
Static |
Object |
Description |
Default state |
CyberTrace all matches |
Report that contains detection events from Kaspersky CyberTrace. |
Static |
Object |
Description |
Default state |
CyberTrace_HighThreatScoreIP |
Rule for assigning high severity level and storing high priority IP detection events from Kaspersky CyberTrace. |
Turned on |
CyberTrace_MediumThreatScoreIP |
Rule for assigning medium severity level and storing medium priority IP detection events from Kaspersky CyberTrace. |
Turned on |
CyberTrace_LowThreatScoreIP |
Rule for assigning low severity level and storing low priority IP detection events from Kaspersky CyberTrace. |
Turned on |
Object |
Description |
Default state |
CyberTrace all matches |
Filter for selecting detection events sent by Kaspersky CyberTrace. |
Static |
CyberTrace forwarding events |
Filter for forwarding to Kaspersky CyberTrace those events that contain URLs, IP addresses, or hashes. |
Static |
CyberTrace matched hashes |
Filter for selecting hash detection events sent by Kaspersky CyberTrace. |
Static |
CyberTrace matched URLs |
Filter for selecting URL detection events sent by Kaspersky CyberTrace. |
Static |
CyberTrace matched IPs |
Filter for selecting IP detection events sent by Kaspersky CyberTrace. |
Static |
Object |
Description |
Default state |
FwdCyberTrace |
Account that is used for configuring ArcSight event forwarding. |
Static |
After the import is finished, make sure that the FwdCyberTrace
user is created. To check, navigate to Users > Shared > Custom User Groups > Kaspersky CyberTrace Connector in ArcSight Console. If there is no FwdCyberTrace
user, create it manually.