Micro Focus

The ThreatConnect ArcSight ESM integration provides ArcSight users the ability to leverage customizable threat intelligence integrated in ArcSight from their ThreatConnect accounts. The App takes users aggregated logs from ArcSight and combines them with their threat intelligence in ThreatConnect. ThreatConnect provides context with indicators, and enables their teams to easily spot abnormal trends and patterns to be able to act on them efficiently. Users can quickly look up and create indicators, report false positives, and record the frequency with which particular indicators are observed in your network. Users can tie their data to Playbooks, ThreatConnect’s orchestration capability, to automate nearly any cybersecurity task and respond to threats faster - as well as send to other systems in the security stack.

The following actions are included:

• Add to ArcSight - Add a new Threat Indicator via the ArcSight ESM API.
• Delete from ArcSight - Delete a Threat Indicator via the ArcSight ESM API.

With this integration you get:

• Automate the detection of Advanced Threats in your environment
• Collect multi-source threat intelligence (open source, commercial, communities, internal research)
• Access insights on a threat’s capability, infrastructure, and past incidents
• Receive alerts to block cyber threats and respond to incidents
• Reduce False Positives to save time
• Leverage tailored, accurate, and timely threat intelligence
• Receive alerts on intel sourced from ThreatConnect communities and feeds matched against the logs and other machine data from a network within ArcSight
• Prioritize events and respond to threats as they happen
• Sort by threat rating and confidence scores, relationships to known threat types and adversary groups, past incidents, and tags
• Triage events with context to quickly spot abnormal trends and patterns and act on them efficiently
• Built-in dashboards and reports to expedite time to value

These apps can be found in the ThreatConnect App Catalog under the following names: Micro Focus ArcSight ESM - API (Playbook), and Micro Focus ArcSight ESM - API (Organization)

With this Playbook and Job App, you can deploy Indicators and logs from Micro Focus ArcSight ESM to ThreatConnect using the syslog protocol and CEF formatted lines. Common Event Format (CEF) is a Logging and Auditing file format from ArcSight and is an extensible, text-based format designed to support multiple device types by offering the most relevant information.

The ThreatConnect ArcSight ESM integration provides ArcSight users the ability to leverage customizable threat intelligence integrated in ArcSight from ThreatConnect. The App takes users' aggregated logs from ArcSight and combines them with their threat intelligence in ThreatConnect. ThreatConnect provides context with indicators and enables their teams to easily spot abnormal trends and patterns to be able to act on them efficiently. Users can quickly look up and create indicators, report false positives, and record the frequency with which particular indicators are observed in your network. Users can tie their data to Playbooks, ThreatConnect’s orchestration capability, to automate nearly any cybersecurity task and respond to threats faster - as well as send to other systems in the security stack.

The following actions are included:

• The Add action sets in the formatted line a value of add.
• The Remove actions sets in the formatted line a value of remove.

These apps can be found in the ThreatConnect App Catalog under the following names: Micro Focus ArcSight ESM - CEF (Playbook), and Micro Focus ArcSight ESM - CEF (Organization)