IBM QRadar SOAR

  • 1.  Arcsight Integration with Resilient

    Posted Tue February 05, 2019 02:02 AM

    Hi Team,

    Greetings for the day!

    We are in the process of integrating ArcSight with Resilient. So far, we have been able to send test events (using the EventID) successfully by hand (using: /usr/bin/python2.7 /opt/resilient/arcsight/alert/resilient_arcsight_alert.py --type event --id "$eventId" OR python resilient_arcsight_alert.py --type event --id <event_id> --dry-run).


    1. But unfortunately the same is not executed when triggered by the ArcSight Console rule "Action". I mean incidents are not being forwarded automatically by the rule action.

    Please let me know if anyone has faced the same problem; any suggestions would be a great help to us.

    --

    Thanks



    ------------------------------
    Fms SOC
    Ravi Sharma
    ------------------------------


  • 2.  RE: Arcsight Integration with Resilient

    Posted Tue February 05, 2019 09:30 AM
    Hi Ravi,

    Were you able to review the resilient_arcsight_alert.log file and see what errors, if any, are being returned?

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Arcsight Integration with Resilient

    Posted Wed February 06, 2019 12:25 AM
    Hi Mark,

    Yes, we have checked the "resilient_arcsight_alert.log" log file and it is completely blank.

    ------------------------------
    Fms SOC
    ------------------------------



  • 4.  RE: Arcsight Integration with Resilient

    Posted Tue February 05, 2019 02:11 PM
    Edited by CRAIG R Tue February 05, 2019 02:12 PM
    This can sometimes happen due to the permissions of the ArcSight service running/executing the script.

    Check that the script's permissions and owner match your ArcSight service (or that the arcsight user is able to execute them).




  • 5.  RE: Arcsight Integration with Resilient

    Posted Wed February 06, 2019 12:25 AM
    Hi Craig,

    Could you please guide us on where to set the permissions for the ArcSight service that runs/executes the script?

    The same script is executed successfully when we use an actual eventID in place of "$eventId" in the parameter section.


    EX:
    /usr/bin/python2.7 /opt/resilient/arcsight/alert/resilient_arcsight_alert.py --type event --id "254253625" : executes successfully, and events are generated on Resilient

    /usr/bin/python2.7 /opt/resilient/arcsight/alert/resilient_arcsight_alert.py --type event --id "$eventId" : no events are generated on Resilient

    Please suggest if we have missed something.

    --
    Thanks,
    Ravi

    ------------------------------
    Fms SOC
    ------------------------------



  • 6.  RE: Arcsight Integration with Resilient

    Posted Wed February 06, 2019 11:22 AM
    You can run

    ls -ltr /opt/resilient/arcsight/alert/

    It will show the file permissions; you want to check that root is not required to execute the files, as the arcsight service usually doesn't run as root. Then you can change the file permissions accordingly to allow the ArcSight service to execute the script.

    If this doesn't work, it is worth checking the error log, which is located at

    /opt/resilient/arcsight/alert/resilient_arcsight_alert.log



  • 7.  RE: Arcsight Integration with Resilient

    Posted Mon February 11, 2019 01:41 AM

    Thanks,

    Checked and found that the permissions are set to the ArcSight user.

    Also, only when an incident is generated on Resilient by running the command manually on ArcSight do we see some logs in the "resilient_arcsight_alert.log" file; otherwise this file remains empty.



    ------------------------------
    Fms SOC
    ------------------------------



  • 8.  RE: Arcsight Integration with Resilient

    Posted Tue March 05, 2019 02:13 AM

    Hi All,

    Please update me if anyone has a solution for my issue.



    ------------------------------
    Fms SOC
    ------------------------------



  • 9.  RE: Arcsight Integration with Resilient
    Best Answer

    Posted Tue April 02, 2019 09:00 AM
    PROBLEM SOLVED

    The solution is to delete and rebuild the ArcSight Console Rule "Action" Trigger. Apparently, the rule was corrupted, and simply deleting it and rebuilding it (about 20 seconds' worth of work :-)) fixes the problem. The sign that something was amiss with the rule was that the EventID variable was coming back blank.

    Special thanks to Morgan from Micro Focus for finding this problem after hours of troubleshooting in logs and scripts!




    ------------------------------
    Raymond Suarez
    ------------------------------
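A diagnostic wrapper, added here as an example and not part of the Resilient ArcSight package or of any poster's configuration: placed between the rule action and resilient_arcsight_alert.py, it logs every invocation and refuses to call the alert script with a blank or non-numeric id, so a rule that passes an empty $eventId (the symptom in the accepted answer) leaves an ERROR line behind instead of an empty resilient_arcsight_alert.log. The wrapper's own log path and the environment variable names are assumptions.

```shell
#!/bin/sh
# Hypothetical diagnostic wrapper, not part of the Resilient ArcSight package.
# The ArcSight rule action calls this wrapper instead of the alert script, so
# every invocation (including one with a blank $eventId) leaves a log line.

# Assumed paths; override through the environment if needed.
LOG="${WRAPPER_LOG:-/tmp/resilient_arcsight_wrapper.log}"
ALERT_SCRIPT="${ALERT_SCRIPT:-/opt/resilient/arcsight/alert/resilient_arcsight_alert.py}"
PYTHON="${PYTHON:-/usr/bin/python2.7}"

# Append one timestamped line to the wrapper log.
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# ArcSight event ids are integers: reject an empty or non-numeric value.
# Returns 0 when valid, 1 when empty, 2 when it contains non-digits.
validate_event_id() {
    case "$1" in
        '')        return 1 ;;
        *[!0-9]*)  return 2 ;;
        *)         return 0 ;;
    esac
}

# Record which account runs the action and with what id, then forward to
# the real script only when the id is usable. Returns non-zero on a bad id.
run_alert() {
    event_id="$1"
    log_line "user=$(id -un) type=event id=[$event_id]"
    if ! validate_event_id "$event_id"; then
        log_line "ERROR: event id empty or not numeric; rebuild/check the rule action trigger"
        return 1
    fi
    "$PYTHON" "$ALERT_SCRIPT" --type event --id "$event_id" >> "$LOG" 2>&1
}

# Rule action parameter line: /path/to/resilient_wrapper.sh "$eventId"
if [ "$#" -gt 0 ]; then
    run_alert "$1"
fi
```

The user= field also answers the permissions question raised earlier in the thread, since it records the account the rule action actually runs under.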