ArcSight FlexConnector Development

Bespoke log collection with a custom-built Micro Focus ArcSight FlexConnector.

A FlexConnector is a custom SmartConnector that you define to gather security events from log files, databases, and other software and devices.

Available FlexConnector types:

  • Log file FlexConnector for reading fixed-format log files
  • Syslog FlexConnector for reading events from Syslog messages
  • Regular expression FlexConnector for reading variable-format log files
  • Regular expression FlexConnectors for recursively reading variable-format log files in a folder or multiple folders
  • Time-based and ID-based database FlexConnectors for reading the latest security events from a database (or multiple databases)
  • Simple Network Management Protocol FlexConnector for gathering events from SNMP traps
  • Extensible Markup Language (XML) FlexConnector for recursively reading events from XML-based files in a folder
  • Scanner FlexConnector to import the scan results from a scanner device
  • REST FlexConnector that uses REST API endpoints, JSON parser, and OAuth2 authentication to collect security events from cloud vendors (such as Box, Salesforce, or Google Apps).

Timescales for creation of a FlexConnector will vary depending on the complexity:

  • Simple complexity:
    • Parser override or single-format log file
    • Approx. 25 hours effort estimate
  • Medium complexity:
    • Multiple sub-messages, several log formats in one product
    • Approx. 50 hours effort estimate
  • High complexity:
    • Scanners, multiple parsers, complex database connections, custom integration / mappings with third-party tools, Action Connectors, Model Import Connectors
    • Approx. 100 hours effort estimate

The above estimates assume all the required log files and information are available at the start of the project and the FlexConnector will be deployed by the customer using our provided integration guide.

ArcSight FlexConnector Request process:

ArcSight FlexConnector development consists of the following tasks:

  1. Customer completes the OpSecure FlexConnector Request form.
  2. OpSecure Consultant reviews and confirms the resource requirements and the estimate of effort / complexity.
  3. OpSecure assigns an appropriate resource to carry out the work.
  4. Remote kick-off meeting to discuss ArcSight FlexConnector configuration tasks, resource requirements and dependencies.
  5. Review of the sample logs, and design and planning of the FlexConnector format.
  6. Configuring the FlexConnector configuration file.
  7. Mapping the device fields to the ArcSight schema (also known as device event mapping).
    • Configuring the device severity mappings
    • Categorising events
  8. Deployment of the FlexConnector (Customer or OpSecure Consultant led, as agreed).
  9. Verifying a functional FlexConnector.
    • System tests following deployment
  10. Remediation / re-work.
    • Updates to the FlexConnector following testing
  11. Delivery of documentation.
    • FlexConnector Integration Guide (IG)
    • FlexConnector files (parser, categoriser and mapping files)
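As an added illustration of what steps 5 to 7 produce (this is example content, not OpSecure's deliverable or code from the original page), the following is a regular expression log file FlexConnector parser file of the kind described in the Micro Focus FlexConnector Developer's Guide. The log line format, the vendor and product names, the token names and the device severity values are all constructed for the example; a real parser is built from the customer's sample logs gathered in step 5.

```properties
# Added example: regex FlexConnector parser file (<name>.sdkrfilereader.properties).
# The source log format is constructed for illustration, e.g. one line reads:
#   2024-01-15 10:22:31 WARN auth 10.1.2.3 jsmith login_failed "bad password"
# Vendor, product, token and severity values are assumptions, not a real device format.

comments.start.with=#
trim.tokens=true

# Steps 5-6: one regex describing the whole line; each capture group becomes a token.
# Backslashes are doubled because the file is parsed as Java properties first.
regex=(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}) (\\S+) (\\S+) (\\d+\\.\\d+\\.\\d+\\.\\d+) (\\S+) (\\S+) "([^"]*)"

token.count=7
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=yyyy-MM-dd HH:mm:ss
token[1].name=Severity
token[1].type=String
token[2].name=Module
token[2].type=String
token[3].name=SourceIP
token[3].type=IPAddress
token[4].name=User
token[4].type=String
token[5].name=Action
token[5].type=String
token[6].name=Detail
token[6].type=String

# Step 7: device event mapping of tokens onto ArcSight schema fields.
event.deviceVendor=__stringConstant("ExampleVendor")
event.deviceProduct=__stringConstant("ExampleProduct")
event.deviceReceiptTime=Timestamp
event.deviceSeverity=Severity
event.deviceEventClassId=Action
event.name=Action
event.sourceAddress=SourceIP
event.sourceUserName=User
event.message=Detail
event.deviceCustomString1=Module
event.deviceCustomString1Label=__stringConstant("Module")

# Step 7: device severity mappings onto ArcSight agent severity (constructed values).
severity.map.veryhigh.if.deviceSeverity=CRIT,FATAL
severity.map.high.if.deviceSeverity=ERROR
severity.map.medium.if.deviceSeverity=WARN
severity.map.low.if.deviceSeverity=INFO,DEBUG
```

The value placed in deviceEventClassId is what drives event categorisation (the second bullet under step 7): categorisation is held in a separate categoriser file keyed on that field rather than in the parser, which is why step 11 lists parser, categoriser and mapping files as separate deliverables. Lines that do not match the regex are reported as parse errors by the connector, so checking for those during the step 9 system tests is the quickest way to find log variants the sample set did not cover.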

All connector development will be provided by OpSecure SIEM Consultant resources and will ordinarily be carried out remotely. Where on-site presence is required (likely for complex connector development), this will be scheduled once the agreed dependencies and pre-requisites are captured; travel and expenses will be charged as appropriate.

In the event that any information cannot be gathered at the initial request stage, OpSecure SIEM Consultants can work with the business / SME to extract the relevant information. However, this will increase the time and cost to deliver the work package.
