Configuring the HP ArcSight Task to Populate the Hostname or IP Address
The value of the application_host column can be populated by adding arcsightAppNameHostMap. This map lets you define the hostname or IP address to be used for an Account. SailPoint recommends that this hostname or IP address be the same as the one configured in ArcSight.
The arcsightAppNameHostMap map must be defined in the ArcSight Data Export Task created above. The key in the map should be the name of the application as defined in SailPoint, and the value should be the hostname, IP address, or any string that the ArcSight administrator understands.
- To add the map, go to the application Debug page. Go to TaskDefinition and open the ArcSight task.
- Add the following entry, and set the value to the string used to identify the host of the Account, such as the hostname or IP address.
  <entry key="<application_name>" value="account_host"/>
- Save the task definition.
For example:
<entry key="arcsightAppNameHostMap">
  <value>
    <Map>
      <entry key="LinuxApp1" value="linux01.sailpoint.com"/>
      <entry key="LinuxApp2" value="127.15.19.21"/>
      <entry key="ADDirectApp" value="AD.sailpoint.com"/>
      <entry key="ServiceNowApp" value="https://sailpoint.service-now.com"/>
      <entry key="ACF2App" value="ACF2-Mainframe"/>
    </Map>
  </value>
</entry>
Note: If the application name is not defined in the map, the Host field must be blank.
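The following check is an added example, not SailPoint's own code: it reads the arcsightAppNameHostMap entry from a task definition and lists the applications whose application_host would be exported blank, along with duplicate keys and empty values. The sample XML and application list are constructed, and treating a key that differs only by case or whitespace as a likely typo is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: page-style entries plus a duplicate, a case variant, an empty value.
SAMPLE_TASK_XML = """
<entry key="arcsightAppNameHostMap">
  <value>
    <Map>
      <entry key="LinuxApp1" value="linux01.sailpoint.com"/>
      <entry key="LinuxApp1" value="linux01.sailpoint.com"/>
      <entry key="addirectapp" value="AD.sailpoint.com"/>
      <entry key="ACF2App" value=""/>
    </Map>
  </value>
</entry>
"""
# Constructed list standing in for the application names defined in SailPoint.
SAMPLE_APPS = ["LinuxApp1", "ADDirectApp", "ACF2App", "ServiceNowApp"]

def load_host_map(task_xml):
    """Return (mapping, problems) for the arcsightAppNameHostMap entry."""
    root = ET.fromstring(task_xml)
    outer = next((e for e in root.iter("entry")
                  if e.get("key") == "arcsightAppNameHostMap"), None)
    if outer is None:
        return {}, ["arcsightAppNameHostMap is not defined"]
    mapping, problems = {}, []
    for e in outer.findall("./value/Map/entry"):
        app, host = e.get("key", ""), e.get("value", "").strip()
        if app in mapping:
            problems.append(f"duplicate key: {app}")
        if not host:
            problems.append(f"empty host value: {app}")
        mapping[app] = host
    return mapping, problems

def blank_host_report(app_names, mapping):
    """Map each application that would export a blank host to a reason."""
    by_folded = {k.strip().casefold(): k for k in mapping}
    report = {}
    for app in app_names:
        if not mapping.get(app):
            near = by_folded.get(app.strip().casefold())
            similar = near is not None and near != app
            report[app] = f"similar key: {near}" if similar else "no host defined"
    return report

if __name__ == "__main__":
    host_map, issues = load_host_map(SAMPLE_TASK_XML)
    print(issues, blank_host_report(SAMPLE_APPS, host_map))
```

Running it against the exported task definition before each change gives the ArcSight administrator a list of accounts that will arrive without a host identifier.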
This document provides the information an ArcSight administrator requires to create an ArcSight Active List or Active Channel. The following fields are added in the Export tables:
SailPoint sptr_arcsight_identity export table

| Fields | Description |
| --- | --- |
| linkid | Primary key for the Link table in SailPoint database. This field is copied from |
| identityid | Primary key in the Identity table. This field will be copied from the |
| modified_dt | Populates timestamp of when the record is exported in the export table. The field can be referenced while configuring a time-based ArcSight database connector. |
| identity_display_name | Represents the Display Name of the Identity to be copied from |
| identity_firstname | Represents the first name of Identity to be copied from the |
| identity_lastname | Represents last name of Identity to be copied from the |
| application_type | Populates the type of Account which is connected to the Identity. For example, ActiveDirectory – Direct, ACF2 – Full, Box, Cloud Gateway, ServiceNow. |
| application_host | The host name, IP address, or any string which can be used by the ArcSight administrator to identify the host of the link or account uniquely. You can enter any string which can be sent to ArcSight to identify the host of the link. |
| application_name | Populates the application name of the account connected to the Identity. |
| link_display_name | The account connected to the identity to be copied from |
| entitlements | Represents a comma-separated list of entitlements to the link of the Identity. |
| risk_score | Represents the composite risk score of Identity. |

SailPoint sptr_arcsight_audit_event export table

| Fields | Description |
| --- | --- |
| auditid | The audit ID which is primary key for the export Audit table. The field will be copied from the |
| created_dt | Populates the timestamp of when the record is exported in the export table. The field can be referenced while configuring a time-based ArcSight database connector. |
| owner | Describes the Owner of the generated audit |
| source | Helps the ArcSight administrator determine the source of the audit |
| action | Describes the action taken on an entity |
| target | Provides target details |
| application | Describes the name of application the target belongs to |
| account_name | The name of the Account is populated in this field |
| attribute_name | The name of the attribute modified |
| attribute_value | The value provided to the attribute |