Configuration to Import HP ArcSight CEF Flat File to SailPoint

  1. Access the Application Configuration Console.

  2. Go to the Schema tab.

    Enter the correlation key for which you want to correlate activity from HP ArcSight to SailPoint.

    For example, for Active Directory application:

    sAMAccountName

  3. Go to the Activity Data Sources tab.

    Note
    For more information on Activity Data Source, refer to the IdentityIQ Administration Guide in SailPoint Product Documentation.

  4. Select Add to add a new Activity Data Source.

  5. Set the Activity Data source type as CEF Log File. The default transformation rule and correlation rule will be automatically selected.

    Note
    You can change the value of cefLinkAttribute in the correlation rule to set correlation keys as needed in the application.

  6. Go to the Transport Settings tab and set the Transport Type as local, ftp or scp.

  7. Go to the Log File Settings tab and in the File name, provide the exact path of the CEF flat file.

    For example:

    C:\ArcSight\activedirectory.csv

  8. Select the Save button to save activity data source configuration.

  9. Select the Save button to save the application.

If the correlation key is not set and the account aggregation for that application is already performed, then perform the following:

  1. Access the Application Configuration console.

  2. Go to the Correlation tab.

  3. Select the New button to create a new Account Correlation.

  4. Select the Next button and provide the name of the configuration.

  5. Select the Application Attributes and Identity Attributes and select Add button.

  6. Select Save.

  7. Select Save to save the application.

After the correlation configuration is done, execute the account aggregation (with optimization turned off to pick up the existing accounts) again.

  1. Go to Define > Identities.

  2. Select the identity for which you want to enable Activity monitoring and import data from ArcSight.

  3. Go to the Activity tab.

  4. Enable Activity Monitoring.

  5. Save the Identity.

  6. Go to Monitor > Tasks.

  7. Create a new Activity Aggregation Task.

  8. Select an activity data source you configured earlier.

  9. Save and execute the task.

    • To see the result of the task executed in previous step go to the Task Results tab and select the task.

    • To see the correlated events go to Define > Identities. Select the identity for which you have correlated the event. Go to the Activity Tab. Check the Recent Activities section.

Note
After correlating the HP ArcSight event to Identity, the Policy Violation and Certification can be created and used to notify for any activity for that identity using the workflow.