ArcSight IT Security Information and Event Management Infrastructure Module Overview

The ArcSight IT Security Information and Event Management Infrastructure Module (SIEM) is a universal log management solution that helps enterprises identify and prioritize current and potential security threats. SailPoint collects security event information such as Audit information. The SailPoint integration with ArcSight IT Security allows both end systems to take remediation action in the event of security threats.

The SailPoint integration with ArcSight enables the following:

  1. SailPoint data (Identity, Account, Audit, and Syslog) stored in SailPoint can be exported to ArcSight. ArcSight administrators can store this data in an ArcSight Active List.

    SailPoint data can be exported to ArcSight for correlation of events such as successful provisioning of privileged accounts, password changes, login failures, and so on. For more information on ways to export data, refer to Import data to SailPoint from ArcSight in Supported Features.

  2. SailPoint can import filtered activity event data from ArcSight, and activity-based remediation processes can be triggered based on that data. Event records are expected in standard ArcSight Common Event Format (CEF).

    Events received are matched with users held within the SailPoint warehouse, and are used to trigger activity policies when certain types of events are recognized. These triggers execute a business process that fully re-certifies the affected user and recalculates their risk score. The system then updates risk reports and dashboard content to highlight the activity.
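The following is an added illustration, not SailPoint or ArcSight code, of what parsing a CEF record and matching it to a known user involves, including the escaped `\|` and `\=` sequences that naive splitting mishandles. Matching on the CEF `duser`/`suser` keys, the case-insensitive comparison, and the sample record and identity table are assumptions made for this example.

```python
import re

_FIELD = r"((?:\\.|[^|\\])*)\|"   # one header field; escaped "\|" stays inside it
_CEF = re.compile(r"CEF:" + _FIELD * 7 + r"(.*)", re.S)
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")   # extension key before an unescaped "="
_HEADER = ("version", "vendor", "product", "device_version",
           "class_id", "name", "severity")

def _unescape(value):
    """Undo CEF backslash escapes (pipe, equals, backslash, newline)."""
    special = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: special.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF record; any syslog prefix before "CEF:" is skipped."""
    m = _CEF.search(line)
    if not m:
        raise ValueError("not a complete CEF record")
    *header, ext = m.groups()
    event = {k: _unescape(v) for k, v in zip(_HEADER, header)}
    # A value runs from its "key=" up to the next " key=" (values may hold spaces).
    keys = list(_EXT_KEY.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    event["ext"] = {k.group(1): _unescape(ext[k.end():e].strip())
                    for k, e in zip(keys, ends)}
    return event

def match_identity(event, identities):
    """Assumption: match on duser, then suser, case-insensitively."""
    for key in ("duser", "suser"):
        name = event["ext"].get(key, "").lower()
        if name in identities:
            return identities[name]
    return None

# Constructed sample record and identity table (not real data).
SAMPLE = (r"<134>Jan 1 00:00:00 host CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
          r"Login failed \| locked|7|suser=JSmith msg=user\=jsmith failed 5 times src=10.0.0.5")
IDENTITIES = {"jsmith": "John Smith"}
```

Records that do not carry all seven header fields raise `ValueError`, so malformed input is rejected before any user matching is attempted.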

Note
Creating an ArcSight Active Channel or Active List is outside the scope of this document. This document assumes the ArcSight administrator is familiar with steps to create an ArcSight Active Channel or Active List. It provides the SailPoint information an ArcSight administrator will require to create an ArcSight Active Channel or Active List.