ArcSight Data Export
Export data for HP ArcSight Database Connector to an external database table.
The ArcSight data export task enables you to export IdentityIQ data to external tables.
Before you can use the ArcSight data export task, you must create the export databases on your destination data source.
The task schedule user interface includes a button that generates a customized DDL, which you can hand off to a database administrator for execution. Once the data source parameters are entered, click Generate Table Creation SQL. The task adds the following tables to the database:
| Tables | Description |
| --- | --- |
| sptr_arcsight_export | Table to maintain the task execution history. |
| sptr_arcsight_identity | Table contains exported data of Identity. |
| sptr_arcsight_audit_event | Table contains Audit Events information. |

| Option | Description |
| --- | --- |
| Datasource Parameters | |
| Database | Select a database type from the dropdown list. |
| User Name | Enter the user name parameter of the database table. |
| Password | Enter the password of the database table. |
| Driver Class | Enter the driver class used for the database. |
| URL | Enter the URL of the database. |
| Object Export Options | |
| Export Identities | Exports Identity-related data to the ArcSight tables. It provides the following options: Full: Exports all records, regardless of whether they were exported earlier. Incremental: Exports only records that have been updated since the last run of this task. This option can be selected even when running the task for the first time. When the task runs for the first time, this option exports all records, like the Full option. |
| Export Audits | Exports Audit Events to the ArcSight table. It provides the following options: Full: Exports all records, regardless of whether they were exported earlier. Incremental: Exports only records that have been updated since the last run of this task. |

After you complete customizing your task options, click Save for later use or Save and Execute to save the task and run it immediately.
Configuring HP ArcSight Task to populate host name or IP
The value of the application_host column can be populated by adding a map with the key arcsightAppNameHostMap, as shown in the following example. The field is read from the map as explained below:
It is difficult to determine the host name or IP address of the account because the field is not constant in the Application definition in IdentityIQ. Hence, the customer can define a map in TaskDefinition, selecting the task added to export data to the ArcSight table. The key in the map should be the name of the application defined in IdentityIQ, and the value should be the hostname, IP, or any string that the ArcSight administrator understands.
To add the map:
- Go to the debug page, navigate to TaskDefinition, and open the ArcSight task configured above.
- Add the entry with key = name of the Application defined in IdentityIQ and value = the string that identifies the host of the Account, such as a hostname or IP.
- Save the task definition. For example:
<entry key="arcsightAppNameHostMap">
  <value>
    <Map>
      <entry key="LinuxApp1" value="linux01.iiq.com"/>
      <entry key="LinuxApp2" value="127.15.19.21"/>
      <entry key="ADDirectApp" value="AD.iiq.com"/>
      <entry key="ServiceNowApp" value="https://iiq.service-now.com"/>
      <entry key="ACF2App" value="ACF2-Mainframe"/>
    </Map>
  </value>
</entry>
Note: If the application name is not defined in the map, the host field is blank.
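
Because an unmapped application exports a blank application_host, it is worth checking the export table against the map after a run. The following is an added example, not part of the product or its documentation: it parses an arcsightAppNameHostMap entry and lists the applications whose exported rows have no host. The SQLite table is a constructed three-column subset of sptr_arcsight_identity, and the function names and sample rows are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: a map entry as pasted from the TaskDefinition XML.
TASK_MAP_XML = """
<entry key="arcsightAppNameHostMap">
  <value><Map>
    <entry key="LinuxApp1" value="linux01.iiq.com"/>
    <entry key="ADDirectApp" value="AD.iiq.com"/>
    <entry key="ACF2App" value=""/>
  </Map></value>
</entry>
"""

def load_host_map(xml_text):
    """Return {application name: host string} from an arcsightAppNameHostMap entry."""
    root = ET.fromstring(xml_text)
    if root.get("key") != "arcsightAppNameHostMap":
        raise ValueError("not an arcsightAppNameHostMap entry")
    return {e.get("key"): (e.get("value") or "").strip()
            for e in root.findall("./value/Map/entry")}

def blank_host_report(conn, host_map):
    """Per application exported with a blank host: (name, row count, reason)."""
    rows = conn.execute(
        "SELECT application_name, COUNT(*) FROM sptr_arcsight_identity "
        "WHERE application_host IS NULL OR TRIM(application_host) = '' "
        "GROUP BY application_name ORDER BY application_name").fetchall()
    report = []
    for name, count in rows:
        if name not in host_map:
            reason = "no map entry"
        elif not host_map[name]:
            reason = "empty map value"
        else:
            reason = "mapped but exported blank"
        report.append((name, count, reason))
    return report

def demo():
    # Constructed subset of the export table; the real DDL comes from the task UI.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sptr_arcsight_identity (linkid TEXT PRIMARY KEY, "
                 "application_name TEXT, application_host TEXT)")
    conn.executemany("INSERT INTO sptr_arcsight_identity VALUES (?, ?, ?)", [
        ("l1", "LinuxApp1", "linux01.iiq.com"), ("l2", "ServiceNowApp", None),
        ("l3", "ServiceNowApp", ""), ("l4", "ACF2App", ""),
    ])
    return blank_host_report(conn, load_host_map(TASK_MAP_XML))
```

Against a real export database, pass a connection from the matching driver in place of the in-memory SQLite connection; the query uses only the application_name and application_host columns.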
The following fields are added in the export table:

| Fields | Description |
| --- | --- |
| linkid | Primary key for the Link table in the IdentityIQ database. This field is copied from the spt_link table id field and is the primary key for the export table. |
| identityid | Primary key in the Identity table. This field is copied from the spt_Identity table. |
| modified_dt | Populated with the timestamp when the record is exported to the export table. The field can be referenced when configuring a time-based ArcSight database connector. |
| identity_display_name | Represents the Display Name of the Identity, which is copied from the spt_identity table field (display_name). |
| identity_firstname | Represents the first name of the Identity, which is copied from the spt_identity table field (firstname). |
| identity_lastname | Represents the last name of the Identity, which is copied from the spt_identity table field (lastname). |
| application_type | Populated with the type of Account that is connected to the Identity, such as ActiveDirectory – Direct, ACF2 – Full, Box, Cloud Gateway, ServiceNow and so on. |
| application_host | The host name, IP, or any string that the ArcSight administrator can use to uniquely identify the host of the link/account. The customer can enter any string that can be sent to ArcSight to identify the host of the link. This field can be populated as explained in ArcSight Data Export. |
| application_name | Populated with the name of the Application of the Account connected to the Identity. |
| link_display_name | The account connected to the identity, which is copied from the spt_link table, field display_name. |
| entitlements | Represents a comma-separated list of entitlements for the link of the Identity. |
| risk_score | Represents the composite risk score of the Identity. |

| Fields | Description |
| --- | --- |
| auditid | The audit ID, which is the primary key for the export Audit table. The field is copied from the spt_audit_event table id field. |
| created_dt | Populated with the timestamp when the record is exported to the export table. The field can be referenced when configuring a time-based ArcSight database connector. |
| owner | Describes the Owner of the audit generated. |
| source | Provides more details to help the ArcSight administrator determine the source of the audit. |
| action | Describes the action taken on the entity. |
| target | Provides target details. |
| application | Describes the name of the application the target belongs to. |
| account_name | The name of the Account is populated in this field. |
| attribute_name | The name of the attribute modified. |
| attribute_value | The value provided to the attribute. |