ArcSight Data Export
Export data for HP ArcSight Database Connector to an external database table.
The ArcSight data export task enables you to export IdentityIQ data to external tables.
Before you can use the ArcSight data export task, you must create the export databases on your destination data source.
The task schedule user interface includes a button that generates a customized DDL which you can hand off to a database administrator for execution. Once the data source parameters are entered, click Generate Table Creation SQL. The task adds the following tables in database:
| Tables | Description |
|---|---|
| sptr_arcsight_export | Table to maintain the task execution history. |
| sptr_arcsight_identity | Table contains exported data of Identity. |
| sptr_arcsight_audit_event | Table contains Audit Events information. |
| Option | Description |
| Datasource Parameters | |
| Database | Select a database type from the dropdown list. |
| User Name | Enter the user name parameter of the database table. |
| Password | Enter the password of the database table. |
| Driver Class | Enter the driver class used for database. |
| URL | Enter the URL of the database. |
| Object Export Options | |
| Export Identities | Export Identity related data in ArcSight tables. It provides the following options: Full: Exports all the records irrespective if they were exported earlier. Incremental: Exports only records that are updated since last run of this task. This option can even be selected when running the task for first time. When the task is running for first time, this option exports all records similar to the Full option. |
| Export Audits | Export Audit Events in ArcSight table. It provides the following options: Full: Exports all the records irrespective if they were exported earlier. Incremental: Exports only records that are updated since last run of this task. This option can even be selected when running the task for first time. When the task is running for first time, this option exports all records similar to the Full option. |
After you complete customizing your task options, click Save for later use or Save and Execute to save the task and run it immediately.
Configuring HP ArcSight Task to Populate Host Name or IP
The value of column application_host can be populated by adding a map with the value as arcsightAppNameHostMap as shown in the following example. The fieldThis is read from the map as explained below:
It is difficult to determine the host name or IP address of the account as the field is not constant in Application definition in IdentityIQ. Hence, customer can define a map in TaskDefinition and select the task added to export data in ArcSight table. The key in the map should be name of the application defined in IdentityIQ and value should be hostname, IP, or any string that ArcSight administrator understands.
To add the map:
-
Go to debug page, navigate to TaskDefinition and open the ArcSight task configured above.
-
Add the entry as key = Name of Application defined in IdentityIQ and value as the string to identify host of Account like Hostname or IP.
-
Save the task definition. For example:
<entry key="arcsightAppNameHostMap">
<value>
<Map>
<entry key="LinuxApp1" value="linux01.iiq.com"/>
<entry key="LinuxApp2" value="127.15.19.21"/>
<entry key="ADDirectApp" value="AD.iiq.com"/>
<entry key="ServiceNowApp" value="https://iiq.service-now.com"/>
<entry key="ACF2App" value="ACF2-Mainframe"/>
</Map>
</value>
</entry>
Note
If the application name is not defined in the map the host field is blank.
The following fields are added in export table:
| Fields | Description |
|---|---|
| linkid | Primary key for Link table in IdentityIQ database. This field is copied from spt_link table id field and is the primary key for export table. |
| identityid | Primary key in Identity table. This field is copied from spt_Identity table. |
| modified_dt | Populates timestamp when the record is exported in export table. The field can be referred while configuring time based ArcSight database connector. |
| identity_display_name | Represents Display Name of Identity which is copied from spt_identity table field (display_name). |
| identity_firstname | Represents first name of Identity which is copied from spt_identity table field (firstname). |
| identity_lastname | Represents last name of Identity which is copied from spt_identity table field (lastname). |
| application_type | Populates the type of Account which is connected to the Identity like ActiveDirectory – Direct, ACF2 – Full, Box, Cloud Gateway, ServiceNow and so on. |
| application_host | The host name, IP, or any string which can be used by ArcSight administrator to identify the host of link/account uniquely. Customer can enter any string which can be sent to ArcSight to identify the host of link. This field can be populated as explained in ArcSight Data Export. |
| application_name | Populates the name of Application of the Account connected to the Identity. |
| link_display_name | The account connected to the identity which is copied from spt_link table, field display_name. |
| entitlements | Represents comma separated list of entitlements to the link of Identity. |
| risk_score | Represents the composite risk score of Identity. |
| Fields | Description |
|---|---|
| auditid | The audit ID which is primary key for the export Audit table. The field is copied from spt_audit_event table id field. |
| created_dt | Populates timestamp when the record is exported in export table. The field can be referred while configuring time based ArcSight database connector. |
| owner | Describes the Owner of the audit generated. |
| source | Provides more details to help ArcSight administrator determine the source of audit. |
| action | Describes the action taken on entity. |
| target | Provides target details. |
| application | Describes the name of application the target belongs to. |
| account_name | The name of Account is populated in this field. |
| attribute_name | The name of attribute modified. |
| attribute_value | The value provided to the attribute. |