← Back to integrations
SIEM

ArcSight

Trusteed Connector enriches ArcSight with IP, risk score, and threat category in air-gapped SOCs — no internet exposure required.

Prerequisites

  • ArcSight ESM (7.5+) or ArcSight Logger
  • Trusteed account with IP Enrichment feed
  • Trusteed ArcSight Connector (provided by Trusteed)
  • Admin access to ArcSight Console for Active List creation

Setup Steps

1. Deploy the Connector

  • Install the Trusteed Connector on a bridge server with outbound internet access and internal reach to ArcSight Manager.
  • Configure Trusteed API credentials, ArcSight credentials, and target Active List in config.yml.

2. Fetch Trusteed Feed

Connector downloads CSV feed with IP + attributes:

IP, RiskScore, Category, FirstSeen, LastSeen
192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19

3. Push Data into ArcSight Active List

  • Connector pushes each row into an Active List named Trusteed_IP_Enrichment.
  • Columns: IP, RiskScore, Category, FirstSeen, LastSeen.
  • Active List is updated on schedule (default 15 minutes).

4. Automate Updates

  • Connector runs as a scheduled service (systemd/cron).
  • Maintains sync with Trusteed feed; retries on failure.
  • Logs provide visibility into update status.

5. Use in Correlation Rules

Example rule in ArcSight:

Condition:
  Event SourceAddress IN ActiveList(Trusteed_IP_Enrichment)
  AND RiskScore > 80

Action:
  Generate High Severity Alert "High-Risk IP detected by Trusteed"

Outcome

  • ArcSight remains fully air-gapped — no internet exposure required.
  • Analysts see IPs enriched with Risk Score, Category, Timeline.
  • Noise is reduced, correlation rules trigger only on true high-risk IPs.
  • SOC teams operate faster with higher fidelity signals.

Next Steps

  • Extend enrichment with domains or hashes.
  • Forward enriched data into ArcSight Logger for reporting.
  • Chain enrichment into SOAR or automated response playbooks.