← Back to integrations
SIEM
ArcSight
Trusteed Connector enriches ArcSight with IP, risk score, and threat category in air-gapped SOCs — no internet exposure required.
Prerequisites
- ArcSight ESM (7.5+) or ArcSight Logger
- Trusteed account with IP Enrichment feed
- Trusteed ArcSight Connector (provided by Trusteed)
- Admin access to ArcSight Console for Active List creation
Setup Steps
1. Deploy the Connector
- Install the Trusteed Connector on a bridge server with outbound internet access and internal reach to ArcSight Manager.
- Configure Trusteed API credentials, ArcSight credentials, and target Active List in
config.yml.
2. Fetch Trusteed Feed
Connector downloads CSV feed with IP + attributes:
IP, RiskScore, Category, FirstSeen, LastSeen
192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19
3. Push Data into ArcSight Active List
- Connector pushes each row into an Active List named
Trusteed_IP_Enrichment. - Columns:
IP,RiskScore,Category,FirstSeen,LastSeen. - Active List is updated on schedule (default 15 minutes).
4. Automate Updates
- Connector runs as a scheduled service (systemd/cron).
- Maintains sync with Trusteed feed; retries on failure.
- Logs provide visibility into update status.
5. Use in Correlation Rules
Example rule in ArcSight:
Condition:
Event SourceAddress IN ActiveList(Trusteed_IP_Enrichment)
AND RiskScore > 80
Action:
Generate High Severity Alert "High-Risk IP detected by Trusteed"
Outcome
- ArcSight remains fully air-gapped — no internet exposure required.
- Analysts see IPs enriched with Risk Score, Category, Timeline.
- Noise is reduced, correlation rules trigger only on true high-risk IPs.
- SOC teams operate faster with higher fidelity signals.
Next Steps
- Extend enrichment with domains or hashes.
- Forward enriched data into ArcSight Logger for reporting.
- Chain enrichment into SOAR or automated response playbooks.