Kaspersky CyberTrace

Specifying custom ArcSight user in ArcSight Forwarding Connector settings

27 February 2024

ID 173055

This section describes how to specify a custom ArcSight user in the ArcSight Forwarding Connector settings.

When the ARB package is imported to ArcSight, the FwdCyberTrace user is created in the Kaspersky CyberTrace Connector group. This user account is intended for use by ArcSight Forwarding Connector. You may want to use another user account instead. We recommend that in this case you remove the FwdCyberTrace user and the Kaspersky CyberTrace Connector group. Note that your custom user must have the Forwarding Connector type.

To create a custom ArcSight user account for forwarding events from ArcSight ESM to Kaspersky CyberTrace Service:

  1. Run ArcSight Console.
  2. In the Navigator pane, select the Resources tab.
  3. Open the drop-down list and select Users.
  4. In the tree view, select the user group that contains the custom user account.

    It is recommended to put this user account into a separate user group created only for this user.

  5. In the tree view, right-click the group entry and select Edit Access Control.

    Figure: Editing access settings (the Edit Access Control menu item in ArcSight)

  6. In the Inspect/Edit pane, select the Events tab.
  7. Click Add.
  8. Select the following event filters:
    • CyberTrace forwarding events

      This is the filter for events that contain hashes, URLs, and IP addresses.

    Figure: Selecting the event filters in ArcSight

  9. Install or reconfigure ArcSight Forwarding Connector.

    The procedure for reconfiguring ArcSight Forwarding Connector is provided below in this section.

To reconfigure ArcSight Forwarding Connector:

  1. Change the current working directory to %FORWARDING_DIR%/current/bin.

    Here %FORWARDING_DIR% is the directory where ArcSight Forwarding Connector is installed.

  2. Execute the runagentsetup.sh script.
  3. Select Modify Connector and click Next.

    Figure: Modifying the connector (selecting Modify Connector in ArcSight)

  4. Select Modify connector parameters and click Next.

    Figure: Modifying the connector parameters (selecting Modify connector parameters in ArcSight)

  5. Specify the ArcSight parameters and the credentials of the custom user account and click Next.

    Figure: Specifying the ArcSight Source Manager parameters (the Modify simple parameters window in ArcSight)

  6. Click Next and then click Finish to finalize the Connector Setup window.
