Aqua Security - 2.5 - CEF - Integration - Guide - 2018


Integration Guide

Micro Focus Common Event Format Integration Guide
Aqua Security
Aqua Container Security Platform

Date: August 17, 2017


Contents
Revision History ........................................................................................................................................................3
Aqua Container Security Platform Integration Guide ..........................................................................................4
Joint Solution Overview ............................................................................................................................................4
Use Cases ..................................................................................................................................................................4
CEF Integration ..........................................................................................................................................................5
1. Configuration of Aqua CSP to output CEF events .............................................................................................5
2. Events ...............................................................................................................................................................6
3. Device Event Mapping to ArcSight Data Fields ................................................................................................6
ArcSight Content for Aqua CSP ........................................................................................................................7
Prerequisites ....................................................................................................................................................7
Support ............................................................................................................................................................7
Additional ArcSight Documentation .................................................................................................................8

ArcSight Integration Guide
This document is provided for informational purposes only, and the information herein is subject to change
without notice. Please report any errors herein to Micro Focus. Micro Focus does not provide any warranties
covering this information and specifically disclaims any liability in connection with this document.

Certified Integration:
The integration complies with the requirements of the Micro Focus Technology Alliance Partner program. For
inbound integrations, the Micro Focus ArcSight CEF connector will be able to process the events correctly and
the events will be available for use within Micro Focus’ ArcSight product. In addition, the event content has
been deemed to be in accordance with standard SmartConnector requirements. For action and outbound
integrations, the integration establishes outbound communications from Micro Focus ArcSight to a third party
platform. The integration has been tested and demonstrated to Micro Focus by the third party.

Revision History
Date Description

06/29/2017 First edition of this Configuration Guide.

06/29/2017 Version 2.5 Certified by Micro Focus Security

Aqua Container Security Platform Integration Guide
This guide provides information for configuring Aqua Container Security Platform (CSP) for syslog event
collection. This integration is supported on Linux platforms. Supported device versions are Aqua Security
version 2.5 and above, running on any machine with Docker version 1.13 or above.

Joint Solution Overview

Aqua Security enables enterprises to secure their virtual container environments from development to
production, accelerating container adoption and bridging the gap between DevOps and IT security.

The joint solution combining the Micro Focus ArcSight platform and Aqua CSP allows users to share all
Docker-related command and vulnerability information between Aqua CSP and Micro Focus ArcSight. This results
in automated risk management and a real-time context view of the container environment.

Use Cases
This section describes important use cases supported by this integration.
• Monitor Docker related events & container run time actions
• Monitor Common Vulnerabilities and Exposure (CVE) found in images and containers

Monitor Docker related events & container runtime actions

Aqua provides important information about Docker related events and runtime actions. This is useful for
immediately blocking or remediating unauthorized behaviour. However, organizations that want in-depth
analytics and insights into historic container events and actions should continuously feed ArcSight with these
events.

Monitor Common Vulnerabilities and Exposures (CVE) found in images and containers
Organizations should constantly verify that all applications are properly patched with software updates and
feed the application patch status information into the ArcSight solution.
Use Aqua CSP to continuously scan images for vulnerabilities and send the results to ArcSight to continuously
monitor the patching process and status.

CEF Integration

1. Configuration of Aqua Container Security Platform to output CEF events

1. Log in to the Aqua console and select System > Integrations > Log Management.
Select ArcSight, mark the 'Enabled' checkbox, provide the service URL and network, and save the changes.

2. Events
DeviceEventClassIds:
366 - Administration (administration related commands, e.g. create user, remove user, add policy, etc.)
367 - Docker commands (events related to Docker, e.g. pull, create, start, stop, etc.)
368 - Runtime events (events from inside the containers, e.g. rm, exec, unlink, connect, accept, etc.)
369 - Image Assurance (events related to image vulnerabilities)

Jun 18 04:41:43 aquasec-server CEF:0|Security|aquasec|2.5|367|audit|7|name=start cs5=67007421-e43e-4cae-9602-618b50eee5de cs5Label=hostid duser=root cs3=ubuntu:latest cs3Label=image cs4=7b9b13f7b9c0 cs4Label=imageid image_hash=3f75c4b41fad6a846145c95c353e5f5837476592cbdb42d27fb55ae8d22915fd cs2=3ff365ac3bcc cs2Label=containerid rt=1497760895 cs6=container_do1c cs6Label=container dvchost=azy-ubuntu1404dev-vm0.f4jg3qsqvgqene4doq5ayd2tzh.ax.internal.cloudapp.net cat=container duid=0 cs1=rule-admin-containers cs1Label=rule act=allow reason=Found matching rule granting access to resource

3. Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector and then
mapped to an ArcSight data field.
The following table lists the mappings from the supported vendor-specific event fields to ArcSight data fields.

Vendor-Specific Event Field Name   Vendor-Specific Event Name Definition                  ArcSight Event Data Field

action                             the user action                                        name
container                          the container logical name                             cs6
containerid                        the container unique id                                cs2
user                               the container owner user name                          duser
uid                                the container owner user id                            duid
euser                              the user inside the container                          euser
euid                               the user id inside the container                       euid
image                              the container image logical name                       cs3
imageid                            the container image unique id                          cs4
reason                             why the action was approved or denied                  reason
category                           event category                                         cat
host                               the host name where the event was generated            dvchost
hostid                             the host unique id                                     cs5
rule                               the rule name that blocked the action                  cs1
process                            the process name that generated the action             dproc
pid                                the process id that generated the action               dpid
resource                           the resource file name the action was performed on     filepath
resource_digest                    the resource digest                                    filehash
result                             the action result: allow-1, deny-2, warning-3          act
image_hash                         the image digest (SHA-256)                             image_hash
description                        general description                                    message
adjective                          object name                                            filename
high                               number of high severity CVEs                           cn1
medium                             number of medium severity CVEs                         cn2
low                                number of low severity CVEs                            cn3
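Added example (not from the guide or from Aqua): a Python parser that applies the table above in reverse to the sample event from the Events section, resolving each csN custom string through its csNLabel and each remaining ArcSight field name back to the vendor field name. The sample line is the guide's own event rejoined onto one syslog line; the dictionaries and function names are constructed here.

```python
import re

# DeviceEventClassId values documented in the Events section above.
EVENT_CLASS_IDS = {366: "Administration", 367: "Docker commands",
                   368: "Runtime events", 369: "Image Assurance"}

# Inverse of the mapping table (ArcSight field -> Aqua vendor name); csN/cnN use their labels instead.
ARCSIGHT_TO_VENDOR = {
    "name": "action", "duser": "user", "duid": "uid", "euser": "euser", "euid": "euid",
    "reason": "reason", "cat": "category", "dvchost": "host", "dproc": "process",
    "dpid": "pid", "filepath": "resource", "filehash": "resource_digest", "act": "result",
    "image_hash": "image_hash", "message": "description", "filename": "adjective",
}

# Extension key=value pairs: a value runs until the next " key=" token, so spaces survive.
_EXT_RE = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|$)", re.S)

# The guide's own sample event, rejoined onto a single syslog line.
SAMPLE = (
    "Jun 18 04:41:43 aquasec-server CEF:0|Security|aquasec|2.5|367|audit|7|name=start "
    "cs5=67007421-e43e-4cae-9602-618b50eee5de cs5Label=hostid duser=root cs3=ubuntu:latest "
    "cs3Label=image cs4=7b9b13f7b9c0 cs4Label=imageid "
    "image_hash=3f75c4b41fad6a846145c95c353e5f5837476592cbdb42d27fb55ae8d22915fd "
    "cs2=3ff365ac3bcc cs2Label=containerid rt=1497760895 cs6=container_do1c cs6Label=container "
    "dvchost=azy-ubuntu1404dev-vm0.f4jg3qsqvgqene4doq5ayd2tzh.ax.internal.cloudapp.net "
    "cat=container duid=0 cs1=rule-admin-containers cs1Label=rule act=allow "
    "reason=Found matching rule granting access to resource"
)

def parse_cef(line):
    """Parse one syslog line carrying an Aqua CEF event into vendor-named fields."""
    cef = line[line.index("CEF:"):]
    # Seven header fields split on unescaped '|'; the eighth piece is the extension.
    header = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(header) != 8:
        raise ValueError("malformed CEF header: %r" % line)
    raw = dict(_EXT_RE.findall(header[7]))
    fields = {}
    for key, value in raw.items():
        if re.fullmatch(r"c[sn]\d+Label", key):
            continue                              # labels are consumed, not emitted
        label = raw.get(key + "Label")            # cs5 + cs5Label=hostid -> "hostid"
        fields[label or ARCSIGHT_TO_VENDOR.get(key, key)] = value
    class_id = int(header[4])
    return {
        "vendor": header[1], "product": header[2], "version": header[3],
        "event_class_id": class_id, "event_class": EVENT_CLASS_IDS.get(class_id, "unknown"),
        "name": header[5], "severity": int(header[6]), "fields": fields,
    }
```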

ArcSight Content for Aqua Container Security Platform

Prerequisites
Product Name             Version Information      Operating System
Micro Focus ArcSight

Support
Integration support information for when an issue is outside of the ArcSight team's scope

In some cases the ArcSight customer service team is unable to help with issues that lie within the configuration
itself, in which case the certified vendor should be contacted for assistance:

Aqua Customer Support

Phone - (781) 270-1504
Email - support@aquasec.com
Instructions - Contact Aqua support via email or phone and provide details about the issue encountered.

Additional ArcSight Documentation
For more information about the joint solution, visit the Micro Focus ArcSight Marketplace:
https://marketplace.microfocus.com/arcsight/category/partner-integrations
For more information about Micro Focus Security ArcSight ESM:
https://software.microfocus.com/en-us/software/siem-security-information-event-management
