EclecticIQ Platform connector field mappings#

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field.

The table below lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.

The extract type and value will always be mapped to cs2 and cs3 respectively.

However, when the extract type matches a field type available in CEF, such as an ipv4 address, the extract value will also be mapped to the corresponding CEF field.

See the table below for the extract types which will be mapped to additional CEF fields.

ArcSight field name

ArcSight CEF field

Vendor-specific event definition

Device Customer Number 1

cn1

Entity Half Life in Days

Device Customer Number 2

cn2

Sightings Count

Device Customer Number 3

cn3

Entity Severity

Device Custom String 1

cs1

Entity TLP

Device Custom String 2

cs2

Extract Type

Device Custom String 3

cs3

Extract Value

Device Custom String 4

cs4

CEF Feed ID

Device Custom String 5

cs5

Extract Classification (Bad, Safe, Unknown)

Device Custom String 6

cs6

Extract Confidence

Device Custom Date 1

customdate1

Extract creation date

EclecticIQ Relevance

EclecticIQ_Relevance

Entity Relevancy (0-10)

External Id

externalid

Entity ID

End Time

end

Entity Threat end time

Flex String 1

flexstring1

Source ID who created entity

Flex String 2

flexstring2

CEF Feed Name

Request Url

request

c3 if c2 is “URI”

Destination User Name

duser

c3 if c2 is “handle” or “name”

File Name

fname

c3 if c2 is “file”

File Hash

filehash

c3 if c2 is hash-{md5, sha1, sha256, sha512}

Destination DNS Domain

destinationDnsDomain

c3 if c2 is “domain”

Device Custom ipv6 Address

c6a3

c3 if c2 is “ipv6”

Destination Address

dst

c3 if c2 is “ipv4”