EclecticIQ Platform connector field mappings#
Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field.
The table below lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.
The extract type and value will always be mapped to cs2 and cs3 respectively.
However, when the extract type matches a field type available in CEF, such as an ipv4 address, the extract value will also be mapped to the corresponding CEF field.
See the table below for the extract types which will be mapped to additional CEF fields.
ArcSight field name |
ArcSight CEF field |
Vendor-specific event definition |
---|---|---|
Device Customer Number 1 |
cn1 |
Entity Half Life in Days |
Device Customer Number 2 |
cn2 |
Sightings Count |
Device Customer Number 3 |
cn3 |
Entity Severity |
Device Custom String 1 |
cs1 |
Entity TLP |
Device Custom String 2 |
cs2 |
Extract Type |
Device Custom String 3 |
cs3 |
Extract Value |
Device Custom String 4 |
cs4 |
CEF Feed ID |
Device Custom String 5 |
cs5 |
Extract Classification (Bad, Safe, Unknown) |
Device Custom String 6 |
cs6 |
Extract Confidence |
Device Custom Date 1 |
customdate1 |
Extract creation date |
EclecticIQ Relevance |
EclecticIQ_Relevance |
Entity Relevancy (0-10) |
External Id |
externalid |
Entity ID |
End Time |
end |
Entity Threat end time |
Flex String 1 |
flexstring1 |
Source ID who created entity |
Flex String 2 |
flexstring2 |
CEF Feed Name |
Request Url |
request |
c3 if c2 is “URI” |
Destination User Name |
duser |
c3 if c2 is “handle” or “name” |
File Name |
fname |
c3 if c2 is “file” |
File Hash |
filehash |
c3 if c2 is hash-{md5, sha1, sha256, sha512} |
Destination DNS Domain |
destinationDnsDomain |
c3 if c2 is “domain” |
Device Custom ipv6 Address |
c6a3 |
c3 if c2 is “ipv6” |
Destination Address |
dst |
c3 if c2 is “ipv4” |