

CloudPassage Halo Events and HP ArcSight – a recipe for effective security monitoring

Our integration team here at CloudPassage has worked closely with HP's ArcSight team to earn HP ArcSight Common Event Format (CEF) certification for our Event Connector, something many of our larger enterprise customers have asked for.

HP ArcSight is a SIEM tool that sifts through log records, correlates related events, and surfaces the critical ones via dashboards, notifications, and reports, so you can accurately prioritize security risks and compliance violations.

CloudPassage’s Halo platform records over eighty different types of security events about your Halo-managed infrastructure, whether you deploy into public cloud environments like HP Cloud or your private data center. These events deliver information about your infrastructure and include critical security alerts for firewall changes, access changes, File Integrity Monitoring (FIM) changes, and other activity as recorded in your Halo Portal account.

To unlock the full value that these events deliver, especially in large, complex environments, CloudPassage released an open-source security event connector. The Halo Event Connector retrieves event data from a CloudPassage Halo account and streams it to a variety of SIEM tools, including HP ArcSight. The Event Connector is a Python script designed to be executed repeatedly (for example from cron), each run picking up where the previous one left off so the SIEM stays current as new Halo events occur.
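The two things such a connector must get right are the CEF line format (header fields separated by `|`, key=value extensions, with the escaping rules for `|`, `\`, `=` and newlines) and a checkpoint so that repeated runs forward only events newer than the last one sent. The script below is an added illustration written for this post, not the Halo Event Connector's own code; the Halo event field names (`type`, `created_at`, `server_hostname` and so on), the severity mapping and the device version string are assumptions, and the events are constructed sample data rather than real Halo output.

```python
"""Added example: format Halo-style events as ArcSight CEF and checkpoint them.
Not the Halo Event Connector's code. Event field names, severities and the
device version are assumptions for illustration.
"""
from datetime import datetime, timezone

CEF_VERSION = 0
VENDOR, PRODUCT, DEVICE_VERSION = "CloudPassage", "Halo", "1.0"  # version assumed

# Assumed Halo event types mapped to CEF severity (0-10); illustrative only.
SEVERITY = {"login_failure": 4, "fim_change": 7, "firewall_change": 8}

# Assumed Halo field -> CEF extension key. Order is fixed so output is stable.
EXTENSION_MAP = [
    ("id", "externalId"),
    ("server_hostname", "dhost"),
    ("source_ip", "src"),
    ("user", "suser"),
    ("path", "fname"),
    ("message", "msg"),
]

# Constructed sample events (not real Halo output). The third one contains
# characters that must be escaped differently in the header and extension.
SAMPLE_EVENTS = [
    {"id": "evt-1", "type": "login_failure", "created_at": "2013-10-29T14:20:00Z",
     "server_hostname": "web-01", "source_ip": "203.0.113.7", "user": "root",
     "message": "Failed login attempt"},
    {"id": "evt-2", "type": "fim_change", "created_at": "2013-10-29T14:22:10Z",
     "server_hostname": "web-01", "path": "/etc/ssh/sshd_config",
     "message": "File changed: /etc/ssh/sshd_config"},
    {"id": "evt-3", "type": "firewall_change", "created_at": "2013-10-29T14:25:00Z",
     "server_hostname": "web-01", "message": "Rule added: allow|tcp=22"},
]


def escape_header(value):
    """CEF header fields: backslash and pipe are escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash, equals sign and line breaks are escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def epoch_millis(iso_utc):
    """'2013-10-29T14:20:00Z' -> milliseconds since the epoch (CEF 'rt')."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def to_cef(event):
    """Render one event as a single CEF line."""
    header = "|".join([
        f"CEF:{CEF_VERSION}",
        escape_header(VENDOR),
        escape_header(PRODUCT),
        escape_header(DEVICE_VERSION),
        escape_header(event["type"]),          # Device Event Class ID
        escape_header(event["message"]),       # Name
        str(SEVERITY.get(event["type"], 3)),   # unknown types get a low default
    ])
    ext = [f"rt={epoch_millis(event['created_at'])}"]
    for halo_key, cef_key in EXTENSION_MAP:
        if halo_key in event:
            ext.append(f"{cef_key}={escape_extension(event[halo_key])}")
    return header + "|" + " ".join(ext)


def forward(events, checkpoint=None):
    """Return (cef_lines, new_checkpoint) for events newer than `checkpoint`.

    `checkpoint` is the ISO-8601 UTC timestamp of the newest event already
    forwarded; a repeated run passes it back in to avoid duplicates. Fixed-
    format Zulu timestamps compare correctly as strings.
    """
    pending = sorted(
        (e for e in events if checkpoint is None or e["created_at"] > checkpoint),
        key=lambda e: e["created_at"],
    )
    lines = [to_cef(e) for e in pending]
    new_checkpoint = pending[-1]["created_at"] if pending else checkpoint
    return lines, new_checkpoint


if __name__ == "__main__":
    lines, cp = forward(SAMPLE_EVENTS)          # first run: everything is new
    print("\n".join(lines))
    print("checkpoint:", cp, "| next run forwards:", len(forward(SAMPLE_EVENTS, cp)[0]))
```

A real connector would persist the checkpoint to disk between runs and send each line over syslog (TCP with TLS, not UDP, if the events are security-relevant); the escaping functions are the part most often done wrong, and a single unescaped `|` in a message shifts every later header field.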

As more and more customers move their workloads and assets into public IaaS environments such as the HP Cloud, they expect the same level of security monitoring there that they have in the traditional perimeter-based data center. With the Halo Event Connector feeding HP ArcSight, cloud and data center events land in the same correlation engine, dashboards and workflows, so security operations are unified rather than split by hosting environment.

As an example of what HP ArcSight can do with Halo events, suppose a cloud instance records a burst of failed logins within a short time frame, and Halo's FIM module catches several configuration file changes on the same instance within the same period. Either event on its own might be serious; the two combined definitely make this a critical item for investigation. HP ArcSight's ability to correlate the two Halo-generated events gives the analyst actionable information about a potential security issue, where looking at each feed separately would not.
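The correlation rule described above is straightforward to state precisely: per host, a sliding time window that must contain at least N login failures and at least one FIM change. The script below is an added illustration for this post, not an ArcSight rule export or CloudPassage code; the event field names are the same assumptions used earlier in this post, and the events are constructed sample data chosen so that one host trips the rule, one has many failures but no file change, and one has a file change but too few failures. It also shows that failures outside the window do not count toward the threshold.

```python
"""Added example: correlate Halo-style login failures with FIM changes per host.
Not CloudPassage or ArcSight code. Event field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ev(host, ts, etype, **extra):
    """Build a constructed sample event (field names are assumptions)."""
    e = {"server_hostname": host, "created_at": ts, "type": etype}
    e.update(extra)
    return e


# Constructed sample data, not real Halo output.
SAMPLE_EVENTS = [
    # web-01: two old failures (outside the window), then five in a burst
    # around an sshd_config change -> should alert with 5 failures, not 7.
    ev("web-01", "2013-10-29T13:00:00Z", "login_failure", user="root"),
    ev("web-01", "2013-10-29T13:01:00Z", "login_failure", user="root"),
    ev("web-01", "2013-10-29T14:20:00Z", "login_failure", user="root"),
    ev("web-01", "2013-10-29T14:21:00Z", "login_failure", user="root"),
    ev("web-01", "2013-10-29T14:22:00Z", "fim_change", path="/etc/ssh/sshd_config"),
    ev("web-01", "2013-10-29T14:23:00Z", "login_failure", user="admin"),
    ev("web-01", "2013-10-29T14:24:00Z", "login_failure", user="root"),
    ev("web-01", "2013-10-29T14:25:00Z", "login_failure", user="root"),
    # db-01: a brute-force burst but no file change -> no correlated alert.
    *[ev("db-01", f"2013-10-29T14:3{i}:00Z", "login_failure", user="root") for i in range(6)],
    # app-01: a file change with only two failures nearby -> no alert.
    ev("app-01", "2013-10-29T15:00:00Z", "login_failure", user="deploy"),
    ev("app-01", "2013-10-29T15:02:00Z", "fim_change", path="/etc/passwd"),
    ev("app-01", "2013-10-29T15:03:00Z", "login_failure", user="deploy"),
]


def parse_ts(iso_utc):
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per host whose events contain, within any span no
    longer than `window`, at least `min_failures` login failures and at
    least one FIM change. Events may arrive in any order."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["server_hostname"]].append((parse_ts(e["created_at"]), e))

    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda pair: pair[0])
        start = 0  # left edge of the sliding window (index into items)
        for end in range(len(items)):
            # Drop events older than `window` relative to the newest one.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = [e for _, e in items[start:end + 1]]
            failures = [e for e in in_window if e["type"] == "login_failure"]
            fim = [e for e in in_window if e["type"] == "fim_change"]
            if len(failures) >= min_failures and fim:
                alerts.append({
                    "host": host,
                    "window_start": items[start][0].isoformat(),
                    "window_end": items[end][0].isoformat(),
                    "login_failures": len(failures),
                    "users": sorted({e["user"] for e in failures}),
                    "fim_paths": sorted({e["path"] for e in fim}),
                })
                break  # one alert per host is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In ArcSight the same logic would be expressed as a rule with two aggregated conditions joined on the host field and a time window; the important knobs are the threshold, the window length, and that the join key really identifies the instance (hostname alone is ambiguous in autoscaled environments, so an instance or agent ID is a better key if the events carry one).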

The screenshots below show a set of Halo events in one of ArcSight’s dashboards:

CloudPassage ArcSight Screenshot

A close-up of some of the events from above:

CloudPassage ArcSight Screenshot

The Halo Event Connector and the CEF User Configuration Guide are available on the GitHub-hosted CloudPassage Halo Toolbox:
