Introduction    

This guide helps Centrify customers integrate event data from Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service with ArcSight.

The Centrify Add-on for ArcSight normalizes Centrify events in ArcSight so that you can view Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service events in the ArcSight Console. For example, the payload of an event named "Run as role failure" looks like this:

Apr 19 17:19:46 member.centrify.vms dzagent[1404]: WARN AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|18|Run as role failure|7|user=dwirth@centrify.vms userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=3 centrifyEventID=6018 role=ROLE_SYSTEM_Archt/Global desktopguid=9766a262-c07b-4dbc-bad7-8a48d1fa3983 command=C:\\Program Files\\Centrify\\DirectManage Audit\\AuditManager\\Centrify DirectManage Audit Manager.msc reason=The user name or password is incorrect desktopname=Default networkroles=ROLE_SYSTEM_Archt/Global passwordprompted=True
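To show how the sample payload above breaks down into fields, here is an added Python example; it is not part of Centrify's guide or of the add-on. The header field names are assumptions inferred from position, and treating a doubled backslash as one escaped backslash is also an assumption.

```python
import re

# Sample copied from the "Run as role failure" payload above (raw strings keep \\ as-is).
SAMPLE = (
    r"Apr 19 17:19:46 member.centrify.vms dzagent[1404]: WARN "
    r"AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|18|"
    r"Run as role failure|7|user=dwirth@centrify.vms "
    r"userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=3 "
    r"centrifyEventID=6018 role=ROLE_SYSTEM_Archt/Global "
    r"desktopguid=9766a262-c07b-4dbc-bad7-8a48d1fa3983 "
    r"command=C:\\Program Files\\Centrify\\DirectManage Audit\\AuditManager"
    r"\\Centrify DirectManage Audit Manager.msc "
    r"reason=The user name or password is incorrect desktopname=Default "
    r"networkroles=ROLE_SYSTEM_Archt/Global passwordprompted=True"
)

# Assumed names for the seven pipe-delimited header fields (inferred from position).
HEADER_FIELDS = ("marker", "vendor", "product", "version",
                 "event_id", "name", "severity")
# Syslog prefix: timestamp, host, process[pid], level.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<level>\w+)\s")
# A value runs until the next " key=" token or end of line, so it may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_audit_trail(line):
    """Return {'syslog', 'header', 'ext'} dicts for one line, or None if unparseable."""
    start = line.find("AUDIT_TRAIL|")
    if start < 0:
        return None
    parts = line[start:].split("|", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        return None  # truncated record: refuse rather than mis-assign fields
    header = dict(zip(HEADER_FIELDS, parts))
    # Assumption: "\\" in the payload is an escaped single backslash.
    ext = {k: v.replace("\\\\", "\\") for k, v in KV_RE.findall(parts[-1])}
    m = SYSLOG_RE.match(line)
    syslog = m.groupdict() if m else {}
    return {"syslog": syslog, "header": header, "ext": ext}


if __name__ == "__main__":
    event = parse_audit_trail(SAMPLE)
    print(event["syslog"]["host"], event["header"]["name"])
    for key, value in event["ext"].items():
        print(f"  {key} = {value}")
```

A value that itself contains a space followed by `word=` would be split at that point, so verify the output against free-text fields such as `reason` before relying on it.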

This integration guide applies to the following ArcSight versions and Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service releases:

ArcSight Versions:

Enterprise Security Manager (ESM) 6.8.0
ESM Console 6.8.0

Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service Releases:

2016
2016.1
2016.2
2017
2017.1
2017.2
2017.3

ArcSight Components

The following diagram illustrates the ArcSight components that interact with the Centrify Add-on for ArcSight: