Merge pull request #206674 from batamig/arcsight

Author: BCS2022

articles/defender-for-iot/organizations/TOC.yml

@@ -106,6 +106,8 @@
     items:
     - name: Overview
       href: integrate-overview.md
+    - name: ArcSight
+      href: integrations/arcsight.md
     - name: Integrate ClearPass
       href: tutorial-clearpass.md
     - name: Integrate CyberArk

articles/defender-for-iot/organizations/integrate-overview.md

@@ -16,6 +16,7 @@ The following table lists available integrations for Microsoft Defender for IoT,
 
 |Partner service  |Description | Learn more  |
 |---------|---------|---------|
+| **ArcSight** | Forward Defender for IoT alerts to ArcSight. | [Integrate ArcSight with Microsoft Defender for IoT](integrations/arcsight.md) |
 |**Aruba ClearPass**     | Share Defender for IoT data with ClearPass Security Exchange and update the ClearPass Policy Manager Endpoint Database with Defender for IoT data. | [Integrate ClearPass with Microsoft Defender for IoT](tutorial-clearpass.md)       |
 |**CyberArk**     | Send CyberArk PSM syslog data on remote sessions and verification failures to Defender for IoT for data correlation.   | [Integrate CyberArk with Microsoft Defender for IoT](tutorial-cyberark.md)       |
 |**Forescout**     | Automate actions in Forescout based on activity detected by Defender for IoT, and correlate Defender for IoT data with other *Forescout eyeExtended* modules that oversee monitoring, incident management, and device control.  | [Integrate Forescout with Microsoft Defender for IoT](tutorial-forescout.md)      |

articles/defender-for-iot/organizations/integrations/arcsight.md

@@ -0,0 +1,57 @@
+---
+title: Integrate ArcSight with Microsoft Defender for IoT
+description: Learn how to send Microsoft Defender for IoT alerts to ArcSight.
+ms.topic: how-to
+ms.date: 08/02/2022
+---
+
+# Integrate ArcSight with Microsoft Defender for IoT
+
+This article describes how to send Microsoft Defender for IoT alerts to ArcSight. Integrating Defender for IoT with ArcSight provides visibility into the security and resiliency of OT networks and a unified approach to IT and OT security.
+
+## Prerequisites
+
+Before you begin, make sure that you have the following prerequisites:
+
+- Access to a Defender for IoT OT sensor as an Admin user.
+
+## Configure the ArcSight receiver type
+
+To configure your ArcSight server settings so that it can receive Defender for IoT alert information:
+
+1. Sign in to your ArcSight server.
+1. Configure your receiver type as a **CEF UDP Receiver**.
+
+For more information, see the [ArcSight SmartConnectors Documentation](https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors/#gsc.tab=0).
+
+## Create a Defender for IoT forwarding rule
+
+This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to ArcSight.
+
+For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
+
+1. Sign in to your OT sensor console and select **Forwarding** on the left.
+
+1. Enter a meaningful name for your rule, and then define your rule details, including:
+
+    - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.
+    - The protocols you want to include in the rule.
+    - The traffic you want to include in the rule.
+
+1. In the **Actions** area, define the following values:
+
+    - **Server**: Select **ArcSight**
+    - **Host**: The ArcSight server address
+    - **Port**: The ArcSight server port
+    - **Timezone**: The timezone of the ArcSight server
+
+1. Select **Save** to save your forwarding rule.
+
+## Next steps
+
+For more information, see:
+
+- [Integrations with partner services](../integrate-overview.md)
+- [Forward alert information](../how-to-forward-alert-information-to-partners.md)
+- [Manage individual sensors](../how-to-manage-individual-sensors.md)
+