Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ArcSight Logger delivers a universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.

Connect ArcSight Logger with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for ArcSight Logger.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Server URL: Application server URL to connect to the ArcSight Logger. Example: abc.abcd.net or 10.10.10.10.

  9. Server Port (Optional): Application server port to connect to the ArcSight Logger (Default is 443).

  10. Login ID: The Login ID to connect to the ArcSight Logger.

  11. Password: The Password to connect to the ArcSight Logger.

  12. After you've entered all the details, click Connect.

Actions for ArcSight Logger

Search Events

Search event objects in ArcSight Logger.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Jinja Template for Query

Jinja-templated text containing the search query string to filter/process the events.

Example: message CONTAINS {{query_column_name}}.

Required

Start Time

Column name from the parent table to lookup value for start time (Default is Batch start time). Example: 2020-08-25T21:49:46.000-07:00.

Optional

End Time

Column name from the parent table to lookup value for end time (Default is Batch end time). Example: 2020-08-26T21:49:46.000-07:00.

Optional

Search Time

Select option for search time, it indicates the field date used for searching events (Default is Received Time).

Optional

Jinja Template for Fields

Jinja-templated text containing comma separated list of fields in order to show (Default is all fields). Example: {{fields_column1}}, {{fields_column2}}.

Optional

Number of results

Maximum number of results to return, must be between 1 through 10,000 (Default is 100).

Optional

Timeout

Maximum timeout duration per search in milliseconds for results to return (Default is 600000 milliseconds, 10 minutes).

Optional

Discover Fields

Select option for discovering fields, It indicates that the search should try to discover fields in the events found. Will be considered when Field Summary is set to True. Otherwise, ignored. (Default is False).

Optional

Jinja Template for Summary Fields

Jinja-templated text containing comma separated list of fields to be used to calculate summary when Field Summary is true (Default is empty). Example: {{summary_fields_column1}}, {{summary_fields_column2}}.

Optional

Field Summary

Select option for field summary, It indicates to use the field summary (Default is False).

Optional

Local Search

Select option for local search. Setting it as True indicates that the search is local only and does not include peers. Set it as False if you want to include peers in the search. (Default is False).

Optional

Output

A JSON object containing multiple rows of result:

...

Code Block
{
  "Device": "Logger",
  "Event Time": 1598959891935,
  "Logger": "Local",
  "Receipt Time": 1598960492511,
  "Version": "0",
  "_rowId": "531-0@Local",
  "agentSeverity": "2",
  "baseEventCount": 1,
  "destinationUserId": "1",
  "destinationUserName": "admin",
  "deviceCustomString4": "F3B80A1A9548F6FF7A962708E559D967",
  "deviceCustomString4Label": "Session ID",
  "deviceEventCategory": "/Logger/Resource/Dashboard/Configuration/Add",
  "deviceEventClassId": "logger:580",
  "deviceProduct": "Logger",
  "deviceReceiptTime": 1598959891883,
  "deviceVendor": "ArcSight",
  "deviceVersion": "7.1.0.8337.0",
  "endTime": 1598959891883,
  "error": null,
  "fileId": "1369094286720630795",
  "fileName": "Summary",
  "fileType": "Dashboard",
  "globalEventId": 0,
  "has_error": false,
  "message": "Dashboard [Summary] has been added",
  "name": "Dashboard added",
  "startTime": 1598959891883
},
{
  "Device": "Logger",
  "Event Time": 1598959891987,
  "Logger": "Local",
  "Receipt Time": 1598960492511,
  "Version": "0",
  "_rowId": "531-1@Local",
  "agentSeverity": "2",
  "baseEventCount": 1,
  "destinationUserId": "1",
  "destinationUserName": "admin",
  "deviceCustomString4": "F3B80A1A9548F6FF7A962708E559D967",
  "deviceCustomString4Label": "Session ID",
  "deviceEventCategory": "/Logger/Resource/Dashboard/Configuration/Update",
  "deviceEventClassId": "logger:582",
  "deviceProduct": "Logger",
  "deviceReceiptTime": 1598959891985,
  "deviceVendor": "ArcSight",
  "deviceVersion": "7.1.0.8337.0",
  "endTime": 1598959891985,
  "error": null,
  "fileId": "1369094286720630795",
  "fileName": "Summary",
  "fileType": "Dashboard",
  "globalEventId": 0,
  "has_error": false,
  "message": "Dashboard [Summary] has been updated",
  "name": "Dashboard updated",
  "startTime": 1598959891985
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

...