ArcSight ESM
ArcSight Enterprise Security Manager sits centrally within an organization, collecting and analyzing events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements.
Connect ArcSight with Devo SOAR
Navigate to Automations > Integrations.
Search for ArcSight.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
ArcSight ESM Server Name or Host IP: Example: 192.168.1.1 or myarcsightesm.example.com.
ESM Server Port: Specify the port on which the ArcSight server is listening. Generally, it is 8443.
Username: Username for connecting to ArcSight.
Password: Password for connecting to ArcSight.
After you've entered all the details, click Connect.
Actions for ArcSight
Get Security Events
Get all security events for a particular event ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Event ID Column Name | Column from parent table containing one or more event IDs (JSON list or separated by commas). | Required |
Auto Fetch Base Events | If an event is a correlation event, automatically fetch its base events (default: False). | Required |
Explode Results | If multiple results are found, return as individual rows (default: False). | Required |
Drop Fields with NULL Values | If a field is returned with a null value, exclude it from result output (default: False). | Required |
Reformat Events with CEF Field Names | Rewrite event json to flatten the output and use proper CEF field names instead of having many sets of nested fields (default: False). | Required |
Start Date | Column from parent table containing a date and time for the query Start Date. (Example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited). | Optional |
End Date | Column from parent table containing a date and time for the query End Date. (Example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited). | Optional |
Output
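The following is an added example (not code from Devo SOAR or ArcSight) showing how the Get Security Events inputs and output options above can be handled in Python: parsing an event-ID cell that is either a JSON list or comma-separated, normalizing a Start/End Date cell (ISO-8601, epoch milliseconds, or -1) to epoch milliseconds, and applying the Explode Results, Drop Fields with NULL Values and Reformat Events with CEF Field Names options to raw event JSON. The CEF name mapping and the sample events are constructed for illustration, and naive timestamps are assumed to be UTC.

```python
import json
from datetime import datetime, timezone


def parse_event_ids(cell):
    """Accept a JSON list or a comma-separated string of event IDs; return a list of ints."""
    text = str(cell).strip()
    values = json.loads(text) if text.startswith("[") else text.split(",")
    return [int(str(v).strip()) for v in values if str(v).strip()]


def to_epoch_ms(value):
    """Normalize a Start/End Date cell: ISO-8601 string, epoch millis, or -1 (unlimited)."""
    text = str(value).strip()
    if text in ("", "-1"):
        return -1
    if text.isdigit():
        return int(text)
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return int(dt.timestamp() * 1000)


# Assumed illustrative subset of nested ESM field paths -> CEF field names (not the integration's own table).
CEF_NAMES = {"source.address": "src", "source.port": "spt",
             "destination.address": "dst", "destination.port": "dpt", "name": "msg"}


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted paths, e.g. {"source": {"address": x}} -> {"source.address": x}."""
    out = {}
    for key, val in obj.items():
        path = f"{prefix}{key}"
        out.update(flatten(val, path + ".") if isinstance(val, dict) else {path: val})
    return out


def strip_nulls(obj):
    """Recursively drop keys whose value is None."""
    if isinstance(obj, dict):
        return {k: strip_nulls(v) for k, v in obj.items() if v is not None}
    return obj


def shape_events(events, explode=False, drop_nulls=False, cef_names=False):
    """Apply the action's output options to a list of raw ESM event dicts."""
    shaped = []
    for ev in events:
        if cef_names:  # flatten, then rename known paths to CEF names
            ev = {CEF_NAMES.get(k, k): v for k, v in flatten(ev).items()}
        shaped.append(strip_nulls(ev) if drop_nulls else ev)
    return shaped if explode else [{"events": shaped}]  # one row per event, or one row holding all


# Constructed sample event, not real ESM output.
SAMPLE_EVENTS = [{"eventId": 101, "name": "Port scan", "source": {"address": "10.0.0.5", "port": None},
                  "destination": {"address": "10.0.0.9", "port": 22}}]
```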
Get All Cases
Get the list of all updated cases.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing the list of case IDs.
Get Case Details
Get the details of one particular case.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Column name | Column name from the parent table to lookup value for case resource ID. | Required |
Output
A JSON object returning details of a case.
Get All Query Viewers
Returns all the query viewer IDs.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object returning the IDs of all query viewers.
Get Query Viewer Results
Get the query viewer results of a particular ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Column name | Column name from parent table that contains query viewer ID. | Required |
Output
Get Case Events
Get all case events of a particular case ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Resource ID Column Name | Column name from the parent table to lookup value for case resource ID. | Required |
Output
A JSON object returning events of a case.
Delete Case
Delete a particular case by case ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Resource ID Column Name | Column name from the parent table to lookup value for case resource ID. | Required |
Output
Get All Active Lists
Get the list of all active list resource IDs.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
Get Entries from Active List
Get all entries of a particular resource ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Resource ID Column Name | Column name from parent table that contains resource ID. | Required |
Output
Add Entries to Active List
Add all entries to a particular resource.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Resource ID Column Name | Column name from parent table that contains resource ID. | Required |
Entries Column list | Column name from parent table to lookup value for all new entries. Example: sample row in the parent table '[{"ConnectorName":"A0830","AverageEPS":"1212"}]' | Required |
Output
Release Notes
v3.0.0
- Updated architecture to support IO via filesystem