ArcSight ESM

Version: 3.0.0

ArcSight Enterprise Security Manager sits centrally within an organization, collecting and analyzing events from systems and security tools across the environment. It detects security threats in real time so that analysts can respond quickly, and it scales to meet demanding security requirements.

Connect ArcSight with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for ArcSight.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • ArcSight ESM Server Name or Host IP: Hostname or IP address of the ArcSight ESM server, for example 192.168.1.1 or myarcsightesm.example.com.
    • ESM Server Port: Specify the port on which the ArcSight server is listening. Generally, it is 8443.
    • Username: Username for connecting to ArcSight.
    • Password: Password for connecting to ArcSight.
  4. After you've entered all the details, click Connect.

Actions for ArcSight

Get Security Events

Get all security events for one or more event IDs.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Event ID Column Name | Column from the parent table containing one or more event IDs (JSON list or comma-separated). | Required
Auto Fetch Base Events | If an event is a correlation event, automatically fetch its base events (default: False). | Required
Explode Results | If multiple results are found, return them as individual rows (default: False). | Required
Drop Fields with NULL Values | If a field is returned with a null value, exclude it from the result output (default: False). | Required
Reformat Events with CEF Field Names | Rewrite the event JSON to flatten the output and use proper CEF field names instead of many sets of nested fields (default: False). | Required
Start Date | Column from the parent table containing the date and time for the query start (example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited). | Optional
End Date | Column from the parent table containing the date and time for the query end (example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited). | Optional
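As an added example (not LogicHub's or ArcSight's own code), the following Python shows how the inputs above can be normalized before the action is sent to ESM, and how the Explode Results and Drop Fields with NULL Values options shape the rows that come back. The function names, the validation rule, and the sample events are constructed for illustration. Naive ISO timestamps are assumed to be UTC, which is consistent with the page pairing 2017-05-22T10:00:00 with 1495447200000.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

UNLIMITED = -1  # the page's "-1 (unlimited)" sentinel for Start/End Date


def parse_event_ids(cell: Any) -> List[str]:
    """Normalize an Event ID column value to a list of ID strings.

    Accepts a real list (already-parsed JSON), a JSON list encoded as text,
    or comma-separated text, as the Event ID Column Name input describes.
    """
    if cell is None:
        return []
    if isinstance(cell, (list, tuple)):
        return [str(x).strip() for x in cell if str(x).strip()]
    text = str(cell).strip()
    if not text:
        return []
    if text.startswith("["):
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, list):
            return [str(x).strip() for x in parsed if str(x).strip()]
    # fall back to comma-separated text; empty fragments are ignored
    return [part.strip() for part in text.split(",") if part.strip()]


def to_epoch_millis(value: Any) -> int:
    """Convert a Start/End Date cell to epoch milliseconds.

    Accepts an ISO-8601 timestamp, an epoch-milliseconds integer, or -1
    (unlimited). An empty cell is treated as unlimited. Naive timestamps are
    assumed to be UTC (assumption made for this example).
    """
    if value is None or str(value).strip() == "":
        return UNLIMITED
    text = str(value).strip()
    if text.lstrip("-").isdigit():
        return int(text)
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_query(cell: Any, start: Any = None, end: Any = None) -> Dict[str, Any]:
    """Assemble the normalized query and reject an inverted time window."""
    start_ms, end_ms = to_epoch_millis(start), to_epoch_millis(end)
    if start_ms != UNLIMITED and end_ms != UNLIMITED and start_ms > end_ms:
        raise ValueError("Start Date is after End Date")
    ids = parse_event_ids(cell)
    if not ids:
        raise ValueError("no event IDs found in the Event ID column")
    return {"eventIds": ids, "startMillis": start_ms, "endMillis": end_ms}


def drop_null_fields(obj: Any) -> Any:
    """Recursively remove keys whose value is null (Drop Fields with NULL Values)."""
    if isinstance(obj, dict):
        return {k: drop_null_fields(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [drop_null_fields(v) for v in obj]
    return obj


def shape_output(events: List[Dict[str, Any]], explode: bool = False,
                 drop_nulls: bool = False) -> List[Dict[str, Any]]:
    """Return one row per event (Explode Results) or a single row holding the list."""
    if drop_nulls:
        events = [drop_null_fields(e) for e in events]
    if explode:
        return [{"event": e} for e in events]
    return [{"events": events}]


# Constructed sample of what two fetched events might look like (not real ESM output).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventId": 1001, "name": "Login failure", "device": {"address": "10.0.0.5", "zone": None}},
    {"eventId": 1002, "name": "Port scan", "device": {"address": None, "zone": "dmz"}},
]

if __name__ == "__main__":
    query = build_query('[1001, 1002]', "2017-05-22T10:00:00", "-1")
    print(json.dumps(query))
    print(json.dumps(shape_output(SAMPLE_EVENTS, explode=True, drop_nulls=True)))
```

Both ID syntaxes named on the page map to the same list, and the time window is checked before anything is sent, so a mis-ordered Start/End pair fails in the playbook rather than producing an empty or unexpected result set from ESM.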

Output


Get All Cases

Get the list of all updated cases.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object returning a list of case IDs in JSON format.


Get Case Details

Get the details of one particular case.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Column name | Column name from the parent table to look up the value for the case resource ID. | Required

Output

A JSON object returning details of a case.


Get All Query Viewers

Returns all the query viewer IDs.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object returning the IDs of all query viewers.


Get Query Viewer Results

Get the query viewer results of a particular ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Column name | Column name from the parent table that contains the query viewer ID. | Required

Output


Get Case Events

Get all case events of a particular case ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Resource ID Column Name | Column name from the parent table to look up the value for the case resource ID. | Required

Output

A JSON object returning events of a case.


Delete Case

Delete a particular case by case ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Resource ID Column Name | Column name from the parent table to look up the value for the case resource ID. | Required

Output


Get All Active Lists

Get the list of all active list resource IDs.

Input Field

Choose a connection that you have previously created to complete the connection.

Output


Get Entries from Active List

Get all entries of a particular resource ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Resource ID Column Name | Column name from the parent table that contains the resource ID. | Required

Output


Add Entries to Active List

Add all entries to a particular resource.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
--- | --- | ---
Resource ID Column Name | Column name from the parent table that contains the resource ID. | Required
Entries Column list | Column name from the parent table to look up the value for all new entries. Example of a sample row in the parent table: '[{"ConnectorName":"A0830","AverageEPS":"1212"}]' | Required

Output


Release Notes

  • v3.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.