ArcSight ESM

Version: 2.0.8

ArcSight Enterprise Security Manager sits centrally within an organization, collecting and analyzing events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements.

Connect ArcSight with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for ArcSight.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • ArcSight ESM Server Name or Host IP: Example: 192.168.1.1 or myarcsightesm.example.com.
    • ESM Server Port: Specify the port on which the ArcSight server is listening. Generally, it is 8443.
    • Username: Username for connecting to ArcSight
    • Password: Password for connecting to ArcSight
  4. After you've entered all the details, click Connect.

Actions for ArcSight

Get Security Events

Get all security events of a particular security ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Event ID Column Name

Column from parent table containing one or more event IDs (JSON list or separated by commas).

Required

Auto Fetch Base Events

If an event is a correlation event, Automatically fetch its base events (default: False).

Required

Explode Results

If multiple results are found, return as individual rows (default: False).

Required

Drop Fields with NULL Values

If a field is returned with a null value, exclude it from result output (default: False).

Required

Reformat Events with CEF Field Names

Rewrite event json to flatten the output and use proper CEF field names instead of having many sets of nested fields (default: False).

Required

Start Date

Column from parent table containing a date and time for the query Start Date. (Example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited).

Optional

End Date

Column from parent table containing a date and time for the query End Date. (Example: 2017-05-22T10:00:00 or 1495447200000) Default: -1 (unlimited).

Optional

Output

Get All Cases

Get the list of all updated cases.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object returning a list of case IDs in JSON format.

Get Case Details

Get the details of one particular case.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Column name

Column name from the parent table to lookup value for case resource ID.

Required

Output

A JSON object returning details of a case.

Get All Query Viewers

Returns all the query viewer IDs.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object returning the IDs of all query viewers.

Get Query Viewer Results

Get the query viewer results of a particular ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Column name

Column name from parent table that contains query viewer ID.

Required

Output

Get Case Events

Get all case events of a particular case ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Resource ID Column Name

Column name from the parent table to lookup value for case resource ID.

Required

Output

A JSON object returning events of a case.

Delete Case

Delete a particular case by case ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Resource ID Column Name

Column name from the parent table to lookup value for case resource ID.

Required

Output of Action**

Get All Active Lists

Get the list of all active list resource IDs.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

Get Entries from Active List

Get all entries of a particular resource ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Resource ID Column Name

Column name from parent table that contains resource ID.

Required

Output

Add Entries to Active List

Add all entries to a particular resource.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

RESOURCE ID Column Name

Column name from parent table that contains resource ID.

Required

Entries Column list

Column name from parent table to lookup value for all new entries. Example: sample row in the parent table '[{"ConnectorName":"A0830","AverageEPS":"1212"}]'

Required

Output


Did this page help you?