ArcSight ESM

ArcSight Enterprise Security Manager sits centrally within an organization, collecting and analyzing events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements.

Integration with LogicHub

Connecting with ArcSight

To connect to ArcSight, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • ArcSight ESM Server Name or Host IP: Example: 192.168.1.1 or myarcsightesm.example.com
  • Username: Username for connecting to ArcSight
  • Password: Password for connecting to ArcSight
  • ESM Server Port: Specify the port on which the ArcSight server is listening. Generally, it is 8443.

Actions with ArcSight

Get Security Events

Get all security events of a particular security ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Event ID Column Name: Column from parent table containing one or more event IDs (JSON list or separated by commas).
  • Auto Fetch Base Events: If an event is a correlation event, automatically fetch its base events (default: False).
  • Explode Results: If multiple results are found, return as individual rows (default: False).
  • Drop Fields with NULL Values: If a field is returned with a null value, exclude it from result output (default: False).
  • Reformat Events with CEF Field Names: Rewrite the event JSON to flatten the output and use proper CEF field names instead of many sets of nested fields (default: False).
  • START DATE (Optional): Column from parent table containing a date and time for the query Start Date (Example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited).
  • END DATE (Optional): Column from parent table containing a date and time for the query End Date (Example: 2017-05-22T10:00:00 or 1495447200000). Default: -1 (unlimited).
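The inputs above accept several shapes: the event ID column may hold a JSON list or a comma-separated string, and the date columns may hold an ISO-8601 timestamp, an epoch in milliseconds, or -1 for unlimited. The following added example (not LogicHub's or ArcSight's code) shows how a parent-table cell can be normalised into a list of event IDs and a validated epoch-millisecond window before the action is called; naive ISO timestamps are assumed to be UTC, which matches the page's own pair of example values.

```python
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UNLIMITED = -1  # the documented default for START DATE / END DATE


def parse_event_ids(cell: Optional[str]) -> List[str]:
    """Parse an 'Event ID Column Name' cell: a JSON list or a comma-separated string.

    Accepts '["1", "2"]', '[1, 2]' or '1, 2'; blank entries are dropped.
    """
    text = (cell or "").strip()
    if not text:
        return []
    if text.startswith("["):
        try:
            values = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"event ID cell is not valid JSON: {exc}") from exc
        if not isinstance(values, list):
            raise ValueError("event ID JSON must be a list")
        return [str(v).strip() for v in values if str(v).strip()]
    return [part.strip() for part in text.split(",") if part.strip()]


def to_epoch_millis(value) -> int:
    """Normalise a START/END DATE cell to epoch milliseconds, or UNLIMITED for -1 or blank.

    Accepts an ISO-8601 string (naive values are assumed UTC) or an epoch in milliseconds.
    """
    text = "" if value is None else str(value).strip()
    if text in ("", "-1"):
        return UNLIMITED
    if text.isdigit():  # already epoch milliseconds
        return int(text)
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return int(dt.timestamp() * 1000)


def query_window(start, end) -> Tuple[int, int]:
    """Return (start_ms, end_ms), rejecting a window whose start is after its end."""
    start_ms, end_ms = to_epoch_millis(start), to_epoch_millis(end)
    if UNLIMITED not in (start_ms, end_ms) and start_ms > end_ms:
        raise ValueError("START DATE must not be later than END DATE")
    return start_ms, end_ms
```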

Output of Action

Get All Cases

Get the list of all updated cases.

Inputs to this Action

  • Connection: Choose a connection that you have created.

Output of Action
It returns a list of case IDs in JSON format.

Get Case Details

Get the details of one particular case.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • COLUMN NAME: Column name from the parent table to look up the value for the case resource ID.

Output of Action
It returns details of a case.

Get All Query Viewers

Returns all the query viewer IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.

Output of Action
It returns the IDs of all query viewers.

Get Query Viewer Results

Get the query viewer results of a particular ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • COLUMN NAME: Column name from parent table that contains query viewer ID.

Output of Action

Get Case Events

Get all case events of a particular case ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Resource ID Column Name: Column name from the parent table to look up the value for the case resource ID.

Output of Action
It returns events of a case.

Delete Case

Delete a particular case by case ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Resource ID Column Name: Column name from the parent table to look up the value for the case resource ID.

Output of Action

Get All Active Lists

Get the list of all active list resource IDs.

Inputs to this Action

  • Connection: Choose a connection that you have created.

Output of Action

Get Entries from Active List

Get all entries of a particular resource ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Resource ID Column Name: Column name from parent table that contains resource ID.

Output of Action

Add Entries to Active List

Add all entries to a particular resource.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • RESOURCE ID Column Name: Column name from parent table that contains the resource ID.
  • ENTRIES COLUMN LIST: Column name from parent table to look up the value for all new entries. Example of a row in the parent table: '[{"ConnectorName":"A0830","AverageEPS":"1212"}]'

Output of Action
