About the connector
Micro Focus ArcSight Logger delivers a cost-effective universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data. This unified machine data can be used for compliance, regulations, security, IT operations, and log analytics.
This document provides information about the Micro Focus ArcSight Logger connector, which facilitates automated interactions, with a Micro Focus ArcSight Logger server using FortiSOAR™ playbooks. Add the Micro Focus ArcSight Logger connector as a step in FortiSOAR™ playbooks and perform automated operations, such as searching for events, stopping a search session, and releasing a search session.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-micro-focus-arcsight-logger
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the URL of Micro Focus ArcSight Logger server to which you will connect and perform automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Micro Focus ArcSight Logger connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
IP Address or Hostname URL of the ArcSight Logger server to which you will connect and perform automated operations. |
| Port |
Port number used to access the ArcSight Logger server to which you will connect and perform automated operations. |
| Username |
Username to access the ArcSight Logger server to which you will connect and perform automated operations. |
| Password |
Password to access the ArcSight Logger server to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Search Events |
Starts a new search for events on ArcSight Logger. This operation waits until the search query is complete and returns the events from ArcSight Logger based on input parameters you have specified. |
search_events
Investigation |
| Start Search |
Starts a new search on ArcSight Logger based on input parameters you have specified. |
start_search
Investigation |
| Get Search Status |
Checks and retrieves the current status of a search from ArcSight Logger based on the search session ID and user session ID you have specified. |
get_status
Investigation |
| Get Histogram |
Returns data from ArcSight Logger that you can use to display a histogram (a column chart with no gap between columns) of the event distribution over time of an already searched time range. Data is returned from ArcSight Logger based on the search session ID and user session ID you have specified. |
get_histogram
Investigation |
| Get Search Result |
Returns the list of events found in a specific search in ArcSight Logger based on the search session ID and user session ID you have specified. |
get_events
Investigation |
| Get Raw Events |
Returns the raw events from ArcSight Logger for the specific row IDs based on the search session ID, user session ID, and row ID you have specified. |
get_raw_events
Investigation |
| Get Events from Time Range |
Returns search results specific to a particular time range from ArcSight Logger based on the search session ID, user session ID, and time range you have specified. |
search_events
Investigation |
| Stop Search |
Stops a specific search operation on ArcSight Logger but keeps the search session so that you can narrow down the search results at a later time. The search operation is stopped on ArcSight Logger based on the search session ID and user session ID you have specified. |
stop_search
Investigation |
| Release Search Session |
Stops the execution of a specific search operation on ArcSight Logger and clears the search session data from the server. The search operation is released from ArcSight Logger based on the search session ID and user session ID you have specified. |
close_session
Investigation |
operation: Search Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Query |
Query string based on which you want to filter/process the events on ArcSight Logger. |
| Start Time |
Start date and time from when you want to search for events on ArcSight Logger.
Note: If you specify the start date and time, you must specify the end date and time. |
| End Time |
End date and time till when you want to search for events on ArcSight Logger.
Note: If you specify the end date and time, you must specify the start date and time. |
| Field Summary |
Select True in this field if you want to include the summary of fields in the search result retrieved from ArcSight Logger. By default, this is set to False.
If you select True from the Field Summary drop-down list, then you must specify the following parameters:
- Summary Fields: Comma-separated list of fields that is used to calculate summary.
- Discover Fields: Select this checkbox, i.e., set it to True, so that the search operation tries to discover fields in the events that are found in the search operation. By default, this is set to False.
|
| Local Search |
Specifies whether the search is local or not. By default, this is set as True, which indicates that the search is local only, and does not include peers. If you want to include peers in the search, then clear this checkbox, i.e., set this parameter to False, |
| Timeout |
Number of milliseconds for which you want to keep the search after its processing has stopped.
By default, the timeout value is set to 2 minutes, i.e., 120000 milliseconds. Increase the timeout value to keep the search for a longer time. |
| Sort Direction |
Sorts the results retrieved from ArcSight Logger based on event time. You can choose between Forward or Backward. By default, sort direction is set as Forward. |
| Fields in Order to Show |
Comma-separated list of fields in the order that you want to retrieve from ArcSight Logger. If you do not specify the fields, then all the fields will be considered. |
| Number of Events to Retrieve |
Number of events to retrieve from ArcSight Logger. Maximum number of events that can be retrieved from ArcSight Logger is 10000. |
| Offset |
Index of the first item that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"deviceCustomString6Label": "",
"deviceAddress": "",
"Logger": "",
"baseEventCount": "",
"fileType": "",
"deviceCustomString6": "",
"deviceCustomNumber2Label": "",
"endTime": "",
"Version": "",
"deviceReceiptTime": "",
"deviceEventCategory": "",
"deviceCustomString1": "",
"fileName": "",
"deviceCustomString3": "",
"deviceCustomString3Label": "",
"deviceCustomString2": "",
"Device": "",
"deviceEventClassId": "",
"_rowId": "",
"deviceCustomNumber1Label": "",
"fsize": "",
"destinationAddress": "",
"deviceCustomNumber3": "",
"Receipt Time": "",
"Event Time": "",
"deviceVersion": "",
"name": "",
"deviceCustomString1Label": "",
"deviceCustomNumber1": "",
"deviceProduct": "",
"deviceCustomNumber3Label": "",
"deviceVendor": "",
"agentSeverity": "",
"deviceCustomString2Label": "",
"deviceCustomNumber2": "",
"startTime": ""
}
]
}
operation: Start Search
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Query |
Query string based on which you want to filter/process items on ArcSight Logger. |
| Start Time |
Start date and time from when you want to start the search on ArcSight Logger.
Note: If you specify the start date and time, you must specify the end date and time. |
| End Time |
End date and time till when you want to end the search on ArcSight Logger.
Note: If you specify the end date and time, you must specify the start date and time. |
| Field Summary |
Select True in this field if you want to include the summary of fields in the search result retrieved from ArcSight Logger. By default, this is set to False.
If you select True from the Field Summary drop-down list, then you must specify the following parameters:
- Summary Fields: Comma-separated list of fields that is used to calculate summary.
- Discover Fields: Select this checkbox, i.e., set it to True, so that the search operation tries to discover fields in the events that are found in the search operation. By default, this is set to False.
|
| Local Search |
Specifies whether the search is local or not. By default, this is set as True, which indicates that the search is local only, and does not include peers. If you want to include peers in the search, then clear this checkbox, i.e., set this parameter to False. |
| Timeout |
Number of milliseconds for which you want to keep the search after its processing has stopped.
By default, the timeout value is set to 2 minutes, i.e., 120000 milliseconds. Increase the timeout value to keep the search for a longer time. |
Output
The output contains the following populated JSON schema:
{
"sessionId": "",
"search_session_id": "",
"user_session_id": ""
}
operation: Get Search Status
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search whose status you want to retrieve from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search whose status you want to retrieve from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Output
The output contains the following populated JSON schema:
{
"scanned": "",
"hit": "",
"status": "",
"elapsed": "",
"message": [],
"result_type": ""
}
operation: Get Histogram
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search whose histogram you want to retrieve from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search whose histogram you want to retrieve from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Output
The output contains the following populated JSON schema:
{
"start_bucket_time": "",
"bucket_count": "",
"hits": [],
"bucket_width": ""
}
operation: Get Search Result
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search whose results you want to retrieve from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search whose results you want to retrieve from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
| Sort Direction |
(Optional) Sorts the results retrieved from ArcSight Logger based on event time. You can choose between Forward or Backward. By default, sort direction is set as Forward. |
| Fields in Order to Show |
(Optional) Comma-separated list of fields in the order that you want to retrieve from ArcSight Logger. If you do not specify the fields, then all the fields will be considered. |
| Number of Events to Retrieve |
(Optional) Number of events to retrieve from ArcSight Logger. Maximum number of events that can be retrieved from ArcSight Logger is 10000. |
| Offset |
(Optional) Index of the first item that this operation should return. |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"deviceCustomString6Label": "",
"deviceAddress": "",
"Logger": "",
"baseEventCount": "",
"fileType": "",
"deviceCustomString6": "",
"deviceCustomNumber2Label": "",
"endTime": "",
"Version": "",
"deviceReceiptTime": "",
"deviceEventCategory": "",
"deviceCustomString1": "",
"fileName": "",
"deviceCustomString3": "",
"deviceCustomString3Label": "",
"deviceCustomString2": "",
"Device": "",
"deviceEventClassId": "",
"_rowId": "",
"deviceCustomNumber1Label": "",
"fsize": "",
"destinationAddress": "",
"deviceCustomNumber3": "",
"Receipt Time": "",
"Event Time": "",
"deviceVersion": "",
"name": "",
"deviceCustomString1Label": "",
"deviceCustomNumber1": "",
"deviceProduct": "",
"deviceCustomNumber3Label": "",
"deviceVendor": "",
"agentSeverity": "",
"deviceCustomString2Label": "",
"deviceCustomNumber2": "",
"startTime": ""
}
]
}
operation: Get Raw Events
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search whose raw events you want to retrieve from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search whose raw events you want to retrieve from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
| Row IDs |
List of rows IDs based on which you want to retrieve the raw events for the search results from ArcSight Logger. |
Output
The output contains the following populated JSON schema:
{
"result": []
}
operation: Get Events from Time Range
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search whose events you want to retrieve from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search whose raw events you want to retrieve from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
| Start Time |
Start date and time from when you want to search for events on ArcSight Logger.
Note: If you specify the start date and time, you must specify the end date and time. |
| End Time |
End date and time till when you want to end the search on ArcSight Logger.
Note: If you specify the end date and time, you must specify the start date and time. |
Output
The output contains the following populated JSON schema:
{
"results": [
{
"deviceCustomString6Label": "",
"deviceAddress": "",
"Logger": "",
"baseEventCount": "",
"fileType": "",
"deviceCustomString6": "",
"deviceCustomNumber2Label": "",
"endTime": "",
"Version": "",
"deviceReceiptTime": "",
"deviceEventCategory": "",
"deviceCustomString1": "",
"fileName": "",
"deviceCustomString3": "",
"deviceCustomString3Label": "",
"deviceCustomString2": "",
"Device": "",
"deviceEventClassId": "",
"_rowId": "",
"deviceCustomNumber1Label": "",
"fsize": "",
"destinationAddress": "",
"deviceCustomNumber3": "",
"Receipt Time": "",
"Event Time": "",
"deviceVersion": "",
"name": "",
"deviceCustomString1Label": "",
"deviceCustomNumber1": "",
"deviceProduct": "",
"deviceCustomNumber3Label": "",
"deviceVendor": "",
"agentSeverity": "",
"deviceCustomString2Label": "",
"deviceCustomNumber2": "",
"startTime": ""
}
]
}
operation: Stop Search
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search that you want to stop on ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search that you want to stop on ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Output
The output contains the following populated JSON schema:
{
"result": ""
}
operation: Release Search Session
Input parameters
| Parameter |
Description |
| Search Session ID |
Session ID of the search that you want to release from ArcSight Logger.
The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
| User Session ID |
User Session ID of the search that you want to release from ArcSight Logger.
The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Output
The output contains the following populated JSON schema:
{
"result": ""
}
Included playbooks
The Sample - Micro Focus ArcSight Logger - 1.0.0 playbook collection comes bundled with the Micro Focus ArcSight Logger connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight Logger connector.
- Get Events from Time Range
- Get Histogram
- Get Raw Events
- Get Search Result
- Get Search Status
- Release Search Session
- Search Events
- Start Search
- Stop Search
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
