Micro Focus ArcSight Logger delivers a cost-effective universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data. This unified machine data can be used for compliance, regulations, security, IT operations, and log analytics.
This document provides information about the Micro Focus ArcSight Logger connector, which facilitates automated interactions with a Micro Focus ArcSight Logger server using FortiSOAR™ playbooks. Add the Micro Focus ArcSight Logger connector as a step in FortiSOAR™ playbooks and perform automated operations, such as searching for events, stopping a search session, and releasing a search session.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.1-253
Authored By: Fortinet
Certified: Yes
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

```shell
yum install cyops-connector-micro-focus-arcsight-logger
```
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Micro Focus ArcSight Logger connector row, and in the Configure tab enter the required configuration details.
Parameter | Description |
---|---|
Server URL | IP Address or Hostname URL of the ArcSight Logger server to which you will connect and perform automated operations. |
Port | Port number used to access the ArcSight Logger server to which you will connect and perform automated operations. |
Username | Username to access the ArcSight Logger server to which you will connect and perform automated operations. |
Password | Password to access the ArcSight Logger server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Search Events | Starts a new search for events on ArcSight Logger. This operation waits until the search query is complete and returns the events from ArcSight Logger based on input parameters you have specified. | search_events Investigation |
Start Search | Starts a new search on ArcSight Logger based on input parameters you have specified. | start_search Investigation |
Get Search Status | Checks and retrieves the current status of a search from ArcSight Logger based on the search session ID and user session ID you have specified. | get_status Investigation |
Get Histogram | Returns data from ArcSight Logger that you can use to display a histogram (a column chart with no gap between columns) of the event distribution over time of an already searched time range. Data is returned from ArcSight Logger based on the search session ID and user session ID you have specified. | get_histogram Investigation |
Get Search Result | Returns the list of events found in a specific search in ArcSight Logger based on the search session ID and user session ID you have specified. | get_events Investigation |
Get Raw Events | Returns the raw events from ArcSight Logger for the specific row IDs based on the search session ID, user session ID, and row ID you have specified. | get_raw_events Investigation |
Get Events from Time Range | Returns search results specific to a particular time range from ArcSight Logger based on the search session ID, user session ID, and time range you have specified. | search_events Investigation |
Stop Search | Stops a specific search operation on ArcSight Logger but keeps the search session so that you can narrow down the search results at a later time. The search operation is stopped on ArcSight Logger based on the search session ID and user session ID you have specified. | stop_search Investigation |
Release Search Session | Stops the execution of a specific search operation on ArcSight Logger and clears the search session data from the server. The search operation is released from ArcSight Logger based on the search session ID and user session ID you have specified. | close_session Investigation |
Input parameters for the Search Events operation. Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Query | Query string based on which you want to filter/process the events on ArcSight Logger. |
Start Time | Start date and time from when you want to search for events on ArcSight Logger. Note: If you specify the start date and time, you must specify the end date and time. |
End Time | End date and time until which you want to search for events on ArcSight Logger. Note: If you specify the end date and time, you must specify the start date and time. |
Field Summary | Select True in this field if you want to include the summary of fields in the search result retrieved from ArcSight Logger. By default, this is set to False. If you select True from the Field Summary drop-down list, then you must specify the following parameters: |
Local Search | Specifies whether the search is local or not. By default, this is set as True, which indicates that the search is local only, and does not include peers. If you want to include peers in the search, then clear this checkbox, i.e., set this parameter to False. |
Timeout | Number of milliseconds for which you want to keep the search after its processing has stopped. By default, the timeout value is set to 2 minutes, i.e., 120000 milliseconds. Increase the timeout value to keep the search for a longer time. |
Sort Direction | Sorts the results retrieved from ArcSight Logger based on event time. You can choose between Forward or Backward. By default, sort direction is set as Forward. |
Fields in Order to Show | Comma-separated list of fields in the order that you want to retrieve from ArcSight Logger. If you do not specify the fields, then all the fields will be considered. |
Number of Events to Retrieve | Number of events to retrieve from ArcSight Logger. The maximum number of events that can be retrieved from ArcSight Logger in one call is 10000. |
Offset | Index of the first item that this operation should return. |
The output contains the following populated JSON schema:

```json
{
  "results": [
    {
      "deviceCustomString6Label": "",
      "deviceAddress": "",
      "Logger": "",
      "baseEventCount": "",
      "fileType": "",
      "deviceCustomString6": "",
      "deviceCustomNumber2Label": "",
      "endTime": "",
      "Version": "",
      "deviceReceiptTime": "",
      "deviceEventCategory": "",
      "deviceCustomString1": "",
      "fileName": "",
      "deviceCustomString3": "",
      "deviceCustomString3Label": "",
      "deviceCustomString2": "",
      "Device": "",
      "deviceEventClassId": "",
      "_rowId": "",
      "deviceCustomNumber1Label": "",
      "fsize": "",
      "destinationAddress": "",
      "deviceCustomNumber3": "",
      "Receipt Time": "",
      "Event Time": "",
      "deviceVersion": "",
      "name": "",
      "deviceCustomString1Label": "",
      "deviceCustomNumber1": "",
      "deviceProduct": "",
      "deviceCustomNumber3Label": "",
      "deviceVendor": "",
      "agentSeverity": "",
      "deviceCustomString2Label": "",
      "deviceCustomNumber2": "",
      "startTime": ""
    }
  ]
}
```
Input parameters for the Start Search operation. Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Query | Query string based on which you want to filter/process items on ArcSight Logger. |
Start Time | Start date and time from when you want to start the search on ArcSight Logger. Note: If you specify the start date and time, you must specify the end date and time. |
End Time | End date and time until which you want the search on ArcSight Logger to run. Note: If you specify the end date and time, you must specify the start date and time. |
Field Summary | Select True in this field if you want to include the summary of fields in the search result retrieved from ArcSight Logger. By default, this is set to False. If you select True from the Field Summary drop-down list, then you must specify the following parameters: |
Local Search | Specifies whether the search is local or not. By default, this is set as True, which indicates that the search is local only, and does not include peers. If you want to include peers in the search, then clear this checkbox, i.e., set this parameter to False. |
Timeout | Number of milliseconds for which you want to keep the search after its processing has stopped. By default, the timeout value is set to 2 minutes, i.e., 120000 milliseconds. Increase the timeout value to keep the search for a longer time. |
The output contains the following populated JSON schema:

```json
{
  "sessionId": "",
  "search_session_id": "",
  "user_session_id": ""
}
```
Input parameters for the Get Search Status operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search whose status you want to retrieve from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search whose status you want to retrieve from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
The output contains the following populated JSON schema:

```json
{
  "scanned": "",
  "hit": "",
  "status": "",
  "elapsed": "",
  "message": [],
  "result_type": ""
}
```
Input parameters for the Get Histogram operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search whose histogram you want to retrieve from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search whose histogram you want to retrieve from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
The output contains the following populated JSON schema:

```json
{
  "start_bucket_time": "",
  "bucket_count": "",
  "hits": [],
  "bucket_width": ""
}
```
Input parameters for the Get Search Result operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search whose results you want to retrieve from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search whose results you want to retrieve from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Sort Direction | (Optional) Sorts the results retrieved from ArcSight Logger based on event time. You can choose between Forward or Backward. By default, sort direction is set as Forward. |
Fields in Order to Show | (Optional) Comma-separated list of fields in the order that you want to retrieve from ArcSight Logger. If you do not specify the fields, then all the fields will be considered. |
Number of Events to Retrieve | (Optional) Number of events to retrieve from ArcSight Logger. Maximum number of events that can be retrieved from ArcSight Logger is 10000. |
Offset | (Optional) Index of the first item that this operation should return. |
The output contains the following populated JSON schema:

```json
{
  "results": [
    {
      "deviceCustomString6Label": "",
      "deviceAddress": "",
      "Logger": "",
      "baseEventCount": "",
      "fileType": "",
      "deviceCustomString6": "",
      "deviceCustomNumber2Label": "",
      "endTime": "",
      "Version": "",
      "deviceReceiptTime": "",
      "deviceEventCategory": "",
      "deviceCustomString1": "",
      "fileName": "",
      "deviceCustomString3": "",
      "deviceCustomString3Label": "",
      "deviceCustomString2": "",
      "Device": "",
      "deviceEventClassId": "",
      "_rowId": "",
      "deviceCustomNumber1Label": "",
      "fsize": "",
      "destinationAddress": "",
      "deviceCustomNumber3": "",
      "Receipt Time": "",
      "Event Time": "",
      "deviceVersion": "",
      "name": "",
      "deviceCustomString1Label": "",
      "deviceCustomNumber1": "",
      "deviceProduct": "",
      "deviceCustomNumber3Label": "",
      "deviceVendor": "",
      "agentSeverity": "",
      "deviceCustomString2Label": "",
      "deviceCustomNumber2": "",
      "startTime": ""
    }
  ]
}
```
Input parameters for the Get Raw Events operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search whose raw events you want to retrieve from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search whose raw events you want to retrieve from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Row IDs | List of row IDs based on which you want to retrieve the raw events for the search results from ArcSight Logger. |
The output contains the following populated JSON schema:

```json
{
  "result": []
}
```
Input parameters for the Get Events from Time Range operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search whose events you want to retrieve from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search whose events you want to retrieve from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
Start Time | Start date and time from when you want to search for events on ArcSight Logger. Note: If you specify the start date and time, you must specify the end date and time. |
End Time | End date and time until which you want to search for events on ArcSight Logger. Note: If you specify the end date and time, you must specify the start date and time. |
The output contains the following populated JSON schema:

```json
{
  "results": [
    {
      "deviceCustomString6Label": "",
      "deviceAddress": "",
      "Logger": "",
      "baseEventCount": "",
      "fileType": "",
      "deviceCustomString6": "",
      "deviceCustomNumber2Label": "",
      "endTime": "",
      "Version": "",
      "deviceReceiptTime": "",
      "deviceEventCategory": "",
      "deviceCustomString1": "",
      "fileName": "",
      "deviceCustomString3": "",
      "deviceCustomString3Label": "",
      "deviceCustomString2": "",
      "Device": "",
      "deviceEventClassId": "",
      "_rowId": "",
      "deviceCustomNumber1Label": "",
      "fsize": "",
      "destinationAddress": "",
      "deviceCustomNumber3": "",
      "Receipt Time": "",
      "Event Time": "",
      "deviceVersion": "",
      "name": "",
      "deviceCustomString1Label": "",
      "deviceCustomNumber1": "",
      "deviceProduct": "",
      "deviceCustomNumber3Label": "",
      "deviceVendor": "",
      "agentSeverity": "",
      "deviceCustomString2Label": "",
      "deviceCustomNumber2": "",
      "startTime": ""
    }
  ]
}
```
Input parameters for the Stop Search operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search that you want to stop on ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search that you want to stop on ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
The output contains the following populated JSON schema:

```json
{
  "result": ""
}
```
Input parameters for the Release Search Session operation:
Parameter | Description |
---|---|
Search Session ID | Session ID of the search that you want to release from ArcSight Logger. The search session ID is generated when a new search was called. The Search Session ID is returned by the Start Search operation. |
User Session ID | User Session ID of the search that you want to release from ArcSight Logger. The user session ID is generated when a new search was called. The User Session ID is returned by the Start Search operation. |
The output contains the following populated JSON schema:

```json
{
  "result": ""
}
```
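The operation tables above describe one session lifecycle: Start Search returns a search session ID and a user session ID, Get Search Status is polled until the search completes, Get Search Result is paged with Offset within the 10000-event limit, and Release Search Session clears the session from the server. The following added example (not part of the connector or this page) drives that lifecycle in Python through an `execute(operation, params)` callable that stands in for a FortiSOAR playbook step invoking an operation by its annotation, with a constructed offline fake in place of the Logger; the parameter key names, the status values "complete" and "error", and the fake's responses are assumptions.

```python
# Added example, not the connector's own code. `execute(operation, params)` stands in
# for a FortiSOAR playbook step that runs one connector operation by its annotation.
# ASSUMPTIONS: the parameter key names and the status values "complete" / "error".
import time

MAX_EVENTS_PER_CALL = 10000   # documented Logger limit per retrieval
DEFAULT_TIMEOUT_MS = 120000   # connector default: keep the search for 2 minutes
DONE_STATUSES = {"complete"}  # ASSUMPTION: value of "status" once the search finishes
FAILED_STATUSES = {"error"}   # ASSUMPTION: value of "status" when the search fails


class SearchError(RuntimeError):
    """Search failed or did not finish within the poll budget."""


def build_search_params(query, start_time=None, end_time=None, local_search=True,
                        timeout_ms=DEFAULT_TIMEOUT_MS, field_summary=False):
    """Validate Start Search inputs as the parameter table requires:
    Start Time and End Time must be given together or not at all."""
    if (start_time is None) != (end_time is None):
        raise ValueError("Start Time and End Time must be specified together")
    params = {"query": query, "local_search": local_search,
              "timeout": timeout_ms, "field_summary": field_summary}
    if start_time is not None:
        params.update(start_time=start_time, end_time=end_time)
    return params


def wait_for_search(execute, session, poll_interval=0.0, max_polls=100):
    """Poll Get Search Status until the search finishes. The poll count is
    bounded so a search that never completes cannot hang the playbook."""
    for _ in range(max_polls):
        status = execute("get_status", dict(session))
        if status["status"] in DONE_STATUSES:
            return status
        if status["status"] in FAILED_STATUSES:
            raise SearchError("search failed: %s" % status.get("message"))
        time.sleep(poll_interval)
    raise SearchError("search did not finish after %d polls" % max_polls)


def fetch_all_events(execute, session, page_size=MAX_EVENTS_PER_CALL, fields=None):
    """Page through Get Search Result with Offset, never requesting more than
    the documented maximum of 10000 events in a single call."""
    page_size = max(1, min(page_size, MAX_EVENTS_PER_CALL))
    events, offset = [], 0
    while True:
        params = dict(session, sort_direction="Forward", length=page_size, offset=offset)
        if fields:
            params["fields"] = ",".join(fields)
        batch = execute("get_events", params)["results"]
        events.extend(batch)
        if len(batch) < page_size:   # short page: nothing left on the server
            return events
        offset += len(batch)


def run_search(execute, query, page_size=MAX_EVENTS_PER_CALL, fields=None, **search_kwargs):
    """Start Search -> poll Get Search Status -> collect all events ->
    Release Search Session. The release runs even when the search fails,
    so no session data is left behind on the Logger."""
    started = execute("start_search", build_search_params(query, **search_kwargs))
    session = {"search_session_id": started["search_session_id"],
               "user_session_id": started["user_session_id"]}
    try:
        status = wait_for_search(execute, session)
        return {"hit": status["hit"],
                "events": fetch_all_events(execute, session, page_size, fields)}
    finally:
        execute("close_session", session)


class FakeLoggerConnector:
    """Constructed stand-in for the connector: tracks open sessions so a test
    can confirm every search is released, and mimics the output schemas."""

    def __init__(self, events, polls_until_complete=2, fail=False):
        self.events, self.polls_left, self.fail = events, polls_until_complete, fail
        self.open_sessions, self.calls = set(), []

    def __call__(self, operation, params):
        self.calls.append(operation)
        if operation == "start_search":
            sid = "search-%d" % len(self.calls)
            self.open_sessions.add(sid)
            return {"sessionId": sid, "search_session_id": sid, "user_session_id": "user-1"}
        sid = params["search_session_id"]
        if sid not in self.open_sessions:
            raise SearchError("unknown or released session %s" % sid)
        if operation == "get_status":
            self.polls_left -= 1
            state = "error" if self.fail else ("complete" if self.polls_left <= 0 else "running")
            return {"scanned": len(self.events), "hit": len(self.events), "status": state,
                    "elapsed": 0, "message": ["constructed failure"] if self.fail else [],
                    "result_type": ""}
        if operation == "get_events":
            start = params["offset"]
            return {"results": self.events[start:start + params["length"]]}
        if operation == "close_session":
            self.open_sessions.discard(sid)
            return {"result": "released"}
        raise ValueError("unsupported operation %s" % operation)
```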
The Sample - Micro Focus ArcSight Logger - 1.0.0 playbook collection comes bundled with the Micro Focus ArcSight Logger connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight Logger connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.