ArcSight Enterprise Security Manager (ESM) is a threat detection, analysis, triage, and compliance management SIEM platform.
This document provides information about the Micro Focus ArcSight ESM connector, which facilitates automated interactions with an ArcSight ESM server using FortiSOAR™ playbooks. Add the Micro Focus ArcSight ESM connector as a step in FortiSOAR™ playbooks and perform automated operations, such as annotating events, running a report based on a report ID, and uploading an ArcSight report file as an attachment in FortiSOAR™.
You can configure ArcSight ESM and FortiSOAR™ so that FortiSOAR™ ingests correlated events from ArcSight ESM and converts them into alerts in FortiSOAR™. For more information, see the ArcSight ESM and FortiSOAR™ integration section. If you are using sample data ingestion playbooks that belong to a version earlier than 3.1.1 and you want to address the data loss issue, then follow the steps mentioned in the Data Ingestion Playbooks - Solving the Data Loss Issue section.
Connector Version: 3.1.1
FortiSOAR™ Version Tested on: 6.4.3-2885
Micro Focus ArcSight ESM Version Tested on: 7.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Micro Focus ArcSight ESM connector in version 3.1.1:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-arcsight
Important: Upgrading the connector from 2.x to 3.x is not backward compatible, because explicit changes are needed in the existing playbooks to delete the 'Active List Entries' after alerts are created in FortiSOAR™.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Micro Focus ArcSight connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | IP Address or FQDN of the ArcSight ESM server to which you will connect and perform automated operations. |
| ESM Port | REST API port of the ArcSight ESM server. Defaults to 8443. |
| Username | Username to access the ArcSight ESM server. |
| Password | Password to access the ArcSight ESM server. |
| Active List ID | Resource ID of the Active List for which you want to retrieve events from ArcSight ESM. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
| Enable Pull ArcSight Events Service (Deprecated) | Note: 'Enable Pull ArcSight Events Service' is an earlier supported way to read entries from the Active List. It has been deprecated since connector version 3.1.1 and will continue to be available only until the next major release. It is recommended that you use schedule-based ingestion through the Data Ingestion Wizard to pull ArcSight events at the interval you have specified. If you select this option, then ArcSight events are pulled at the poll interval you have specified, and you must specify the following parameters: Important: To run the Enable Pull ArcSight Events Service, you can import the FortiSOAR_ArcSight.arb in ArcSight. The steps to import the FortiSOAR_ArcSight.arb in ArcSight are described in the "Importing the FortiSOAR_ArcSight.arb package in ArcSight" section. Also, ensure that the playbook whose trigger you have specified in the Playbook Trigger parameter is in the Active state. This ensures seamless event reading from ArcSight ESM. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Annotate Event | Updates an ArcSight Event Stage, assigns it to a user, and adds a comment. | annotate_event Investigation |
| Annotate Event By Stage ID | Updates an ArcSight Event Stage, assigns it to a user, and adds a comment based on resource ID of the stage, event ID, and other input parameters you have specified. | annotate_event_by_stage_id Investigation |
| Get Event Details | Retrieves information for events from the ArcSight ESM server, based on event IDs and other input parameters you have specified. | get_event_info Investigation |
| Run Report with Default Parameters | Runs a report based on an ID or URI and default inputs on the ArcSight ESM server. | run_report Investigation |
| Run Report | Runs a report based on an ID and custom user inputs on the ArcSight ESM server. | run_report Investigation |
| Delete Report | Deletes an archived report from the ArcSight ESM server, based on the Resource ID you have specified. | delete_report Remediation |
| Create Case | Creates a case in ArcSight ESM, based on the input parameters you have specified. | create_case Investigation |
| Update Case | Updates an existing case in ArcSight ESM, based on the input parameters you have specified. | update_case_info Investigation |
| Get Case Information | Retrieves information about a case from ArcSight ESM, based on the case ID you have specified. | get_case_info Investigation |
| Add Events to Case | Adds the specified events to an existing case in ArcSight ESM, based on the case ID you have specified. | add_events Investigation |
| Delete Case Events | Deletes the specified events from an existing case from ArcSight ESM, based on the case ID you have specified. | delete_events Remediation |
| Search Query | Searches ArcSight ESM records based on the query you have specified. | search_query Investigation |
| Download Report | Downloads a report based on an ID from ArcSight ESM and then uploads that report as an attachment in the Attachment Module. | upload_report Investigation |
| Get Active List Information | Retrieves information about an active list from ArcSight ESM, based on the Active List ID you have specified. | get_active_list_info Investigation |
| Update Active List | Adds new items to a specified active list on ArcSight ESM, based on the Active List ID and other input parameters you have specified. | update_active_list Investigation |
| Get Active List Entries | Retrieves entries for a specified active list, based on the Active List ID you have specified. | get_active_list_entries Investigation |
| Clear Active List Entries | Clears entries for a specified active list, based on the Active List ID you have specified. | clear_active_list_entries Remediation |
| Delete Active List Entries | Deletes entries from a specified active list in ArcSight ESM, based on the Active List ID and other input parameters you have specified. | delete_active_list_entries Investigation |
| Get Fields | Retrieves details of all fields from ArcSight ESM. | get_fields Investigation |
| Get Query Viewer Data | Retrieves data of a specific query viewer from ArcSight ESM, based on the Query Viewer ID you have specified. | get_query_viewer_data Investigation |
You can annotate ArcSight Events using the ArcSight Console to update the Stage and Assignee of the event and to add comments to the event.


You can also perform similar operations using the Annotate Event function in FortiSOAR™ playbooks.
| Parameter | Description |
|---|---|
| Event ID | The ID of the ArcSight Event that you want to annotate. |
| Stage | The Stage to be set for the Event. You can choose from one of the following values: Queued, Initial, Monitoring, Rule Created, Follow-Up, Final, Flagged as Similar, or Closed. |
| User | An existing ArcSight user to whom you want to assign the event. For example, admin. |
| Comment | The comment that you want to add to the event. |
The JSON output returns a Success message if the ArcSight ESM event is annotated successfully, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Event ID | The ID of the ArcSight Event that you want to annotate |
| Stage ID | The resource ID of the stage that you want to set for the specified event. |
| User | (Optional) An existing ArcSight user to whom you want to assign the event. For example, admin. |
| Comment | (Optional) The comment that you want to add to the event. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Event IDs | IDs of ArcSight Events whose details you want to retrieve from ArcSight. You can add multiple IDs using the CSV or list format. |
| Replace Null Values with Empty String? | If an event field is not set, the ArcSight APIs return the following sentinel values in place of NULL. Use this option to replace these values with an empty string. By default, the Replace Null Values with Empty String? field is set to True. Field type integer: -2147483648 (Integer.MIN_VALUE). Field type long: -9223372036854775808 (Long.MIN_VALUE). Field type double: 5e-324 (Double.MIN_VALUE). |
| IP Address Keys to Parse | (Optional) ArcSight API returns the IP address fields in decimal format. Provide a comma-separated list of field names you want to convert from decimal to IP address format. Defaults to address. |
| MAC Address Keys to Parse | (Optional) ArcSight API returns the MAC address fields in decimal format. Provide a comma-separated list of field names you want to convert from decimal to MAC address format. Defaults to macAddress,translatedAddress. |
| Fields Name | (Optional) Specify field names if you want to retrieve a specific set of columns from Micro Focus ArcSight. |
| Time Field Names | (Optional) Specify a comma-separated list or array of field names for which you want to perform time conversion in the output of this operation. |
| Date Time Format | (Optional) Specify the DateTime format for converting the time fields. You must specify a DateTime format that is supported by the arrow library. For more information on the arrow library, see https://arrow.readthedocs.io/en/latest/ |
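The post-processing that the parameters above describe (NULL sentinels replaced by an empty string, decimal IP and MAC fields converted to their usual text form, epoch-millisecond time fields formatted), written as an added Python example; it is not the connector's own code. The function and parameter names (normalize_event, ip_keys, mac_keys, time_keys) are chosen here, the page's default key lists are used, and Python's strftime stands in for the arrow library the page mentions; the sample event is constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Sentinel values the ArcSight ESM API returns for unset fields (listed on this page).
NULL_SENTINELS = {
    -2147483648,           # Integer.MIN_VALUE, unset integer fields
    -9223372036854775808,  # Long.MIN_VALUE, unset long fields
    5e-324,                # Double.MIN_VALUE, unset double fields
}


def is_null_sentinel(value):
    """True when value is one of the numeric NULL stand-ins (bools are excluded)."""
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and value in NULL_SENTINELS)


def decimal_to_ipv4(value):
    """Render the decimal IPv4 form ArcSight returns as dotted-quad text.
    Assumption: the API may hand back a signed 32-bit value, so mask to 32 bits."""
    return str(ipaddress.IPv4Address(int(value) & 0xFFFFFFFF))


def decimal_to_mac(value):
    """Render a 48-bit integer MAC address as colon-separated lowercase hex."""
    octets = int(value).to_bytes(6, "big")
    return ":".join(f"{b:02x}" for b in octets)


def epoch_ms_to_text(value, fmt):
    """ArcSight timestamps are epoch milliseconds; format them as UTC text.
    strftime is used here in place of the arrow library named on the page."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).strftime(fmt)


def normalize_event(event, replace_null=True, ip_keys=("address",),
                    mac_keys=("macAddress",), time_keys=(),
                    time_fmt="%Y-%m-%d %H:%M:%S"):
    """Walk an event dict (nested dicts and lists included) and convert fields
    by key name at any depth, e.g. agent.address and destination.address."""

    def convert(key, value):
        if isinstance(value, dict):
            return {k: convert(k, v) for k, v in value.items()}
        if isinstance(value, list):
            return [convert(key, v) for v in value]
        if replace_null and is_null_sentinel(value):
            return ""
        if value is None or value == "":
            return value
        try:
            if key in ip_keys:
                return decimal_to_ipv4(value)
            if key in mac_keys:
                return decimal_to_mac(value)
            if key in time_keys:
                return epoch_ms_to_text(value, time_fmt)
        except (ValueError, OverflowError, TypeError):
            return value  # leave values that are not numeric untouched
        return value

    return convert(None, event)


# Constructed sample: a signed decimal IP, a 48-bit MAC, an epoch-ms time
# and the three NULL sentinels.
SAMPLE_EVENT = {
    "agent": {"address": -1062731519, "macAddress": 1108152157446, "hostName": "h"},
    "destination": {"address": 3232235777, "port": -2147483648},
    "startTime": 1600000000000,
    "bytesIn": -9223372036854775808,
    "relevance": 5e-324,
    "priority": 5,
}

if __name__ == "__main__":
    print(normalize_event(SAMPLE_EVENT, time_keys=("startTime",)))
```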
The JSON output contains the details of the event, based on the specified event ID and other input parameters, retrieved from ArcSight ESM.
The output contains the following populated JSON schema:
[{
"ttl": "",
"name": "",
"type": "",
"agent": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"device": {
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"bytesIn": "",
"endTime": "",
"eventId": "",
"bytesOut": "",
"category": {
"object": "",
"mutable": "",
"outcome": "",
"behavior": "",
"deviceGroup": "",
"significance": ""
},
"locality": "",
"priority": "",
"severity": "",
"domainFp1": "",
"domainFp2": "",
"domainFp3": "",
"domainFp4": "",
"domainFp5": "",
"domainFp6": "",
"domainFp7": "",
"domainFp8": "",
"flexDate1": "",
"managerId": "",
"relevance": "",
"sessionId": "",
"startTime": "",
"originator": "",
"destination": {
"geo": {
"mutable": "",
"latitude": "",
"longitude": "",
"latitudeLong": "",
"longitudeLong": ""
},
"port": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"hostName": "",
"assetName": "",
"processId": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedPort": "",
"translatedAddress": ""
},
"domainDate1": "",
"domainDate2": "",
"domainDate3": "",
"domainDate4": "",
"domainDate5": "",
"domainDate6": "",
"finalDevice": {
"zone": {
"id": "",
"uri": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"flexNumber1": "",
"flexNumber2": "",
"persistence": "",
"deviceCustom": {
"mutable": "",
"number1Label": "",
"string1Label": "",
"string2Label": ""
},
"agentSeverity": "",
"domainNumber1": "",
"domainNumber2": "",
"domainNumber3": "",
"domainNumber4": "",
"domainNumber5": "",
"domainNumber6": "",
"domainNumber7": "",
"domainNumber8": "",
"domainNumber9": "",
"originalAgent": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"baseEventCount": "",
"deviceSeverity": "",
"domainNumber10": "",
"domainNumber11": "",
"domainNumber12": "",
"domainNumber13": "",
"deviceDirection": "",
"deviceProcessId": "",
"domainIpv4addr1": "",
"domainIpv4addr2": "",
"domainIpv4addr3": "",
"domainIpv4addr4": "",
"eventAnnotation": {
"flags": "",
"stage": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"comment": "",
"endTime": "",
"eventId": "",
"version": "",
"stageUser": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"auditTrail": "",
"modifiedBy": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"stageUpdateTime": "",
"modificationTime": "",
"managerReceiptTime": ""
},
"modelConfidence": "",
"agentReceiptTime": "",
"assetCriticality": "",
"deviceCustomDate1": "",
"deviceCustomDate2": "",
"deviceReceiptTime": "",
"concentratorAgents": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"deviceEventClassId": "",
"managerReceiptTime": "",
"concentratorDevices": {
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"deviceCustomNumber1": "",
"deviceCustomNumber2": "",
"deviceCustomNumber3": "",
"deviceCustomString1": "",
"deviceCustomString2": "",
"deviceEventCategory": "",
"aggregatedEventCount": "",
"correlatedEventCount": "",
"deviceCustomFloatingPoint1": "",
"deviceCustomFloatingPoint2": "",
"deviceCustomFloatingPoint3": "",
"deviceCustomFloatingPoint4": ""
}]
You can get the ID for a report (Resource ID) from the ArcSight Console, as shown in the following image:
You can get the URI for a report from the ArcSight Console. To get the URI, you must add the report name to the parent resource, as shown in the following image:
| Parameter | Description |
|---|---|
| Run Report By | Parameter of the report based on which you want to run a report on ArcSight ESM. You can choose between Report ID or Report URI. |
| Report URI or Report ID | ID or URI of the ArcSight report that you want to run on ArcSight ESM. |
The JSON output returns the Download ID of the report. You can use this Download ID to download the report subsequently when the report is ready. You can use the "Download Report" operation to download the report and add it as an attachment in FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Report Id | ID of the ArcSight report that you want to run. |
| Input parameters | Input parameters in the JSON format. For example, {'StartTime': '$Now - 3h', 'Report Format': '0'}. The keys are the same as seen on the ArcSight console. Note that the values for the drop-down fields are their integer positions. For example, the Report Format should be specified as 0, 1, 2, etc., and not as pdf, csv, html, etc. |
The JSON output returns the Download ID of the report. You can use this Download ID to download the report subsequently when the report is ready. You can use the "Download Report" operation to download the report and add it as an attachment to FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Report ID | ID of the archived ArcSight report that you want to delete from ArcSight ESM. |
The JSON output returns a Success message if the specified report is deleted from ArcSight ESM, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Parent Group ID | Parent Group ID of the case you want to create. |
| Case Name | Name of the case that you want to create. |
| Alias (Display Name) | (Optional) Alias or Display Name of the case that you want to create. |
| Ticket Type | (Optional) Ticket type of the case you want to create. You can choose from the following options: INTERNAL, CLIENT, or INCIDENT. |
| Stage | (Optional) Stage that you want to assign to the created case. You can choose from the following options: QUEUED, INITIAL, FOLLOW_UP, FINAL, or CLOSED. |
| Frequency | (Optional) Frequency that you want to assign to the created case. You can choose from the following options: TEN_TO_FIFTEEN, NEVER_OR_ONCE, FIFTEEN, LESS_THAN_TEN, or MORE_THAN_FIFTEEN. |
| Operational Impact | (Optional) Operational Impact that you want to assign to the created case. You can choose from the following options: NO_IMPACT, NO_IMMEDIATE_IMPACT, LOW_PRIORITY_IMPACT, HIGH_PRIORITY_IMPACT, or IMMEDIATE_IMPACT. |
| Security Classification | (Optional) Security Classification that you want to assign to the created case. You can choose from the following options: UNCLASSIFIED, CONFIDENTIAL, SECRET, or TOP_SECRET. |
| Consequence Severity | (Optional) Consequence Severity that you want to assign to the created case. You can choose from the following options: NONE, INSIGNIFICANT, MARGINAL, CRITICAL, or CATASTROPHIC. |
| External ID | (Optional) Unique ID of the case you want to create. |
| Description | (Optional) Description of the case you want to create. |
| Deprecated | (Optional) Whether or not the created case is deprecated. |
| Additional attributes in json format | (Optional) Use this field to set values that are not displayed in FortiSOAR™. |
The JSON output contains the case ID and the details of the case created on ArcSight ESM.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"initialized": "",
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case you want to update. |
| Case Name | (Optional) Updated case name, if you want to update the name of an existing case. |
| Alias (Display Name) | (Optional) Alias or Display Name of the case that you want to update. |
| Ticket Type | (Optional) Ticket type of the case you want to update. You can choose from the following options: INTERNAL, CLIENT, or INCIDENT. |
| Stage | (Optional) Updated stage, if you want to update the stage of an existing case. You can choose from the following options: QUEUED, INITIAL, FOLLOW_UP, FINAL, or CLOSED. |
| Frequency | (Optional) Updated frequency, if you want to update the frequency of an existing case. You can choose from the following options: TEN_TO_FIFTEEN, NEVER_OR_ONCE, FIFTEEN, LESS_THAN_TEN, or MORE_THAN_FIFTEEN. |
| Operational Impact | (Optional) Updated operational impact, if you want to update the operational impact of an existing case. You can choose from the following options: NO_IMPACT, NO_IMMEDIATE_IMPACT, LOW_PRIORITY_IMPACT, HIGH_PRIORITY_IMPACT, or IMMEDIATE_IMPACT. |
| Security Classification | (Optional) Updated security classification, if you want to update the security classification of an existing case. You can choose from the following options: UNCLASSIFIED, CONFIDENTIAL, SECRET, or TOP_SECRET. |
| Consequence Severity | (Optional) Updated consequence severity, if you want to update the consequence severity of an existing case. You can choose from the following options: NONE, INSIGNIFICANT, MARGINAL, CRITICAL, or CATASTROPHIC. |
| Estimated Restore Date Time | (Optional) Updates the Date and time for restoring the case, if required. |
| External ID | (Optional) Updated External ID, if you want to update the Unique ID of the case. |
| Description | (Optional) Updated description of the case. |
| Deprecated | (Optional) Updates whether or not the case is deprecated. |
| Notification Group IDs | (Optional) IDs of groups that should be notified when the case is updated. |
| Custom Fields | (Optional) Use this field to set or update values that are not displayed in FortiSOAR™. |
The JSON output contains the details of the case updated on ArcSight ESM.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"alias": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"initialized": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"estimatedStartTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"eventIDs": "",
"detectionTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case for which you want to retrieve the information from ArcSight ESM. |
The JSON output contains the details of the case, retrieved from ArcSight ESM, based on the specified case ID.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"initialized": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"estimatedStartTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"eventIDs": "",
"detectionTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case in which you want to add events. |
| Events IDs | IDs of the events that you want to add to the specified case. You must provide the Event IDs in the list format. |
The JSON output returns a Success message if the events are successfully added to the specified case ID, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | ID of the case from which you want to delete events. |
| Events IDs | IDs of the events that you want to delete from the specified case. You must provide the Event IDs in the list format. |
The JSON output returns a Success message if the events are successfully deleted from the specified case ID, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Query | Query using which you want to search ArcSight ESM. |
| Start Position | Position from where you want to start the search. By default, this is set to 0. |
| Page Size | Number of result records that you want to display on one page. By default, this is set to 10. |
The JSON output contains the search results retrieved from ArcSight ESM, based on the specified query.
The output contains the following populated JSON schema:
{
"elapsed": "",
"queryStr": "",
"hitCount": "",
"statusString": "",
"searchHits": [
{
"uri": "",
"score": "",
"uuid": "",
"name": ""
}
],
"queryTerms": [],
"rewrittenQueryString": ""
}
| Parameter | Description |
|---|---|
| Report ID | Download ID of the ArcSight report that you want to upload as an attachment in FortiSOAR™. Note: You can get the ID of the report using the Run Report function. |
| Name of the file when added as an attachment in Cybersponse | Name of the file when it is added as an attachment in FortiSOAR™. If you do not specify any name, then the file by default is named as 'ArcSight Report'. |
The JSON output contains the details of the attachment in FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List for which you want to retrieve details from ArcSight ESM. |
The JSON output contains the details of the active list, retrieved from ArcSight ESM, based on the specified active list ID.
The output contains the following populated JSON schema:
{
"modifierName": "",
"multiMap": "",
"creatorName": "",
"inactive": "",
"type": "",
"reference": {
"referenceType": "",
"referenceString": "",
"isModifiable": "",
"referenceName": "",
"id": "",
"managerID": "",
"uri": ""
},
"caseSensitiveType": "",
"capacity": "",
"isAdditionalLoaded": "",
"keyFields": "",
"createdTimestamp": "",
"modifiedTimestamp": "",
"deprecated": "",
"timePartitioned": "",
"state": "",
"optimizeData": "",
"activeListType": "",
"attributeInitializationInProgress": "",
"name": "",
"localID": "",
"fieldTypes": "",
"fieldSubTypes": {},
"URI": "",
"initialized": "",
"entryTimeToLive": "",
"disabled": "",
"partialCache": "",
"inCache": "",
"fieldNames": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"timezoneID": "",
"milliSecond": "",
"month": "",
"second": "",
"year": "",
"minute": "",
"hour": ""
},
"modifiedTime": {
"day": "",
"timezoneID": "",
"milliSecond": "",
"month": "",
"second": "",
"year": "",
"minute": "",
"hour": ""
}
}
| Parameter | Description |
|---|---|
| Active List ID | (Optional) Resource ID of the Active List that you want to update on ArcSight ESM. |
| Column Names List | (Optional) List of column names that you want to update, i.e., columns in which you want to add entries. By default, all the column names are included. |
| Entry List | (Optional) List of entries to add to the specified active list. You must add the values in the same sequence as the columns specified. For example, [["val1", "val2"], ["val3", "val4"]] |
The JSON output returns an 'Entry list added successfully' message if the active list is successfully updated on ArcSight, or an Error message containing the reason for failure.
Operation: Get Active List Entries
| Parameter | Description |
|---|---|
| Active List ID | (Optional) Resource ID of the active list for which you want to retrieve entries from Micro Focus ArcSight. |
| Clear Active List Entries | Select this option, i.e., set it to True (default), to clear the entries of the specified active list after the active list is read. |
No output schema is available at this time.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List for which you want to clear entries from ArcSight ESM. |
The output response appears as follows if the entries are cleared successfully from the specified Active List:
Active List: <Active List ID> entries are cleared successfully.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List from which you want to delete entries on ArcSight ESM. Note: The default ID is taken from the connector configuration. For more information, see the Configuring the connector section. |
| Entry List | List of entries that you want to delete from the specified active list. You must add the values in the same sequence as the columns specified. For example, [["val1", "val2"], ["val3", "val4"]] |
The JSON output returns an 'Entries deleted successfully' message if the active list entries are successfully deleted on ArcSight, or an Error message containing the reason for failure.
None.
The output contains the following populated JSON schema:
{
"sei.getFieldsResponse": {
"sei.return": [
{
"fieldDisplayName": "",
"fieldType": {
"type": "",
"javaTypeName": "",
"name": ""
},
"sidetable": "",
"derived": "",
"groupDisplayName": "",
"simple": "",
"fieldName": "",
"reference": "",
"fieldIndex": "",
"copyOfFieldName": "",
"groupName": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Query Viewer ID | Resource ID of the query viewer for which you want to retrieve details from ArcSight ESM. |
No output schema is available at this time.
The Sample - Micro Focus ArcSight ESM - 3.1.1 playbook collection comes bundled with the Micro Focus ArcSight connector. This collection contains playbooks whose steps demonstrate all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
For troubleshooting any issues with the Pull ArcSight Events Service, see the /var/log/cyops/cyops-integrations/arcsight/arcsight_reader.log log file.
This error generally occurs with self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production, and you might need to switch certificate verification on or off accordingly.
Resolution:
Ensure that the SSL certificates are trusted, or that SSL checking is turned off in the wrapper script. Turning off SSL checking is not advised for production instances.
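The resolution above offers two options: make the ESM certificate trusted, or turn verification off. The following added example (not part of the connector's own code) shows what each option means for a client wrapper built on Python's standard ssl module, and how a self-signed ESM certificate can be trusted by loading its PEM file instead of disabling checks. The function names and the production_safe flag are assumptions made for this illustration; the verify/ca_bundle arguments mirror the connector's "Verify SSL" configuration parameter.

```python
import ssl


def build_ssl_context(verify=True, ca_bundle=None):
    """Build the TLS context a client wrapper would use for the ESM REST port.

    verify=True, ca_bundle=None : trust only the OS trust store (the production setting).
    verify=True, ca_bundle=path : also trust the given PEM file, so a self-signed or
                                  private-CA ESM certificate passes verification
                                  without turning verification off.
    verify=False                : no certificate or hostname checks; testing only.
    (Hypothetical helper written for this example, not connector code.)
    """
    ctx = ssl.create_default_context()
    if verify:
        if ca_bundle:
            # Trust the ESM certificate (or its issuing CA) explicitly.
            ctx.load_verify_locations(cafile=ca_bundle)
        return ctx
    # check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter when reviewing a connector configuration.
    'production_safe' is an assumed label meaning both certificate and hostname checks are on."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "production_safe": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    print("Verify SSL = True :", context_summary(build_ssl_context(True)))
    print("Verify SSL = False:", context_summary(build_ssl_context(False)))
```

With a self-signed ESM certificate, pass its PEM file as ca_bundle and keep verify=True; that keeps the connector in the production-safe state while still accepting the staging server.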
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. Once you have identified the error and if you cannot troubleshoot the error, contact Fortinet support for further assistance.
When you upgrade the connector and select the Enable Pull ArcSight Events Service checkbox, the connector sometimes goes into the "Disconnected" state because of an issue with the notification service.
Resolution:
To resolve this issue, deactivate and then reactivate the connector.
ArcSight ESM and FortiSOAR™ integration is achieved by the following simple steps:
An Active List in ArcSight ESM holds correlated events, which can be read by FortiSOAR™ and then converted into alerts.
To ingest data from ArcSight, you need to create an “Active List” and configure “Rules” in ArcSight ESM, so that events from ArcSight ESM can be pulled into FortiSOAR™ as described in the following sections.
Use the “FortiSOAR_ArcSight.arb” package to create the Active List in ArcSight ESM and configure the Rule that forwards the desired events to the created active list. You have to create and configure a rule to define the type of events you want to forward and investigate in FortiSOAR™. Once the active list is added and the rule is configured, FortiSOAR™ monitors the active list, pulls the desired events from ArcSight ESM, and creates alerts in FortiSOAR™.
Download the FortiSOAR_ArcSight.arb package, which is attached to this article, and then import it into ArcSight ESM, as described in the Importing the FortiSOAR_ArcSight.arb package in ArcSight section.
Alternatively, you can manually set up the active list and the rules using the standard ArcSight interface. Points to be considered while manually setting up rules:
Rule:
The following image displays a sample ArcSight Rule to Forward Events to an Active list:

The following image displays an Active List populated with desired events and the Resource ID is highlighted in the right pane:

FortiSOAR™ requires a user account and password to connect to ArcSight ESM. You could use an existing user, or create a new standard user for this purpose. This user account will be used by FortiSOAR™ to fetch and/or update events and invoke other supported actions. Ensure that the user has the following permissions:
The following image displays a FortiSOAR user in ArcSight ESM with "Read" and "Write" access to FortiSOAR AL:

Install and configure the Micro Focus ArcSight Connector in FortiSOAR™ as described in the Installing the connector and Configuring the connector sections.
Configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming ArcSight ESM correlated event data into a FortiSOAR™ alert.
The Data Ingestion Wizard enables you to configure scheduled pulling of data from ArcSight ESM into FortiSOAR™. It also lets you pull some sample data from ArcSight ESM, using which you can define the mapping of data between ArcSight ESM and FortiSOAR™. Common fields are generally already mapped by the Data Ingestion Wizard; you usually only need to map any custom fields that have been added to the ArcSight event.



For additional information about the “Data Ingestion Wizard” and installing and configuring connectors, see the "Connectors Guide" in the FortiSOAR™ product documentation.
Importing the FortiSOAR_ArcSight.arb package in ArcSight
Note: The 'FortiSOAR_ArcSight.arb' package included with this version has been updated to remove the 'Active List Rule' from the package.
Download the FortiSOAR_ArcSight.arb file that is attached to this document. To import the FortiSOAR_ArcSight.arb package in ArcSight, navigate to the Packages tab in ArcSight as shown in the following image:
Import the FortiSOAR_ArcSight.arb package. The FortiSOAR_ArcSight.arb package contains the Active List (FortiSOAR_Event_collector). Once the FortiSOAR_ArcSight.arb package is imported successfully, the FortiSOAR Active List appears in ArcSight as follows:
To avoid data loss while using data ingestion playbooks, do the following:




'Error message' in vars.steps.Fetch_Event_Details_And_Create_Record condition: 
| Parameter | Description |
|---|---|
| Server URL | IP Address or FQDN of the ArcSight ESM server to which you will connect and perform automated operations. |
| ESM Port | REST API port of the ArcSight ESM server. Defaults to 8443. |
| Username | Username to access the ArcSight ESM server. |
| Password | Password to access the ArcSight ESM server. |
| Active List ID | Resource ID of the Active List for which you want to retrieve events from ArcSight ESM. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
| Enable Pull ArcSight Events Service (Deprecated) | Note: 'Enable Pull ArcSight Events Service' is an earlier supported way of reading entries from the "Active List". It has been deprecated since connector version 3.1.1 and will remain available only until the next major release. It is recommended that you use schedule-based ingestion through the Data Ingestion Wizard to pull ArcSight events at the interval you specify. If you select this option, ArcSight events are pulled at the poll interval you have specified, and you must specify the following parameters: Important: To run the Enable Pull ArcSight Events Service, you can import the FortiSOAR_ArcSight.arb in ArcSight. The steps to import the FortiSOAR_ArcSight.arb in ArcSight are described in the "Importing the FortiSOAR_ArcSight.arb package in ArcSight" section. Also, ensure that the playbook whose trigger you have specified in the Playbook Trigger parameter is in the Active state. This ensures seamless event reading from ArcSight ESM. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Annotate Event | Updates an ArcSight Event Stage, assigns it to a user, and adds a comment. | annotate_event Investigation |
| Annotate Event By Stage ID | Updates an ArcSight Event Stage, assigns it to a user, and adds a comment based on resource ID of the stage, event ID, and other input parameters you have specified. | annotate_event_by_stage_id Investigation |
| Get Event Details | Retrieves information for events from the ArcSight ESM server, based on event IDs and other input parameters you have specified. | get_event_info Investigation |
| Run Report with Default Parameters | Runs a report based on an ID or URI and default inputs on the ArcSight ESM server. | run_report Investigation |
| Run Report | Runs a report based on an ID and custom user inputs on the ArcSight ESM server. | run_report Investigation |
| Delete Report | Deletes an archived report from the ArcSight ESM server, based on the Resource ID you have specified. | delete_report Remediation |
| Create Case | Creates a case in ArcSight ESM, based on the input parameters you have specified. | create_case Investigation |
| Update Case | Updates an existing case in ArcSight ESM, based on the input parameters you have specified. | update_case_info Investigation |
| Get Case Information | Retrieves information about a case from ArcSight ESM, based on the case ID you have specified. | get_case_info Investigation |
| Add Events to Case | Adds the specified events to an existing case in ArcSight ESM, based on the case ID you have specified. | add_events Investigation |
| Delete Case Events | Deletes the specified events from an existing case from ArcSight ESM, based on the case ID you have specified. | delete_events Remediation |
| Search Query | Searches ArcSight ESM records based on the query you have specified. | search_query Investigation |
| Download Report | Downloads a report based on an ID from ArcSight ESM and then uploads that report as an attachment in the Attachment Module. | upload_report Investigation |
| Get Active List Information | Retrieves information about an active list from ArcSight ESM, based on the Active List ID you have specified. | get_active_list_info Investigation |
| Update Active List | Adds new items to a specified active list on ArcSight ESM, based on the Active List ID and other input parameters you have specified. | update_active_list Investigation |
| Get Active List Entries | Retrieves entries for a specified active list, based on the Active List ID you have specified. | get_active_list_entries Investigation |
| Clear Active List Entries | Clears entries for a specified active list, based on the Active List ID you have specified. | clear_active_list_entries Remediation |
| Delete Active List Entries | Deletes entries from a specified active list in ArcSight ESM, based on the Active List ID and other input parameters you have specified. | delete_active_list_entries Investigation |
| Get Fields | Retrieves details of all fields from ArcSight ESM. | get_fields Investigation |
| Get Query Viewer Data | Retrieves data of a specific query viewer from ArcSight ESM, based on the Query Viewer ID you have specified. | get_query_viewer_data Investigation |
You can annotate ArcSight Events using the ArcSight Console to update the Stage and Assignee of the event and to add comments to the event.


You can also perform similar operations using the Annotate Event function in FortiSOAR™ playbooks.
| Parameter | Description |
|---|---|
| Event ID | The ID of the ArcSight Event that you want to annotate. |
| Stage | The Stage to be set for the Event. You can choose from one of the following values: Queued, Initial, Monitoring, Rule Created, Follow-Up, Final, Flagged as Similar, or Closed. |
| User | An existing ArcSight user to whom you want to assign the event. For example, admin. |
| Comment | The comment that you want to add to the event. |
The JSON output returns a Success message if the ArcSight ESM event is annotated successfully, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Event ID | The ID of the ArcSight Event that you want to annotate. |
| Stage ID | The resource ID of the stage that you want to set for the specified event. |
| User | (Optional) An existing ArcSight user to whom you want to assign the event. For example, admin. |
| Comment | (Optional) The comment that you want to add to the event. |
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Event IDs | IDs of ArcSight Events whose details you want to retrieve from ArcSight. You can add multiple IDs using the CSV or list format. |
| Replace Null Values with Empty String? | If an event field is not set, the ArcSight APIs return the following values. Use this option to replace these values with an empty string. Note that, by default, the Replace Null Values with Empty String? field is set to True. Field type integer: returned value in place of NULL: -2147483648 (Integer.MIN_VALUE); Field type long: returned value in place of NULL: -9223372036854775808 (Long.MIN_VALUE); Field type double: returned value in place of NULL: 5e-324 (Double.MIN_VALUE). |
| IP Address Keys to Parse | (Optional) ArcSight API returns the IP address fields in decimal format. Provide a comma-separated list of field names you want to convert from decimal to IP address format. Defaults to address. |
| MAC Address Keys to Parse | (Optional) ArcSight API returns the MAC address fields in decimal format. Provide a comma-separated list of field names you want to convert from decimal to MAC address format. Defaults to macAddress,translatedAddress. |
| Fields Name | (Optional) Specify field names if you want to retrieve a specific set of columns from Micro Focus ArcSight. |
| Time Field Names | (Optional) Specify a comma-separated list or array of field names for which you want to perform time conversion in the output of this operation. |
| Date Time Format | (Optional) Specify the DateTime format for converting the time fields. You must specify a DateTime format that is supported by the arrow library. For more information on the arrow library, see https://arrow.readthedocs.io/en/latest/ |
The JSON output contains the details of the event, based on the specified event ID and other input parameters, retrieved from ArcSight ESM.
The output contains the following populated JSON schema:
[{
"ttl": "",
"name": "",
"type": "",
"agent": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"device": {
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"bytesIn": "",
"endTime": "",
"eventId": "",
"bytesOut": "",
"category": {
"object": "",
"mutable": "",
"outcome": "",
"behavior": "",
"deviceGroup": "",
"significance": ""
},
"locality": "",
"priority": "",
"severity": "",
"domainFp1": "",
"domainFp2": "",
"domainFp3": "",
"domainFp4": "",
"domainFp5": "",
"domainFp6": "",
"domainFp7": "",
"domainFp8": "",
"flexDate1": "",
"managerId": "",
"relevance": "",
"sessionId": "",
"startTime": "",
"originator": "",
"destination": {
"geo": {
"mutable": "",
"latitude": "",
"longitude": "",
"latitudeLong": "",
"longitudeLong": ""
},
"port": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"hostName": "",
"assetName": "",
"processId": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedPort": "",
"translatedAddress": ""
},
"domainDate1": "",
"domainDate2": "",
"domainDate3": "",
"domainDate4": "",
"domainDate5": "",
"domainDate6": "",
"finalDevice": {
"zone": {
"id": "",
"uri": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"flexNumber1": "",
"flexNumber2": "",
"persistence": "",
"deviceCustom": {
"mutable": "",
"number1Label": "",
"string1Label": "",
"string2Label": ""
},
"agentSeverity": "",
"domainNumber1": "",
"domainNumber2": "",
"domainNumber3": "",
"domainNumber4": "",
"domainNumber5": "",
"domainNumber6": "",
"domainNumber7": "",
"domainNumber8": "",
"domainNumber9": "",
"originalAgent": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"baseEventCount": "",
"deviceSeverity": "",
"domainNumber10": "",
"domainNumber11": "",
"domainNumber12": "",
"domainNumber13": "",
"deviceDirection": "",
"deviceProcessId": "",
"domainIpv4addr1": "",
"domainIpv4addr2": "",
"domainIpv4addr3": "",
"domainIpv4addr4": "",
"eventAnnotation": {
"flags": "",
"stage": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"comment": "",
"endTime": "",
"eventId": "",
"version": "",
"stageUser": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"auditTrail": "",
"modifiedBy": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"stageUpdateTime": "",
"modificationTime": "",
"managerReceiptTime": ""
},
"modelConfidence": "",
"agentReceiptTime": "",
"assetCriticality": "",
"deviceCustomDate1": "",
"deviceCustomDate2": "",
"deviceReceiptTime": "",
"concentratorAgents": {
"id": "",
"name": "",
"type": "",
"zone": {
"id": "",
"uri": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"address": "",
"assetId": "",
"mutable": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"deviceEventClassId": "",
"managerReceiptTime": "",
"concentratorDevices": {
"zone": {
"id": "",
"uri": "",
"managerID": "",
"referenceID": "",
"isModifiable": "",
"referenceName": "",
"referenceType": "",
"referenceString": ""
},
"vendor": "",
"address": "",
"assetId": "",
"mutable": "",
"product": "",
"version": "",
"hostName": "",
"assetName": "",
"macAddress": "",
"assetLocalId": "",
"addressAsBytes": "",
"translatedAddress": ""
},
"deviceCustomNumber1": "",
"deviceCustomNumber2": "",
"deviceCustomNumber3": "",
"deviceCustomString1": "",
"deviceCustomString2": "",
"deviceEventCategory": "",
"aggregatedEventCount": "",
"correlatedEventCount": "",
"deviceCustomFloatingPoint1": "",
"deviceCustomFloatingPoint2": "",
"deviceCustomFloatingPoint3": "",
"deviceCustomFloatingPoint4": ""
}]
You can get the ID for a report (Resource ID) from the ArcSight Console, as shown in the following image:
You can get the URI for a report from the ArcSight Console. To get the URI, you must add the report name to the parent resource, as shown in the following image:
| Parameter | Description |
|---|---|
| Run Report By | Parameter of the report based on which you want to run a report on ArcSight ESM. You can choose between Report ID or Report URI. |
| Report URI or Report ID | ID or URI of the ArcSight report that you want to run on ArcSight ESM. |
The JSON output returns the Download ID of the report. You can use this Download ID to download the report subsequently when the report is ready. You can use the "Download Report" operation to download the report and add it as an attachment in FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Report Id | ID of the ArcSight report that you want to run. |
| Input parameters | Input parameters in the JSON format. For example, {'StartTime': '$Now - 3h', 'Report Format': '0'}. The keys are the same as seen on the ArcSight console. Note that the values for the drop-down fields are their integer positions. For example, the Report Format should be specified as 0, 1, 2, etc., and not as pdf, csv, html, etc. |
The JSON output returns the Download ID of the report. You can use this Download ID to download the report subsequently when the report is ready. You can use the "Download Report" operation to download the report and add it as an attachment to FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Report ID | ID of the archived ArcSight report that you want to delete from ArcSight ESM. |
The JSON output returns a Success message if the specified report is deleted from ArcSight ESM, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Parent Group ID | Parent Group ID of the case you want to create. |
| Case Name | Name of the case that you want to create. |
| Alias (Display Name) | (Optional) Alias or Display Name of the case that you want to create. |
| Ticket Type | (Optional) Ticket type of the case you want to create. You can choose from the following options: INTERNAL, CLIENT, or INCIDENT. |
| Stage | (Optional) Stage that you want to assign to the created case. You can choose from the following options: QUEUED, INITIAL, FOLLOW_UP, FINAL, or CLOSED. |
| Frequency | (Optional) Frequency that you want to assign to the created case. You can choose from the following options: TEN_TO_FIFTEEN, NEVER_OR_ONCE, FIFTEEN, LESS_THAN_TEN, or MORE_THAN_FIFTEEN. |
| Operational Impact | (Optional) Operational Impact that you want to assign to the created case. You can choose from the following options: NO_IMPACT, NO_IMMEDIATE_IMPACT, LOW_PRIORITY_IMPACT, HIGH_PRIORITY_IMPACT, or IMMEDIATE_IMPACT. |
| Security Classification | (Optional) Security Classification that you want to assign to the created case. You can choose from the following options: UNCLASSIFIED, CONFIDENTIAL, SECRET, or TOP_SECRET. |
| Consequence Severity | (Optional) Consequence Severity that you want to assign to the created case. You can choose from the following options: NONE, INSIGNIFICANT, MARGINAL, CRITICAL, or CATASTROPHIC. |
| External ID | (Optional) Unique ID of the case you want to create. |
| Description | (Optional) Description of the case you want to create. |
| Deprecated | (Optional) Whether or not the created case is deprecated. |
| Additional attributes in json format | (Optional) Use this field to set values that are not displayed in FortiSOAR™. |
The JSON output contains the case ID and the details of the case created on ArcSight ESM.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"initialized": "",
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case you want to update. |
| Case Name | (Optional) Updated case name, if you want to update the name of an existing case. |
| Alias (Display Name) | (Optional) Alias or Display Name of the case that you want to update. |
| Ticket Type | (Optional) Ticket type of the case you want to update. You can choose from the following options: INTERNAL, CLIENT, or INCIDENT. |
| Stage | (Optional) Updated stage, if you want to update the stage of an existing case. You can choose from the following options: QUEUED, INITIAL, FOLLOW_UP, FINAL, or CLOSED. |
| Frequency | (Optional) Updated frequency, if you want to update the frequency of an existing case. You can choose from the following options: TEN_TO_FIFTEEN, NEVER_OR_ONCE, FIFTEEN, LESS_THAN_TEN, or MORE_THAN_FIFTEEN. |
| Operational Impact | (Optional) Updated operational impact, if you want to update the operational impact of an existing case. You can choose from the following options: NO_IMPACT, NO_IMMEDIATE_IMPACT, LOW_PRIORITY_IMPACT, HIGH_PRIORITY_IMPACT, or IMMEDIATE_IMPACT. |
| Security Classification | (Optional) Updated security classification, if you want to update the security classification of an existing case. You can choose from the following options: UNCLASSIFIED, CONFIDENTIAL, SECRET, or TOP_SECRET. |
| Consequence Severity | (Optional) Updated consequence severity, if you want to update the consequence severity of an existing case. You can choose from the following options: NONE, INSIGNIFICANT, MARGINAL, CRITICAL, or CATASTROPHIC. |
| Estimated Restore Date Time | (Optional) Updates the Date and time for restoring the case, if required. |
| External ID | (Optional) Updated External ID, if you want to update the Unique ID of the case. |
| Description | (Optional) Updated description of the case. |
| Deprecated | (Optional) Updates whether or not the case is deprecated. |
| Notification Group IDs | (Optional) IDs of groups that should be notified when the case is updated. |
| Custom Fields | (Optional) Use this field to set or update values that are not displayed in FortiSOAR™. |
The JSON output contains the details of the case updated on ArcSight ESM.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"alias": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"initialized": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"estimatedStartTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"eventIDs": "",
"detectionTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case for which you want to retrieve the information from ArcSight ESM. |
The JSON output contains the details of the case, retrieved from ArcSight ESM, based on the specified case ID.
The output contains the following populated JSON schema:
{
"modifierName": "",
"creatorName": "",
"type": "",
"reference": {
"referenceType": "",
"uri": "",
"referenceString": "",
"referenceName": "",
"isModifiable": "",
"id": "",
"managerID": ""
},
"displayID": "",
"initialized": "",
"createdTimestamp": "",
"attributeInitializationInProgress": "",
"deprecated": "",
"isAdditionalLoaded": "",
"state": "",
"estimatedRestoreTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTimestamp": "",
"name": "",
"localID": "",
"description": "",
"URI": "",
"estimatedStartTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"disabled": "",
"reportingLevel": "",
"numberOfOccurences": "",
"inCache": "",
"inactive": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"modifiedTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
},
"eventIDs": "",
"detectionTime": {
"day": "",
"minute": "",
"year": "",
"hour": "",
"timezoneID": "",
"second": "",
"milliSecond": "",
"month": ""
}
}
| Parameter | Description |
|---|---|
| Case ID | ID of the case in which you want to add events. |
| Events IDs | IDs of the events that you want to add to the specified case. You must provide the Event IDs in the list format. |
The JSON output returns a Success message if the events are successfully added to the specified case ID, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Case ID | ID of the case from which you want to delete events. |
| Events IDs | IDs of the events that you want to delete from the specified case. You must provide the Event IDs in the list format. |
The JSON output returns a Success message if the events are successfully deleted from the specified case ID, or an Error message containing the reason for failure.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Query | Query using which you want to search ArcSight ESM. |
| Start Position | Position from where you want to start the search. By default, this is set to 0. |
| Page Size | Number of result records that you want to display on one page. By default, this is set to 10. |
The JSON output contains the search results retrieved from ArcSight ESM, based on the specified query.
The output contains the following populated JSON schema:
{
"elapsed": "",
"queryStr": "",
"hitCount": "",
"statusString": "",
"searchHits": [
{
"uri": "",
"score": "",
"uuid": "",
"name": ""
}
],
"queryTerms": [],
"rewrittenQueryString": ""
}
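The Start Position and Page Size parameters above page through a result set whose total size comes back in hitCount. The following is an added example, not code from the connector or from Micro Focus: run_search is a constructed in-memory stand-in for the Search action that returns the documented schema over sample hits, and iter_all_hits shows the pagination loop a playbook would need, bounded so a server that keeps returning the same page cannot spin it forever. It assumes hitCount is numeric or a numeric string (the schema above only shows an empty placeholder).

```python
"""Page through ArcSight ESM search results with Start Position / Page Size.

Added example; ``run_search`` is a constructed stand-in for the connector's
Search action and returns the documented result schema over sample hits.
"""
from typing import Callable, Dict, Iterator, List

# Constructed sample hits; each item follows the documented searchHits shape.
SAMPLE_HITS: List[Dict[str, str]] = [
    {
        "uri": f"/All Events/hit{i}",
        "score": str(round(1.0 - i / 100, 2)),
        "uuid": f"uuid-{i:03d}",
        "name": f"hit {i}",
    }
    for i in range(23)
]


def run_search(query: str, start_position: int = 0, page_size: int = 10) -> Dict:
    """Stand-in for the Search action: slices the constructed hit list."""
    if start_position < 0 or page_size <= 0:
        raise ValueError("start_position must be >= 0 and page_size > 0")
    page = SAMPLE_HITS[start_position:start_position + page_size]
    return {
        "elapsed": "1",
        "queryStr": query,
        "hitCount": str(len(SAMPLE_HITS)),  # assumed: total hits, as a numeric string
        "statusString": "OK",
        "searchHits": page,
        "queryTerms": query.split(),
        "rewrittenQueryString": query,
    }


def iter_all_hits(search: Callable[..., Dict], query: str,
                  page_size: int = 10, max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every hit for ``query`` by advancing Start Position page by page.

    Stops when a page comes back empty or when the next start position reaches
    hitCount. ``max_pages`` caps the loop, and uuids already seen are skipped so
    overlapping pages cannot produce duplicate alerts downstream.
    """
    seen = set()
    start = 0
    for _ in range(max_pages):
        result = search(query, start_position=start, page_size=page_size)
        hits = result.get("searchHits") or []
        if not hits:
            return
        for hit in hits:
            if hit["uuid"] in seen:
                continue
            seen.add(hit["uuid"])
            yield hit
        start += len(hits)
        if start >= int(result.get("hitCount", 0)):
            return


def collect_uuids(query: str, page_size: int = 10) -> List[str]:
    """Convenience wrapper: all hit uuids for ``query`` in result order."""
    return [h["uuid"] for h in iter_all_hits(run_search, query, page_size)]
```

With 23 sample hits and the default page size of 10, the loop makes three calls (10, 10 and 3 hits) and then stops because the start position has reached hitCount.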
| Parameter | Description |
|---|---|
| Report ID | Download ID of the ArcSight report that you want to upload as an attachment in FortiSOAR™. Note: You can get the ID of the report using the Run Report function. |
| Name of the file when added as an attachment in Cybersponse | Name of the file when it is added as an attachment in FortiSOAR™. If you do not specify any name, then the file by default is named as 'ArcSight Report'. |
The JSON output contains the details of the attachment in FortiSOAR™.
The output contains a non-dictionary value.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List for which you want to retrieve details from ArcSight ESM. |
The JSON output contains the details of the active list, retrieved from ArcSight ESM, based on the specified active list ID.
The output contains the following populated JSON schema:
{
"modifierName": "",
"multiMap": "",
"creatorName": "",
"inactive": "",
"type": "",
"reference": {
"referenceType": "",
"referenceString": "",
"isModifiable": "",
"referenceName": "",
"id": "",
"managerID": "",
"uri": ""
},
"caseSensitiveType": "",
"capacity": "",
"isAdditionalLoaded": "",
"keyFields": "",
"createdTimestamp": "",
"modifiedTimestamp": "",
"deprecated": "",
"timePartitioned": "",
"state": "",
"optimizeData": "",
"activeListType": "",
"attributeInitializationInProgress": "",
"name": "",
"localID": "",
"fieldTypes": "",
"fieldSubTypes": {},
"URI": "",
"initialized": "",
"entryTimeToLive": "",
"disabled": "",
"partialCache": "",
"inCache": "",
"fieldNames": "",
"resourceid": "",
"typeName": "",
"modificationCount": "",
"createdTime": {
"day": "",
"timezoneID": "",
"milliSecond": "",
"month": "",
"second": "",
"year": "",
"minute": "",
"hour": ""
},
"modifiedTime": {
"day": "",
"timezoneID": "",
"milliSecond": "",
"month": "",
"second": "",
"year": "",
"minute": "",
"hour": ""
}
}
| Parameter | Description |
|---|---|
| Active List ID | (Optional) Resource ID of the Active List that you want to update on ArcSight ESM. |
| Column Names List | (Optional) List of column names that you want to update, i.e., columns in which you want to add entries. By default, all the column names are included. |
| Entry List | (Optional) List of entries to add to the specified active list. You must add the values in the same sequence as the columns specified. For example, [["val1", "val2"], ["val3", "val4"]] |
The JSON output returns an 'Entry list added successfully' message if the active list is successfully updated on ArcSight, or an Error message containing the reason for failure.
operation: Get Active List Entries
| Parameter | Description |
|---|---|
| Active List ID | (Optional) Resource ID of the active list for which you want to retrieve entries from Micro Focus ArcSight. |
| Clear Active List Entries | Select this option, i.e., set it to True (default), to clear the entries of the specified active list after the active list is read. |
No output schema is available at this time.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List for which you want to clear entries from ArcSight ESM. |
The output response appears as follows if the entries are cleared successfully from the specified Active List:
Active List: <Active List ID> entries are cleared successfully.
| Parameter | Description |
|---|---|
| Active List ID | Resource ID of the Active List from which you want to delete entries on ArcSight ESM. Note: The default ID is taken from the connector configuration. For more information, see the Configuring the connector section. |
| Entry List | List of entries that you want to delete from the specified active list. You must add the values in the same sequence as the columns specified. For example, [["val1", "val2"], ["val3", "val4"]] |
The JSON output returns an 'Entries deleted successfully' message if the active list entries are successfully deleted on ArcSight, or an Error message containing the reason for failure.
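The Get, Clear and Delete Active List Entries actions above are the building blocks of the ingestion loop, and the order in which a playbook uses them decides whether events can be lost. The following is an added example, not connector code: FakeActiveList is a constructed in-memory stand-in for an ESM Active List whose methods mirror those three actions, and the two ingest functions contrast clearing the whole list after reading it (entries whose alert creation failed, and entries that arrived while the run was in progress, are wiped) with deleting exactly the entries that became alerts, passed in the same column order the Entry List parameter expects.

```python
"""Read an Active List, create alerts, then remove only what was processed.

Added example; ``FakeActiveList`` is a constructed stand-in for the ESM Active
List, and ``create_alert`` is a caller-supplied function that stands in for
alert creation in FortiSOAR.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Entry = Tuple[str, ...]  # one row, values in the active list's column order


class FakeActiveList:
    def __init__(self, columns: List[str]) -> None:
        self.columns = columns
        self._rows: List[Entry] = []

    def add(self, *rows: Iterable[str]) -> None:
        # Entries must line up with the column names, as the Entry List parameter requires.
        for row in rows:
            row = tuple(row)
            if len(row) != len(self.columns):
                raise ValueError(f"entry {row!r} does not match columns {self.columns}")
            self._rows.append(row)

    def get_entries(self) -> List[Entry]:          # mirrors Get Active List Entries
        return list(self._rows)

    def clear(self) -> None:                        # mirrors Clear Active List Entries
        self._rows.clear()

    def delete_entries(self, entries: List[Entry]) -> int:  # mirrors Delete Active List Entries
        doomed = set(entries)
        before = len(self._rows)
        self._rows = [r for r in self._rows if r not in doomed]
        return before - len(self._rows)


def _create_alerts(al: FakeActiveList, create_alert: Callable[[Dict[str, str]], None]) -> List[Entry]:
    """Create one alert per entry; return the entries whose alert creation succeeded."""
    created: List[Entry] = []
    for entry in al.get_entries():
        try:
            create_alert(dict(zip(al.columns, entry)))
            created.append(entry)
        except Exception:
            continue  # leave the entry for a later run instead of losing it
    return created


def ingest_clear_all(al, create_alert, arrives_during_run=()) -> Tuple[List[Entry], List[Entry]]:
    """Lossy pattern: read, create alerts, then clear the whole list."""
    created = _create_alerts(al, create_alert)
    al.add(*arrives_during_run)   # correlated events landing while the run is in progress
    al.clear()                    # wipes failed entries and late arrivals alike
    return created, al.get_entries()


def ingest_delete_processed(al, create_alert, arrives_during_run=()) -> Tuple[List[Entry], List[Entry]]:
    """Safe pattern: delete exactly the entries that were turned into alerts."""
    created = _create_alerts(al, create_alert)
    al.add(*arrives_during_run)
    al.delete_entries(created)    # unprocessed and late entries stay for the next run
    return created, al.get_entries()


def demo(strategy) -> Tuple[List[Entry], List[Entry]]:
    """Constructed scenario: three entries, one of which fails alert creation,
    plus one entry arriving mid-run. Returns (created, entries left in the list)."""
    al = FakeActiveList(["eventId", "name"])
    al.add(("1", "ok"), ("2", "broken"), ("3", "ok"))

    def create_alert(fields: Dict[str, str]) -> None:
        if fields["name"] == "broken":
            raise RuntimeError("alert creation failed")

    return strategy(al, create_alert, arrives_during_run=[("4", "late")])
```

Running demo with ingest_clear_all leaves the list empty even though entry 2 never became an alert and entry 4 was never read; with ingest_delete_processed both remain for the next scheduled pull.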
None.
The output contains the following populated JSON schema:
{
"sei.getFieldsResponse": {
"sei.return": [
{
"fieldDisplayName": "",
"fieldType": {
"type": "",
"javaTypeName": "",
"name": ""
},
"sidetable": "",
"derived": "",
"groupDisplayName": "",
"simple": "",
"fieldName": "",
"reference": "",
"fieldIndex": "",
"copyOfFieldName": "",
"groupName": ""
}
]
}
}
| Parameter | Description |
|---|---|
| Query Viewer ID | Resource ID of the query viewer for which you want to retrieve details from ArcSight ESM. |
No output schema is available at this time.
The Sample - Micro Focus ArcSight ESM - 3.1.1 playbook collection comes bundled with the Micro Focus ArcSight connector. The playbooks in this collection contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during a connector upgrade or deletion.
For troubleshooting any issues with the Pull ArcSight Events Service, see the /var/log/cyops/cyops-integrations/arcsight/arcsight_reader.log log file.
This generally occurs in the case of self-signed SSL certificates. If you are using self-signed certificates for testing or staging, keep in mind that this problem will not occur in production, and you might need to switch the certificates on or off when moving between environments.
Resolution:
Ensure that the SSL certificates are trusted or that SSL checking is turned off in the wrapper script. This is not advised for production instances.
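The usual alternative to turning SSL checking off is to make the self-signed or internal CA trusted by pointing the client at a CA bundle. The following is an added example, not the connector's wrapper script: resolve_tls_verify returns the value a practitioner would hand to an HTTP client's verify option (the system trust store, a path to a PEM bundle, or False only for a non-production environment that explicitly opts in), and refuses to disable verification for production. The environment label, the allow_insecure flag and the placeholder bundle file are assumptions of this example.

```python
"""Resolve the TLS verification setting for the ArcSight ESM connection.

Added example, not connector code. The return value is what you would pass as
``verify`` to a client such as ``requests``: True, a CA bundle path, or False.
"""
from typing import Union

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def looks_like_pem_bundle(path: str) -> bool:
    """Cheap sanity check: the file exists and holds at least one PEM certificate block."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return PEM_MARKER in fh.read()
    except OSError:
        return False


def resolve_tls_verify(ca_bundle: str = "", allow_insecure: bool = False,
                       environment: str = "production") -> Union[bool, str]:
    """Pick the verification mode, preferring a trusted bundle over disabling checks.

    - ca_bundle set: validate the file and trust that bundle (self-signed CAs go here)
    - allow_insecure outside production: return False (checks off, test/staging only)
    - allow_insecure in production: refuse
    - otherwise: True, i.e. the system trust store
    """
    if ca_bundle:
        if not looks_like_pem_bundle(ca_bundle):
            raise ValueError(f"CA bundle {ca_bundle!r} is missing or not a PEM certificate file")
        return ca_bundle
    if allow_insecure:
        if environment.strip().lower() == "production":
            raise ValueError("TLS verification cannot be disabled in production")
        return False
    return True


def write_placeholder_bundle(path: str) -> str:
    """Write a constructed placeholder file with a PEM header so the example can be
    exercised offline. It is not a real certificate and validates nothing."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(PEM_MARKER + "\nMIIB...placeholder-not-a-real-cert...\n-----END CERTIFICATE-----\n")
    return path
```

In a real deployment the bundle would be the exported CA certificate that signed the ESM server certificate; with that in place the connector can keep verification on in every environment.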
There are many reasons for a playbook failure, for example, if a required field is null in the target module record, or there are problems with the Playbook Appliance keys.
Resolution:
Investigate the reason for failure using the Running Playbooks tab in the Playbook Administration page. Review the step in which the failure is being generated and the result of the step, which should contain the trace of the error. If you have identified the error but cannot resolve it, contact Fortinet support for further assistance.
When you upgrade your connector and select the Enable Pull ArcSight Events Service checkbox, the connector sometimes goes into the "Disconnected" state due to an issue with the notification service.
Resolution:
To resolve this issue, deactivate and then again activate the connector.
ArcSight ESM and FortiSOAR™ integration is achieved by the following simple steps:
An Active List in ArcSight ESM holds correlated events, which can be read by FortiSOAR™ and then converted into alerts.
To ingest data from ArcSight, you need to create an “Active List” and configure “Rules” in ArcSight ESM, so that events from ArcSight ESM can be pulled into FortiSOAR™ as described in the following sections.
Use the “FortiSOAR_ArcSight.arb” package to create the Active List in ArcSight ESM and configure the Rule that forwards desired events to the created active list. You have to create and configure a rule to define the type of events you want to forward and investigate in FortiSOAR™. Once the active list is added and the rule is configured, FortiSOAR™ monitors the active list, pulls the desired events from ArcSight ESM, and creates alerts in FortiSOAR™.
Download the FortiSOAR_ArcSight.arb package, which is attached to this article, and then import it into ArcSight ESM as described in the Importing the FortiSOAR_ArcSight.arb package in ArcSight section.
Alternatively, you can manually set up the active list and the rules using the standard ArcSight interface. Points to be considered while manually setting up rules:
Rule:
The following image displays a sample ArcSight Rule to Forward Events to an Active list:

The following image displays an Active List populated with desired events and the Resource ID is highlighted in the right pane:

FortiSOAR™ requires a user account and password to connect to ArcSight ESM. You could use an existing user, or create a new standard user for this purpose. This user account will be used by FortiSOAR™ to fetch and/or update events and invoke other supported actions. Ensure that the user has the following permissions:
The following image displays a FortiSOAR user in ArcSight ESM with "Read" and "Write" access to FortiSOAR AL:

Install and configure the Micro Focus ArcSight Connector in FortiSOAR™ as described in the Installing the connector and Configuring the connector sections.
Configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming ArcSight ESM correlated event data into a FortiSOAR™ alert.
The Data Ingestion Wizard enables you to configure scheduled pulling of data from ArcSight ESM into FortiSOAR™. It also lets you pull some sample data from ArcSight ESM, using which you can define the mapping of data between ArcSight ESM and FortiSOAR™. Mapping of common fields is generally already done by the Data Ingestion Wizard; users typically only need to map any custom fields that are added to the ArcSight event.



For additional information about the “Data Ingestion Wizard” and installing and configuring connectors, see the "Connectors Guide" in the FortiSOAR™ product documentation.
Importing the FortiSOAR_ArcSight.arb package in ArcSight
Note: The 'FortiSOAR_ArcSight.arb' package included with this version has been updated to remove the 'Active List Rule' from the package.
Download the FortiSOAR_ArcSight.arb file that is attached to this document.
To import the FortiSOAR_ArcSight.arb package in ArcSight, navigate to the Packages tab in ArcSight as shown in the following image:
Import FortiSOAR_ArcSight.arb. The FortiSOAR_ArcSight.arb package contains the Active List (FortiSOAR_Event_collector).
Once the FortiSOAR_ArcSight.arb package is imported successfully, the FortiSOAR Active List will appear in ArcSight as follows:
To avoid data loss while using data ingestion playbooks, do the following:




'Error message' in vars.steps.Fetch_Event_Details_And_Create_Record condition: 