
Micro Focus ArcSight ESM v4.0.0

About the connector

Micro Focus ArcSight Enterprise Security Manager (ESM) is a SIEM platform for threat detection, analysis, triage, and compliance management. This connector ingests events from Micro Focus ArcSight ESM and supports search and case management operations.

This document provides information about the Micro Focus ArcSight ESM connector, which facilitates automated interactions with a Micro Focus ArcSight ESM server using FortiSOAR™ playbooks. Add the Micro Focus ArcSight ESM connector as a step in FortiSOAR™ playbooks and perform automated operations with Micro Focus ArcSight ESM.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 7.4.3-3294

Micro Focus ArcSight ESM Version Tested on: 7.6.0.2729.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

  • Re-developed the connector with new Micro Focus ArcSight ESM Detect REST APIs; hence all the actions, output schemas, and playbooks are updated.
    • Added parameters From Date and To Date to the action Get Event Details.
    • Added parameter Column Names List to the action Delete Active List Entries.
    • Renamed the following actions:
      • Update Active List to Add Active List Entries.
      • Get Fields to Get Event Fields.
      • Delete Report to Delete Archive Report.
    • Renamed the following parameters for specified actions:
      • In action Update Case, Custom Fields is now Additional Attributes. The parameter type is now JSON.
      • In action Create Case, Additional attributes in json format is now Additional Attributes. The parameter type is now JSON.
      • In action Add Events To Case, Case ID is now Resource ID.
      • In action Get Case Information, Case ID is now Resource ID.
    • Removed parameters Time Field Names and Date Time Format from the action Get Event Details.
    • Removed parameter Deprecated from the action Create Case.
    • Removed parameters Deprecated and Notification Group IDs from the action Update Case.
    • Updated output schema for following actions:
      • Get Case Information
      • Get Event Fields (previously Get Fields)
  • Fixed a bug where the credentials were displayed in plain-text when connector configuration failed.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-arcsight

IMPORTANT: Upgrading the connector from 2.x to 3.x is not backward compatible because explicit changes are needed in the existing playbooks to delete the Active List Entries after alerts have been created in FortiSOAR™.

Prerequisites to configuring the connector

  • You must have the IP Address or FQDN of the Micro Focus ArcSight ESM server and credentials to access the server.
  • The FortiSOAR™ server must have outbound connectivity to the REST API port of the Micro Focus ArcSight ESM server (8443 by default; see the ESM Port configuration parameter).

Minimum Permissions Required

  • You need Read and Write access on the resources to use this connector and run actions.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Micro Focus ArcSight ESM connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL IP Address or FQDN of the Micro Focus ArcSight ESM server to which you will connect and perform automated operations.
ESM Port REST API port of the Micro Focus ArcSight ESM server.
Defaults to 8443.
Username Specify the username to access the endpoint to which you will connect and perform the automated operations.
Password Specify the password to access the endpoint to which you will connect and perform the automated operations.
Active List ID Resource ID of the active list from which you want to retrieve events from Micro Focus ArcSight ESM. Actions that take an Active List ID use this value when no ID is specified in the action.
API Version Specify the API version of the endpoint to which you will connect and perform the automated operations. Note: If not specified, requests are sent without an API version.
Verify SSL Specifies whether the SSL certificate of the server is to be verified.
By default, this option is set to True. Keep it enabled: with verification disabled, the ESM username and password are sent to whichever host answers on the configured port, so an attacker in the network path can capture them.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function Description Annotation and Category
Annotate Event Updates a Micro Focus ArcSight event stage, assigns it to a user, and adds a comment based on the event ID, stage name, user and other input parameters you have specified. annotate_event
Investigation
Annotate Event By Stage ID Updates a Micro Focus ArcSight event stage, assigns it to a user, and adds a comment based on resource ID of the stage, event ID, and other input parameters you have specified. annotate_event_by_stage_id
Investigation
Run Report with Default Parameters Runs a report on the Micro Focus ArcSight ESM server based on an ID or a URI that you have specified. run_report
Investigation
Run Report Runs a report on the Micro Focus ArcSight ESM server based on the report ID and other input parameters you have specified. run_report
Investigation
Delete Archive Report Deletes an archived report from the Micro Focus ArcSight ESM server, based on the report ID that you have specified. delete_report
Remediation
Download Report Downloads a report from the Micro Focus ArcSight ESM server based on the report ID and name of the report to download as an attachment in FortiSOAR™'s Attachments module. download_report
Investigation
Get Event Details Retrieves information for a specific event from the Micro Focus ArcSight ESM server, based on the event IDs, date range, and other input parameters you have specified. get_event_info
Investigation
Get Active List Information Retrieves information about an active list from Micro Focus ArcSight ESM, based on the Active List ID that you have specified. get_active_list_info
Investigation
Get Active List Entries Retrieves entries for a specified active list, based on the Active List ID, count of entries, and other input parameters that you have specified. get_active_list_entries
Investigation
Add Active List Entries Adds new items to a specified active list on the Micro Focus ArcSight ESM server, based on the Active List ID, column names, and other input parameters you have specified. add_active_list_entries
Investigation
Delete Active List Entries Deletes entries from a specified active list on the Micro Focus ArcSight ESM server, based on the Active List ID, column names, and other input parameters you have specified. delete_active_list_entries
Investigation
Clear Active List Entries Clears all entries from a specified active list, based on the Active List ID that you have specified. clear_active_list_entries
Remediation
Create Case Creates a case on the Micro Focus ArcSight ESM server, based on the Parent Group ID, Case Name, and other input parameters that you have specified. create_case
Investigation
Add Events To Case Adds the specified event to an existing case in the Micro Focus ArcSight ESM server, based on the Resource ID and Event ID that you have specified. add_events
Investigation
Get Case Information Retrieves information about a case from the Micro Focus ArcSight ESM server, based on the case ID that you have specified. get_case_info
Investigation
Update Case Updates an existing case in the Micro Focus ArcSight ESM server, based on the Resource ID, Case Name, and other input parameters that you have specified. update_case
Investigation
Delete Case Events Delete specified events from an existing case on the Micro Focus ArcSight ESM server, based on the case and event IDs that you have specified. delete_event
Remediation
Get Event Fields Retrieves a full list of security event fields from the Micro Focus ArcSight ESM server. get_event_fields
Investigation
Get Query Viewer Data Retrieves query viewer data from the Micro Focus ArcSight ESM server, based on the query viewer ID you have specified get_query_viewer_data
Investigation
Search Query Searches the Micro Focus ArcSight ESM server records based on the query and other input parameters that you have specified search_query
Investigation

operation: Annotate Event

You can annotate Micro Focus ArcSight Events using the Micro Focus ArcSight Console to update the Stage and Assignee of the event and to add comments to the event.

Micro Focus ArcSight Console: Update Stage and Add Comments to the event

 Micro Focus ArcSight Console: Update Assignee of the event

You can also perform similar operations using the Annotate Event function in FortiSOAR™ playbooks.

Input parameters

Parameter Description
Event ID Specify the ID of the Micro Focus ArcSight event to annotate.
Stage Select the stage to be set for the event. You can choose from the following values:
  • Queued
  • Initial
  • Monitoring
  • Rule Created
  • Follow-Up
  • Final
  • Flagged as Similar
  • Closed
  • Other: Select this option to specify a Stage name.
User Specify an existing Micro Focus ArcSight user to whom the annotated event is assigned. For example, admin.
Comment Specify a comment to add to the event.

Output

The output contains a non-dictionary value.

operation: Annotate Event By Stage ID

Input parameters

Parameter Description
Event ID Specify the ID of the Micro Focus ArcSight event to annotate
Stage ID Specify the resource ID of the stage to set for the specified event.
User (Optional) Specify an existing Micro Focus ArcSight user to whom the annotated event is assigned. For example, admin.
Comment (Optional) Specify a comment to add to the event.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Run Report with Default Parameters

You can get the ID for a report (Resource ID) from the Micro Focus ArcSight Console, as shown in the following image:

ArcSight Console - Resource ID

You can get the URI for a report from the Micro Focus ArcSight Console. To get the URI, you must add the report name to the parent resource, as shown in the following image:

ArcSight Console - Parent Groups: Resources

Input parameters

Parameter Description
Run Report By Select the parameter based on which to run a report on the Micro Focus ArcSight ESM server. You can choose from the following options:
  • Report ID
  • Report URI
Report URI or Report ID Specify the ID or URI, depending on the selection in Run Report By field, of the report to run on the Micro Focus ArcSight ESM server.

Output

The output contains a non-dictionary value.

operation: Run Report

Input parameters

Parameter Description
Report Id Specify the ID of the report to run on the Micro Focus ArcSight ESM server.
Input parameters Specify the input parameters in JSON format. For example,
{"StartTime": "$Now - 3h", "Report Format": "0"}

The keys are the same as seen on the Micro Focus ArcSight console.

NOTE: The values for the drop-down fields are their integer positions. For example, the Report Format should be specified as 0, 1, or 2 and not as pdf, csv, html, etc.

Output

The output contains a non-dictionary value.

operation: Delete Archive Report

Input parameters

Parameter Description
Report ID Specify the ID of the archived report that you want to delete from the Micro Focus ArcSight ESM server.

Output

The output contains a non-dictionary value.

operation: Download Report

Input parameters

Parameter Description
Report ID Specify the ID of the report to download from the Micro Focus ArcSight ESM server and upload as an attachment in FortiSOAR™.
NOTE: You can get the ID of the report using the Run Report function.
Name of the file when added as an attachment in FortiSOAR Specify a name of the downloaded report to save as an attachment in FortiSOAR™'s Attachments module. If you do not specify a name, the file is saved as ArcSight ID-of-the-report, by default.

Output

The JSON output contains the details of the attachment in FortiSOAR™.

{
    "id": "",
    "@id": "",
    "file": {
        "id": "",
        "@id": "",
        "size": "",
        "uuid": "",
        "@type": "",
        "assignee": "",
        "filename": "",
        "metadata": [],
        "mimeType": "",
        "thumbnail": "",
        "uploadDate": ""
    },
    "name": "",
    "type": "",
    "uuid": "",
    "@type": "",
    "tasks": [],
    "alerts": [],
    "assets": [],
    "owners": [],
    "people": [],
    "tenant": {
        "id": "",
        "@id": "",
        "name": "",
        "role": "",
        "uuid": "",
        "@type": "",
        "region": "",
        "license": "",
        "industry": "",
        "tenantId": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": "",
        "description": "",
        "isDedicated": "",
        "allowRemoteMMDModification": ""
    },
    "@context": "",
    "assignee": "",
    "comments": [],
    "conflict": "",
    "warrooms": [],
    "incidents": [],
    "createDate": "",
    "createUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "indicators": [],
    "modifyDate": "",
    "modifyUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "recordTags": [],
    "userOwners": [],
    "description": "",
    "tenantRecordId": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Event IDs Specify an event ID to retrieve its details from the Micro Focus ArcSight ESM server. You can add multiple IDs using the CSV or list format.
From Date Specify the start date of the range from when to retrieve the events from the Micro Focus ArcSight ESM server.
To Date Specify the end date of the range till when to retrieve the events from the Micro Focus ArcSight ESM server.
Replace Null Values with Empty String? Select this option (default: true) to replace an event field that is not set with an empty string. When cleared, the placeholder value that the API returns in place of NULL is passed through unchanged.

NOTE: Refer to the section API Returned NULL Values for the values returned when the event field is not set.

IP Address Keys to Parse (Optional) Specify a comma-separated list of field names to convert from decimal to IP address format. The Micro Focus ArcSight ESM API returns IP address fields as decimal integers. Defaults to address.
MAC Address Keys to Parse (Optional) Specify a comma-separated list of field names to convert from decimal to MAC address format. The Micro Focus ArcSight ESM API returns MAC address fields as decimal integers. Defaults to macAddress,translatedAddress.

API Returned NULL Values

The Micro Focus ArcSight ESM APIs return the following placeholder values if an event field is not set:

Field Type Returned value in place of NULL
Integer -2147483648 (Integer.MIN_VALUE)
Long -9223372036854775808 (Long.MIN_VALUE)
Double 4.9e-324 (Double.MIN_VALUE, the smallest positive subnormal double; printed as 5e-324 by Python and some JSON serializers)
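The following is an added example (not part of the connector's own code) showing how a playbook post-processing step can apply the three transformations described above to one event returned by Get Event Details: replacing the NULL placeholder values with empty strings, and rendering the decimal address fields as dotted-quad IPv4 and colon-separated MAC strings. The sample event is constructed for the example; the treatment of negative address values as signed 32-bit/48-bit integers (masked before conversion) is an assumption, not something the page states.

```python
import ipaddress
from typing import Any

# Placeholders ArcSight ESM returns when an event field is not set (see the table above).
INT_MIN = -2147483648                # Integer.MIN_VALUE
LONG_MIN = -9223372036854775808      # Long.MIN_VALUE
DOUBLE_MIN = 5e-324                  # Double.MIN_VALUE; 4.9e-324 parses to the same subnormal

# Defaults of the connector's "IP Address Keys to Parse" / "MAC Address Keys to Parse" parameters.
DEFAULT_IP_KEYS = ("address",)
DEFAULT_MAC_KEYS = ("macAddress", "translatedAddress")


def is_null_sentinel(value: Any) -> bool:
    """True if value is one of the placeholders ESM uses in place of NULL.

    A genuine field value equal to a sentinel cannot be told apart from "not set";
    that is inherent to the API's encoding, not something this code can fix.
    """
    if isinstance(value, bool):          # bool is an int subclass; never a sentinel
        return False
    if isinstance(value, int):
        return value in (INT_MIN, LONG_MIN)
    if isinstance(value, float):
        return value == DOUBLE_MIN
    return False


def decimal_to_ipv4(value: int) -> str:
    """Render a decimal IPv4 field as a dotted quad.

    Assumption: ESM may serialise the 32-bit address as a signed integer, so the
    value is masked to 32 bits first (e.g. -1062731519 -> 192.168.1.1).
    """
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def decimal_to_mac(value: int) -> str:
    """Render a decimal 48-bit MAC as colon-separated hex (same signedness assumption)."""
    return ":".join(f"{b:02x}" for b in (value & 0xFFFFFFFFFFFF).to_bytes(6, "big"))


def normalize_event(obj: Any, ip_keys=DEFAULT_IP_KEYS, mac_keys=DEFAULT_MAC_KEYS,
                    replace_null: bool = True) -> Any:
    """Recursively post-process one event (nested dicts and lists) as Get Event Details would."""
    if isinstance(obj, list):
        return [normalize_event(v, ip_keys, mac_keys, replace_null) for v in obj]
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if isinstance(value, (dict, list)):
            out[key] = normalize_event(value, ip_keys, mac_keys, replace_null)
        elif is_null_sentinel(value):
            out[key] = "" if replace_null else value     # never convert a sentinel to 128.0.0.0
        elif key in ip_keys and is_int:
            out[key] = decimal_to_ipv4(value)
        elif key in mac_keys and is_int:
            out[key] = decimal_to_mac(value)
        else:
            out[key] = value
    return out


# Constructed sample event: a subset of the Get Event Details output schema.
SAMPLE_EVENT = {
    "eventId": 1234567,
    "name": "Failed login",
    "bytesIn": INT_MIN,                        # integer field not set
    "endTime": LONG_MIN,                       # long field not set
    "deviceCustomFloatingPoint1": DOUBLE_MIN,  # double field not set
    "destination": {"address": -1062731519, "port": 22, "macAddress": 73588229205},
    "concentratorAgents": [{"address": 167772161}],   # 10.0.0.1 as an unsigned decimal
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_event(SAMPLE_EVENT), indent=2))
```

The sentinel check runs before the address conversion on purpose: an unset `address` field arrives as Integer.MIN_VALUE, and converting that to an IP would yield a plausible-looking but false 128.0.0.0.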

Output

The output contains the following populated JSON schema:

[
    {
        "ttl": "",
        "name": "",
        "type": "",
        "agent": {
            "id": "",
            "name": "",
            "type": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "mutable": "",
            "version": "",
            "hostName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "device": {
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "vendor": "",
            "address": "",
            "assetId": "",
            "mutable": "",
            "product": "",
            "version": "",
            "hostName": "",
            "assetName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "bytesIn": "",
        "endTime": "",
        "eventId": "",
        "bytesOut": "",
        "category": {
            "object": "",
            "mutable": "",
            "outcome": "",
            "behavior": "",
            "deviceGroup": "",
            "significance": ""
        },
        "locality": "",
        "priority": "",
        "severity": "",
        "domainFp1": "",
        "domainFp2": "",
        "domainFp3": "",
        "domainFp4": "",
        "domainFp5": "",
        "domainFp6": "",
        "domainFp7": "",
        "domainFp8": "",
        "flexDate1": "",
        "managerId": "",
        "relevance": "",
        "sessionId": "",
        "startTime": "",
        "dummyField": "",
        "originator": "",
        "destination": {
            "geo": {
                "mutable": "",
                "latitude": "",
                "longitude": "",
                "latitudeLong": "",
                "longitudeLong": ""
            },
            "port": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "assetId": "",
            "mutable": "",
            "hostName": "",
            "assetName": "",
            "processId": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedPort": "",
            "translatedAddress": ""
        },
        "domainDate1": "",
        "domainDate2": "",
        "domainDate3": "",
        "domainDate4": "",
        "domainDate5": "",
        "domainDate6": "",
        "finalDevice": {
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "vendor": "",
            "address": "",
            "assetId": "",
            "mutable": "",
            "product": "",
            "version": "",
            "hostName": "",
            "assetName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "flexNumber1": "",
        "flexNumber2": "",
        "persistence": "",
        "deviceCustom": {
            "mutable": "",
            "number1Label": "",
            "string1Label": "",
            "string2Label": ""
        },
        "agentSeverity": "",
        "domainNumber1": "",
        "domainNumber2": "",
        "domainNumber3": "",
        "domainNumber4": "",
        "domainNumber5": "",
        "domainNumber6": "",
        "domainNumber7": "",
        "domainNumber8": "",
        "domainNumber9": "",
        "originalAgent": {
            "id": "",
            "name": "",
            "type": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "mutable": "",
            "version": "",
            "hostName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "baseEventCount": "",
        "deviceSeverity": "",
        "domainNumber10": "",
        "domainNumber11": "",
        "domainNumber12": "",
        "domainNumber13": "",
        "objectTypeName": "",
        "deviceDirection": "",
        "deviceProcessId": "",
        "domainIpv4addr1": "",
        "domainIpv4addr2": "",
        "domainIpv4addr3": "",
        "domainIpv4addr4": "",
        "eventAnnotation": {
            "flags": "",
            "stage": {
                "id": "",
                "uri": "",
                "managerID": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "endTime": "",
            "eventId": "",
            "version": "",
            "auditTrail": "",
            "stageUpdateTime": "",
            "modificationTime": "",
            "managerReceiptTime": ""
        },
        "modelConfidence": "",
        "agentReceiptTime": "",
        "assetCriticality": "",
        "deviceCustomDate1": "",
        "deviceCustomDate2": "",
        "deviceReceiptTime": "",
        "concentratorAgents": [
            {
                "id": "",
                "name": "",
                "type": "",
                "zone": {
                    "id": "",
                    "uri": "",
                    "referenceID": "",
                    "isModifiable": "",
                    "referenceName": "",
                    "referenceType": "",
                    "referenceString": ""
                },
                "address": "",
                "mutable": "",
                "version": "",
                "hostName": "",
                "macAddress": "",
                "assetLocalId": "",
                "addressAsBytes": "",
                "translatedAddress": ""
            }
        ],
        "deviceEventClassId": "",
        "managerReceiptTime": "",
        "concentratorDevices": [
            {
                "zone": {
                    "id": "",
                    "uri": "",
                    "referenceID": "",
                    "isModifiable": "",
                    "referenceName": "",
                    "referenceType": "",
                    "referenceString": ""
                },
                "vendor": "",
                "address": "",
                "assetId": "",
                "mutable": "",
                "product": "",
                "version": "",
                "hostName": "",
                "assetName": "",
                "macAddress": "",
                "assetLocalId": "",
                "addressAsBytes": "",
                "translatedAddress": ""
            }
        ],
        "deviceCustomNumber1": "",
        "deviceCustomNumber2": "",
        "deviceCustomNumber3": "",
        "deviceCustomString1": "",
        "deviceCustomString2": "",
        "deviceEventCategory": "",
        "aggregatedEventCount": "",
        "correlatedEventCount": "",
        "deviceCustomFloatingPoint1": "",
        "deviceCustomFloatingPoint2": "",
        "deviceCustomFloatingPoint3": "",
        "deviceCustomFloatingPoint4": ""
    }
]

operation: Get Active List Information

Input parameters

Parameter Description
Active List ID Specify the resource ID of the active list for which to retrieve details from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "optimizeData": "",
    "capacity": "",
    "entryTimeToLive": "",
    "multiMap": "",
    "partialCache": "",
    "timePartitioned": "",
    "activeListType": "",
    "caseSensitiveType": "",
    "countLimit": "",
    "cacheModel": "",
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": "",
    "fields": [
        {
            "name": "",
            "type": "",
            "subType": "",
            "key": ""
        }
    ]
}

operation: Get Active List Entries

Input parameters

Parameter Description
Active List ID (Optional) Specify the resource ID of the active list for which to retrieve entries from the Micro Focus ArcSight ESM server. If not specified, the Active List ID from the connector configuration is used.
Count (Optional) Specify the maximum number of active list entries this operation should retrieve from the Micro Focus ArcSight ESM server. By default, all entries from the active list are returned.
Clear Active List Entries Select this option, i.e., set it to True (default), to clear the entries of the specified active list after they have been retrieved. This is destructive: once this action has read the entries, they are removed from ESM. Clear this option when the playbook only needs to inspect the list.

Output

The output contains a non-dictionary value.

operation: Add Active List Entries

Input parameters

Parameter Description
Active List ID (Optional) Specify a resource ID of the Active List to update on the Micro Focus ArcSight ESM server.
Column Names List Specify a list of column names that you want to update on the Micro Focus ArcSight ESM server, i.e., columns in which you want to add entries.
Entry List Specify a list of entries to add to the specified active list on the Micro Focus ArcSight ESM server. You must add the values in the same sequence as the columns specified. For example:
    [
        {
            "fields": ["val1", "val2"]
        },

        {
            "fields": ["val3", "val4"]
        }
    ]

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Delete Active List Entries

Input parameters

Parameter Description
Active List ID Specify a resource ID of the Active List from which to delete entries on the Micro Focus ArcSight ESM server.

NOTE: The default ID is taken from the connector configuration. For more information, see the Configuring the connector section.

Column Names List Specify a list of column names that you want to delete from the specified active list.
Entry List Specify a list of entries to delete from the specified active list on the Micro Focus ArcSight ESM server. You must add the values in the same sequence as the columns specified. For example,
    [
        {
            "fields": ["val1", "val2"]
        },

        {
            "fields": ["val3", "val4"]
        }
    ]
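Both Add Active List Entries and Delete Active List Entries take the same positional Entry List, where each "fields" array must line up with the Column Names List. The following added example (not the connector's own code) builds that payload from rows keyed by column name, so that a row written in a different key order still lands in the right columns, and rejects rows with missing or unknown columns instead of silently shifting values. It assumes the Column Names List may be given as a CSV string or a list, and that active-list cells are sent as strings, as in the example above; both are assumptions of this example.

```python
from typing import Any, Iterable, List, Mapping


def parse_column_names(value) -> List[str]:
    """Accept the Column Names List as a CSV string or as a list (assumption of this example)."""
    if isinstance(value, str):
        columns = [c.strip() for c in value.split(",") if c.strip()]
    else:
        columns = [str(c).strip() for c in value]
    if not columns:
        raise ValueError("Column Names List is empty")
    if len(set(columns)) != len(columns):
        raise ValueError(f"duplicate column names: {columns}")
    return columns


def field_value(value: Any) -> str:
    """Render one active-list cell as a string (assumption: ESM stores entries as strings)."""
    if value is None:
        raise ValueError("None is not a valid active-list value; use an empty string instead")
    if isinstance(value, bool):
        return "true" if value else "false"   # avoid Python's "True"/"False" spelling
    return str(value)


def entry_list_errors(column_names, rows: Iterable[Mapping[str, Any]]) -> List[str]:
    """Return one message per row that does not match the column list exactly."""
    columns = parse_column_names(column_names)
    errors = []
    for index, row in enumerate(rows):
        missing = [c for c in columns if c not in row]
        unknown = sorted(set(row) - set(columns))
        if missing:
            errors.append(f"entry {index}: missing columns {missing}")
        if unknown:
            errors.append(f"entry {index}: unknown columns {unknown}")
    return errors


def build_entry_list(column_names, rows: Iterable[Mapping[str, Any]]) -> List[dict]:
    """Build the Entry List payload, [{"fields": [...]}, ...], in Column Names List order."""
    rows = list(rows)
    errors = entry_list_errors(column_names, rows)
    if errors:
        raise ValueError("; ".join(errors))
    columns = parse_column_names(column_names)
    return [{"fields": [field_value(row[c]) for c in columns]} for row in rows]


# Constructed sample rows for a two-column list of blocked sources.
SAMPLE_ROWS = [
    {"reason": "brute force", "ip": "10.0.0.5"},   # keys deliberately out of column order
    {"ip": "10.0.0.6", "reason": "port scan"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_entry_list("ip, reason", SAMPLE_ROWS), indent=2))
```

The same payload can be passed to Delete Active List Entries to remove exactly those rows again, which is how a playbook that blocks a source temporarily can clean up after itself without clearing the whole list.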

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Clear Active List Entries

Input parameters

Parameter Description
Active List ID Specify a resource ID of the Active List for which to clear entries from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Create Case

Input parameters

Parameter Description
Parent Group ID Specify the parent group ID of the case to create.
Case Name Specify the name of the case to create.
Alias (Display Name) (Optional) Specify the alias or display name of the case being created.
Ticket Type (Optional) Specify the ticket type of the case being created. You can choose from the following options:
  • Internal
  • Client
  • Incident
Stage (Optional) Specify the stage that you want to assign to the created case. You can choose from the following options:
  • Queued
  • Initial
  • Follow Up
  • Final
  • Closed
Frequency (Optional) Specify the frequency that you want to assign to the created case. You can choose from the following options:
  • Ten To Fifteen
  • Never Or Once
  • Fifteen
  • Less Than Ten
  • More Than Fifteen
Operational Impact (Optional) Specify the operational impact that you want to assign to the created case. You can choose from the following options:
  • No Impact
  • No Immediate Impact
  • Low Priority Impact
  • High Priority Impact
  • Immediate Impact
Security Classification (Optional) Specify the security classification that you want to assign to the created case. You can choose from the following options:
  • Unclassified
  • Confidential
  • Secret
  • Top Secret
Consequence Severity (Optional) Specify the consequence severity that you want to assign to the created case. You can choose from the following options:
  • None
  • Insignificant
  • Marginal
  • Critical
  • Catastrophic
External ID (Optional) Specify a unique ID for the created case.
Description (Optional) Specify a description of the created case.
Additional Attributes (Optional) Specify, in JSON format, additional attributes to set values for case fields that are not exposed as parameters in FortiSOAR™.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "displayID": "",
    "ticketType": "",
    "stage": "",
    "frequency": "",
    "operationalImpact": "",
    "securityClassification": "",
    "consequenceSeverity": "",
    "reportingLevel": "",
    "originator": "",
    "detectionTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedStartTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedRestoreTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "affectedServices": "",
    "affectedElements": "",
    "estimatedImpact": "",
    "affectedSites": "",
    "attackMechanism": "",
    "attackAgent": "",
    "vulnerability": "",
    "sensitivity": "",
    "associatedImpact": "",
    "action": "",
    "securityClassificationCode": "",
    "actionsTaken": "",
    "plannedActions": "",
    "recommendedActions": "",
    "followupContact": "",
    "attackTarget": "",
    "attackService": "",
    "attackProtocol": "",
    "attackOS": "",
    "attackProgram": "",
    "attackImpact": "",
    "attackTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "finalReportAction": "",
    "attackLocationID": "",
    "attackNode": "",
    "attackAddress": "",
    "vulnerabilityType1": "",
    "vulnerabilityType2": "",
    "vulnerabilityEvidence": "",
    "vulnerabilitySource": "",
    "vulnerabilityData": "",
    "history": "",
    "numberOfOccurences": "",
    "lastOccurenceTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "resistance": "",
    "recordedData": "",
    "inspectionResults": "",
    "conclusions": "",
    "incidentSource1": "",
    "incidentSource2": "",
    "sourceAddress": "",
    "attachmentIDs": [],
    "eventIDs": [],
    "initialized": "",
    "uri": "",
    "inCache": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}

operation: Add Events To Case

Input parameters

Parameter Description
Resource ID Specify the resource ID of the case in which you want to add events.
Event IDs Specify the IDs of the events you want to add to the case. You must provide the Event IDs in a list format.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Get Case Information

Input parameters

Parameter Description
Resource ID Specify the resource ID of the case for which you want to retrieve the information from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "uri": "",
    "name": "",
    "type": "",
    "alias": "",
    "stage": "",
    "state": "",
    "inCache": "",
    "localID": "",
    "disabled": "",
    "eventIDs": [],
    "inactive": "",
    "typeName": "",
    "displayID": "",
    "frequency": "",
    "reference": {
        "id": "",
        "uri": "",
        "managerID": "",
        "externalID": "",
        "isModifiable": "",
        "referenceName": "",
        "referenceType": "",
        "referenceString": ""
    },
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "deprecated": "",
    "externalID": "",
    "resourceId": "",
    "ticketType": "",
    "creatorName": "",
    "description": "",
    "displayName": "",
    "initialized": "",
    "modifierName": "",
    "detectionTime": {
        "day": "",
        "hour": "",
        "year": "",
        "month": "",
        "minute": "",
        "second": "",
        "timezoneID": "",
        "milliSecond": ""
    },
    "reportingLevel": "",
    "createdTimestamp": "",
    "modificationCount": "",
    "modifiedTimestamp": "",
    "operationalImpact": "",
    "estimatedStartTime": {
        "day": "",
        "hour": "",
        "year": "",
        "month": "",
        "minute": "",
        "second": "",
        "timezoneID": "",
        "milliSecond": ""
    },
    "isAdditionalLoaded": "",
    "numberOfOccurences": "",
    "consequenceSeverity": "",
    "securityClassification": "",
    "securityClassificationCode": "",
    "attributeInitializationInProgress": ""
}

operation: Update Case

Input parameters

Parameter Description
Resource ID Specify the resource ID of an existing case you want to update on the Micro Focus ArcSight ESM server.
Case Name (Optional) Specify the name of an existing case to update.
Alias (Display Name) (Optional) Specify the alias or display name of an existing case that you want to update.
Ticket Type (Optional) Specify the ticket type of the case being updated. You can choose from the following options:
  • Internal
  • Client
  • Incident
Stage (Optional) Specify the stage that you want to assign to the updated case. You can choose from the following options:
  • Queued
  • Initial
  • Follow Up
  • Final
  • Closed
Frequency (Optional) Specify the frequency that you want to assign to the updated case. You can choose from the following options:
  • Ten To Fifteen
  • Never Or Once
  • Fifteen
  • Less Than Ten
  • More Than Fifteen
Operational Impact (Optional) Specify the operational impact that you want to assign to the updated case. You can choose from the following options:
  • No Impact
  • No Immediate Impact
  • Low Priority Impact
  • High Priority Impact
  • Immediate Impact
Security Classification (Optional) Specify the security classification that you want to assign to the updated case. You can choose from the following options:
  • Unclassified
  • Confidential
  • Secret
  • Top Secret
Consequence Severity (Optional) Specify the consequence severity that you want to assign to the updated case. You can choose from the following options:
  • None
  • Insignificant
  • Marginal
  • Critical
  • Catastrophic
Estimated Restore Date Time (Optional) Specify the estimated restore date and time to set on the existing case.
External ID (Optional) Specify a unique ID to update in the existing case.
Description (Optional) Specify a description to update in the existing case.
Additional Attributes (Optional) Specify additional attributes to update or set values for fields not displayed in FortiSOAR™.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "displayID": "",
    "ticketType": "",
    "stage": "",
    "frequency": "",
    "operationalImpact": "",
    "securityClassification": "",
    "consequenceSeverity": "",
    "reportingLevel": "",
    "originator": "",
    "detectionTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedStartTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedRestoreTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "affectedServices": "",
    "affectedElements": "",
    "estimatedImpact": "",
    "affectedSites": "",
    "attackMechanism": "",
    "attackAgent": "",
    "vulnerability": "",
    "sensitivity": "",
    "associatedImpact": "",
    "action": "",
    "securityClassificationCode": "",
    "actionsTaken": "",
    "plannedActions": "",
    "recommendedActions": "",
    "followupContact": "",
    "attackTarget": "",
    "attackService": "",
    "attackProtocol": "",
    "attackOS": "",
    "attackProgram": "",
    "attackImpact": "",
    "attackTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "finalReportAction": "",
    "attackLocationID": "",
    "attackNode": "",
    "attackAddress": "",
    "vulnerabilityType1": "",
    "vulnerabilityType2": "",
    "vulnerabilityEvidence": "",
    "vulnerabilitySource": "",
    "vulnerabilityData": "",
    "history": "",
    "numberOfOccurences": "",
    "lastOccurenceTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "resistance": "",
    "recordedData": "",
    "inspectionResults": "",
    "conclusions": "",
    "incidentSource1": "",
    "incidentSource2": "",
    "sourceAddress": "",
    "attachmentIDs": [],
    "eventIDs": [],
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}
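Building the Update Case request body from these parameters, as an added example that is not the connector's own code: it checks the option values listed above, converts a Python datetime into the broken-down time object used by estimatedRestoreTime (and by detectionTime, estimatedStartTime, attackTime and lastOccurenceTime in the Create Case and Update Case outputs), and merges Additional Attributes without letting them override server-owned fields. The field names come from the output schema; passing the option labels through unchanged as enum values and "UTC" as a timezoneID are assumptions.

```python
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Allowed values per parameter, as listed in the Update Case parameter table.
# Assumption: the server accepts these labels unchanged as enum values.
ALLOWED: Dict[str, set] = {
    "ticketType": {"Internal", "Client", "Incident"},
    "stage": {"Queued", "Initial", "Follow Up", "Final", "Closed"},
    "frequency": {"Ten To Fifteen", "Never Or Once", "Fifteen",
                  "Less Than Ten", "More Than Fifteen"},
    "operationalImpact": {"No Impact", "No Immediate Impact",
                          "Low Priority Impact", "High Priority Impact",
                          "Immediate Impact"},
    "securityClassification": {"Unclassified", "Confidential", "Secret",
                               "Top Secret"},
    "consequenceSeverity": {"None", "Insignificant", "Marginal",
                            "Critical", "Catastrophic"},
}

# Server-owned fields from the case output schema. Additional Attributes is
# free-form JSON, so a stale modificationCount or a foreign resourceId could
# otherwise be smuggled into the update body.
PROTECTED = {"resourceId", "reference", "signature", "modificationCount",
             "createdTimestamp", "modifiedTimestamp", "creatorName",
             "modifierName", "uri", "localID", "versionID", "contentVersionID"}


def valid_option(field: str, value: str) -> bool:
    """True if `value` is one of the options the table lists for `field`."""
    return field not in ALLOWED or value in ALLOWED[field]


def to_esm_time(ts: datetime) -> Dict[str, Any]:
    """Convert a datetime to the ESM broken-down time object.

    Naive datetimes are treated as UTC so the server never has to guess the
    zone. Assumption: "UTC" is accepted as a timezoneID.
    """
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return {"year": ts.year, "month": ts.month, "day": ts.day,
            "hour": ts.hour, "minute": ts.minute, "second": ts.second,
            "milliSecond": ts.microsecond // 1000, "timezoneID": "UTC"}


def from_esm_time(obj: Dict[str, Any]) -> datetime:
    """Inverse of to_esm_time for time objects read back from a case (UTC only)."""
    if obj.get("timezoneID") not in ("UTC", "GMT", "Etc/UTC"):
        raise ValueError("unsupported timezoneID: %r" % obj.get("timezoneID"))
    return datetime(int(obj["year"]), int(obj["month"]), int(obj["day"]),
                    int(obj["hour"]), int(obj["minute"]), int(obj["second"]),
                    int(obj["milliSecond"]) * 1000, tzinfo=timezone.utc)


def build_update_case(resource_id: str, case_name: Optional[str] = None,
                      alias: Optional[str] = None, ticket_type: Optional[str] = None,
                      stage: Optional[str] = None, frequency: Optional[str] = None,
                      operational_impact: Optional[str] = None,
                      security_classification: Optional[str] = None,
                      consequence_severity: Optional[str] = None,
                      estimated_restore_time: Optional[datetime] = None,
                      external_id: Optional[str] = None,
                      description: Optional[str] = None,
                      additional_attributes: Optional[Dict[str, Any]] = None
                      ) -> Dict[str, Any]:
    """Return the JSON body for an Update Case call; omitted optionals stay untouched."""
    if not resource_id:
        raise ValueError("Resource ID is required")
    body: Dict[str, Any] = {"resourceId": resource_id}
    simple = {"name": case_name, "alias": alias, "ticketType": ticket_type,
              "stage": stage, "frequency": frequency,
              "operationalImpact": operational_impact,
              "securityClassification": security_classification,
              "consequenceSeverity": consequence_severity,
              "externalID": external_id, "description": description}
    for key, value in simple.items():
        if value is None:
            continue
        if not valid_option(key, value):
            raise ValueError("%s: %r is not one of %s"
                             % (key, value, sorted(ALLOWED[key])))
        body[key] = value
    if estimated_restore_time is not None:
        body["estimatedRestoreTime"] = to_esm_time(estimated_restore_time)
    # Additional Attributes fill fields not exposed as parameters; reject keys
    # that are server-owned or already set by an explicit parameter.
    for key, value in (additional_attributes or {}).items():
        if key in PROTECTED:
            raise ValueError("additional attribute %r is server-owned" % key)
        if key in body:
            raise ValueError("additional attribute %r duplicates a parameter" % key)
        body[key] = value
    return body
```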

operation: Delete Case Events

Input parameters

Parameter Description
Case ID Specify the ID of the case from which to delete events.
Event IDs Specify the IDs of the events to delete from the specified case. You must provide the Event IDs in a list format.

Output

The output contains a non-dictionary value.

operation: Get Event Fields

Input parameters

None.

Output

The output schema exceeds the document size.

operation: Get Query Viewer Data

Input parameters

Parameter Description
Query Viewer ID Specify the resource ID of the query viewer whose data you want to retrieve from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "supportsToggle": "",
    "enabled": "",
    "supportedDataTypes": [],
    "queryViewerId": "",
    "data": {
        "timestamp": "",
        "startTimestamp": "",
        "endTimestamp": "",
        "rows": [
            {}
        ],
        "columnHeaders": [],
        "colHeaderTS": "",
        "maxColumns": "",
        "properties": {
            "additionalProp1": {
                "propertyValue": {}
            }
        }
    },
    "columnAliasMap": {
        "additionalProp1": "",
        "additionalProp2": "",
        "additionalProp3": ""
    },
    "refreshInterval": "",
    "drilldownList": {
        "resourceId": "",
        "name": "",
        "alias": "",
        "description": "",
        "reference": {
            "id": "",
            "uri": "",
            "externalID": "",
            "referenceString": "",
            "referenceID": "",
            "managerID": "",
            "referenceType": "",
            "isModifiable": "",
            "referenceName": ""
        },
        "type": "",
        "typeName": "",
        "subType": "",
        "isAdditionalLoaded": "",
        "modificationCount": "",
        "externalID": "",
        "createdTimestamp": "",
        "modifiedTimestamp": "",
        "versionID": "",
        "contentVersionID": "",
        "referencePage": "",
        "disabled": "",
        "disabledReason": "",
        "inactive": "",
        "inactiveReason": "",
        "deprecated": "",
        "localID": "",
        "state": "",
        "creatorName": "",
        "modifierName": "",
        "notificationGroupIDs": [],
        "role": "",
        "drilldowns": [
            {
                "resourceId": "",
                "name": "",
                "alias": "",
                "description": "",
                "reference": {
                    "id": "",
                    "uri": "",
                    "externalID": "",
                    "referenceString": "",
                    "referenceID": "",
                    "managerID": "",
                    "referenceType": "",
                    "isModifiable": "",
                    "referenceName": ""
                },
                "type": "",
                "typeName": "",
                "subType": "",
                "isAdditionalLoaded": "",
                "modificationCount": "",
                "externalID": "",
                "createdTimestamp": "",
                "modifiedTimestamp": "",
                "versionID": "",
                "contentVersionID": "",
                "referencePage": "",
                "disabled": "",
                "disabledReason": "",
                "inactive": "",
                "inactiveReason": "",
                "deprecated": "",
                "localID": "",
                "state": "",
                "creatorName": "",
                "modifierName": "",
                "notificationGroupIDs": [],
                "drilldownDefinition": {
                    "destinationID": "",
                    "destinationDisplayName": "",
                    "destinationType": "",
                    "menuPrompt": "",
                    "type": ""
                },
                "initialized": "",
                "inCache": "",
                "uri": "",
                "attributeInitializationInProgress": "",
                "signature": {
                    "id": "",
                    "modificationCount": ""
                },
                "displayName": ""
            }
        ],
        "defaultDrilldown": {
            "resourceId": "",
            "name": "",
            "alias": "",
            "description": "",
            "reference": {
                "id": "",
                "uri": "",
                "externalID": "",
                "referenceString": "",
                "referenceID": "",
                "managerID": "",
                "referenceType": "",
                "isModifiable": "",
                "referenceName": ""
            },
            "type": "",
            "typeName": "",
            "subType": "",
            "isAdditionalLoaded": "",
            "modificationCount": "",
            "externalID": "",
            "createdTimestamp": "",
            "modifiedTimestamp": "",
            "versionID": "",
            "contentVersionID": "",
            "referencePage": "",
            "disabled": "",
            "disabledReason": "",
            "inactive": "",
            "inactiveReason": "",
            "deprecated": "",
            "localID": "",
            "state": "",
            "creatorName": "",
            "modifierName": "",
            "notificationGroupIDs": [],
            "drilldownDefinition": {
                "destinationID": "",
                "destinationDisplayName": "",
                "destinationType": "",
                "menuPrompt": "",
                "type": ""
            },
            "initialized": "",
            "inCache": "",
            "uri": "",
            "attributeInitializationInProgress": "",
            "signature": {
                "id": "",
                "modificationCount": ""
            },
            "displayName": ""
        },
        "default": "",
        "initialized": "",
        "inCache": "",
        "uri": "",
        "attributeInitializationInProgress": "",
        "signature": {
            "id": "",
            "modificationCount": ""
        },
        "displayName": ""
    },
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}

operation: Search Query

Input parameters

Parameter Description
Query Specify the search query to run against the Micro Focus ArcSight ESM server.
Start Position Specify a position from where you want to initiate the search. By default, this is set to 0.
Page Size Specify the number of results that you want to display on one page. By default, this is set to 10.

Output

The output contains the following populated JSON schema:

{
    "queryStr": "",
    "rewrittenQueryString": "",
    "statusString": "",
    "elapsed": "",
    "hitCount": "",
    "searchHits": [
        {
            "uuid": "",
            "score": "",
            "name": "",
            "uri": ""
        }
    ],
    "queryTerms": []
}

Included playbooks

The Sample - Micro Focus ArcSight ESM - 4.0.0 playbook collection comes bundled with the Micro Focus ArcSight connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight connector.

  • > ArcSight > Ingest (with EventIDs as input)
  • > Arcsight > Init Macros
  • >> ArcSight > Get Base Events
  • >> Micro Focus ArcSight ESM > Fetch and Create
  • Add Active List Entries
  • Add Events To Case
  • Annotate Event
  • Annotate Event By Stage ID
  • ArcSight > Ingest (Scheduled)
  • Clear Active List Entries
  • Create Case
  • Delete Active List Entries
  • Delete Archive Report
  • Delete Case Events
  • Download Report
  • Get Active List Entries
  • Get Active List Information
  • Get Case Information
  • Get Event Details
  • Get Event Fields
  • Get Query Viewer Data
  • Run Report
  • Run Report with Default Parameters
  • Search Query
  • Update Case

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Micro Focus ArcSight ESM and FortiSOAR™ integration

Micro Focus ArcSight ESM and FortiSOAR™ integration is achieved by the following simple steps:

Set up an Active List in Micro Focus ArcSight ESM

An Active List (AL) in Micro Focus ArcSight ESM holds correlated events, which FortiSOAR™ reads and converts into alerts.

To ingest data from Micro Focus ArcSight, you need to create an Active List and configure Rules in the Micro Focus ArcSight ESM server, so that events from Micro Focus ArcSight ESM can be pulled into FortiSOAR™ as described in the following sections.

Use the FortiSOAR_ArcSight.arb package to create the Active List in Micro Focus ArcSight ESM, and configure the Rule that forwards the desired events to the created active list. You have to create and configure a rule to define the type of events you want to forward and investigate in FortiSOAR™. Once the active list is added and the rule is configured, FortiSOAR™ monitors the active list, pulls the desired events from Micro Focus ArcSight ESM, and creates alerts in FortiSOAR™.
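The polling loop described here, modelled offline as an added example that is not the connector's own code: one poll reads the Active List entries, turns event IDs not seen before into alerts, and marks every handled entry for deletion, so that an entry which is read again because its deletion did not happen is consumed without producing a duplicate alert. The column name eventId and the sample entries are constructed assumptions, not the real layout of the FortiSOAR_Event_collector list.

```python
from typing import Any, Dict, List, Set, Tuple

EVENT_ID_COLUMN = "eventId"  # assumed name of the column holding the event ID

Entry = Dict[str, Any]  # one Active List row, keyed by column name (assumption)

# Constructed: what the first poll of the active list might return.
POLL_1: List[Entry] = [
    {"eventId": "1001", "name": "Brute force login detected", "priority": "8"},
    {"eventId": "1002", "name": "Malware callback", "priority": "9"},
    {"eventId": "1003", "name": "Port scan", "priority": "3"},
]
# Constructed: the second poll. 1002 is back because its deletion failed after
# the alert was created; 1004 is new; the last entry carries no event ID.
POLL_2: List[Entry] = [
    {"eventId": "1002", "name": "Malware callback", "priority": "9"},
    {"eventId": "1004", "name": "Privilege escalation", "priority": "7"},
    {"name": "Entry without event ID", "priority": "5"},
]


def ingest_cycle(entries: List[Entry], seen: Set[str]
                 ) -> Tuple[List[Dict[str, Any]], List[Entry], List[Entry]]:
    """Decide, for one poll, which entries become alerts and which are deleted.

    Returns (alerts, to_delete, skipped). `seen` holds the event IDs already
    turned into alerts and is updated in place, so an entry that is polled
    again because its deletion did not happen is deleted but not re-alerted.
    Entries without an event ID are skipped and left in the list for review
    instead of being silently removed.
    """
    alerts: List[Dict[str, Any]] = []
    to_delete: List[Entry] = []
    skipped: List[Entry] = []
    for entry in entries:
        event_id = entry.get(EVENT_ID_COLUMN)
        if not event_id:
            skipped.append(entry)
            continue
        if event_id not in seen:
            seen.add(event_id)
            alerts.append({"source": "Micro Focus ArcSight ESM",
                           "sourceId": event_id,
                           "name": entry.get("name", ""),
                           "severity": int(entry.get("priority", "0"))})
        # Consumed either way: the alert exists now, so the entry must go,
        # otherwise it is re-read on every poll. This is why entries are
        # deleted from the active list after the alerts have been created.
        to_delete.append(entry)
    return alerts, to_delete, skipped


def run_two_polls() -> Dict[str, int]:
    """Run the two constructed polls against one shared `seen` set."""
    seen: Set[str] = set()
    a1, d1, s1 = ingest_cycle(POLL_1, seen)
    a2, d2, s2 = ingest_cycle(POLL_2, seen)
    return {"alerts": len(a1) + len(a2), "deleted": len(d1) + len(d2),
            "skipped": len(s1) + len(s2), "distinct_events": len(seen)}


if __name__ == "__main__":
    print(run_two_polls())
```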

Download the FortiSOAR_ArcSight.arb package, which is attached to this article, and then import the same into Micro Focus ArcSight ESM, as described in the Importing the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight section.

Alternatively, you can manually set up the active list and the rules using the standard Micro Focus ArcSight interface. Points to be considered while manually setting up rules:

Rule:

  • Create a rule (generally referred to as a Lightweight Rule) that would populate events in the FortiSOAR Active List.
  • Specify conditions to filter out undesired events, for example a condition that excludes low-priority events, so that unnecessary alerts are not pushed to FortiSOAR™.

The following image displays a sample Micro Focus ArcSight Rule to Forward Events to an Active list:

The following image displays an Active List populated with desired events and the Resource ID is highlighted in the right pane:

Create a user in Micro Focus ArcSight ESM

FortiSOAR™ requires a user account and password to connect to the Micro Focus ArcSight ESM server. You can use an existing user or create a new standard user for this purpose. FortiSOAR™ uses this user account to fetch events, update events, and invoke the other supported actions. Ensure that the user has the following permissions:

  • Read and write access to the FortiSOAR Active List ("FortiSOAR AL").
  • Access to all required events in Micro Focus ArcSight ESM, including the base events.

The following image displays a FortiSOAR™ user in the Micro Focus ArcSight ESM server with Read and Write access to FortiSOAR™ AL:

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling event data from Micro Focus ArcSight ESM. Currently, event data ingested from Micro Focus ArcSight ESM is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Micro Focus ArcSight ESM event data to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you configure the scheduled pulling of data from Micro Focus ArcSight ESM into FortiSOAR™. It also lets you pull some sample data from Micro Focus ArcSight ESM, from which you define the mapping of data between Micro Focus ArcSight ESM and FortiSOAR™. The Data Ingestion Wizard generally maps the common fields already; you usually only need to map any custom fields that have been added to the Micro Focus ArcSight ESM event data.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Micro Focus ArcSight ESM connector's Configurations page.

    Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between Micro Focus ArcSight ESM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch event data from Micro Focus ArcSight ESM.

    Users can pull event data from Micro Focus ArcSight ESM by selecting Event IDs, Maximum Events To Pull, and Maximum Base Events To Pull Per Event.

    The fetched data is used to create a mapping between the event data from Micro Focus ArcSight ESM and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the event data ingested from Micro Focus ArcSight ESM to the fields of Alerts in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the path parameter of ingested event data from Micro Focus ArcSight ESM to the File Path parameter of a FortiSOAR™ Alert, click the File Path field and then click the path field to populate its keys:

    The Data Ingestion Wizard uses the specified event IDs to pull sample data from Micro Focus ArcSight ESM into FortiSOAR™. The specified event IDs are used only as sample data and not used for subsequent data ingestion.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify how often FortiSOAR™ polls Micro Focus ArcSight ESM so that content is pulled from the Micro Focus ArcSight ESM integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Micro Focus ArcSight ESM every day, click Daily, and in the minute, hour, and day of month boxes enter 0, 5, and * respectively. This means that the event data will be pulled from Micro Focus ArcSight ESM every day at 5:00 AM:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Importing the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight

Note: The 'FortiSOAR_ArcSight.arb' package included with this version has been updated to remove the 'Active List Rule' from the package.

  1. Download the FortiSOAR_ArcSight.arb file that is attached to this document.
  2. To import the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight, navigate to the Packages tab in Micro Focus ArcSight as shown in the following image:

  3. Click Import and select the FortiSOAR_ArcSight.arb.

    The FortiSOAR_ArcSight.arb package contains the Active List (FortiSOAR_Event_collector).

    Once the FortiSOAR_ArcSight.arb package is imported successfully, the FortiSOAR Active List will appear in Micro Focus ArcSight as follows:

FortiSOAR_ArcSight.arb

Previous
Next

Micro Focus ArcSight ESM v4.0.0

About the connector

Micro Focus ArcSight Enterprise Security Manager (ESM) is a threat detection, analysis, triage, and compliance management SIEM platform, This connector can be use to ingesting events from Micro Focus ArcSight, search and case management

This document provides information about the Micro Focus ArcSight ESM Connector, which facilitates automated interactions, with a Micro Focus ArcSight ESM server using FortiSOAR™ playbooks. Add the Micro Focus ArcSight ESM connector as a step in FortiSOAR™ playbooks and perform automated operations with Micro Focus ArcSight ESM.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 7.4.3-3294

Micro Focus ArcSight ESM Version Tested on: 7.6.0.2729.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-arcsight

IMPORTANT: Upgrading the connector from 2.x to 3.x is not backward compatible because explicit changes are needed in the existing playbooks to delete the Active List Entries after alerts have been created in FortiSOAR™.

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Micro Focus ArcSight ESM connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL IP Address or FQDN of the Micro Focus ArcSight ESM server to which you will connect and perform automated operations.
ESM Port REST API port of the Micro Focus ArcSight ESM server.
Defaults to 8443.
Username Specify the username to access the endpoint to which you will connect and perform the automated operations
Password Specify the password to access the endpoint to which you will connect and perform the automated operations
Active List ID Resource ID of the active list for which you want to retrieve events from Micro Focus ArcSight ESM
API Version Specify the API version to access the endpoint to which you will connect and perform the automated operations. Note: If not specified, it will take as default means without a API version.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations:

Function Description Annotation and Category
Annotate Event Updates a Micro Focus ArcSight event stage, assigns it to a user, and adds a comment based on the event ID, stage name, user and other input parameters you have specified. annotate_event
Investigation
Annotate Event By Stage ID Updates a Micro Focus ArcSight event stage, assigns it to a user, and adds a comment based on resource ID of the stage, event ID, and other input parameters you have specified. annotate_event_by_stage_id
Investigation
Run Report with Default Parameters Runs a report on the Micro Focus ArcSight ESM server based on an ID or a URI that you have specified. run_report
Investigation
Run Report Runs a report on the Micro Focus ArcSight ESM server based on the report ID and other input parameters you have specified. run_report
Investigation
Delete Archive Report Deletes an archived report from the Micro Focus ArcSight ESM server, based on the report ID that you have specified. delete_report
Remediation
Download Report Downloads a report from the Micro Focus ArcSight ESM server based on the report ID and name of the report to download as an attachment in FortiSOAR™'s Attachments module. download_report
Investigation
Get Event Details Retrieves information for a specific event from the Micro Focus ArcSight ESM server, based on the event IDs, date range, and other input parameters you have specified. get_event_info
Investigation
Get Active List Information Retrieves information about an active list from Micro Focus ArcSight ESM, based on the Active List ID that you have specified. get_active_list_info
Investigation
Get Active List Entries Retrieves entries for a specified active list, based on the Active List ID, count of entries, and other input parameters that you have specified. get_active_list_entries
Investigation
Add Active List Entries Adds new items to a specified active list on the Micro Focus ArcSight ESM server, based on the Active List ID, column names, and other input parameters you have specified. add_active_list_entries
Investigation
Delete Active List Entries Deletes entries from a specified active list on the Micro Focus ArcSight ESM server, based on the Active List ID, column names, and other input parameters you have specified. delete_active_list_entries
Investigation
Clear Active List Entries Clears all entries from a specified active list, based on the Active List ID that you have specified. clear_active_list_entries
Remediation
Create Case Creates a case on the Micro Focus ArcSight ESM server, based on the Parent Group ID, Case Name, and other input parameters that you have specified. create_case
Investigation
Add Events To Case Adds the specified event to an existing case in the Micro Focus ArcSight ESM server, based on the Resource ID and Event ID that you have specified. add_events
Investigation
Get Case Information Retrieves information about a case from the Micro Focus ArcSight ESM server, based on the case ID that you have specified. get_case_info
Investigation
Update Case Updates an existing case in the Micro Focus ArcSight ESM server, based on the Resource ID, Case Name, and other input parameters that you have specified. update_case
Investigation
Delete Case Events Delete specified events from an existing case on the Micro Focus ArcSight ESM server, based on the case and event IDs that you have specified. delete_event
Remediation
Get Event Fields Retrieves a full list of security event fields from the Micro Focus ArcSight ESM server. get_event_fields
Investigation
Get Query Viewer Data Retrieves query viewer data from the Micro Focus ArcSight ESM server, based on the query viewer ID you have specified get_query_viewer_data
Investigation
Search Query Searches the Micro Focus ArcSight ESM server records based on the query and other input parameters that you have specified search_query
Investigation

operation: Annotate Event

You can annotate Micro Focus ArcSight Events using the Micro Focus ArcSight Console to update the Stage and Assignee of the event and to add comments to the event.

Micro Focus ArcSight Console: Update Stage and Add Comments to the event

Micro Focus ArcSight Console: Update Assignee of the event

You can also perform similar operations using the Annotate Event function in FortiSOAR™ playbooks.

Input parameters

Parameter Description
Event ID Specify the ID of the Micro Focus ArcSight event to annotate.
Stage Select the stage to be set for the event. You can choose from the following values:
  • Queued
  • Initial
  • Monitoring
  • Rule Created
  • Follow-Up
  • Final
  • Flagged as Similar
  • Closed
  • Other: Select this option to specify a Stage name.
User Specify an existing Micro Focus ArcSight user to whom the annotated event is assigned. For example, admin.
Comment Specify a comment to add to the event.

Output

The output contains a non-dictionary value.

operation: Annotate Event By Stage ID

Input parameters

Parameter Description
Event ID Specify the ID of the Micro Focus ArcSight event to annotate.
Stage ID Specify the resource ID of the stage to set for the specified event.
User (Optional) Specify an existing Micro Focus ArcSight user to whom the annotated event is assigned. For example, admin.
Comment (Optional) Specify a comment to add to the event.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Run Report with Default Parameters

You can get the ID for a report (Resource ID) from the Micro Focus ArcSight Console, as shown in the following image:

ArcSight Console - Resource ID

You can get the URI for a report from the Micro Focus ArcSight Console. To get the URI, you must add the report name to the parent resource, as shown in the following image:

ArcSight Console - Parent Groups: Resources

Input parameters

Parameter Description
Run Report By Select the identifier by which to run a report on the Micro Focus ArcSight ESM server. You can choose from the following options:
  • Report ID
  • Report URI
Report URI or Report ID Specify the ID or URI of the report to run on the Micro Focus ArcSight ESM server, matching your selection in the Run Report By field.

Output

The output contains a non-dictionary value.

operation: Run Report

Input parameters

Parameter Description
Report Id Specify the ID of the report to run on the Micro Focus ArcSight ESM server.
Input parameters Specify the input parameters in JSON format. For example,
{"StartTime": "$Now - 3h", "Report Format": "0"}

The keys are the same as seen on the Micro Focus ArcSight console.

NOTE: The values for the drop-down fields are their integer positions. For example, the Report Format should be specified as 0, 1, or 2 and not as pdf, csv, html, etc.

Output

The output contains a non-dictionary value.

operation: Delete Archive Report

Input parameters

Parameter Description
Report ID Specify the ID of the archived report that you want to delete from the Micro Focus ArcSight ESM server.

Output

The output contains a non-dictionary value.

operation: Download Report

Input parameters

Parameter Description
Report ID Specify the ID of the report to download from the Micro Focus ArcSight ESM server and upload as an attachment in FortiSOAR™.
NOTE: You can get the ID of the report using the Run Report function.
Name of the file when added as an attachment in FortiSOAR Specify the name under which the downloaded report is saved in FortiSOAR™'s Attachments module. If you do not specify a name, the file is saved as ArcSight ID-of-the-report by default.

Output

The JSON output contains the details of the attachment in FortiSOAR™.

{
    "id": "",
    "@id": "",
    "file": {
        "id": "",
        "@id": "",
        "size": "",
        "uuid": "",
        "@type": "",
        "assignee": "",
        "filename": "",
        "metadata": [],
        "mimeType": "",
        "thumbnail": "",
        "uploadDate": ""
    },
    "name": "",
    "type": "",
    "uuid": "",
    "@type": "",
    "tasks": [],
    "alerts": [],
    "assets": [],
    "owners": [],
    "people": [],
    "tenant": {
        "id": "",
        "@id": "",
        "name": "",
        "role": "",
        "uuid": "",
        "@type": "",
        "region": "",
        "license": "",
        "industry": "",
        "tenantId": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": "",
        "description": "",
        "isDedicated": "",
        "allowRemoteMMDModification": ""
    },
    "@context": "",
    "assignee": "",
    "comments": [],
    "conflict": "",
    "warrooms": [],
    "incidents": [],
    "createDate": "",
    "createUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "indicators": [],
    "modifyDate": "",
    "modifyUser": {
        "id": "",
        "@id": "",
        "name": "",
        "uuid": "",
        "@type": "",
        "avatar": "",
        "userId": "",
        "userType": "",
        "createDate": "",
        "createUser": "",
        "modifyDate": "",
        "modifyUser": ""
    },
    "recordTags": [],
    "userOwners": [],
    "description": "",
    "tenantRecordId": ""
}

operation: Get Event Details

Input parameters

Parameter Description
Event IDs Specify the ID of the event whose details to retrieve from the Micro Focus ArcSight ESM server. You can specify multiple IDs as a comma-separated string or as a list.
From Date Specify the start date of the range from when to retrieve the events from the Micro Focus ArcSight ESM server.
To Date Specify the end date of the range till when to retrieve the events from the Micro Focus ArcSight ESM server.
Replace Null Values with Empty String? Select this option to replace the placeholder value that the API returns for an unset event field with an empty string. By default, this option is selected, i.e., set to true.

NOTE: Refer to the section API Returned NULL Values for the values returned when the event field is not set.

IP Address Keys to Parse (Optional) Specify a comma-separated list of field names to convert from decimal to IP address format. The Micro Focus ArcSight API returns IP address fields in decimal format. Defaults to address.
MAC Address Keys to Parse (Optional) Specify a comma-separated list of field names to convert from decimal to MAC address format. The Micro Focus ArcSight API returns MAC address fields in decimal format. Defaults to macAddress,translatedAddress.

API Returned NULL Values

The Micro Focus ArcSight APIs return the following values if an event field is not set:

Field Type Returned value in place of NULL
Integer -2147483648 (Integer.MIN_VALUE)
Long -9223372036854775808 (Long.MIN_VALUE)
Double 5e-324 (Double.MIN_VALUE)
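
The following Python is an added example, not the connector's own code, showing the two clean-ups this operation describes: replacing the NULL placeholders from the table above with an empty string, and converting the decimal-encoded IP and MAC fields named in IP Address Keys to Parse and MAC Address Keys to Parse. The default key lists mirror the documented parameter defaults; the signed-32-bit handling of negative IPv4 values, the IPv6 handling of values wider than 32 bits and the colon-separated MAC format are assumptions, and the sample event is constructed.

```python
"""Post-process event records returned by Get Event Details.

Added example; this is not the connector's own code. It replaces the sentinel
values the ArcSight API returns for unset Integer, Long and Double fields with
an empty string and converts decimal-encoded IP and MAC address fields to
text. Default key lists mirror the documented parameter defaults; the
signed-32-bit IPv4 handling and colon-separated MAC format are assumptions.
"""
import ipaddress

# Values the API returns in place of NULL (see "API Returned NULL Values").
NULL_SENTINELS = {
    -2147483648,           # Integer.MIN_VALUE
    -9223372036854775808,  # Long.MIN_VALUE
    5e-324,                # Double.MIN_VALUE
}


def is_null_sentinel(value):
    """True if value is one of the documented NULL placeholders."""
    if isinstance(value, bool):  # bool subclasses int; never treat it as a sentinel
        return False
    return isinstance(value, (int, float)) and value in NULL_SENTINELS


def decimal_to_ip(value):
    """Convert the API's decimal address to dotted-quad (or IPv6) text.

    Assumption: a negative value is a signed 32-bit IPv4 address; anything
    wider than 32 bits is treated as IPv6.
    """
    if value < 0:
        value &= 0xFFFFFFFF
    if value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return str(ipaddress.IPv6Address(value))


def decimal_to_mac(value):
    """Convert a decimal MAC to six colon-separated hex octets (assumed format)."""
    value &= 0xFFFFFFFFFFFF  # keep the low 48 bits; also masks a signed value
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def _split_keys(keys):
    """Accept the connector's comma-separated string form or a sequence of names."""
    if isinstance(keys, str):
        keys = keys.split(",")
    return {k.strip() for k in keys if k.strip()}


def normalize_event(event, replace_nulls=True,
                    ip_keys="address", mac_keys="macAddress,translatedAddress"):
    """Return a copy of the event with sentinels and address fields rewritten.

    The event is walked recursively, so nested objects such as device,
    destination and concentratorAgents are handled too. A sentinel is never
    passed to the address converters: with replace_nulls False it is left
    exactly as the API returned it.
    """
    ip_set, mac_set = _split_keys(ip_keys), _split_keys(mac_keys)

    def convert(key, value):
        if is_null_sentinel(value):
            return "" if replace_nulls else value
        if isinstance(value, bool) or not isinstance(value, int):
            return value  # only integers carry encoded addresses
        if key in ip_set:
            return decimal_to_ip(value)
        if key in mac_set:
            return decimal_to_mac(value)
        return value

    def walk(node):
        if isinstance(node, dict):
            return {k: convert(k, walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(event)


# Constructed sample resembling one record of the Get Event Details output.
SAMPLE_EVENT = {
    "eventId": 123456,
    "name": "Constructed sample event",
    "bytesIn": -2147483648,                 # Integer field not set
    "bytesOut": 512,
    "flexNumber1": -9223372036854775808,    # Long field not set
    "deviceCustomFloatingPoint1": 5e-324,   # Double field not set
    "device": {"address": 167772161, "macAddress": 1108152157446, "hostName": "fw01"},
    "destination": {"address": 3232235777, "translatedAddress": -2147483648, "port": 443},
    "concentratorAgents": [{"address": 4294967295, "macAddress": -2147483648}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_event(SAMPLE_EVENT), indent=2))
```

Sentinels are checked before any address conversion on purpose: an unset translatedAddress arrives as -2147483648, and converting that as an address would yield a plausible-looking but fictitious value rather than an empty field.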

Output

The output contains the following populated JSON schema:

[
    {
        "ttl": "",
        "name": "",
        "type": "",
        "agent": {
            "id": "",
            "name": "",
            "type": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "mutable": "",
            "version": "",
            "hostName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "device": {
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "vendor": "",
            "address": "",
            "assetId": "",
            "mutable": "",
            "product": "",
            "version": "",
            "hostName": "",
            "assetName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "bytesIn": "",
        "endTime": "",
        "eventId": "",
        "bytesOut": "",
        "category": {
            "object": "",
            "mutable": "",
            "outcome": "",
            "behavior": "",
            "deviceGroup": "",
            "significance": ""
        },
        "locality": "",
        "priority": "",
        "severity": "",
        "domainFp1": "",
        "domainFp2": "",
        "domainFp3": "",
        "domainFp4": "",
        "domainFp5": "",
        "domainFp6": "",
        "domainFp7": "",
        "domainFp8": "",
        "flexDate1": "",
        "managerId": "",
        "relevance": "",
        "sessionId": "",
        "startTime": "",
        "dummyField": "",
        "originator": "",
        "destination": {
            "geo": {
                "mutable": "",
                "latitude": "",
                "longitude": "",
                "latitudeLong": "",
                "longitudeLong": ""
            },
            "port": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "assetId": "",
            "mutable": "",
            "hostName": "",
            "assetName": "",
            "processId": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedPort": "",
            "translatedAddress": ""
        },
        "domainDate1": "",
        "domainDate2": "",
        "domainDate3": "",
        "domainDate4": "",
        "domainDate5": "",
        "domainDate6": "",
        "finalDevice": {
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "vendor": "",
            "address": "",
            "assetId": "",
            "mutable": "",
            "product": "",
            "version": "",
            "hostName": "",
            "assetName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "flexNumber1": "",
        "flexNumber2": "",
        "persistence": "",
        "deviceCustom": {
            "mutable": "",
            "number1Label": "",
            "string1Label": "",
            "string2Label": ""
        },
        "agentSeverity": "",
        "domainNumber1": "",
        "domainNumber2": "",
        "domainNumber3": "",
        "domainNumber4": "",
        "domainNumber5": "",
        "domainNumber6": "",
        "domainNumber7": "",
        "domainNumber8": "",
        "domainNumber9": "",
        "originalAgent": {
            "id": "",
            "name": "",
            "type": "",
            "zone": {
                "id": "",
                "uri": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "address": "",
            "mutable": "",
            "version": "",
            "hostName": "",
            "macAddress": "",
            "assetLocalId": "",
            "addressAsBytes": "",
            "translatedAddress": ""
        },
        "baseEventCount": "",
        "deviceSeverity": "",
        "domainNumber10": "",
        "domainNumber11": "",
        "domainNumber12": "",
        "domainNumber13": "",
        "objectTypeName": "",
        "deviceDirection": "",
        "deviceProcessId": "",
        "domainIpv4addr1": "",
        "domainIpv4addr2": "",
        "domainIpv4addr3": "",
        "domainIpv4addr4": "",
        "eventAnnotation": {
            "flags": "",
            "stage": {
                "id": "",
                "uri": "",
                "managerID": "",
                "referenceID": "",
                "isModifiable": "",
                "referenceName": "",
                "referenceType": "",
                "referenceString": ""
            },
            "endTime": "",
            "eventId": "",
            "version": "",
            "auditTrail": "",
            "stageUpdateTime": "",
            "modificationTime": "",
            "managerReceiptTime": ""
        },
        "modelConfidence": "",
        "agentReceiptTime": "",
        "assetCriticality": "",
        "deviceCustomDate1": "",
        "deviceCustomDate2": "",
        "deviceReceiptTime": "",
        "concentratorAgents": [
            {
                "id": "",
                "name": "",
                "type": "",
                "zone": {
                    "id": "",
                    "uri": "",
                    "referenceID": "",
                    "isModifiable": "",
                    "referenceName": "",
                    "referenceType": "",
                    "referenceString": ""
                },
                "address": "",
                "mutable": "",
                "version": "",
                "hostName": "",
                "macAddress": "",
                "assetLocalId": "",
                "addressAsBytes": "",
                "translatedAddress": ""
            }
        ],
        "deviceEventClassId": "",
        "managerReceiptTime": "",
        "concentratorDevices": [
            {
                "zone": {
                    "id": "",
                    "uri": "",
                    "referenceID": "",
                    "isModifiable": "",
                    "referenceName": "",
                    "referenceType": "",
                    "referenceString": ""
                },
                "vendor": "",
                "address": "",
                "assetId": "",
                "mutable": "",
                "product": "",
                "version": "",
                "hostName": "",
                "assetName": "",
                "macAddress": "",
                "assetLocalId": "",
                "addressAsBytes": "",
                "translatedAddress": ""
            }
        ],
        "deviceCustomNumber1": "",
        "deviceCustomNumber2": "",
        "deviceCustomNumber3": "",
        "deviceCustomString1": "",
        "deviceCustomString2": "",
        "deviceEventCategory": "",
        "aggregatedEventCount": "",
        "correlatedEventCount": "",
        "deviceCustomFloatingPoint1": "",
        "deviceCustomFloatingPoint2": "",
        "deviceCustomFloatingPoint3": "",
        "deviceCustomFloatingPoint4": ""
    }
]

operation: Get Active List Information

Input parameters

Parameter Description
Active List ID Specify the resource ID of the active list for which to retrieve details from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "optimizeData": "",
    "capacity": "",
    "entryTimeToLive": "",
    "multiMap": "",
    "partialCache": "",
    "timePartitioned": "",
    "activeListType": "",
    "caseSensitiveType": "",
    "countLimit": "",
    "cacheModel": "",
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": "",
    "fields": [
        {
            "name": "",
            "type": "",
            "subType": "",
            "key": ""
        }
    ]
}

operation: Get Active List Entries

Input parameters

Parameter Description
Active List ID (Optional) Specify a resource ID of the active list for which to retrieve entries from the Micro Focus ArcSight ESM server.
Count (Optional) Specify the maximum number of active list entries this operation should retrieve from the Micro Focus ArcSight ESM server. By default, all entries from the active list are returned.
Clear Active List Entries Select this option, i.e., set it to True (default), to clear the entries of the specified active list after they have been read.

Output

The output contains a non-dictionary value.

operation: Add Active List Entries

Input parameters

Parameter Description
Active List ID (Optional) Specify a resource ID of the Active List to update on the Micro Focus ArcSight ESM server.
Column Names List Specify a list of column names that you want to update on the Micro Focus ArcSight ESM server, i.e., columns in which you want to add entries.
Entry List Specify a list of entries to add to the specified active list on the Micro Focus ArcSight ESM server. You must add the values in the same sequence as the columns specified. For example:
    [
        {
            "fields": ["val1", "val2"]
        },

        {
            "fields": ["val3", "val4"]
        }
    ]

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Delete Active List Entries

Input parameters

Parameter Description
Active List ID Specify a resource ID of the Active List from which to delete entries on the Micro Focus ArcSight ESM server.

NOTE: The default ID is taken from the connector configuration. For more information, see the Configuring the connector section.

Column Names List Specify a list of column names that you want to delete from the specified active list.
Entry List Specify a list of entries to delete from the specified active list on the Micro Focus ArcSight ESM server. You must add the values in the same sequence as the columns specified. For example,
    [
        {
            "fields": ["val1", "val2"]
        },

        {
            "fields": ["val3", "val4"]
        }
    ]
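
The following Python is an added example, not the connector's own code, for the Entry List parameter shared by Add Active List Entries and Delete Active List Entries. Both require each entry's values to follow the order of the Column Names List, which is easy to get wrong when rows come out of an earlier playbook step as dictionaries; the builder emits the documented [{"fields": [...]}] shape from such rows, and the validator flags entries whose field count does not match the column count. The column names and values in the sample are constructed.

```python
"""Build and validate the Entry List payload for Add / Delete Active List Entries.

Added example; this is not the connector's own code. Column names and row
values in the sample are constructed.
"""
import json


def build_entry_list(column_names, rows):
    """Order each row's values as column_names and wrap them as {"fields": [...]}.

    Raises ValueError when column names are empty or duplicated, or when a row
    lacks a named column or carries one that was not listed, because such a
    row would otherwise land its values in the wrong active-list column.
    """
    columns = list(column_names)
    if not columns or len(set(columns)) != len(columns):
        raise ValueError("column names must be non-empty and unique")
    entries = []
    for index, row in enumerate(rows):
        missing = [c for c in columns if c not in row]
        extra = sorted(set(row) - set(columns))
        if missing or extra:
            raise ValueError(
                f"row {index}: missing columns {missing}, unexpected columns {extra}")
        entries.append({"fields": [row[c] for c in columns]})
    return entries


def validate_entry_list(entry_list, column_names):
    """Return a list of problems found in an Entry List; empty means it is usable."""
    expected = len(column_names)
    if not isinstance(entry_list, list):
        return ["entry list must be a JSON array"]
    problems = []
    for index, entry in enumerate(entry_list):
        fields = entry.get("fields") if isinstance(entry, dict) else None
        if not isinstance(fields, list):
            problems.append(f"entry {index}: no 'fields' array")
        elif len(fields) != expected:
            problems.append(
                f"entry {index}: {len(fields)} values for {expected} columns")
    return problems


def entry_list_json(column_names, rows):
    """The JSON text a playbook step would pass in the Entry List parameter."""
    return json.dumps(build_entry_list(column_names, rows), indent=4)


# Constructed sample: two rows destined for a two-column active list.
SAMPLE_COLUMNS = ["ipAddress", "reason"]
SAMPLE_ROWS = [
    {"ipAddress": "10.0.0.5", "reason": "blocked by playbook"},
    {"reason": "under review", "ipAddress": "10.0.0.6"},  # key order does not matter
]

if __name__ == "__main__":
    print(entry_list_json(SAMPLE_COLUMNS, SAMPLE_ROWS))
```

Run validate_entry_list on any Entry List assembled by hand before passing it to the action; a row with too few or too many values is the usual cause of entries landing in the wrong columns.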

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Clear Active List Entries

Input parameters

Parameter Description
Active List ID Specify a resource ID of the Active List for which to clear entries from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Create Case

Input parameters

Parameter Description
Parent Group ID Specify the parent group ID of the case to create.
Case Name Specify the name of the case to create.
Alias (Display Name) (Optional) Specify the alias or display name of the case being created.
Ticket Type (Optional) Specify the ticket type of the case being created. You can choose from the following options:
  • Internal
  • Client
  • Incident
Stage (Optional) Specify the stage that you want to assign to the created case. You can choose from the following options:
  • Queued
  • Initial
  • Follow Up
  • Final
  • Closed
Frequency (Optional) Specify the frequency that you want to assign to the created case. You can choose from the following options:
  • Ten To Fifteen
  • Never Or Once
  • Fifteen
  • Less Than Ten
  • More Than Fifteen
Operational Impact (Optional) Specify the operational impact that you want to assign to the created case. You can choose from the following options:
  • No Impact
  • No Immediate Impact
  • Low Priority Impact
  • High Priority Impact
  • Immediate Impact
Security Classification (Optional) Specify the security classification that you want to assign to the created case. You can choose from the following options:
  • Unclassified
  • Confidential
  • Secret
  • Top Secret
Consequence Severity (Optional) Specify the consequence severity that you want to assign to the created case. You can choose from the following options:
  • None
  • Insignificant
  • Marginal
  • Critical
  • Catastrophic
External ID (Optional) Specify a unique ID for the created case.
Description (Optional) Specify a description of the created case.
Additional Attributes (Optional) Specify additional attributes to set values for fields not displayed in FortiSOAR™.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "displayID": "",
    "ticketType": "",
    "stage": "",
    "frequency": "",
    "operationalImpact": "",
    "securityClassification": "",
    "consequenceSeverity": "",
    "reportingLevel": "",
    "originator": "",
    "detectionTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedStartTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedRestoreTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "affectedServices": "",
    "affectedElements": "",
    "estimatedImpact": "",
    "affectedSites": "",
    "attackMechanism": "",
    "attackAgent": "",
    "vulnerability": "",
    "sensitivity": "",
    "associatedImpact": "",
    "action": "",
    "securityClassificationCode": "",
    "actionsTaken": "",
    "plannedActions": "",
    "recommendedActions": "",
    "followupContact": "",
    "attackTarget": "",
    "attackService": "",
    "attackProtocol": "",
    "attackOS": "",
    "attackProgram": "",
    "attackImpact": "",
    "attackTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "finalReportAction": "",
    "attackLocationID": "",
    "attackNode": "",
    "attackAddress": "",
    "vulnerabilityType1": "",
    "vulnerabilityType2": "",
    "vulnerabilityEvidence": "",
    "vulnerabilitySource": "",
    "vulnerabilityData": "",
    "history": "",
    "numberOfOccurences": "",
    "lastOccurenceTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "resistance": "",
    "recordedData": "",
    "inspectionResults": "",
    "conclusions": "",
    "incidentSource1": "",
    "incidentSource2": "",
    "sourceAddress": "",
    "attachmentIDs": [],
    "eventIDs": [],
    "initialized": "",
    "uri": "",
    "inCache": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}

operation: Add Events To Case

Input parameters

Parameter Description
Resource ID Specify the resource ID of the case in which you want to add events.
Event IDs Specify the IDs of the events you want to add to the case. You must provide the Event IDs in a list format.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

operation: Get Case Information

Input parameters

Parameter Description
Resource ID Specify the resource ID of the case for which you want to retrieve the information from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "uri": "",
    "name": "",
    "type": "",
    "alias": "",
    "stage": "",
    "state": "",
    "inCache": "",
    "localID": "",
    "disabled": "",
    "eventIDs": [],
    "inactive": "",
    "typeName": "",
    "displayID": "",
    "frequency": "",
    "reference": {
        "id": "",
        "uri": "",
        "managerID": "",
        "externalID": "",
        "isModifiable": "",
        "referenceName": "",
        "referenceType": "",
        "referenceString": ""
    },
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "deprecated": "",
    "externalID": "",
    "resourceId": "",
    "ticketType": "",
    "creatorName": "",
    "description": "",
    "displayName": "",
    "initialized": "",
    "modifierName": "",
    "detectionTime": {
        "day": "",
        "hour": "",
        "year": "",
        "month": "",
        "minute": "",
        "second": "",
        "timezoneID": "",
        "milliSecond": ""
    },
    "reportingLevel": "",
    "createdTimestamp": "",
    "modificationCount": "",
    "modifiedTimestamp": "",
    "operationalImpact": "",
    "estimatedStartTime": {
        "day": "",
        "hour": "",
        "year": "",
        "month": "",
        "minute": "",
        "second": "",
        "timezoneID": "",
        "milliSecond": ""
    },
    "isAdditionalLoaded": "",
    "numberOfOccurences": "",
    "consequenceSeverity": "",
    "securityClassification": "",
    "securityClassificationCode": "",
    "attributeInitializationInProgress": ""
}

operation: Update Case

Input parameters

Parameter Description
Resource ID Specify the resource ID of an existing case you want to update on the Micro Focus ArcSight ESM server.
Case Name (Optional) Specify the name of an existing case to update.
Alias (Display Name) (Optional) Specify the alias or display name of an existing case that you want to update.
Ticket Type (Optional) Specify the ticket type of the case being updated. You can choose from the following options:
  • Internal
  • Client
  • Incident
Stage (Optional) Specify the stage that you want to assign to the updated case. You can choose from the following options:
  • Queued
  • Initial
  • Follow Up
  • Final
  • Closed
Frequency (Optional) Specify the frequency that you want to assign to the updated case. You can choose from the following options:
  • Ten To Fifteen
  • Never Or Once
  • Fifteen
  • Less Than Ten
  • More Than Fifteen
Operational Impact (Optional) Specify the operational impact that you want to assign to the updated case. You can choose from the following options:
  • No Impact
  • No Immediate Impact
  • Low Priority Impact
  • High Priority Impact
  • Immediate Impact
Security Classification (Optional) Specify the security classification that you want to assign to the updated case. You can choose from the following options:
  • Unclassified
  • Confidential
  • Secret
  • Top Secret
Consequence Severity (Optional) Specify the consequence severity that you want to assign to the updated case. You can choose from the following options:
  • None
  • Insignificant
  • Marginal
  • Critical
  • Catastrophic
Estimated Restore Date Time (Optional) Specify the estimated date and time by which the case is expected to be restored.
External ID (Optional) Specify a unique ID to update in the existing case.
Description (Optional) Specify a description to update in the existing case.
Additional Attributes (Optional) Specify additional attributes to update or set values for fields not displayed in FortiSOAR™.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "displayID": "",
    "ticketType": "",
    "stage": "",
    "frequency": "",
    "operationalImpact": "",
    "securityClassification": "",
    "consequenceSeverity": "",
    "reportingLevel": "",
    "originator": "",
    "detectionTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedStartTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "estimatedRestoreTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "affectedServices": "",
    "affectedElements": "",
    "estimatedImpact": "",
    "affectedSites": "",
    "attackMechanism": "",
    "attackAgent": "",
    "vulnerability": "",
    "sensitivity": "",
    "associatedImpact": "",
    "action": "",
    "securityClassificationCode": "",
    "actionsTaken": "",
    "plannedActions": "",
    "recommendedActions": "",
    "followupContact": "",
    "attackTarget": "",
    "attackService": "",
    "attackProtocol": "",
    "attackOS": "",
    "attackProgram": "",
    "attackImpact": "",
    "attackTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "finalReportAction": "",
    "attackLocationID": "",
    "attackNode": "",
    "attackAddress": "",
    "vulnerabilityType1": "",
    "vulnerabilityType2": "",
    "vulnerabilityEvidence": "",
    "vulnerabilitySource": "",
    "vulnerabilityData": "",
    "history": "",
    "numberOfOccurences": "",
    "lastOccurenceTime": {
        "year": "",
        "month": "",
        "day": "",
        "hour": "",
        "minute": "",
        "second": "",
        "milliSecond": "",
        "timezoneID": ""
    },
    "resistance": "",
    "recordedData": "",
    "inspectionResults": "",
    "conclusions": "",
    "incidentSource1": "",
    "incidentSource2": "",
    "sourceAddress": "",
    "attachmentIDs": [],
    "eventIDs": [],
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}

operation: Delete Case Events

Input parameters

Parameter Description
Case ID Specify the ID of the case from which to delete events.
Event IDs Specify the IDs of the events to delete from the specified case. You must provide the Event IDs in a list format.

Output

The output contains a non-dictionary value.

operation: Get Event Fields

Input parameters

None.

Output

The output schema exceeds the document size.

operation: Get Query Viewer Data

Input parameters

Parameter Description
Query Viewer ID Specify a resource ID of the query viewer for which to retrieve details from the Micro Focus ArcSight ESM server.

Output

The output contains the following populated JSON schema:

{
    "resourceId": "",
    "name": "",
    "alias": "",
    "description": "",
    "reference": {
        "id": "",
        "uri": "",
        "externalID": "",
        "referenceString": "",
        "referenceID": "",
        "managerID": "",
        "referenceType": "",
        "isModifiable": "",
        "referenceName": ""
    },
    "type": "",
    "typeName": "",
    "subType": "",
    "isAdditionalLoaded": "",
    "modificationCount": "",
    "externalID": "",
    "createdTimestamp": "",
    "modifiedTimestamp": "",
    "versionID": "",
    "contentVersionID": "",
    "referencePage": "",
    "disabled": "",
    "disabledReason": "",
    "inactive": "",
    "inactiveReason": "",
    "deprecated": "",
    "localID": "",
    "state": "",
    "creatorName": "",
    "modifierName": "",
    "notificationGroupIDs": [],
    "supportsToggle": "",
    "enabled": "",
    "supportedDataTypes": [],
    "queryViewerId": "",
    "data": {
        "timestamp": "",
        "startTimestamp": "",
        "endTimestamp": "",
        "rows": [
            {}
        ],
        "columnHeaders": [],
        "colHeaderTS": "",
        "maxColumns": "",
        "properties": {
            "additionalProp1": {
                "propertyValue": {}
            }
        }
    },
    "columnAliasMap": {
        "additionalProp1": "",
        "additionalProp2": "",
        "additionalProp3": ""
    },
    "refreshInterval": "",
    "drilldownList": {
        "resourceId": "",
        "name": "",
        "alias": "",
        "description": "",
        "reference": {
            "id": "",
            "uri": "",
            "externalID": "",
            "referenceString": "",
            "referenceID": "",
            "managerID": "",
            "referenceType": "",
            "isModifiable": "",
            "referenceName": ""
        },
        "type": "",
        "typeName": "",
        "subType": "",
        "isAdditionalLoaded": "",
        "modificationCount": "",
        "externalID": "",
        "createdTimestamp": "",
        "modifiedTimestamp": "",
        "versionID": "",
        "contentVersionID": "",
        "referencePage": "",
        "disabled": "",
        "disabledReason": "",
        "inactive": "",
        "inactiveReason": "",
        "deprecated": "",
        "localID": "",
        "state": "",
        "creatorName": "",
        "modifierName": "",
        "notificationGroupIDs": [],
        "role": "",
        "drilldowns": [
            {
                "resourceId": "",
                "name": "",
                "alias": "",
                "description": "",
                "reference": {
                    "id": "",
                    "uri": "",
                    "externalID": "",
                    "referenceString": "",
                    "referenceID": "",
                    "managerID": "",
                    "referenceType": "",
                    "isModifiable": "",
                    "referenceName": ""
                },
                "type": "",
                "typeName": "",
                "subType": "",
                "isAdditionalLoaded": "",
                "modificationCount": "",
                "externalID": "",
                "createdTimestamp": "",
                "modifiedTimestamp": "",
                "versionID": "",
                "contentVersionID": "",
                "referencePage": "",
                "disabled": "",
                "disabledReason": "",
                "inactive": "",
                "inactiveReason": "",
                "deprecated": "",
                "localID": "",
                "state": "",
                "creatorName": "",
                "modifierName": "",
                "notificationGroupIDs": [],
                "drilldownDefinition": {
                    "destinationID": "",
                    "destinationDisplayName": "",
                    "destinationType": "",
                    "menuPrompt": "",
                    "type": ""
                },
                "initialized": "",
                "inCache": "",
                "uri": "",
                "attributeInitializationInProgress": "",
                "signature": {
                    "id": "",
                    "modificationCount": ""
                },
                "displayName": ""
            }
        ],
        "defaultDrilldown": {
            "resourceId": "",
            "name": "",
            "alias": "",
            "description": "",
            "reference": {
                "id": "",
                "uri": "",
                "externalID": "",
                "referenceString": "",
                "referenceID": "",
                "managerID": "",
                "referenceType": "",
                "isModifiable": "",
                "referenceName": ""
            },
            "type": "",
            "typeName": "",
            "subType": "",
            "isAdditionalLoaded": "",
            "modificationCount": "",
            "externalID": "",
            "createdTimestamp": "",
            "modifiedTimestamp": "",
            "versionID": "",
            "contentVersionID": "",
            "referencePage": "",
            "disabled": "",
            "disabledReason": "",
            "inactive": "",
            "inactiveReason": "",
            "deprecated": "",
            "localID": "",
            "state": "",
            "creatorName": "",
            "modifierName": "",
            "notificationGroupIDs": [],
            "drilldownDefinition": {
                "destinationID": "",
                "destinationDisplayName": "",
                "destinationType": "",
                "menuPrompt": "",
                "type": ""
            },
            "initialized": "",
            "inCache": "",
            "uri": "",
            "attributeInitializationInProgress": "",
            "signature": {
                "id": "",
                "modificationCount": ""
            },
            "displayName": ""
        },
        "default": "",
        "initialized": "",
        "inCache": "",
        "uri": "",
        "attributeInitializationInProgress": "",
        "signature": {
            "id": "",
            "modificationCount": ""
        },
        "displayName": ""
    },
    "initialized": "",
    "inCache": "",
    "uri": "",
    "attributeInitializationInProgress": "",
    "signature": {
        "id": "",
        "modificationCount": ""
    },
    "displayName": ""
}

operation: Search Query

Input parameters

Parameter Description
Query Specify the query to run against the Micro Focus ArcSight ESM server.
Start Position Specify a position from where you want to initiate the search. By default, this is set to 0.
Page Size Specify the number of results that you want to display on one page. By default, this is set to 10.

Output

The output contains the following populated JSON schema:

{
    "queryStr": "",
    "rewrittenQueryString": "",
    "statusString": "",
    "elapsed": "",
    "hitCount": "",
    "searchHits": [
        {
            "uuid": "",
            "score": "",
            "name": "",
            "uri": ""
        }
    ],
    "queryTerms": []
}
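The Search Query action above is paged through Start Position and Page Size, and the response reports the total in hitCount. The following Python is an added example, not code from the connector or from Fortinet: it assumes a callable with the same parameters and output schema as the Search Query action, and the in-memory backend (`fake_search_query`, `SAMPLE_RESOURCES`) is constructed for the example. `collect_all_hits` walks every page and stops on hitCount, on an empty page, or on a page cap, so a misreported hitCount cannot turn the loop into an unbounded stream of requests against the ESM server.

```python
"""Page through Search Query results (added example, constructed backend)."""
from typing import Callable, Dict, List

# Constructed sample corpus standing in for resources on the ESM server.
SAMPLE_RESOURCES = [
    {
        "uuid": f"uuid-{i:03d}",
        "score": round(1.0 - i * 0.01, 2),
        "name": f"Resource {i}",
        "uri": f"/All Resources/{i}",
    }
    for i in range(23)
]


def fake_search_query(query: str, start_position: int = 0, page_size: int = 10) -> Dict:
    """Simulated Search Query action returning the connector's output schema.

    Assumption for the example: Start Position is a zero-based offset into
    the full hit list and Page Size is the number of hits per response.
    """
    hits = [r for r in SAMPLE_RESOURCES if query.lower() in r["name"].lower()]
    page = hits[start_position:start_position + page_size]
    return {
        "queryStr": query,
        "rewrittenQueryString": query,
        "statusString": "OK",
        "elapsed": 1,
        "hitCount": len(hits),
        "searchHits": page,
        "queryTerms": query.split(),
    }


def collect_all_hits(
    search: Callable[..., Dict],
    query: str,
    page_size: int = 10,
    max_pages: int = 100,
) -> List[Dict]:
    """Collect searchHits from every page of a query.

    Stops when hitCount is reached, when a page comes back empty or short,
    or when max_pages is hit, and de-duplicates on uuid in case the server
    returns overlapping pages.
    """
    results: List[Dict] = []
    seen = set()
    start = 0
    for _ in range(max_pages):
        resp = search(query, start_position=start, page_size=page_size)
        hits = resp.get("searchHits") or []
        if not hits:
            break
        for hit in hits:
            if hit["uuid"] in seen:
                continue
            seen.add(hit["uuid"])
            results.append(hit)
        total = int(resp.get("hitCount") or 0)
        start += len(hits)
        if start >= total or len(hits) < page_size:
            break
    return results


if __name__ == "__main__":
    all_hits = collect_all_hits(fake_search_query, "resource")
    print(len(all_hits), "hits collected")  # 23 hits collected
```

In a playbook the `search` callable would be the connector's Search Query step; the loop logic is the same, only the transport differs.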

Included playbooks

The Sample - Micro Focus ArcSight ESM - 4.0.0 playbook collection comes bundled with the Micro Focus ArcSight connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Micro Focus ArcSight connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Micro Focus ArcSight ESM and FortiSOAR™ integration

Micro Focus ArcSight ESM and FortiSOAR™ integration is achieved by the following simple steps:

Set up an Active List in Micro Focus ArcSight ESM

An Active List (AL) in Micro Focus ArcSight ESM holds correlated events, which can be read by FortiSOAR™ and then converted into alerts.

To ingest data from Micro Focus ArcSight, you need to create an Active List and configure Rules in the Micro Focus ArcSight ESM server, so that events from Micro Focus ArcSight ESM can be pulled into FortiSOAR™ as described in the following sections.

Use the FortiSOAR_ArcSight.arb package to create the Active List in Micro Focus ArcSight ESM and configure the Rule that forwards desired events to the created active list. You have to create and configure a rule to define the type of events you want to forward and investigate in FortiSOAR™. Once the active list is added and the rule is configured, FortiSOAR™ monitors the active list, pulls the desired events from Micro Focus ArcSight ESM, and creates alerts in FortiSOAR™.

Download the FortiSOAR_ArcSight.arb package, which is attached to this article, and then import the same into Micro Focus ArcSight ESM, as described in the Importing the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight section.

Alternatively, you can manually set up the active list and the rules using the standard Micro Focus ArcSight interface. Points to be considered while manually setting up rules:

Rule:

The following image displays a sample Micro Focus ArcSight Rule to Forward Events to an Active list:

The following image displays an Active List populated with desired events and the Resource ID is highlighted in the right pane:

Create a user in Micro Focus ArcSight ESM

FortiSOAR™ requires a user account and password to connect to the Micro Focus ArcSight ESM server. You could use an existing user, or create a new standard user for this purpose. This user account is used by FortiSOAR™ to fetch events, update events, or invoke other supported actions. Ensure that the user has the following permissions:

The following image displays a FortiSOAR™ user in the Micro Focus ArcSight ESM server with Read and Write access to FortiSOAR™ AL:

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling event data from Micro Focus ArcSight ESM. Currently, event data ingested from Micro Focus ArcSight ESM is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Micro Focus ArcSight ESM event data to FortiSOAR™'s Alerts.

The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Micro Focus ArcSight ESM into FortiSOAR™. It also lets you pull some sample data from Micro Focus ArcSight ESM using which you can define the mapping of data between Micro Focus ArcSight ESM and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Micro Focus ArcSight ESM event data.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Micro Focus ArcSight ESM connector's Configurations page.

    Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

    Sample data is required to create a field mapping between Micro Focus ArcSight ESM data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.

  2. On the Fetch Data screen, provide the configurations required to fetch event data from Micro Focus ArcSight ESM.

    Users can pull event data from Micro Focus ArcSight ESM by selecting Event IDs, Maximum Events To Pull, and Maximum Base Events To Pull Per Event.

    The fetched data is used to create a mapping between the event data from Micro Focus ArcSight ESM and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.

  3. On the Field Mapping screen, map the fields of the event data ingested from Micro Focus ArcSight ESM to the fields of Alerts in FortiSOAR™.

    To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the path parameter of ingested event data from Micro Focus ArcSight ESM to the File Path parameter of a FortiSOAR™ Alert, click the File Path field and then click the path field to populate its keys:

    The Data Ingestion Wizard uses the specified event IDs to pull sample data from Micro Focus ArcSight ESM into FortiSOAR™. The specified event IDs are used only as sample data and not used for subsequent data ingestion.

    For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, that is, specify how often FortiSOAR™ polls Micro Focus ArcSight ESM, so that content is pulled from the Micro Focus ArcSight ESM integration into FortiSOAR™.

    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.

    In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from Micro Focus ArcSight ESM every day, click Daily, and in the minute, hour, and day of month boxes enter 0, 5, and * respectively. This means that the event data will be pulled from Micro Focus ArcSight ESM every day at 5:00 AM:

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
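The integration flow described earlier (FortiSOAR™ reads entries from the active list and turns them into alerts) and the field mapping step above come together in the ingestion playbook. The following Python is an added example, not the connector's ingestion playbook or its real field mapping: it assumes the poll returns active list entries as flat dictionaries, and the entry keys (`eventId`, `sourceAddress`, `path`, `priority`), the alert field names in `FIELD_MAP`, and the two poll batches are all constructed for the example. It shows the two things a scheduled poll has to get right: a source field that is absent from an entry maps to an empty alert field instead of aborting the run, and an entry that was already ingested by an earlier poll does not produce a second alert.

```python
"""Map active list entries to alert records across scheduled polls (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Alert field -> source key in the active list entry. Constructed mapping,
# standing in for the Jinja expressions captured by the Data Ingestion Wizard.
FIELD_MAP = {
    "name": "name",
    "sourceIp": "sourceAddress",
    "filePath": "path",
    "severity": "priority",
    "sourceId": "eventId",
}
# Alert fields without which an alert is not worth creating (assumed for the example).
REQUIRED = ("name", "sourceId")


def map_entry(entry: Dict) -> Dict:
    """Apply FIELD_MAP; a missing source key yields None rather than an exception."""
    return {alert_field: entry.get(src) for alert_field, src in FIELD_MAP.items()}


def ingest(entries: Iterable[Dict], seen_ids: Set[str]) -> Tuple[List[Dict], List[Dict]]:
    """Convert one poll's entries into alerts.

    Returns (alerts, skipped). seen_ids is caller-owned state that persists
    across scheduled polls, so re-reading the same active list entries on the
    next schedule tick does not create duplicate alerts.
    """
    alerts: List[Dict] = []
    skipped: List[Dict] = []
    for entry in entries:
        alert = map_entry(entry)
        if any(alert.get(field) in (None, "") for field in REQUIRED):
            skipped.append(entry)       # malformed entry: record it, do not alert
            continue
        if alert["sourceId"] in seen_ids:
            continue                    # already ingested by a previous poll
        seen_ids.add(alert["sourceId"])
        alerts.append(alert)
    return alerts, skipped


# Constructed entries standing in for two consecutive polls of the active list.
POLL_1 = [
    {"eventId": "ev-1001", "name": "Suspicious login", "sourceAddress": "10.0.0.5", "priority": 7},
    {"eventId": "ev-1002", "name": "Malware detected", "sourceAddress": "10.0.0.9",
     "path": "C:\\temp\\sample.exe", "priority": 9},
    {"eventId": "", "name": "Entry without an event ID"},
]
POLL_2 = POLL_1[:2] + [
    {"eventId": "ev-1003", "name": "Port scan", "sourceAddress": "10.0.0.7", "priority": 4},
]


if __name__ == "__main__":
    state: Set[str] = set()
    alerts_1, skipped_1 = ingest(POLL_1, state)
    alerts_2, skipped_2 = ingest(POLL_2, state)
    print(len(alerts_1), len(skipped_1), len(alerts_2))  # 2 1 1
```

In a real deployment the `seen_ids` set would live somewhere durable (the alert module's source ID field is the natural place, queried before creating a record) rather than in process memory, since the ingestion playbook runs fresh on every schedule tick.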

Importing the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight

Note: The 'FortiSOAR_ArcSight.arb' package included with this version has been updated to remove the 'Active List Rule' from the package.

  1. Download the FortiSOAR_ArcSight.arb file that is attached to this document.
  2. To import the FortiSOAR_ArcSight.arb package in Micro Focus ArcSight, navigate to the Packages tab in Micro Focus ArcSight as shown in the following image:

  3. Click Import and select the FortiSOAR_ArcSight.arb.

    The FortiSOAR_ArcSight.arb package contains the Active List (FortiSOAR_Event_collector).

    Once the FortiSOAR_ArcSight.arb package is imported successfully, the FortiSOAR Active List will appear in Micro Focus ArcSight as follows:

FortiSOAR_ArcSight.arb
