ArcSight ESM v2
This integration is part of the ArcSight ESM Pack.
ArcSight ESM#
ArcSight ESM is a security information and event management (SIEM) product. It collects security log data from an enterprise's security technologies, operating systems, applications and other log sources, and analyzes that data for signs of compromise, attacks or other malicious activity. The product generates cases for security administrators and analysts.
NOTE#
ArcSight XML is no longer supported. Use the ArcSight ESM integration instead.
Use Cases#
- Fetching events and cases based on a query viewer.
- Getting additional information by event or case ID.
- Searching for events.
- Updating a case or deleting it.
- Getting all entries from an active list, updating an entry and clearing the list.
Set up ArcSight ESM to work with Cortex XSOAR#
The setup for using ArcSight ESM with Cortex XSOAR depends on whether you will be using the integration to fetch events or cases.
For fetching Events/Cases#
1. Create an Event/Case query.
2. Add a row limit (1000).
3. Add a start time limit (e.g. $Now-10m).
4. Go to the following fields and add conditions if needed:
- Select the Event ID and Start Time fields for Events (mandatory).
- Select the ID and Create Time fields for Cases (mandatory).
- Select additional fields of your choice.
- Add conditions if needed (malicious/suspicious behavior such as malware found, failed login, access to a known malicious site, and/or conditions like severity, criticality, assets, etc.).
Note#
Cortex XSOAR is designed for automatic response, so make sure to define conditions for actionable/severe/critical events only.
5. Create a query viewer based on the query.
6. Save the Query Viewer resource ID in the integration configuration in Cortex XSOAR.
Configure ArcSight ESM on Cortex XSOAR#
- Navigate to Settings>Integrations>Servers & Services.
- Search for ArcSight ESM.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1:8443): The hostname or IP address of the appliance being used, for example, https://your_arcsight_esm:port.
- Credentials and Password: Use the username and password used to access the ArcSight ESM account. By default, a user with the admin role has all the permissions needed to run all integration commands. For more granular authorization, refer to the ESM documentation on how to create custom roles.
- Fetch Events as incidents via Query Viewer ID: Must have Start Time and Event ID fields.
- Fetch Cases as incidents via Query Viewer ID: Must have Create Time and ID fields.
- The maximum number of unique IDs expected to be fetched: If the number of unique IDs exceeds this maximum, duplicates will be fetched.
- Do not validate server certificate (unsecured): Select to skip server certificate validation. You may want to do this if Cortex XSOAR cannot validate the integration server certificate (for example, because the CA certificate is missing).
- Use system proxy settings: Select whether to communicate via the system proxy server or not.
- Fetch incidents: Mark the Fetch incidents checkbox to automatically create Cortex XSOAR incidents from this integration instance.
- Incident type: Select the incident type to trigger.
- Product Version: Select the ArcSight ESM version. Versions 7.4 and above use the new Swagger detect-api. Note: not all the commands use the new API at the moment.
- Use REST Endpoints: Mark this checkbox to use REST endpoints for the commands related to 'entries' instead of the default legacy SOAP endpoints.
- Click Test to validate the URLs, token, and connection. If you are experiencing issues with the service configuration, please contact Cortex XSOAR support at support@paloaltonetworks.com.
- After completing the test successfully, press the "Done" button.
Use-Cases#
- Fetch events - New events that match the predefined condition will be fetched to Cortex XSOAR as an incident and will trigger playbooks for automation and response. Such events could be any kind of security events.
- Fetch cases - New cases that match the predefined condition will be fetched to Cortex XSOAR as an incident and will trigger playbooks for automation and response. Such cases could include any kind of security events. The final step of the playbook could be updating, closing or deleting the case.
- Search events - Query specific events based on an existing query viewer.
- Getting active list entries - Returning active list entries (such as "Block list IPs", "Malicious MD5s", etc.) by using as-get-entries and providing the resource ID of the active list. The entries can be added as a list in Cortex XSOAR for cross-platform usage, additional automation, and data enrichment.
Fetched Incidents Data#
The integration can fetch events and cases.
- When first turned on, the integration fetches all events/cases from the query viewer.
- The fetched incidents are later filtered by timestamp (start time/create time).
- In case of slowness, timeouts or crashes try reducing the max fetch parameter.
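To make the fetch bookkeeping described above concrete, here is an added Python illustration (not the integration's own code) of the timestamp filter, the bounded set of remembered IDs behind the "maximum number of unique IDs" setting, and the max fetch limit. The last_run layout, the oldest-first eviction and the sample rows are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

Row = Dict[str, object]

# Constructed query-viewer rows; Event ID and Start Time are the mandatory
# fields from the setup section (Start Time is epoch milliseconds).
SAMPLE_ROWS: List[Row] = [
    {"Event ID": "12352349", "Start Time": 1589028174502, "Name": "Monitor Event"},
    {"Event ID": "45652798", "Start Time": 1589028234536, "Name": "Login succeeded"},
    {"Event ID": "87654321", "Start Time": 1589028234536, "Name": "Login succeeded"},
    {"Event ID": "14725836", "Start Time": 1589028234536, "Name": "Login succeeded"},
]


def fetch_new_incidents(rows: List[Row], last_run: Dict, max_unique_ids: int,
                        max_fetch: int = 1000) -> Tuple[List[Row], Dict]:
    """Return the rows not fetched yet and the last_run to store for the next call.

    last_run = {"timestamp": <Start Time high-water mark>, "ids": [<fetched IDs>]}
    (assumed layout). Rows older than the mark are dropped; rows at or after it
    are dropped only while their ID is still in the remembered list. That list is
    capped at max_unique_ids, so exceeding the cap makes events come back again.
    """
    last_ts = last_run.get("timestamp", 0)
    seen = set(last_run.get("ids", []))
    candidates = sorted(rows, key=lambda r: (r["Start Time"], r["Event ID"]))
    new_rows = [r for r in candidates
                if r["Start Time"] >= last_ts and r["Event ID"] not in seen]
    new_rows = new_rows[:max_fetch]  # the "max fetch" knob from the notes above
    if not new_rows:
        return [], last_run
    remembered = last_run.get("ids", []) + [r["Event ID"] for r in new_rows]
    remembered = remembered[-max_unique_ids:]  # oldest IDs are forgotten first (assumption)
    return new_rows, {"timestamp": new_rows[-1]["Start Time"], "ids": remembered}
```

Running the same rows twice with a cap of 2 returns one event a second time, which is the duplicate behaviour the configuration note warns about.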
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- (Deprecated) Get all case resource IDs: as-get-all-cases
- Get information for a single case: as-get-case
- Get query viewer results: as-get-matrix-data
- Add entries to the Active List: as-add-entries
- Delete all entries from the Active List: as-clear-entries
- Get all entries on the Active List: as-get-entries
- Get details for security event: as-get-security-events
- Get all case event IDs: as-get-case-event-ids
- Update a single case: as-update-case
- Get all query viewer IDs: as-get-all-query-viewers
- Delete a single case: as-case-delete
- Get all query viewer results: as-get-query-viewer-results
- Fetch incidents: as-fetch-incidents
- Delete entries from the Active List: as-delete-entries
as-get-all-cases#
(Deprecated) Retrieves all case resource IDs.
Base Command#
as-get-all-cases
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.AllCaseIDs | Unknown | All case resource IDs |
Command Example#
!as-get-all-cases
Context Example#
Human Readable Output#
All cases#
| caseID |
|---|
| 1234DfGkBABCenF0601F2Ww== |
| 456mUEWcBABD6cSFwTn5Fog== |
| 789pEo2gBABCBcJbK9kU04Q== |
as-get-case#
Gets information about a single case.
Base Command#
as-get-case
Input#
| Argument Name | Description | Required |
|---|---|---|
| resourceId | Resource ID of the case to get information for | Required |
| withBaseEvents | If "true", returns the case together with its base events | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.Cases.resourceid | string | Case ID |
| ArcSightESM.Cases.name | string | Case name |
| ArcSightESM.Cases.eventIDs | Unknown | Related base event IDs |
| ArcSightESM.Cases.createdTimestamp | number | Time the case was created (in milliseconds) |
| ArcSightESM.Cases.createdTime | string | Created time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
| ArcSightESM.Cases.modifiedTimestamp | number | Modified timestamp (in milliseconds) |
| ArcSightESM.Cases.modifiedTime | date | Modified time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
| ArcSightESM.Cases.action | string | Action (e.g., BLOCK_OR_SHUTDOWN) |
| ArcSightESM.Cases.associatedImpact | string | Associated impact (e.g., AVAILABILITY) |
| ArcSightESM.Cases.attackAgent | string | Attack agent (e.g., INSIDER) |
| ArcSightESM.Cases.attackMechanism | string | Attack mechanism (e.g., PHYSICAL) |
| ArcSightESM.Cases.consequenceSeverity | string | Consequence severity (e.g., NONE) |
| ArcSightESM.Cases.detectionTime | date | Detection time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
| ArcSightESM.Cases.displayID | number | Display ID |
| ArcSightESM.Cases.estimatedStartTime | date | Estimated start time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
| ArcSightESM.Cases.eventIDs | unknown | Base event IDs |
| ArcSightESM.Cases.frequency | string | Frequency (e.g., NEVER_OR_ONCE) |
| ArcSightESM.Cases.history | Unknown | History (e.g., KNOWN_OCCURENCE) |
| ArcSightESM.Cases.numberOfOccurences | number | Number Of Occurences |
| ArcSightESM.Cases.resistance | string | Resistance (e.g., HIGH) |
| ArcSightESM.Cases.securityClassification | string | Security Classification (e.g., UNCLASSIFIED) |
| ArcSightESM.Cases.sensitivity | string | Sensitivity (e.g., UNCLASSIFIED) |
| ArcSightESM.Cases.stage | string | Stage (e.g., QUEUED,INITIAL,FOLLOW_UP,FINAL,CLOSED) |
| ArcSightESM.Cases.ticketType | string | Ticket type (e.g., INTERNAL,CLIENT,INCIDENT) |
| ArcSightESM.Cases.vulnerability | string | Vulnerability (e.g., DESIGN) |
Command Example#
!as-get-case resourceId="12ax-uGgBABCWb2puJdY8ZA=="
Context Example#
Human Readable Output#
Case 12ax-uGgBABCWb2puJdY8ZA==#
| Action | CaseID | CreatedTime | EventIDs | Name | Severity | Stage |
|---|---|---|---|---|---|---|
| BLOCK_OR_SHUTDOWN | 12ax-uGgBABCWb2puJdY8ZA== | 2019-02-04 12:33:21 | 12395741, 45696713, 7896719 | test | INSIGNIFICANT | QUEUED |
as-get-matrix-data#
Retrieves query viewer results (the query viewer must be configured to refresh every minute; see the ArcSight documentation).
Base Command#
as-get-matrix-data
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | Resource ID of a query viewer | Required |
| onlyColumns | If "true", will return only the columns of the query. If "false", will return the column headers and all query results. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!as-get-matrix-data id=aBBnu5XEBABCJHuGRQA-nwg==
Context Example#
Human Readable Output#
| Column Headers |
|---|
| Name |
| ID |
| Create Time |
| Event-Name |
| Originator |
| Alias |
| Display ID |
Query Viewer Results: aBBnu5XEBABCJHuGRQA-nwg==#
| Create Time | Display ID | Event-Name | ID | Name |
|---|---|---|---|---|
| 1582763229550 | 30001 | | 123nu5XEBABCJHuGRQA-nwg== | test1 |
| 1589103446811 | 30003 | | 123gfy-XEBABCAD7Y9AVwrTA== | test2 |
| 1588004035004 | 30002 | Login succeeded for user name 'admin' | 123lqvHEBABDmMHb-MM+jnA== | test3 |
| 1588004035004 | 30002 | ArcSight User Login | 123lqvHEBABDmMHb-MM+jnA== | test4 |
as-add-entries#
Adds new entries to the Active List.
Base Command#
as-add-entries
Input#
| Argument Name | Description | Required |
|---|---|---|
| resourceId | Resource ID of the Active List | Required |
| entries | Entries are in JSON format. JSON must be an array of entries. Each entry must contain the same columns as they appear in the Active List, e.g., [{ "UserName": "john", "IP":"19.12.13.11"},{ "UserName": "bob", "IP":"22.22.22.22"}] | Required |
Context Output#
There is no context output for this command.
Command Example#
!as-add-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ==" entries="[{\"name\": \"t3\", \"EventID\": \"9\"},{\"name\": \"t4\", \"EventID\": \"9\"}]"
Context Example#
Human Readable Output#
Success
as-clear-entries#
Deletes all entries in the Active List.
Base Command#
as-clear-entries
Input#
| Argument Name | Description | Required |
|---|---|---|
| resourceId | Resource ID of a specific Active List | Required |
Context Output#
There is no context output for this command.
Command Example#
!as-clear-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ=="
Context Example#
Human Readable Output#
Success
as-get-entries#
Returns all entries in the Active List.
Limitations#
Returns up to 2000 entries.
Base Command#
as-get-entries
Input#
| Argument Name | Description | Required |
|---|---|---|
| resourceId | Resource ID of a specific Active List | Required |
| entryFilter | Filters the entries, e.g., entryFilter="moo:moo1" | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.ActiveList | Unknown | Map of active list resource ID => active list entries |
| ArcSightESM.ActiveList.ListID | list | The Active List ID |
| ArcSightESM.ActiveList.Entries | Unknown | The entries of the Active List |
Command Example#
!as-get-entries resourceId=A1LvlmWgBABCA5+HbRyHZoQ==
Context Example#
Human Readable Output#
Columns#
| eventId | name | startTime |
|---|---|---|
Active List has no entries
as-get-security-events#
Returns the security event details.
Base Command#
as-get-security-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| ids | ID, or multiple IDs separated by commas, of security events. An Event ID in ArcSight is always a number. Example: 13906590 | Required |
| lastDateRange | Query last events. Format follows 'number date_range_unit', e.g., 2 hours, 4 minutes, 6 month, 1 day | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.SecurityEvents | Unknown | List of security events |
| ArcSightESM.SecurityEvents.name | string | Event name |
| ArcSightESM.SecurityEvents.eventId | number | Event ID |
| ArcSightESM.SecurityEvents.type | string | Event type (e.g., CORRELATION) |
| ArcSightESM.SecurityEvents.baseEventIds | Unknown | Base event IDs |
| ArcSightESM.SecurityEvents.source.address | Unknown | Event source address |
| ArcSightESM.SecurityEvents.destination.address | Unknown | Event destination address |
| ArcSightESM.SecurityEvents.startTime | date | Start time in milliseconds |
Command Example#
!as-get-security-events ids=12352349,45652798
Context Example#
Human Readable Output#
| Destination Address | Event ID | Name | Source Address | Time |
|---|---|---|---|---|
| 1.1.1.1 | 12352349 | Monitor Event | | 2020-05-07, 14:43:00 |
| 1.1.1.1 | 45652798 | Login succeeded for user name 'admin' | 2.2.2.2 | 2020-05-07, 14:48:54 |
as-get-case-event-ids#
Returns all case event IDs.
Base Command#
as-get-case-event-ids
Input#
| Argument Name | Description | Required |
|---|---|---|
| caseId | Case ID, e.g., 7e6LEbF8BABCfA-dlp1rl1A== | Required |
| withCorrelatedEvents | If "true", returns the case together with its correlated events | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.CaseEvents | Unknown | Map of caseId => related event ids |
| ArcSightESM.CaseEvents.LatestResult | Unknown | Event IDs of the last execution of this command |
Command Example#
!as-get-case-event-ids caseId="12ax-uGgBABCWb2puJdY8ZA==" withCorrelatedEvents="true"
Context Example#
Human Readable Output#
Case 12ax-uGgBABCWb2puJdY8ZA==#
| Event IDs |
|---|
| 12396713 |
| 45695741 |
| 78996719 |
as-update-case#
Updates a specific case.
Base Command#
as-update-case
Input#
| Argument Name | Description | Required |
|---|---|---|
| caseId | Case resource ID to update. The case must be unlocked, and the user should have edit permissions. | Required |
| stage | Stage the case is in | Optional |
| severity | Ticket consequence Severity | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.Cases | unknown | List of cases |
| ArcSightESM.Cases.resourceid | string | Case resource ID |
| ArcSightESM.Cases.stage | string | Case stage |
| ArcSightESM.Cases.consequenceSeverity | string | Case severity |
Command Example#
!as-update-case caseId="12ax-uGgBABCWb2puJdY8ZA==" stage="QUEUED" severity="INSIGNIFICANT"
Context Example#
Human Readable Output#
Case 12ax-uGgBABCWb2puJdY8ZA==#
| Action | CaseID | CreatedTime | EventIDs | Name | Severity | Stage |
|---|---|---|---|---|---|---|
| BLOCK_OR_SHUTDOWN | 12ax-uGgBABCWb2puJdY8ZA== | 2019-02-04 12:33:21 | 12395741, 45696713, 78996719 | test | INSIGNIFICANT | QUEUED |
as-get-all-query-viewers#
Returns all the query viewer IDs.
Base Command#
as-get-all-query-viewers
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.AllQueryViewers | Unknown | List of all query viewer IDs |
Command Example#
!as-get-all-query-viewers
Context Example#
Human Readable Output#
| Query Viewers |
|---|
| 123457WYBABCw9lZRkCjVIQ== |
| 54321rlkBABCJREkQ7PrIRg== |
| 56789py4BABCN9NYml6MSoA== |
as-case-delete#
Deletes a case.
Base Command#
as-case-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| caseId | Resource ID of the case | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSightESM.Cases.resourceid | string | Resource ID of case |
| ArcSightESM.Cases.Deleted | boolean | Boolean flag. "True" if deleted. |
Command Example#
!as-case-delete caseId=123WHEWcBABD6VdKLNcKE2Q==
Context Example#
Human Readable Output#
Case 123WHEWcBABD6VdKLNcKE2Q== successfully deleted
as-get-query-viewer-results#
Retrieves query viewer results (the query viewer must be configured to refresh every minute; see the ArcSight documentation).
Base Command#
as-get-query-viewer-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| id | Resource ID of the query viewer | Required |
| onlyColumns | If "true", will return only the columns of the query. If "false", will return the column headers and all query results. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ArcSight.QueryViewerResults | Unknown | Query viewer results |
Command Example#
!as-get-query-viewer-results id="123457WYBABCw9lZRkCjVIQ=="
Context Example#
Human Readable Output#
| Column Headers |
|---|
| Name |
| End Time |
| Attacker Zone URI |
| Attacker Address |
| Event ID |
| Start Time |
Query Viewer Results: 123457WYBABCw9lZRkCjVIQ==#
| Attacker Address | Attacker Zone URI | End Time | Event ID | Name | Start Time |
|---|---|---|---|---|---|
| 1.1.1.1 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028174502 | 12345678 | Login succeeded for user name 'admin' | 1589028174502 |
| 2.2.2.2 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028234536 | 87654321 | Login succeeded for user name 'admin' | 1589028234536 |
| 3.3.3.3 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028294471 | 14725836 | Login succeeded for user name 'admin' | 1589028294471 |
as-fetch-incidents#
Fetches incidents.
Base Command#
as-fetch-incidents
Input#
| Argument Name | Description | Required |
|---|---|---|
| last_run | Last run to start fetching incidents from | Optional |
Context Output#
There is no context output for this command.
Command Example#
!as-fetch-incidents
Context Example#
as-delete-entries#
Deletes entries from the Active List.
Base Command#
as-delete-entries
Input#
| Argument Name | Description | Required |
|---|---|---|
| resourceId | Resource ID of the Active List | Required |
| entries | Entries are in JSON format. JSON must be an array of entries. Each entry must contain the same columns as they appear in the Active List, e.g., [{ "UserName": "john", "IP":"19.12.13.11"},{ "UserName": "bob", "IP":"22.22.22.22"}] | Required |
Context Output#
There is no context output for this command.
Command Example#
!as-delete-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ==" entries="[{\"name\": \"t3\", \"EventID\": \"9\"},{\"name\": \"t4\", \"EventID\": \"9\"}]"
Context Example#
Human Readable Output#
Success
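For the entries argument shared by as-add-entries and as-delete-entries, here is an added Python helper (not part of the integration) that checks every entry against the Active List's columns, which the argument description requires, and renders the backslash-escaped entries="..." value seen in the command examples above. The column list and sample entries are constructed for this example.

```python
import json
from typing import Dict, List

Entry = Dict[str, str]


def validate_entries(entries: List[Entry], columns: List[str]) -> List[Entry]:
    """Reject an entry whose columns differ from the Active List's columns.

    The command requires each entry to carry the same columns as the list;
    catching a missing or misspelled column here avoids a failed command.
    """
    if not entries:
        raise ValueError("entries must be a non-empty JSON array")
    expected = set(columns)
    for index, entry in enumerate(entries):
        missing = expected - set(entry)
        extra = set(entry) - expected
        if missing or extra:
            raise ValueError(f"entry {index}: missing {sorted(missing)}, "
                             f"unexpected {sorted(extra)}")
    return entries


def build_entries_command(command: str, resource_id: str,
                          entries: List[Entry], columns: List[str]) -> str:
    """Render a War Room line such as !as-add-entries resourceId="..." entries="...".

    The JSON array sits inside double quotes, so each inner double quote is
    escaped with a backslash, as in the command examples on this page.
    """
    validate_entries(entries, columns)
    escaped = json.dumps(entries).replace('"', '\\"')
    return f'{command} resourceId="{resource_id}" entries="{escaped}"'


def parse_entries_argument(argument: str) -> List[Entry]:
    """Recover the entry list from the escaped value of an entries="..." argument."""
    return json.loads(argument.replace('\\"', '"'))


# Constructed sample: an Active List with the two columns used in the examples.
ACTIVE_LIST_COLUMNS = ["name", "EventID"]
SAMPLE_ENTRIES = [{"name": "t3", "EventID": "9"}, {"name": "t4", "EventID": "9"}]
```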