ArcSight Logger delivers a universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.
The Cortex XSOAR-ArcSight Logger integration allows you to run a search session, refine or limit the search and retrieve a list of events detected in the search.
To set up Arcsight Logger to work with Cortex XSOAR:
Make sure you have the Arcsight Logger server url.
Make sure you have credentials for Arcsight Logger.
To set up the integration on Cortex XSOAR:
Go to âSettings > Integrations > Servers & Servicesâ
Locate âArcSight Loggerâ by searching for it using the search box on the top of the page.
Click âAdd instanceâ to create and configure a new integration. You should configure the following settings:
Name
: A textual name for the integration instance.
Server URL and Port
: The API server URL and port number.
Credentials and Password
: User and password used to access ArcSight Logger.
to automatically create Cortex XSOAR incidents from ArcSight Logger events.
Incident type
: Choose the incident type from the drop-down list. This incident type will be triggered when an event is received from the integration.
Events query
- The events query received from the integration.
Do not validate server certificate (insecure)
-Â Select to avoid server certification validation. You may want to do this in case Cortex XSOAR cannot validate the integration server certificate (due to missing CA certificate).
Use system proxy settings
: Select whether to communicate via the system proxy server or not.
Cortex XSOAR engine
: If relevant, select the engine that acts as a proxy to the server.
Engines are used when you need to access a remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from accessing the remote networks.
For more information on Cortex XSOAR engines see:
Cortex XSOAR 6.13 - Engines
Cortex XSOAR 8 Cloud- Engines
Cortex XSOAR 8.7 On-prem - Engines
Require users to enter additional password:
Select whether youâd like an additional step where users are required to authenticate themselves with a password.
Press the âTestâ button to validate connection.
After completing the test successfully, press the âDoneâ button.
Fetched incidents data:
The integration imports events as incidents. All events from 24 hours prior to the instance configuration and up to the current time will be fetched.
Top Use-case:
Arcsight Logger integration can be used to run a search session, refine or limit the search, and retrieve a list of events detected in the search.
This can be achieved in two possible ways:
Use âas-search-eventsâ for the complete flow of the use case to be executed.
âas-search-eventsâ starts a new search session, waits until the search status is complete or reaches the required number of hits, and then returns the list of detected events.
Alternatively, the explicit commands can be used to âbreakdownâ the search-events process. A possible flow of commands can be:
Use âas-searchâ to start a new search session and receive the session ID and search session ID to be used in the following commands.
Use âas-drilldownâ to narrow-down the search results to the specified time range.
Use âas-statusâ to inquire if the search session is complete or still running, view the number of scanned events and hits.
Use âas-eventsâ to get a list of all events detected in the search.
Use âas-closeâ to stop the execution of the search and clear the session data from the server.
Search time range:
When no time limitations are applied on a search session, Arcsight Logger will use its default time limitation and will search events in time range of the last 2 hours.
To set the search time range:
When starting a new search session, using âas-searchâ
: pass both startTime and endTime parameters to set the time range for the search. Alternatively, you can use the lastDays parameter.
When in an active search session:
use âas-drilldownâ to narrow-down the search results to a specified time range.
When starting a new search, using âas-search-eventsâ:
pass both startTime and endTime parameters to set the time range for the search. Alternatively, use lastDays parameter.
Date/time format:
Use the compliant date/time format when passing startTime and endTime parameters.
Expected date/time format
: yyyy-MM-ddâTâHH:mm:ss.SSSXXX.
For example, May 26 2014 at 21:49:46 PM could have a format like one of the following:
Format in PDT: 2014-05-26T21:49:46.000-07:00
Format in UTC: 2014-05-26T21:49:46.000Z
Events list default limitation:
The default events list length is 100. To set a new length specify the path length parameter in the relevant commands.
Local/global search:
In âas-searchâ and âas-search-eventsâ you can optionally pass the âlocal_searchâ parameter, to Indicate whether the search is local only, and does not include peers.
Please note
that local search is the default option for a search session.
Known Limitations
Session limitations:
Arcsight Logger has default limitations for running maximum sessions simultaneously, and for inactive sessions.
To change the default limitation for both, use administrator credentials to login to Archsight Logger UI, navigate to âSystem Adminâ->âUsers/Groupsâ->âAuthenticationâ and set new limitations for âMax Simultaneous Logins/Userâ and âLogout Inactive Session Afterâ.
Troubleshooting
Reoccurring âtimeoutâ error
when using commands âas-search-eventsâ or âas-eventsâ:
This may indicate that a large amount of data returned from Arcsight Logger. To resolve this error, try to limit the search time range or the events list length. Â See additional ways to set the search time range in âAdditional infoâ above.
DBot error snap-shot
Reoccurring âLogin failedâ error when using âas-searchâ or âas-search-eventsâ:
First eliminate the case of wrong credentials configured in the Arcsight Logger instance.
If this error still araises, it may indicate that Arcsight Logger is failing to generate a new search session. New sessions cannot be generated by Arcsight Logger when the maximum allowed number of simultaneous sessions was reached.
To resolve this problem, use administrator credentials to login to Archsight Logger UI and set a new limitation for maximum simultaneous sessions.
See âKnown Limitationsâ above for more information.
If administrator credentials are not available for you, use âas-closeâ to close the running sessions.
DBot error snap-shot
Reoccurring âUser session id is not validâ error:
The search session timed out.
Search session timeout can be caused by the followings:
- Low âtimeoutâ passed to âas-searchâ. This can be resolved by passing a higher âtimeoutâ   value to âas-searchâ.
- Arcsight Logger limitation on inactive sessions - Inactive sessions are automatically terminated after a defined period of time determined by Arcsight Logger, even if the âtimeoutâ argument is changed to âas-searchâ.
To resolve this problem, use administrator credentials to login to Archsight Logger UI and set a new limitation for inactive sessions. See âKnown Limitationsâ above for more information.