ArcSight Logger

This Integration is part of the ArcSight Logger Pack.#

ArcSight Logger delivers a universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.

The Cortex XSOAR-ArcSight Logger integration allows you to run a search session, refine or limit the search and retrieve a list of events detected in the search.

To set up Arcsight Logger to work with Cortex XSOAR:

Make sure you have the Arcsight Logger server url.
Make sure you have credentials for Arcsight Logger.

To set up the integration on Cortex XSOAR:

Go to ‘Settings > Integrations > Servers & Services’
Locate ‘ArcSight Logger’ by searching for it using the search box on the top of the page.
Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
Name : A textual name for the integration instance.
Server URL and Port : The API server URL and port number.
Credentials and Password : User and password used to access ArcSight Logger.

Import events as incidents - Mark to automatically create Cortex XSOAR incidents from ArcSight Logger events.
Incident type : Choose the incident type from the drop-down list. This incident type will be triggered when an event is received from the integration.
Events query - The events query received from the integration.

Do not validate server certificate (insecure) - Select to avoid server certification validation. You may want to do this in case Cortex XSOAR cannot validate the integration server certificate (due to missing CA certificate).

Use system proxy settings : Select whether to communicate via the system proxy server or not.
Cortex XSOAR engine : If relevant, select the engine that acts as a proxy to the server.
Engines are used when you need to access a remote network segments and there are network devices such as proxies, firewalls, etc. that prevent the Cortex XSOAR server from accessing the remote networks.
For more information on Cortex XSOAR engines see:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Engines
Require users to enter additional password: Select whether you’d like an additional step where users are required to authenticate themselves with a password.
Press the ‘Test’ button to validate connection.
After completing the test successfully, press the ‘Done’ button.

Fetched incidents data:

The integration imports events as incidents. All events from 24 hours prior to the instance configuration and up to the current time will be fetched.

Top Use-case:

Arcsight Logger integration can be used to run a search session, refine or limit the search, and retrieve a list of events detected in the search.

This can be achieved in two possible ways:

Use ‘as-search-events’ for the complete flow of the use case to be executed.
‘as-search-events’ starts a new search session, waits until the search status is complete or reaches the required number of hits, and then returns the list of detected events.

Alternatively, the explicit commands can be used to ‘breakdown’ the search-events process. A possible flow of commands can be:
- Use ‘as-search’ to start a new search session and receive the session ID and search session ID to be used in the following commands.
- Use ‘as-drilldown’ to narrow-down the search results to the specified time range.
- Use ‘as-status’ to inquire if the search session is complete or still running, view the number of scanned events and hits.
- Use ‘as-events’ to get a list of all events detected in the search.
- Use ‘as-close’ to stop the execution of the search and clear the session data from the server.

Commands:

as-search-events

Input:

query, discover_fields, endTime, startTime, summary_fields, field_summary, local_search, timeout, lastDays, offset, length, dir, fields

for example:

!as-search-events
query=”deviceVendor= Arcsight AND name CONTAINS \”CPU\””
length=10

!as-search-events
offset=15
length=10
fields=name,deviceVendor

Find more query examples at wikis/ArcsightLogger .

Context output (example):

{

"ArcSightLogger": {

"Events": [

{

"destinationAddress": ##.##.##.##,

"agentSeverity": "1",

"Version": "0",

"Logger": "Local",

"ReceiptTime": 1513249919185,

"deviceCustomNumber1Label": "Percent Usage",

"deviceCustomNumber1": 2,

"deviceAddress": ##.##.##.##,

"deviceCustomString2Label": "timeframe",

"deviceVendor": "ArcSight",

"Device": "Logger",

"deviceProduct": "Logger",

"EventTime": 1513249440017,

"baseEventCount": 1,

"deviceReceiptTime": 1513249440017,

"startTime": 1513249440017,

"deviceEventClassId": "cpu:100",

"deviceCustomString2": "CurrentValue",

"name": "CPU Usage",

"deviceEventCategory": "/Monitor/CPU/Usage",

"rowId": "347259-26@Local",

"endTime": 1513249440017,

"deviceVersion": "6.2.0.7633.0"

…

]

}

Raw output (example):

[

{

Device:Logger

EventTime:1513249693332

Logger:Local

ReceiptTime:1513249693838

Version:0

agentSeverity:3

baseEventCount:1

cn1label:Session

destinationAddress: ##.##.##.##,

destinationUserId:1

destinationUserName:admin

deviceCustomNumber1: 741618068

deviceEventCategory:/Platform/Authentication/Login

deviceEventClassId:platform:230

deviceProduct:Logger

deviceVendor:ArcSight

deviceVersion:L7633

name:Successful login

rowId:347186-0@Local

sourceAddress: ##.##.##.##,

…

]

as-search

Input:

query, discover_fields, endTime, startTime, summary_fields, field_summary, local_search, timeout, lastDays

for example:

!as-search

startTime=2017-12-21T06:30:00.000Z

endTime=2017-12-21T07:30:00.000Z

local_search=false
!as-search

lastDays=1

Find more query examples at wikis/ArcsightLogger .

Context output (example):

{

"ArcSightLogger": {

"Search": {

"SearchSessionId": 1513260595933,

"SessionId": "3dxITLyDE9FyRiflQD7UFG_hSsUPq4uCTM4B6Y5D3p4."

}

Raw output (example):

{

searchSessionId:1513260595933

sessionId:3dxITLyDE9FyRiflQD7UFG_hSsUPq4uCTM4B6Y5D3p4.

}

as-drilldown

Input:

searchSessionId, sessionId, startTime, endTime, lastDays

for example:

!as-drilldown

lastDays=1
searchSessionId="1513875662638"
sessionId="18t2-5sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."
!as-drilldown
startTime=2017-12-21T06:30:00.000Z
endTime=2017-12-21T07:30:00.000Z
searchSessionId="1513875662638" sessionId="18t25sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."

Context output:

The command has no context.

Raw output:

The command has no raw output.

as-status

Input:

searchSessionId, sessionId

Context output (example):

{

"ArcSightLogger": {

"Status": {

"Status": "complete",

"Hit": 2462,

"Elapsed": "00:00:00.290",

"ResultType": "histogram",

"Scanned": 2520,

"SearchSessionId": "1513272858387",

"Message": []

}

Raw output (example):

{

elapsed: 00:00:00.290

message: []

result_type: histogram

scanned: 2520

status: complete

}

as-events

Input:

searchSessionId, sessionId, length, dir, offset, fields

Command use example

!as-events
searchSessionId="1513875662638" sessionId="18t25sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."
length=10
fields=name,deviceAddress,deviceVendor,EventTime

Context output (example):

{

"ArcSightLogger": {

"Events": [

{

"destinationAddress": ##.##.##.##,

"agentSeverity": "1",

"Version": "0",

"Logger": "Local",

"ReceiptTime": 1513249919185,

"deviceCustomNumber1Label": "Percent Usage",

"deviceCustomNumber1": 2,

"deviceAddress": ##.##.##.##,

"deviceCustomString2Label": "timeframe",

"deviceVendor": "ArcSight",

"Device": "Logger",

"deviceProduct": "Logger",

"EventTime": 1513249440017,

"baseEventCount": 1,

"deviceReceiptTime": 1513249440017,

"startTime": 1513249440017,

"deviceEventClassId": "cpu:100",

"deviceCustomString2": "CurrentValue",

"name": "CPU Usage",

"deviceEventCategory": "/Monitor/CPU/Usage",

"rowId": "347259-26@Local",

"endTime": 1513249440017,

"deviceVersion": "6.2.0.7633.0"

…

]

}

Raw output (example):

[

{

Device:Logger

EventTime:1513249693332

Logger:Local

ReceiptTime:1513249693838

Version:0

agentSeverity:3

baseEventCount:1

cn1label:Session

destinationAddress: ##.##.##.##,

destinationUserId:1

destinationUserName:admin

deviceCustomNumber1: 741618068

deviceEventCategory:/Platform/Authentication/Login

deviceEventClassId:platform:230

deviceProduct:Logger

deviceVendor:ArcSight

deviceVersion:L7633

name:Successful login

rowId:347186-0@Local

sourceAddress: ##.##.##.##,

…

]

{

as-stop

Input:

searchSessionId, sessionId

Context output (example):

The command has no context.

Raw output (example):

The command has no raw output.

as-close

Input:

searchSessionId, sessionId

Context output (example):

The command has no context.

Raw output (example):

The command has no raw output.

Additional info:

Search time range: When no time limitations are applied on a search session, Arcsight Logger will use its default time limitation and will search events in time range of the last 2 hours.
To set the search time range:
- When starting a new search session, using ‘as-search’ : pass both startTime and endTime parameters to set the time range for the search. Alternatively, you can use the lastDays parameter.
- When in an active search session: use ‘as-drilldown’ to narrow-down the search results to a specified time range.
- When starting a new search, using ‘as-search-events’: pass both startTime and endTime parameters to set the time range for the search. Alternatively, use lastDays parameter.
Date/time format: Use the compliant date/time format when passing startTime and endTime parameters.
Expected date/time format : yyyy-MM-dd’T’HH:mm:ss.SSSXXX.
For example, May 26 2014 at 21:49:46 PM could have a format like one of the following:
- Format in PDT: 2014-05-26T21:49:46.000-07:00
- Format in UTC: 2014-05-26T21:49:46.000Z
Events list default limitation: The default events list length is 100. To set a new length specify the path length parameter in the relevant commands.
Local/global search: In ‘as-search’ and ‘as-search-events’ you can optionally pass the ‘local_search’ parameter, to Indicate whether the search is local only, and does not include peers. Please note that local search is the default option for a search session.

Known Limitations

Session limitations: Arcsight Logger has default limitations for running maximum sessions simultaneously, and for inactive sessions.
To change the default limitation for both, use administrator credentials to login to Archsight Logger UI, navigate to ‘System Admin’->’Users/Groups’->’Authentication’ and set new limitations for ‘Max Simultaneous Logins/User’ and ‘Logout Inactive Session After’.

Troubleshooting

Reoccurring ‘timeout’ error when using commands ‘as-search-events’ or ‘as-events’:

This may indicate that a large amount of data returned from Arcsight Logger. To resolve this error, try to limit the search time range or the events list length. See additional ways to set the search time range in ‘Additional info’ above.
DBot error snap-shot

Reoccurring ‘Login failed’ error when using ‘as-search’ or ‘as-search-events’:

First eliminate the case of wrong credentials configured in the Arcsight Logger instance.

If this error still araises, it may indicate that Arcsight Logger is failing to generate a new search session. New sessions cannot be generated by Arcsight Logger when the maximum allowed number of simultaneous sessions was reached.

To resolve this problem, use administrator credentials to login to Archsight Logger UI and set a new limitation for maximum simultaneous sessions.
See ’Known Limitations’ above for more information.

If administrator credentials are not available for you, use ‘as-close’ to close the running sessions.

DBot error snap-shot

Reoccurring ‘User session id is not valid’ error:

The search session timed out.

Search session timeout can be caused by the followings:
- Low ‘timeout’ passed to ‘as-search’. This can be resolved by passing a higher ‘timeout’ value to ‘as-search’.
- Arcsight Logger limitation on inactive sessions - Inactive sessions are automatically terminated after a defined period of time determined by Arcsight Logger, even if the ‘timeout’ argument is changed to ‘as-search’.

To resolve this problem, use administrator credentials to login to Archsight Logger UI and set a new limitation for inactive sessions. See ’Known Limitations’ above for more information.

DBot error snap-shot