RSA Archer (Deprecated)
This integration is part of the RSA Archer Pack.
Deprecated. Use the RSA Archer v2 integration instead.
Overview
Deprecated. Use the RSA Archer v2 integration instead.
Configure the RSA Archer integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for RSA Archer.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL
- Instance name
- Username
- Password
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Incident type
- Timezone offset of the RSA Archer server machine, in minutes (for example +60 or -60)
- Application ID for fetch
- The application's base ID. For example, "Incident ID"
- fetchFilter: specific filters for fetching, in the form of an XML string
- Use Archer's REST API instead of its SOAP API
- Use European time format (dd/mm/yyyy) instead of the American one (mm/dd/yyyy)
- Click Test to validate the URLs and connection.
Fetched Incidents Data
Fetches incidents data from RSA Archer by using the archer-fetch-incidents command. In the first fetch, the program fetches incidents from the previous day until the time you run the command.
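The "Timezone offset", "Use European Time format" and first-fetch settings above all decide how a record's timestamp is interpreted. The following added example (not the integration's own code) shows what goes wrong when they are set inconsistently: an offset-less Archer date such as "3/23/2018 7:00 AM" is converted to UTC with the configured offset and date order, and incidents are selected against a UTC watermark so that a server in another timezone neither re-fetches nor skips records. SAMPLE_RECORDS is constructed to resemble the archer-get-record raw output shown later on this page.

```python
from datetime import datetime, timedelta, timezone

# Added illustration of the timezone-offset / date-format / first-fetch settings.
# Not the integration's own code; SAMPLE_RECORDS is constructed in the shape of
# the archer-get-record raw output on this page.


def parse_archer_datetime(value, offset_minutes, european=False):
    """Convert an Archer date/time string to an aware UTC datetime.

    Two shapes appear on this page: ISO 8601 with an explicit offset
    ("2018-02-18T10:45:47+02:00") and a local, offset-less form
    ("3/23/2018 7:00 AM"). The second is ambiguous unless both the server's
    offset (minutes) and the day/month order are known, which is exactly what
    the two instance settings supply.
    """
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        fmt = "%d/%m/%Y %I:%M %p" if european else "%m/%d/%Y %I:%M %p"
        parsed = datetime.strptime(value, fmt)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone(timedelta(minutes=offset_minutes)))
    return parsed.astimezone(timezone.utc)


def first_fetch_window(now_utc):
    """The first fetch covers the previous day up to the moment the fetch runs."""
    return now_utc - timedelta(days=1), now_utc


def select_new_incidents(records, last_fetch_utc, offset_minutes, european=False):
    """Return (new_records, new_watermark) for records created after last_fetch_utc.

    Comparison happens in UTC, so a +02:00 server does not cause duplicates or
    gaps; the new watermark is the latest "Date Created" among the selected
    records (unchanged if nothing new was found). Results are sorted oldest first.
    """
    def created_at(record):
        return parse_archer_datetime(record["Fields"]["Date Created"], offset_minutes, european)

    new_records = [r for r in records if created_at(r) > last_fetch_utc]
    new_records.sort(key=created_at)
    watermark = created_at(new_records[-1]) if new_records else last_fetch_utc
    return new_records, watermark


# Constructed sample records (IDs and times are made up for the example).
SAMPLE_RECORDS = [
    {"Id": "227538", "Fields": {"Date Created": "2018-02-18T10:45:47+02:00", "Incident Status": "New"}},
    {"Id": "227540", "Fields": {"Date Created": "2018-02-18T12:00:00+02:00", "Incident Status": "New"}},
    {"Id": "227541", "Fields": {"Date Created": "2/18/2018 1:30 PM", "Incident Status": "New"}},
]

if __name__ == "__main__":
    last_run = datetime(2018, 2, 18, 9, 0, tzinfo=timezone.utc)
    fresh, watermark = select_new_incidents(SAMPLE_RECORDS, last_run, offset_minutes=120)
    print([r["Id"] for r in fresh], watermark.isoformat())
    # The same local string means two different days under the two date formats:
    print(parse_archer_datetime("3/4/2018 7:00 AM", 0).date(),
          parse_archer_datetime("3/4/2018 7:00 AM", 0, european=True).date())
```

Running the script with a last-run time of 09:00 UTC and a +120 minute offset selects records 227540 and 227541 and moves the watermark to 11:30 UTC; the last line shows why the European/American switch must match the server, since "3/4/2018" is read as 4 March in one format and 3 April in the other.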
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Create a record: archer-create-record
- Update a record: archer-update-record
- Get record information: archer-get-record
- Get application details or list of all applications: archer-search-applications
- Search for records: archer-search-records
- Get all application fields: archer-get-application-fields
- Delete a record: archer-delete-record
- Map list value name to list value ID: archer-get-field
- Get all reports: archer-get-reports
- Perform statistic search: archer-execute-statistic-search-by-report
- Get search criteria: archer-get-search-options-by-guid
- Search records by report: archer-search-records-by-report
- Get field mapping by level ID: archer-get-mapping-by-level
- Fetch Archer incidents: archer-manually-fetch-incident
- Download Archer file to the War Room: archer-get-file
- Upload a file from Cortex XSOAR to Archer: archer-upload-file
- Add data to the detailed analysis field: archer-add-to-detailed-analysis
- Get an Archer user's user ID: archer-get-user-id
- Get a list of values for a field: archer-get-valuelist
Create a record
Creates a new content record in a specified application.
Base Command
archer-create-record
Input
Parameter | Description |
applicationId | ID of the application to create a record in |
fieldsToValues | Record fields in JSON format. Field name is case sensitive. Example: |
Context Data
Path | Description |
Archer.Record.Id | Record Content ID |
Archer.Record.Fields | Record property fields |
Command Example
!archer-create-record applicationId="75" fieldsToValues="{\"Description\":\"Demisto Fraud Referrer \",\"Date/Time Occurred\":\"3/23/2018 7:00 AM\",\"Date/Time Identified\":\"3/23/2018 7:00 AM\",\"Date/Time Reported\":\"3/23/2018 7:00 AM\",\"Executive Summary\":\"test\", \"Incident Report\": \"test incident report from Demisto\"}"
Raw Output
{
  "Record": {
    "Fields": {
      "Date/Time Identified": "3/23/2018 7:00 AM",
      "Date/Time Occurred": "3/23/2018 7:00 AM",
      "Date/Time Reported": "3/23/2018 7:00 AM",
      "Description": "Demisto Fraud Referrer ",
      "Executive Summary": "test",
      "Incident Report": "test incident report from Demisto"
    },
    "Id": "227645"
  }
}
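Because field names in fieldsToValues are case sensitive, a key such as "description" silently fails to match "Description". The following added example (not the integration's own code) checks a fieldsToValues JSON string against the field list that archer-get-application-fields returns before archer-create-record or archer-update-record is run, reporting case-only mismatches with a suggestion and unknown fields outright. SAMPLE_APPLICATION_FIELDS is constructed in that command's output shape; the FieldId and FieldType values in it are made up for the example.

```python
import json

# Added pre-flight check for the fieldsToValues argument of archer-create-record
# and archer-update-record. Not the integration's own code. The sample field list
# is constructed in the shape of the archer-get-application-fields raw output;
# its IDs and type numbers are made up.
SAMPLE_APPLICATION_FIELDS = {
    "ApplicationFields": [
        {"FieldId": "15698", "FieldName": "Incident Response Procedures", "FieldType": 9, "LevelId": 232},
        {"FieldId": "15800", "FieldName": "Description", "FieldType": 1, "LevelId": 232},
        {"FieldId": "15801", "FieldName": "Date/Time Occurred", "FieldType": 3, "LevelId": 232},
        {"FieldId": "15802", "FieldName": "Date/Time Identified", "FieldType": 3, "LevelId": 232},
        {"FieldId": "15803", "FieldName": "Date/Time Reported", "FieldType": 3, "LevelId": 232},
        {"FieldId": "15804", "FieldName": "Executive Summary", "FieldType": 1, "LevelId": 232},
        {"FieldId": "15805", "FieldName": "Incident Report", "FieldType": 1, "LevelId": 232},
    ]
}


def validate_fields_to_values(fields_to_values, application_fields):
    """Return (ok, problems) for a fieldsToValues JSON string.

    Every key must match an application field exactly. A key that differs only
    in case (or surrounding whitespace) gets a suggestion; an unknown key is
    reported as such; malformed JSON or a non-object is reported as one problem.
    """
    try:
        values = json.loads(fields_to_values)
    except json.JSONDecodeError as exc:
        return False, [f"fieldsToValues is not valid JSON: {exc.msg}"]
    if not isinstance(values, dict):
        return False, ["fieldsToValues must be a JSON object mapping field names to values"]

    by_name = {f["FieldName"]: f for f in application_fields["ApplicationFields"]}
    by_lower = {}
    for name in by_name:
        by_lower.setdefault(name.lower(), []).append(name)

    problems = []
    for name in values:
        if name in by_name:
            continue
        candidates = by_lower.get(name.strip().lower(), [])
        if candidates:
            problems.append(f'"{name}" not found; did you mean "{candidates[0]}"? (field names are case sensitive)')
        else:
            problems.append(f'"{name}" is not a field of this application')
    return not problems, problems


def resolve_field_ids(fields_to_values, application_fields):
    """Re-key a validated fieldsToValues object by FieldId instead of FieldName.

    Raises ValueError with all problems joined if validation fails, so a
    playbook step can surface every mistake at once rather than one per run.
    """
    ok, problems = validate_fields_to_values(fields_to_values, application_fields)
    if not ok:
        raise ValueError("; ".join(problems))
    id_by_name = {f["FieldName"]: f["FieldId"] for f in application_fields["ApplicationFields"]}
    return {id_by_name[name]: value for name, value in json.loads(fields_to_values).items()}


if __name__ == "__main__":
    # The unescaped form of the fieldsToValues string from the command example above.
    example = ('{"Description":"Demisto Fraud Referrer ","Date/Time Occurred":"3/23/2018 7:00 AM",'
               '"Date/Time Identified":"3/23/2018 7:00 AM","Date/Time Reported":"3/23/2018 7:00 AM",'
               '"Executive Summary":"test","Incident Report":"test incident report from Demisto"}')
    print(validate_fields_to_values(example, SAMPLE_APPLICATION_FIELDS))
    print(validate_fields_to_values('{"description":"x","Severity":"High"}', SAMPLE_APPLICATION_FIELDS))
```

The first call reports no problems; the second reports that "description" should be "Description" and that "Severity" is not a field of the application, which is the kind of mistake that otherwise surfaces only as a record with missing data.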
Update a record
Updates an existing content record in a specified application.
Base Command
archer-update-record
Input
Parameter | Description |
contentId | Content (record) ID to update |
applicationId | ID of the application to update a record in |
fieldsToValues | Record fields in JSON format. Field name is case sensitive. Example: |
incidentId | Incident ID of the record. Example: |
Context Data
There is no context data for this command.
Command Example
!archer-update-record applicationId=433 contentId=227538 fieldsToValues={\"Title\":\"test\"}
Raw Output
content id = 227538 was updated successfully.
Get record information
Returns information for a content record in a specified application.
Base Command
archer-get-record
Input
Parameter | Description |
contentId | Incident (record) ID to get details for |
applicationId | ID of the application to get the record from |
incidentId | Incident ID of the record. Example: |
Context Data
Path | Description |
Archer.Record.Id | Content ID of the record |
Archer.Record.Fields | Content property fields |
Archer.Record.Fields.Incident Status | Incident status |
Archer.Record.Fields.Record Status | Record status |
Archer.Record.Fields.Last Updated | Last updated |
Archer.Record.Fields.Days Open | Days open |
Archer.Record.Fields.Date Created | Date created |
Archer.Record.Fields.Title | Title |
Archer.Record.Fields.Incident Summary | Incident summary |
Archer.Record.Fields.Threat Category | Threat category |
Archer.Record.Fields.Threat Valid | Threat valid |
Command Example
!archer-get-record applicationId=433 contentId=227538
Raw Output
"Record": { "Fields": { "Actor, Tactics \u0026 Techniques": null, "Affected Facility": null, "Archive": null, "Attach to InfoSec Briefing": null, "Attack Category": null, "Automatic Incident Handler Access": "SOC: L2 Incident Handler,SOC: L1 Incident Handler", "Count of Risks": "0", "Count of Risks Increased": "No", "Date Created": "2018-02-18T10:45:47+02:00", "Date/Time Assigned": null, "Date/Time Closed": null, "Date/Time Modified": "2018-02-22T14:32:46+02:00", "Date/Time Returned": null, "Days Open": "0", "Generate Incident Response Tasks": "No", "Incident Details": null, "Incident ID": "227538", "Incident ID (DFM)": "227538", "Incident ID (KPI)": "227538", "Incident Journal": null, "Incident Owner": null, "Incident Queue": "L1 Incident Handlers", "Incident Response Procedures": null, "Incident Status": "New", "Incident Summary": "inside_record_test_1_summary"...
Get application details or list of all applications
Returns details for an application or a list of all applications.
Base Command
archer-search-applications
Input
Parameter | Description |
findByName | Get application by the application name. To return all applications, leave this parameter empty. |
findById | Get application by the application ID. To return all applications, leave this parameter empty. |
Context Data
Path | Description |
Archer.Record.Id | Content ID of the record |
Archer.Record.Fields | Content property fields |
Archer.Record.Fields.Incident Status | Incident status |
Archer.Record.Fields.Record Status | Record status |
Archer.Record.Fields.Last Updated | Last updated |
Archer.Record.Fields.Days Open | Days open |
Archer.Record.Fields.Date Created | Date created |
Archer.Record.Fields.Title | Title |
Archer.Record.Fields.Incident Summary | Incident summary |
Archer.Record.Fields.Threat Category | Threat category |
Archer.Record.Fields.Threat Valid | Threat valid |
Command Example
!archer-search-applications findById=433
Raw Output
[ { "Guid":"fa254559-4922-4aea-8d53-66b4e3442585", "Id":433, "LanguageId":1, "Name":"Security Incidents", "Status":1, "Type":2 }, { "Guid":"6fda8f2c-d74d-4bf1-aada-def95cba4aaf", "Id":17, "LanguageId":1, "Name":"Vulnerabilities", "Status":1, "Type":2 } ... ]
Search for records
Search for records within a specified application.
Base Command
archer-search-records
Input
Parameter | Description |
applicationId | ID of the application to search records in |
fieldsToDisplay | Fields to display in the search results, in array format. Example: |
maxResults | Maximum search results to return. Default is 100. |
searchValue | Search value. To search for all, leave this parameter empty. |
fieldToSearchOn | Name of field to search on. To search for all, leave this parameter empty. |
numericOperator | Numeric search operator |
dateOperator | Date search operator |
Context Data
Path | Description |
Archer.Record.Id | Content ID of the record |
Archer.Record.ApplicationId | Application ID of the record |
Archer.Record.Fields | Property fields of the record |
Command Example
!archer-search-records applicationId=433 maxResults=1
Raw Output
{ "Fields": { "Incident ID": "225828", "Record": { "Actor, Tactics \u0026 Techniques": null, "Affected Facility": null, "Archive": null, "Attach to InfoSec Briefing": null, "Attack Category": null, "Automatic Incident Handler Access": "SOC: L2 Incident Handler,SOC: L1 Incident Handler",... "Date Created": "2017-10-14T09:55:25+03:00", "Date/Time Assigned": null, "Date/Time Closed": null, "Date/Time Escalated": null, "Date/Time Modified": "2017-10-14T09:55:25+03:00", "Date/Time Returned": null, "Days Open": "0", "Incident ID": "225828",... "Record Status": "New",... } }, "Id": "225828", "ModuleId": "433" }
Get all application fields
Returns all application fields by application ID.
Base Command
archer-get-application-fields
Input
Parameter | Description |
applicationId | ID of the application to search fields in |
Context Data
Path | Description |
Archer.ApplicationFields | Application property fields |
Command Example
!archer-get-application-fields applicationId=433
Raw Output
{ "ApplicationFields": [ { "FieldId": "15698", "FieldName": "Incident Response Procedures", "FieldType": 9, "LevelId": 232 }, { "FieldId": "15700", "FieldName": "Not Applicable Incident Response Procedures", "FieldType": 9, "LevelId": 232 }, { "FieldId": "15742", "FieldName": "CAST - SOC Incident Procs - DO NOT DELETE", "FieldType": 1001, "LevelId": 232 }... }
Delete a record
Deletes an existing record from a specified application.
Base Command
archer-delete-record
Input
Parameter | Description |
applicationId | ID of the application to delete a record from |
contentId | Content (record) ID to delete |
incidentId | Incident ID of the record. Example: |
Context Data
There is no context data for this command.
Command Example
!archer-delete-record applicationId=423 contentId=227542
Raw Output
content id = 227542 was deleted successfully
Map list value name to list value ID
Returns mapping from list value name to list value ID.
Base Command
archer-get-field
Input
Parameter | Description |
fieldId | ID of the field |
applicationId | ID of the application to get the field value from |
Context Data
There is no context data for this command.
Command Example
!archer-get-field applicationId=433 fieldId=16107
Raw Output
{ "FieldId": "16107", "Name": "Last Updated", "Type": 22, "levelId": 232 }
Get all reports
Returns all reports from Archer.
Base Command
archer-get-reports
Input
There is no input for this command.
Context Data
There is no context data for this command.
Command Example
!archer-get-reports
Raw Output
{ "ReportValues": { "ReportValue":[ { "ApplicationGUID":"4cf0d0c6-4b51-404c-91c2-40ade972e95b", "ApplicationName":"Policies", "ReportDescription":"This report displays a listing of all security Policies.", "ReportGUID":"22961b81-4866-40ea-a298-99afb348598d", "ReportName":"Policies - Summary view" }, { "ApplicationGUID":"138d3151-c1f5-4e7d-b6c9-4399e1d922ae",...
Perform statistic search
Performs a statistic search by report GUID.
Base Command
archer-execute-statistic-search-by-report
Input
Parameter | Description |
reportGuid | GUID of the report |
maxResults | Maximum number of pages of the reports |
Context Data
Path | Description |
Archer.StatisticSearch | Search results |
Command Example
!archer-execute-statistic-search-by-report reportGuid=<report GUID>
Raw Output
{
  "Groups": {
    "-count": "3",
    "Metadata": {
      "FieldDefinitions": {
        "FieldDefinition": [
          { "-alias": "Classification", "-guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "-id": "76", "-name": "Classification" },
          { "-alias": "Standard_Name", "-guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "-id": "1566", "-name": "Standard Name" }
        ]
      }
    },
    "Total": {
      "Aggregate": { "-Count": "1497", "-FieldId": "1566" }
    }
  }
}
Get search criteria
Returns search criteria by report GUID.
Base Command
archer-get-search-options-by-guid
Input
Parameter | Description |
reportGuid | GUID of the report |
Context Data
There is no context data for this command.
Command Example
!archer-get-search-options-by-guid reportGuid=246b1d4b294e46c4a4713853456234f7
Raw Output
{
  "SearchReport": {
    "Criteria": {
      "Filter": {
        "Conditions": {
          "ValueListFilterCondition": [
            { "Field": "302", "IncludeChildren": "False", "IsNoSelectionIncluded": "False", "Operator": "DoesNotContain", "Values": { "Value": "470" } },
            { "Field": "304", "IncludeChildren": "False", "IsNoSelectionIncluded": "False", "Operator": "Contains", "Values": { "Value": "473" } }
          ]
        },
        "OperatorLogic": ""
      },
      "ModuleCriteria": {
        "BuildoutRelationship": "Union",
        "IsKeywordModule": "False",
        "Module": "75",
        "SortFields": { "SortField": { "Field": "296", "SortType": "Descending" } }
      }
    },
    "DisplayFields": { "DisplayField": [ "296", "302", "304", "7850", "342" ] },
    "PageSize": "20"
  }
}
Search records by report
Searches records by report GUID.
Base Command
archer-search-records-by-report
Input
Parameter | Description |
reportGuid | GUID of the report |
maxResults | Maximum number of pages of the reports |
Context Data
Path | Description |
Archer.StatisticSearch.Records.Record | Search results (records) |
Command Example
!archer-search-records-by-report reportGuid=365121a3-6145-48ea-8a01-5d000c5c65cf
Raw Output
{ "Records": { "-count": "20", "LevelCounts": { "LevelCount": { "-count": "20", "-guid": "4d664bbf-4f15-4f5c-a81f-888f5901ba26", "-id": "3" } }, "Metadata": { "FieldDefinitions": { "FieldDefinition": [ { "-alias": "Policy_ID", "-guid": "4b765f84-d381-4543-9d7c-1f9e716d4c4d", "-id": "1578", "-name": "Policy ID" }...
Get field mapping by level ID
Returns mapping of fields by level ID.
Base Command
archer-get-mapping-by-level
Input
Parameter | Description |
level | Level ID |
Context Data
There is no context data for this command.
Command Example
!archer-get-mapping-by-level level=232
Raw Output
{ "15698": { "Name": "Incident Response Procedures", "Type": 9, "levelId": "232" }, "15700": { "Name": "Not Applicable Incident Response Procedures", "Type": 9, "levelId": "232" }...
Fetch Archer incidents
Fetches specific incidents from Archer into the Cortex XSOAR War Room. You can also run this fetch manually from an automation.
Base Command
archer-manually-fetch-incident
Input
Parameter | Description |
applicationId | ID of the application to get the incident from |
incidentIds | IDs of incidents to get details for, comma separated |
Context Data
There is no context data for this command.
Command Example
!archer-manually-fetch-incident applicationId=433 incidentIds=227536
Raw Output
{ "details": "Incident Summary: inside_record_test_0_summary", "labels": [ { "Related Security Incidents (Direct Link)-Incident Summary": "inside_record_test_1_summary" }...
Download Archer file to the War Room
Downloads a file from Archer to the Cortex XSOAR War Room context.
Base Command
archer-get-file
Input
Parameter | Description |
fileId | Archer file ID |
Context Data
There is no context data for this command.
Command Example
!archer-get-file fileId=3
Raw Output
Uploaded file: Screen Shot 2018-02-22 at 11.09.33.png'
Upload a file from Cortex XSOAR to Archer
Uploads a file from Cortex XSOAR to Archer.
Base Command
archer-upload-file
Input
Parameter | Description |
contentId | Content (record) ID to add the file to |
applicationId | ID of the application to upload the file to |
incidentId | Incident ID to add the file to |
entryId | Entry ID of the file in the Cortex XSOAR context |
Context Data
There is no context data for this command.
Command Example
!archer-upload-file applicationId=433 contentId=227610 entryId=61@95
Raw Output
File uploaded successfully.
Add data to the detailed analysis field
Adds data to the detailed analysis field.
Base Command
archer-add-to-detailed-analysis
Input
Parameter | Description |
contentId | Incident (record) ID whose field is set |
applicationId | ID of the application the record belongs to |
incidentId | Incident ID of the record |
value | Value to add to the Detailed Analysis field |
Context Data
There is no context data for this command.
Command Example
!archer-add-to-detailed-analysis applicationId=433 contentId=227610 value="test string"
Raw Output
Detailed Analysis updated successfully.
Get an Archer user's user ID
Returns the user ID of an Archer user.
Base Command
archer-get-user-id
Input
Argument Name | Description | Required |
userInfo | Username in the form of "Domain\username". For example, userInfo="mydomain\myusername" | Required |
Context Output
Path | Description |
Archer.User.UserId | User ID of the Archer user |
Get a list of values for a field
Returns a list of values for a specified field (for example, fieldID=16114). This command only works for value list fields (type 4).
Base Command
archer-get-valuelist
Input
Argument Name | Description | Required |
fieldID | Field ID | Required |
Context Output
There is no context output for this command.