
RSA Archer v2

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.

Configure RSA Archer v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for RSA Archer v2.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| instanceName | Instance name | True |
| userDomain | User domain | False |
| applicationId | Application ID for fetch | True |
| applicationDateField | Application date field for fetch | True |
| fetch_limit | How many incidents to fetch each time | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| fields_to_fetch | List of fields from the application to get into the incident | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

archer-search-applications#


Gets application details or list of all applications.

Base Command#

archer-search-applications

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | Get application by ID (leave empty to get all applications) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Application.Guid | String | The application Guid |
| Archer.Application.Id | Number | Unique Id of application |
| Archer.Application.Status | Number | The application Status |
| Archer.Application.Type | Number | The application Type |
| Archer.Application.Name | String | The application name |

Command Example#

!archer-search-applications applicationId=75

Context Example#

{
    "Archer": {
        "Application": {
            "Guid": "982fc3be-7c43-4d79-89a1-858ed262b930",
            "Id": 75,
            "LanguageId": 1,
            "Name": "Incidents",
            "Status": 1,
            "Type": 2
        }
    }
}

Human Readable Output#

Search applications results#

| Guid | Id | LanguageId | Name | Status | Type |
| --- | --- | --- | --- | --- | --- |
| 982fc3be-7c43-4d79-89a1-858ed262b930 | 75 | 1 | Incidents | 1 | 2 |

archer-get-application-fields#


Gets all application fields by application ID

Base Command#

archer-get-application-fields

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | ID of the application to search fields in | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | Unique Id of field |
| Archer.ApplicationField.FieldName | String | The field name |
| Archer.ApplicationField.FieldType | String | The field type |
| Archer.ApplicationField.LevelID | Number | The field level Id |

Command Example#

!archer-get-application-fields applicationId=75

Context Example#

{
    "Archer": {
        "ApplicationField": [
            {
                "FieldId": 296,
                "FieldName": "Incident ID",
                "FieldType": "TrackingID",
                "LevelID": 67
            },
            {
                "FieldId": 297,
                "FieldName": "Date Created",
                "FieldType": "First Published",
                "LevelID": 67
            },
            {
                "FieldId": 298,
                "FieldName": "Last Updated",
                "FieldType": "Last Updated Field",
                "LevelID": 67
            },
            {
                "FieldId": 302,
                "FieldName": "Status",
                "FieldType": "Values List",
                "LevelID": 67
            },
            {
                "FieldId": 303,
                "FieldName": "Date/Time Occurred",
                "FieldType": "Date",
                "LevelID": 67
            },
            {
                "FieldId": 304,
                "FieldName": "Priority",
                "FieldType": "Values List",
                "LevelID": 67
            }
        ]
    }
}

Human Readable Output#

Application fields#

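| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 296 | Incident ID | TrackingID | 67 |
| 297 | Date Created | First Published | 67 |
| 298 | Last Updated | Last Updated Field | 67 |
| 302 | Status | Values List | 67 |
| 303 | Date/Time Occurred | Date | 67 |
| 304 | Priority | Values List | 67 |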

archer-get-field#


Returns mapping from list value name to list value id

Base Command#

archer-get-field

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | Id of the field | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | Unique Id of field |
| Archer.ApplicationField.FieldName | String | The field name |
| Archer.ApplicationField.FieldType | String | The field type |
| Archer.ApplicationField.LevelID | Number | The field level Id |

Command Example#

!archer-get-field fieldID=350

Context Example#

{
    "Archer": {
        "ApplicationField": {
            "FieldId": 350,
            "FieldName": "Reported to Police",
            "FieldType": "Values List",
            "LevelID": 67
        }
    }
}

Human Readable Output#

Application field#

| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 350 | Reported to Police | Values List | 67 |

archer-get-mapping-by-level#


Returns the mapping of fields by level Id.

Base Command#

archer-get-mapping-by-level

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| level | Id of the level | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.LevelMapping.Id | Number | Unique Id of field |
| Archer.LevelMapping.Name | String | The field name |
| Archer.LevelMapping.Type | String | The field type |
| Archer.LevelMapping.LevelId | Number | The field level Id |

Command Example#

!archer-get-mapping-by-level level=67

Context Example#

{
    "Archer": {
        "LevelMapping": [
            {
                "Id": 296,
                "LevelId": 67,
                "Name": "Incident ID",
                "Type": "TrackingID"
            },
            {
                "Id": 297,
                "LevelId": 67,
                "Name": "Date Created",
                "Type": "First Published"
            },
            {
                "Id": 298,
                "LevelId": 67,
                "Name": "Last Updated",
                "Type": "Last Updated Field"
            },
            {
                "Id": 302,
                "LevelId": 67,
                "Name": "Status",
                "Type": "Values List"
            }
        ]
    }
}

Human Readable Output#

Level mapping for level 67#

| Id | LevelId | Name | Type |
| --- | --- | --- | --- |
| 296 | 67 | Incident ID | TrackingID |
| 297 | 67 | Date Created | First Published |
| 298 | 67 | Last Updated | Last Updated Field |
| 302 | 67 | Status | Values List |

archer-get-record#


Gets information about a content record in the given application

Base Command#

archer-get-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The record id | Required |
| applicationId | The application Id | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | Unique Id of record |

Command Example#

!archer-get-record applicationId=75 contentId=227602

Context Example#

{
    "Archer": {
        "Record": {
            "Current Status": {
                "OtherText": null,
                "ValuesListIds": [
                    6412
                ]
            },
            "Date/Time Occurred": "2018-03-23T07:00:00",
            "Date/Time Reported": "2018-03-26T10:03:32.243",
            "Days Open": 805,
            "Default Record Permissions": {
                "GroupList": [
                    {
                        "HasDelete": true,
                        "HasRead": true,
                        "HasUpdate": true,
                        "Id": 50
                    },
                    {
                        "HasDelete": false,
                        "HasRead": true,
                        "HasUpdate": false,
                        "Id": 51
                    }
                ],
                "UserList": []
            },
            "Google Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om=1&hl=en&q=, , , '>Google Map</a>",
            "Id": 227602,
            "Incident Details": "Incident Details",
            "Incident Result": {
                "OtherText": null,
                "ValuesListIds": [
                    531
                ]
            },
            "Incident Summary": "Summary...",
            "Is BSA (Bank Secrecy Act) reporting required in the US?": {
                "OtherText": null,
                "ValuesListIds": [
                    835
                ]
            },
            "Notify Incident Owner": {
                "OtherText": null,
                "ValuesListIds": [
                    6422
                ]
            },
            "Override Rejected Submission": {
                "OtherText": null,
                "ValuesListIds": [
                    9565
                ]
            },
            "Status": {
                "OtherText": null,
                "ValuesListIds": [
                    466
                ]
            },
            "Status Change": {
                "OtherText": null,
                "ValuesListIds": [
                    156
                ]
            },
            "Supporting Documentation": [
                125
            ]
        }
    }
}

Human Readable Output#

Record details#

| Current Status | Date/Time Occurred | Date/Time Reported | Days Open | Default Record Permissions | Google Map | Id | Incident Details | Incident Result | Incident Summary | Is BSA (Bank Secrecy Act) reporting required in the US? | Notify Incident Owner | Override Rejected Submission | Status | Status Change | Supporting Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ValuesListIds: 6412; OtherText: null | 2018-03-23T07:00:00 | 2018-03-26T10:03:32.243 | 805.0 | UserList: ; GroupList: {'Id': 50, 'HasRead': True, 'HasUpdate': True, 'HasDelete': True}, {'Id': 51, 'HasRead': True, 'HasUpdate': False, 'HasDelete': False} | Google Map | 227602 | Incident Details | ValuesListIds: 531; OtherText: null | Summary... | ValuesListIds: 835; OtherText: null | ValuesListIds: 6422; OtherText: null | ValuesListIds: 9565; OtherText: null | ValuesListIds: 466; OtherText: null | ValuesListIds: 156; OtherText: null | 125 |

archer-create-record#


Creates a new content record in the given application.

When creating a new record, pay attention to how the values are passed in the fieldsToValues argument. The required structure depends on the field type:

When the field type is Values List - example: {"Type": ["Switch"], fieldname: [value1, value2]}

When the field type is External Links - example: {"Patch URL": [{"value":"github", "link": "https://github.com"}]}

When the field type is Users/Groups List - example: {"Policy Owner":{"users": [20],"groups": [30]}}

When the field type is Cross-Reference - example: {"Area Reference(s)": [20]}

In other cases the value can be sent as is.

To find the type of the field you are setting, run the archer-get-application-fields command with the applicationId; it returns the FieldType for each FieldName.
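The shaping rules above can be applied mechanically from the FieldType that archer-get-application-fields returns. The following is an added example, not code from the integration: the field list is constructed, the entries with FieldId 9001 and up (including the "Text" type string) are hypothetical, and FieldType strings are assumed to match the type names used above.

```python
import json

# Constructed sample shaped like archer-get-application-fields context output.
# Priority and Date/Time Occurred mirror the page; the 9001+ entries are
# hypothetical, and FieldType strings are assumed to match the names above.
APP_FIELDS = [
    {"FieldId": 304, "FieldName": "Priority", "FieldType": "Values List"},
    {"FieldId": 303, "FieldName": "Date/Time Occurred", "FieldType": "Date"},
    {"FieldId": 9001, "FieldName": "Incident Summary", "FieldType": "Text"},
    {"FieldId": 9002, "FieldName": "Patch URL", "FieldType": "External Links"},
    {"FieldId": 9003, "FieldName": "Policy Owner", "FieldType": "Users/Groups List"},
    {"FieldId": 9004, "FieldName": "Area Reference(s)", "FieldType": "Cross-Reference"},
]


def _as_list(value):
    """Wrap a scalar so a single value can be passed without brackets."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _int_ids(name, value):
    """Return value as a list of integer IDs, rejecting anything else."""
    ids = _as_list(value)
    if not all(isinstance(i, int) and not isinstance(i, bool) for i in ids):
        raise ValueError(f"{name!r}: expected integer IDs, got {value!r}")
    return ids


def shape_value(name, field_type, value):
    """Return value in the structure fieldsToValues expects for field_type."""
    if field_type == "Values List":
        return [str(v) for v in _as_list(value)]
    if field_type == "External Links":
        links = _as_list(value)
        for link in links:
            if not isinstance(link, dict) or set(link) != {"value", "link"}:
                raise ValueError(f"{name!r}: each link needs exactly 'value' and 'link'")
        return links
    if field_type == "Users/Groups List":
        if not isinstance(value, dict) or not set(value) <= {"users", "groups"}:
            raise ValueError(f"{name!r}: expected a dict with 'users' and/or 'groups'")
        return {key: _int_ids(name, ids) for key, ids in value.items()}
    if field_type == "Cross-Reference":
        return _int_ids(name, value)
    return value  # every other type is sent as is


def build_fields_to_values(app_fields, values):
    """Shape plain values by FieldType and serialize them for fieldsToValues."""
    types = {f["FieldName"]: f["FieldType"] for f in app_fields}
    shaped = {}
    for name, value in values.items():
        if name not in types:  # field names are case sensitive
            near = [n for n in types if n.lower() == name.lower()]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            raise ValueError(f"unknown field {name!r}{hint}")
        shaped[name] = shape_value(name, types[name], value)
    return json.dumps(shaped, separators=(",", ":"))


if __name__ == "__main__":
    print(build_fields_to_values(APP_FIELDS, {"Priority": "High"}))
```

Rejecting a field name that differs only in case before the command runs avoids a failed or partial record when the JSON is assembled from playbook inputs.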

Base Command#

archer-create-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application Id | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | Unique Id of record |

Command Example#

!archer-create-record applicationId=75 fieldsToValues={"Incident Summary":"This is the incident summary","Priority":["High"]}

Context Example#

{
    "Archer": {
        "Record": {
            "Id": 239643
        }
    }
}

Human Readable Output#

Record created successfully, record id: 239643

archer-delete-record#


Deletes an existing content record in the given application.

Base Command#

archer-delete-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The record Id to delete | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-delete-record contentId=239642

Context Example#

{}

Human Readable Output#

Record 239642 deleted successfully

archer-update-record#


Updates an existing content record in the given application. When updating a record, pay attention to how the values are passed in the fieldsToValues argument. For more information about this argument, see the archer-create-record description.

Base Command#

archer-update-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application Id | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
| contentId | The record Id to update | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-update-record applicationId=75 contentId=239326 fieldsToValues={"Priority":["High"]}

Context Example#

{}

Human Readable Output#

Record 239326 updated successfully

archer-execute-statistic-search-by-report#


Performs statistic search by report Guid

Base Command#

archer-execute-statistic-search-by-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |
| maxResults | Maximum pages of the reports | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-execute-statistic-search-by-report maxResults=100 reportGuid=e4b18575-52c0-4f70-b41b-3ff8b6f13b1c

Context Example#

{}

Human Readable Output#

{ "Groups": { "@count": "3", "Metadata": { "FieldDefinitions": { "FieldDefinition": [ { "@alias": "Classification", "@guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "@id": "76", "@name": "Classification" }, { "@alias": "Standard_Name", "@guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "@id": "1566", "@name": "Standard Name" } ] } }, "Total": { "Aggregate": { "@Count": "1497", "@FieldId": "1566" } } } }

archer-get-reports#


Gets all the reports from Archer

Base Command#

archer-get-reports

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-get-reports

Context Example#

{
    "Archer": {
        "Report": [
            {
                "ApplicationGUID": "982fc3be-7c43-4d79-89a1-858ed262b930",
                "ApplicationName": "Policies",
                "ApplicationDescription": "This report displays a listing of all security Policies.",
                "ReportGUID": "22961b81-4866-40ea-a298-99afb348598d",
                "ReportName": "Policies - Summary view"
            }
        ]
    }
}

Human Readable Output#

archer-get-search-options-by-guid#


Returns search criteria by report GUID

Base Command#

archer-get-search-options-by-guid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-get-search-options-by-guid reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example#

{}

Human Readable Output#

{ "SearchReport": { "Criteria": { "ModuleCriteria": { "BuildoutRelationship": "Union", "IsKeywordModule": "True", "Module": "421", "SortFields": { "SortField": [ { "Field": "15711", "SortType": "Ascending" }, { "Field": "15683", "SortType": "Ascending" } ] } } }, "DisplayFields": { "DisplayField": [ "15683", "15686", "15687", "15690", "15706", "15711", "15710", "15712", "15713", "15714", "15715", "15716", "15725", "15717", "15718" ] }, "PageSize": "50" } }

archer-reset-cache#


Resets Archer's integration cache. Run this command if you change the fields of your Archer application.

Base Command#

archer-reset-cache

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-reset-cache

Context Example#

{}

Human Readable Output#

archer-get-valuelist#


Returns a list of values for a specified field, e.g., fieldID=16114. This command only works for value list fields (type 4).

Base Command#

archer-get-valuelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | The field Id | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.ValuesList.Id | Number | The field value Id |
| Archer.ApplicationField.ValuesList.IsSelectable | Boolean | Specifies whether the field value is selectable |
| Archer.ApplicationField.ValuesList.Name | String | The field value name |

Command Example#

!archer-get-valuelist fieldID=302

Context Example#

{
    "Archer": {
        "ApplicationField": {
            "FieldId": "302",
            "ValuesList": [
                {
                    "Id": 466,
                    "IsSelectable": true,
                    "Name": "New"
                },
                {
                    "Id": 467,
                    "IsSelectable": true,
                    "Name": "Assigned"
                },
                {
                    "Id": 468,
                    "IsSelectable": true,
                    "Name": "In Progress"
                },
                {
                    "Id": 469,
                    "IsSelectable": true,
                    "Name": "On Hold"
                },
                {
                    "Id": 470,
                    "IsSelectable": true,
                    "Name": "Closed"
                }
            ]
        }
    }
}

Human Readable Output#

Value list for field 302#

| Id | IsSelectable | Name |
| --- | --- | --- |
| 466 | true | New |
| 467 | true | Assigned |
| 468 | true | In Progress |
| 469 | true | On Hold |
| 470 | true | Closed |

archer-upload-file#


Uploads a file to Archer. The file can optionally be associated with a record. To associate it with a record, you must provide all of the following arguments: applicationId, contentId, associatedField.

Base Command#

archer-upload-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entryId | The entry id of the file in Cortex XSOAR's context | Required |
| contentId | The Content (record) ID to update. | Optional |
| applicationId | ID of the application which we want to upload the file to. | Optional |
| associatedField | Archer field name to associate the file with. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!archer-upload-file entryId=16695@b32fdf18-1c65-43af-8918-7f85a1fab951

Context Example#

{}

Human Readable Output#

File uploaded succsessfully, attachment ID: 126

archer-get-file#


Downloads a file from Archer to Cortex XSOAR's War Room context.

Base Command#

archer-get-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fileId | The attachment Id | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-get-file fileId=125

Context Example#

{
    "File": {
        "EntryID": "16680@b32fdf18-1c65-43af-8918-7f85a1fab951",
        "Extension": "jpg",
        "Info": "image/jpeg",
        "MD5": "fb80f3fc41f2524",
        "Name": "11.jpg",
        "SHA1": "6898512eaa3",
        "SHA256": "f4bed94abd752",
        "SHA512": "ecce92345fb8b6aa",
        "SSDeep": "768:XYDWR",
        "Size": 52409,
        "Type": "JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 750x561, frames 3"
    }
}

Human Readable Output#

archer-list-users#


Gets user details or list of all users.

Base Command#

archer-list-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | Get user by ID (leave empty to get all users) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.User.AccountStatus | String | The status of the user |
| Archer.User.DisplayName | String | Display name of the user |
| Archer.User.FirstName | String | The first name of the user |
| Archer.User.Id | Number | Unique Id of user |
| Archer.User.LastLoginDate | Date | Last login date of user |
| Archer.User.LastName | String | The last name of the user |
| Archer.User.MiddleName | String | The middle name of the user |
| Archer.User.UserName | String | The username of the account |

Command Example#

!archer-list-users

Context Example#

{
    "Archer": {
        "User": {
            "AccountStatus": "Locked",
            "DisplayName": "cash, johnny",
            "FirstName": "johnny",
            "Id": 202,
            "LastLoginDate": "2018-09-03T07:56:51.027",
            "LastName": "cash",
            "MiddleName": null,
            "UserName": "johnnyCash"
        }
    }
}

Human Readable Output#

Users list#

| AccountStatus | DisplayName | FirstName | Id | LastLoginDate | LastName | MiddleName | UserName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Locked | cash, johnny | johnny | 202 | 2018-09-03T07:56:51.027 | cash | | johnnyCash |

archer-search-records#


Search for records inside the given application

Base Command#

archer-search-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | Id of the application to search records in | Required |
| fieldToSearchOn | Name of field to search on (leave empty to search for all) | Optional |
| searchValue | Search value (leave empty to search for all) | Optional |
| maxResults | Maximum results to return from the search (default is 10) | Optional |
| fieldsToDisplay | Fields to present in the search results in array format (for example: "Title,Incident Summary") | Optional |
| numericOperator | Numeric search operator | Optional |
| dateOperator | Date search operator | Optional |
| fieldsToGet | Fields to fetch from the application | Optional |
| fullData | Get an extended response with all of the data regarding this search. For example, "fullData=true" | Required |
| isDescending | Whether to order by descending order. Possible values are: "true", "false". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record | Unknown | The content object |
| Archer.Record.Id | Number | The content Id |

Command Example#

!archer-search-records applicationId=75 fullData=False fieldsToDisplay=`Date/Time Occurred,Days Open` fieldsToGet=`Date/Time Occurred,Days Open` fieldToSearchOn=`Date/Time Occurred` dateOperator=GreaterThan searchValue=2018-06-23T07:00:00Z maxResults=100

Context Example#

{
    "Archer": {
        "Record": {
            "Date/Time Occurred": "2018-07-10T08:00:00Z",
            "Days Open": "30",
            "Id": "227664"
        }
    }
}

Human Readable Output#

Search records results#

| Date/Time Occurred | Days Open |
| --- | --- |
| 2018-07-10T08:00:00Z | 30 |

archer-search-records-by-report#


Search records by report Guid

Base Command#

archer-search-records-by-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.SearchByReport.ReportGUID | String | The report GUID |
| Archer.SearchByReport.RecordsAmount | Number | Amount of records found by the search |
| Archer.SearchByReport.Record | Unknown | The records found by the search |

Command Example#

!archer-search-records-by-report reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example#

{
    "Archer": {
        "SearchByReport": {
            "Record": [
                {
                    "Description": "<p>\u00a0test_procedure_0</p>",
                    "Id": "227528",
                    "Procedure Name": "test_procedure_0",
                    "Threat Category": "Malware",
                    "Tracking ID": "227528"
                },
                {
                    "Description": "<p>\u00a0test_procedure_1</p>",
                    "Id": "227529",
                    "Procedure Name": "test_procedure_1",
                    "Threat Category": "Malware",
                    "Tracking ID": "227529"
                },
                {
                    "Description": "<p>test_procedure_2\u00a0</p>",
                    "Id": "227531",
                    "Procedure Name": "test_procedure_2",
                    "Threat Category": "Malware",
                    "Tracking ID": "227531"
                },
                {
                    "Description": "<p>test_procedure_3</p>",
                    "Id": "227532",
                    "Procedure Name": "test_procedure_3",
                    "Threat Category": "Malware",
                    "Tracking ID": "227532"
                }
            ],
            "RecordsAmount": 4,
            "ReportGUID": "bce4222c-ecfe-4cef-a556-fe746e959f12"
        }
    }
}

Human Readable Output#

Search records by report results#

| Description | Id | Procedure Name | Threat Category | Tracking ID |
| --- | --- | --- | --- | --- |
| test_procedure_0 | 227528 | test_procedure_0 | Malware | 227528 |
| test_procedure_1 | 227529 | test_procedure_1 | Malware | 227529 |
| test_procedure_2 | 227531 | test_procedure_2 | Malware | 227531 |
| test_procedure_3 | 227532 | test_procedure_3 | Malware | 227532 |

archer-print-cache#


Prints Archer's integration cache.

Base Command#

archer-print-cache

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-print-cache

Context Example#

{}

Human Readable Output#

{ "75": [ { "level": 67, "mapping": { "10052": { "FieldId": "10052", "IsRequired": false, "Name": "Related Incidents (2)", "RelatedValuesListId": null, "Type": 23 }, "10172": { "FieldId": "10172", "IsRequired": false, "Name": "Source", "RelatedValuesListId": 1176, "Type": 4 }, "10183": { "FieldId": "10183", "IsRequired": false, "Name": "Is BSA (Bank Secrecy Act) reporting required in the US?", "RelatedValuesListId": 152, "Type": 4 }, "10188": { "FieldId": "10188", "IsRequired": false, "Name": "Batch File Format", "RelatedValuesListId": 1183, "Type": 4 } } } ], "fieldValueList": { "7782": { "FieldId": "7782", "ValuesList": [ { "Id": 6412, "IsSelectable": true, "Name": "New" }, { "Id": 6413, "IsSelectable": true, "Name": "Assigned" }, { "Id": 6414, "IsSelectable": true, "Name": "In Progress" }, { "Id": 6415, "IsSelectable": true, "Name": "On Hold" }, { "Id": 6416, "IsSelectable": true, "Name": "Closed" } ] } } }