RSA Archer v2
The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.
## Configure RSA Archer v2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for RSA Archer v2.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://example.net) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
instanceName | Instance name | True |
userDomain | User domain | False |
applicationId | Application ID for fetch | True |
applicationDateField | Application date field for fetch | True |
fetch_limit | How many incidents to fetch each time | False |
fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
fields_to_fetch | List of fields from the application to get into the incident | False |
- Click Test to validate the URLs, token, and connection.
## Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### archer-search-applications
Gets application details or list of all applications.
#### Base Command
archer-search-applications
#### Input
Argument Name | Description | Required |
---|---|---|
applicationId | Get application by ID (leave empty to get all applications) | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.Application.Guid | String | The application Guid |
Archer.Application.Id | Number | Unique Id of application |
Archer.Application.Status | Number | The application Status |
Archer.Application.Type | Number | The application Type |
Archer.Application.Name | String | The application name |
#### Command Example
!archer-search-applications applicationId=75
#### Context Example
#### Human Readable Output
Search applications results

Guid | Id | LanguageId | Name | Status | Type |
---|---|---|---|---|---|
982fc3be-7c43-4d79-89a1-858ed262b930 | 75 | 1 | Incidents | 1 | 2 |
### archer-get-application-fields
Gets all application fields by application ID
#### Base Command
archer-get-application-fields
#### Input
Argument Name | Description | Required |
---|---|---|
applicationId | ID of the application to search fields in | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.FieldId | Number | Unique Id of field |
Archer.ApplicationField.FieldName | String | The field name |
Archer.ApplicationField.FieldType | String | The field type |
Archer.ApplicationField.LevelID | Number | The field level Id |
#### Command Example
!archer-get-application-fields applicationId=75
#### Context Example
#### Human Readable Output
Application fields

FieldId | FieldName | FieldType | LevelID |
---|---|---|---|
296 | Incident ID | TrackingID | 67 |
297 | Date Created | First Published | 67 |
298 | Last Updated | Last Updated Field | 67 |
302 | Status | Values List | 67 |
303 | Date/Time Occurred | Date | 67 |
304 | Priority | Values List | 67 |
### archer-get-field
Returns mapping from list value name to list value id
#### Base Command
archer-get-field
#### Input
Argument Name | Description | Required |
---|---|---|
fieldID | Id of the field | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.FieldId | Number | Unique Id of field |
Archer.ApplicationField.FieldName | String | The field name |
Archer.ApplicationField.FieldType | String | The field type |
Archer.ApplicationField.LevelID | Number | The field level Id |
#### Command Example
!archer-get-field fieldID=350
#### Context Example
#### Human Readable Output
Application field

FieldId | FieldName | FieldType | LevelID |
---|---|---|---|
350 | Reported to Police | Values List | 67 |
### archer-get-mapping-by-level
Return mapping of fields by level id
#### Base Command
archer-get-mapping-by-level
#### Input
Argument Name | Description | Required |
---|---|---|
level | Id of the level | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.LevelMapping.Id | Number | Unique Id of field |
Archer.LevelMapping.Name | String | The field name |
Archer.LevelMapping.Type | String | The field type |
Archer.LevelMapping.LevelId | Number | The field level Id |
#### Command Example
!archer-get-mapping-by-level level=67
#### Context Example
#### Human Readable Output
Level mapping for level 67

Id | LevelId | Name | Type |
---|---|---|---|
296 | 67 | Incident ID | TrackingID |
297 | 67 | Date Created | First Published |
298 | 67 | Last Updated | Last Updated Field |
302 | 67 | Status | Values List |
### archer-get-record
Gets information about a content record in the given application
#### Base Command
archer-get-record
#### Input
Argument Name | Description | Required |
---|---|---|
contentId | The record id | Required |
applicationId | The application Id | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.Record.Id | Number | Unique Id of record |
#### Command Example
!archer-get-record applicationId=75 contentId=227602
#### Context Example
#### Human Readable Output
Record details

Current Status | Date/Time Occurred | Date/Time Reported | Days Open | Default Record Permissions | Google Map | Id | Incident Details | Incident Result | Incident Summary | Is BSA (Bank Secrecy Act) reporting required in the US? | Notify Incident Owner | Override Rejected Submission | Status | Status Change | Supporting Documentation |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ValuesListIds: 6412 OtherText: null | 2018-03-23T07:00:00 | 2018-03-26T10:03:32.243 | 805.0 | UserList: GroupList: {'Id': 50, 'HasRead': True, 'HasUpdate': True, 'HasDelete': True}, {'Id': 51, 'HasRead': True, 'HasUpdate': False, 'HasDelete': False} | Google Map | 227602 | Incident Details | ValuesListIds: 531 OtherText: null | Summary... | ValuesListIds: 835 OtherText: null | ValuesListIds: 6422 OtherText: null | ValuesListIds: 9565 OtherText: null | ValuesListIds: 466 OtherText: null | ValuesListIds: 156 OtherText: null | 125 |
### archer-create-record
Creates a new content record in the given application.
When creating a new record, pay attention to how the values are passed in the fieldsToValues argument:
- When the field type is Values List, for example: {"Type": ["Switch"], fieldname: [value1, value2]}
- When the field type is External Links, for example: {"Patch URL": [{"value":"github", "link": "https://github.com"}]}
- When the field type is Users/Groups List, for example: {"Policy Owner":{"users": [20],"groups": [30]}}
- When the field type is Cross-Reference, for example: {"Area Reference(s)": [20]}

In other cases the value can be sent as is.
To find out the type of the field you are using, run the archer-get-application-fields command with the applicationId to get the list of all FieldType values by FieldName.
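The value shapes listed above can be checked before the command is run from a playbook or automation. The following Python check is an added example, not part of the integration's own code; `FIELD_TYPES` is a constructed sample standing in for the FieldName to FieldType mapping returned by archer-get-application-fields, and its exact FieldType strings (including "Text" and "Cross-Reference") are assumptions.

```python
import json

# Constructed sample of the FieldName -> FieldType mapping reported by
# archer-get-application-fields; the exact FieldType strings are assumptions.
FIELD_TYPES = {
    "Incident Summary": "Text",
    "Priority": "Values List",
    "Patch URL": "External Links",
    "Policy Owner": "Users/Groups List",
    "Area Reference(s)": "Cross-Reference",
}

def _is_id_list(value):
    # bool is a subclass of int in Python, so reject it explicitly
    return isinstance(value, list) and all(
        isinstance(i, int) and not isinstance(i, bool) for i in value)

def check_shape(field_type, value):
    """Return an error string if value has the wrong shape for field_type, else None."""
    if field_type == "Values List" and not isinstance(value, list):
        return 'expected a list of values, e.g. ["High"]'
    if field_type == "External Links" and not (
            isinstance(value, list)
            and all(isinstance(v, dict) and {"value", "link"} <= set(v) for v in value)):
        return 'expected a list of {"value": ..., "link": ...} objects'
    if field_type == "Users/Groups List" and not (
            isinstance(value, dict) and set(value) <= {"users", "groups"}
            and all(_is_id_list(ids) for ids in value.values())):
        return 'expected {"users": [ids], "groups": [ids]}'
    if field_type == "Cross-Reference" and not _is_id_list(value):
        return "expected a list of record ids, e.g. [20]"
    return None  # every other field type is sent as is

def validate_fields_to_values(raw_json, field_types=FIELD_TYPES):
    """Parse a fieldsToValues string; return a list of problems (empty means OK)."""
    try:
        payload = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object"]
    problems = []
    for name, value in payload.items():
        if name not in field_types:  # field names are case sensitive
            close = [n for n in field_types if n.lower() == name.lower()]
            hint = f" (did you mean {close[0]!r}?)" if close else ""
            problems.append(f"unknown field {name!r}{hint}")
            continue
        error = check_shape(field_types[name], value)
        if error:
            problems.append(f"{name!r}: {error}")
    return problems
```

An empty list from `validate_fields_to_values` means every field name matched exactly and every typed value has the documented shape.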
#### Base Command
archer-create-record
#### Input
Argument Name | Description | Required |
---|---|---|
applicationId | The application Id | Required |
fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.Record.Id | Number | Unique Id of record |
#### Command Example
!archer-create-record applicationId=75 fieldsToValues={"Incident Summary":"This is the incident summary","Priority":["High"]}
#### Context Example
#### Human Readable Output
Record created successfully, record id: 239643
### archer-delete-record
Delete existing content record in the given application
#### Base Command
archer-delete-record
#### Input
Argument Name | Description | Required |
---|---|---|
contentId | The record Id to delete | Required |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-delete-record contentId=239642
#### Context Example
#### Human Readable Output
Record 239642 deleted successfully
### archer-update-record
Updates existing content record in the given application. When updating a record, it is important to pay attention to the way the values are sent through the argument - fieldsToValues. For more information regarding this argument see archer-create-record description.
#### Base Command
archer-update-record
#### Input
Argument Name | Description | Required |
---|---|---|
applicationId | The application Id | Required |
fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
contentId | The record Id to update | Required |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-update-record applicationId=75 contentId=239326 fieldsToValues={"Priority":["High"]}
#### Context Example
#### Human Readable Output
Record 239326 updated successfully
### archer-execute-statistic-search-by-report
Performs statistic search by report Guid
#### Base Command
archer-execute-statistic-search-by-report
#### Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
maxResults | Maximum pages of the reports | Required |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-execute-statistic-search-by-report maxResults=100 reportGuid=e4b18575-52c0-4f70-b41b-3ff8b6f13b1c
#### Context Example
#### Human Readable Output
```json
{
  "Groups": {
    "@count": "3",
    "Metadata": {
      "FieldDefinitions": {
        "FieldDefinition": [
          { "@alias": "Classification", "@guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "@id": "76", "@name": "Classification" },
          { "@alias": "Standard_Name", "@guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "@id": "1566", "@name": "Standard Name" }
        ]
      }
    },
    "Total": {
      "Aggregate": { "@Count": "1497", "@FieldId": "1566" }
    }
  }
}
```
### archer-get-reports
Gets all the reports from Archer
#### Base Command
archer-get-reports
#### Input
There are no input arguments for this command.
#### Context Output
There is no context output for this command.
#### Command Example
!archer-get-reports
#### Context Example
#### Human Readable Output
### archer-get-search-options-by-guid
Returns search criteria by report GUID
#### Base Command
archer-get-search-options-by-guid
#### Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-get-search-options-by-guid reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12
#### Context Example
#### Human Readable Output
```json
{
  "SearchReport": {
    "Criteria": {
      "ModuleCriteria": {
        "BuildoutRelationship": "Union",
        "IsKeywordModule": "True",
        "Module": "421",
        "SortFields": {
          "SortField": [
            { "Field": "15711", "SortType": "Ascending" },
            { "Field": "15683", "SortType": "Ascending" }
          ]
        }
      }
    },
    "DisplayFields": {
      "DisplayField": [ "15683", "15686", "15687", "15690", "15706", "15711", "15710", "15712", "15713", "15714", "15715", "15716", "15725", "15717", "15718" ]
    },
    "PageSize": "50"
  }
}
```
### archer-reset-cache
Reset Archer's integration cache. Run this command if you change the fields of your Archer application
#### Base Command
archer-reset-cache
#### Input
There are no input arguments for this command.
#### Context Output
There is no context output for this command.
#### Command Example
!archer-reset-cache
#### Context Example
#### Human Readable Output
### archer-get-valuelist
Returns a list of values for a specified field, e.g., fieldID=16114. This command only works for value list fields (type 4).
#### Base Command
archer-get-valuelist
#### Input
Argument Name | Description | Required |
---|---|---|
fieldID | The field Id | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.ValuesList.Id | Number | The field value Id |
Archer.ApplicationField.ValuesList.IsSelectable | Boolean | Specifies whether the field value is selectable |
Archer.ApplicationField.ValuesList.Name | String | The field value name |
#### Command Example
!archer-get-valuelist fieldID=302
#### Context Example
#### Human Readable Output
Value list for field 302

Id | IsSelectable | Name |
---|---|---|
466 | true | New |
467 | true | Assigned |
468 | true | In Progress |
469 | true | On Hold |
470 | true | Closed |
### archer-upload-file
Uploads a file to Archer. The file can be associated with a record; to do so, provide all of the following arguments: applicationId, contentId, associatedField.
#### Base Command
archer-upload-file
#### Input
Argument Name | Description | Required |
---|---|---|
entryId | The entry id of the file in Demisto's context | Required |
contentId | The Content (record) ID to update. | Optional |
applicationId | ID of the application which we want to upload the file to. | Optional |
associatedField | Archer field name to associate the file with. | Optional |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-upload-file entryId=16695@b32fdf18-1c65-43af-8918-7f85a1fab951
#### Context Example
#### Human Readable Output
File uploaded succsessfully, attachment ID: 126
### archer-get-file
Downloads file from Archer to Demisto's war room context
#### Base Command
archer-get-file
#### Input
Argument Name | Description | Required |
---|---|---|
fileId | The attachment Id | Required |
#### Context Output
There is no context output for this command.
#### Command Example
!archer-get-file fileId=125
#### Context Example
#### Human Readable Output
### archer-list-users
Gets user details or list of all users.
#### Base Command
archer-list-users
#### Input
Argument Name | Description | Required |
---|---|---|
userId | Get user by ID (leave empty to get all users) | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.User.AccountStatus | String | The status of the user |
Archer.User.DisplayName | String | Display name of the user |
Archer.User.FirstName | String | The first name of the user |
Archer.User.Id | Number | Unique Id of user |
Archer.User.LastLoginDate | Date | Last login date of user |
Archer.User.LastName | String | The last name of the user |
Archer.User.MiddleName | String | The middle name of the user |
Archer.User.UserName | String | The username of the account |
#### Command Example
!archer-list-users
#### Context Example
#### Human Readable Output
Users list

AccountStatus | DisplayName | FirstName | Id | LastLoginDate | LastName | MiddleName | UserName |
---|---|---|---|---|---|---|---|
Locked | cash, johnny | johnny | 202 | 2018-09-03T07:56:51.027 | cash | | johnnyCash |
### archer-search-records
Search for records inside the given application
#### Base Command
archer-search-records
#### Input
Argument Name | Description | Required |
---|---|---|
applicationId | Id of the application to search records in | Required |
fieldToSearchOn | Name of field to search on (leave empty to search for all) | Optional |
searchValue | Search value (leave empty to search for all) | Optional |
maxResults | Maximum results to return from the search (default is 10) | Optional |
fieldsToDisplay | Fields to present in the search results in array format (for example: "Title,Incident Summary") | Optional |
numericOperator | Numeric search operator | Optional |
dateOperator | Date search operator | Optional |
fieldsToGet | Fields to fetch from the application | Optional |
fullData | Get an extended response with all of the data regarding this search. For example, "fullData=true" | Required |
isDescending | Whether to order by descending order. Possible values are: "true", "false". | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.Record | Unknown | The content object |
Archer.Record.Id | Number | The content Id |
#### Command Example
!archer-search-records applicationId=75 fullData=False fieldsToDisplay=`Date/Time Occurred,Days Open` fieldsToGet=`Date/Time Occurred,Days Open` fieldToSearchOn=`Date/Time Occurred` dateOperator=GreaterThan searchValue=2018-06-23T07:00:00Z maxResults=100
#### Context Example
#### Human Readable Output
Search records results

Date/Time Occurred | Days Open |
---|---|
2018-07-10T08:00:00Z | 30 |
### archer-search-records-by-report
Search records by report Guid
#### Base Command
archer-search-records-by-report
#### Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Archer.SearchByReport.ReportGUID | String | The report GUID |
Archer.SearchByReport.RecordsAmount | Number | Amount of records found by the search |
Archer.SearchByReport.Record | Unknown | The records found by the search |
#### Command Example
!archer-search-records-by-report reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12
#### Context Example
#### Human Readable Output
Search records by report results

Description | Id | Procedure Name | Threat Category | Tracking ID |
---|---|---|---|---|
test_procedure_0 | 227528 | test_procedure_0 | Malware | 227528 |
test_procedure_1 | 227529 | test_procedure_1 | Malware | 227529 |
test_procedure_2 | 227531 | test_procedure_2 | Malware | 227531 |
test_procedure_3 | 227532 | test_procedure_3 | Malware | 227532 |
### archer-print-cache
Prints Archer's integration cache.
#### Base Command
archer-print-cache
#### Input
There are no input arguments for this command.
#### Context Output
There is no context output for this command.
#### Command Example
!archer-print-cache
#### Context Example
#### Human Readable Output
```json
{
  "75": [
    {
      "level": 67,
      "mapping": {
        "10052": { "FieldId": "10052", "IsRequired": false, "Name": "Related Incidents (2)", "RelatedValuesListId": null, "Type": 23 },
        "10172": { "FieldId": "10172", "IsRequired": false, "Name": "Source", "RelatedValuesListId": 1176, "Type": 4 },
        "10183": { "FieldId": "10183", "IsRequired": false, "Name": "Is BSA (Bank Secrecy Act) reporting required in the US?", "RelatedValuesListId": 152, "Type": 4 },
        "10188": { "FieldId": "10188", "IsRequired": false, "Name": "Batch File Format", "RelatedValuesListId": 1183, "Type": 4 }
      }
    }
  ],
  "fieldValueList": {
    "7782": {
      "FieldId": "7782",
      "ValuesList": [
        { "Id": 6412, "IsSelectable": true, "Name": "New" },
        { "Id": 6413, "IsSelectable": true, "Name": "Assigned" },
        { "Id": 6414, "IsSelectable": true, "Name": "In Progress" },
        { "Id": 6415, "IsSelectable": true, "Name": "On Hold" },
        { "Id": 6416, "IsSelectable": true, "Name": "Closed" }
      ]
    }
  }
}
```