RSA Archer v2

This integration is part of the RSA Archer Pack.

The RSA Archer GRC platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.

Configure RSA Archer v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for RSA Archer v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | url | Server URL (for example https://example.net, https://example.net/rsaarcher, https://example.net/archer) | True |
    | api_endpoint | API Endpoint. Warning: Change only if you have another API endpoint. | True |
    | credentials | Username | True |
    | isFetch | Fetch incidents | False |
    | incidentType | Incident type | False |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |
    | instanceName | Instance name | True |
    | userDomain | User domain | False |
    | applicationId | Application ID for fetch | True |
    | applicationDateField | Application date field for fetch | True |
    | fetch_limit | Maximum number of incidents to pull per fetch | False |
    | fetch_time | First fetch timestamp (<number> <time unit>, for example, 12 hours, 7 days, 3 months, 1 year) | False |
    | fields_to_fetch | List of fields from the application to get into the incident | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI as part of an automation or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

archer-search-applications#


Gets application details or list of all applications.

Base Command#

archer-search-applications

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application ID to get details for. Leave empty to get a list of all applications. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Application.Guid | String | The application GUID. |
| Archer.Application.Id | Number | The unique ID of the application. |
| Archer.Application.Status | Number | The application Status. |
| Archer.Application.Type | Number | The application type. |
| Archer.Application.Name | String | The application name. |

Command Example#

!archer-search-applications applicationId=75

Context Example#

{
  "Archer": {
    "Application": {
      "Guid": "982fc3be-7c43-4d79-89a1-858ed262b930",
      "Id": 75,
      "LanguageId": 1,
      "Name": "Incidents",
      "Status": 1,
      "Type": 2
    }
  }
}

Human Readable Output#

Search applications results#

| Guid | Id | LanguageId | Name | Status | Type |
| --- | --- | --- | --- | --- | --- |
| 982fc3be-7c43-4d79-89a1-858ed262b930 | 75 | 1 | Incidents | 1 | 2 |

archer-get-application-fields#


Gets all application fields by application ID.

Base Command#

archer-get-application-fields

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application ID to get the application fields for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | The unique ID of the field. |
| Archer.ApplicationField.FieldName | String | The field name. |
| Archer.ApplicationField.FieldType | String | The field type. |
| Archer.ApplicationField.LevelID | Number | The field level ID. |

Command Example#

!archer-get-application-fields applicationId=75

Context Example#

{
  "Archer": {
    "ApplicationField": [
      {
        "FieldId": 296,
        "FieldName": "Incident ID",
        "FieldType": "TrackingID",
        "LevelID": 67
      },
      {
        "FieldId": 297,
        "FieldName": "Date Created",
        "FieldType": "First Published",
        "LevelID": 67
      },
      {
        "FieldId": 298,
        "FieldName": "Last Updated",
        "FieldType": "Last Updated Field",
        "LevelID": 67
      },
      {
        "FieldId": 302,
        "FieldName": "Status",
        "FieldType": "Values List",
        "LevelID": 67
      },
      {
        "FieldId": 303,
        "FieldName": "Date/Time Occurred",
        "FieldType": "Date",
        "LevelID": 67
      },
      {
        "FieldId": 304,
        "FieldName": "Priority",
        "FieldType": "Values List",
        "LevelID": 67
      }
    ]
  }
}

Human Readable Output#

Application fields#

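| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 296 | Incident ID | TrackingID | 67 |
| 297 | Date Created | First Published | 67 |
| 298 | Last Updated | Last Updated Field | 67 |
| 302 | Status | Values List | 67 |
| 303 | Date/Time Occurred | Date | 67 |
| 304 | Priority | Values List | 67 |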

archer-get-field#


Returns a mapping from list value name to list value ID.

Base Command#

archer-get-field

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | The ID of the field. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | The unique ID of the field. |
| Archer.ApplicationField.FieldName | String | The field name. |
| Archer.ApplicationField.FieldType | String | The field type. |
| Archer.ApplicationField.LevelID | Number | The field level ID. |

Command Example#

!archer-get-field fieldID=350

Context Example#

{
  "Archer": {
    "ApplicationField": {
      "FieldId": 350,
      "FieldName": "Reported to Police",
      "FieldType": "Values List",
      "LevelID": 67
    }
  }
}

Human Readable Output#

Application field#

| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 350 | Reported to Police | Values List | 67 |

archer-get-mapping-by-level#


Returns a mapping of fields by level ID.

Base Command#

archer-get-mapping-by-level

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| level | The ID of the level. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.LevelMapping.Id | Number | The unique ID of the field. |
| Archer.LevelMapping.Name | String | The field name. |
| Archer.LevelMapping.Type | String | The field type. |
| Archer.LevelMapping.LevelId | Number | The field level ID. |

Command Example#

!archer-get-mapping-by-level level=67

Context Example#

{
  "Archer": {
    "LevelMapping": [
      {
        "Id": 296,
        "LevelId": 67,
        "Name": "Incident ID",
        "Type": "TrackingID"
      },
      {
        "Id": 297,
        "LevelId": 67,
        "Name": "Date Created",
        "Type": "First Published"
      },
      {
        "Id": 298,
        "LevelId": 67,
        "Name": "Last Updated",
        "Type": "Last Updated Field"
      },
      {
        "Id": 302,
        "LevelId": 67,
        "Name": "Status",
        "Type": "Values List"
      }
    ]
  }
}

Human Readable Output#

Level mapping for level 67#

| Id | LevelId | Name | Type |
| --- | --- | --- | --- |
| 296 | 67 | Incident ID | TrackingID |
| 297 | 67 | Date Created | First Published |
| 298 | 67 | Last Updated | Last Updated Field |
| 302 | 67 | Status | Values List |

archer-get-record#


Gets information about a content record in the given application.

Base Command#

archer-get-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The content record ID. | Required |
| applicationId | The application ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | The unique ID of the content record. |

Command Example#

!archer-get-record applicationId=75 contentId=227602

Context Example#

{
  "Archer": {
    "Record": {
      "Current Status": {
        "OtherText": null,
        "ValuesListIds": [
          6412
        ]
      },
      "Date/Time Occurred": "2018-03-23T07:00:00",
      "Date/Time Reported": "2018-03-26T10:03:32.243",
      "Days Open": 805,
      "Default Record Permissions": {
        "GroupList": [
          {
            "HasDelete": true,
            "HasRead": true,
            "HasUpdate": true,
            "Id": 50
          },
          {
            "HasDelete": false,
            "HasRead": true,
            "HasUpdate": false,
            "Id": 51
          }
        ],
        "UserList": []
      },
      "Google Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om=1&hl=en&q=, , , '>Google Map</a>",
      "Id": 227602,
      "Incident Details": "Incident Details",
      "Incident Result": {
        "OtherText": null,
        "ValuesListIds": [
          531
        ]
      },
      "Incident Summary": "Summary...",
      "Is BSA (Bank Secrecy Act) reporting required in the US?": {
        "OtherText": null,
        "ValuesListIds": [
          835
        ]
      },
      "Notify Incident Owner": {
        "OtherText": null,
        "ValuesListIds": [
          6422
        ]
      },
      "Override Rejected Submission": {
        "OtherText": null,
        "ValuesListIds": [
          9565
        ]
      },
      "Status": {
        "OtherText": null,
        "ValuesListIds": [
          466
        ]
      },
      "Status Change": {
        "OtherText": null,
        "ValuesListIds": [
          156
        ]
      },
      "Supporting Documentation": [
        125
      ]
    }
  }
}

Human Readable Output#

Record details#

| Current Status | Date/Time Occurred | Date/Time Reported | Days Open | Default Record Permissions | Google Map | Id | Incident Details | Incident Result | Incident Summary | Is BSA (Bank Secrecy Act) reporting required in the US? | Notify Incident Owner | Override Rejected Submission | Status | Status Change | Supporting Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ValuesListIds: 6412; OtherText: null | 2018-03-23T07:00:00 | 2018-03-26T10:03:32.243 | 805.0 | UserList: ; GroupList: {'Id': 50, 'HasRead': True, 'HasUpdate': True, 'HasDelete': True}, {'Id': 51, 'HasRead': True, 'HasUpdate': False, 'HasDelete': False} | Google Map | 227602 | Incident Details | ValuesListIds: 531; OtherText: null | Summary... | ValuesListIds: 835; OtherText: null | ValuesListIds: 6422; OtherText: null | ValuesListIds: 9565; OtherText: null | ValuesListIds: 466; OtherText: null | ValuesListIds: 156; OtherText: null | 125 |

archer-create-record#


Creates a new content record in the given application.

Note: When creating a new record, make sure the values are sent through the fieldsToValues argument properly.

  • Example for the Values List field type: {"Type": ["Switch"], fieldname: [value1, value2]}
  • Example for the External Links field type: {"Patch URL": [{"value":"github", "link": "https://github.com"}]}
  • Example for the Users/Groups List field type: {"Policy Owner":{"users": [20],"groups": [30]}}
  • Example for the Cross-Reference field type: {"Area Reference(s)": [20]}

In other cases the value can be sent as-is.

To determine the appropriate field type value, use the archer-get-application-fields command with the applicationId to get the list of all FieldType by FieldName.
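
The shaping rules in the note above can be applied mechanically before calling archer-create-record or archer-update-record, so that a wrong-case field name or a malformed value is rejected before anything is written to Archer. The following Python is an added example, not code from the integration: build_fields_to_values and SAMPLE_FIELDS are hypothetical names, the sample field list is constructed, and the FieldType strings other than "Values List" are assumed to match the type names used in the note.

```python
import json


def _as_list(raw):
    """Wrap a single value in a list; leave lists untouched."""
    return raw if isinstance(raw, list) else [raw]


def _external_links(raw):
    """External Links: a list of {"value": ..., "link": ...} objects."""
    links = _as_list(raw)
    for item in links:
        if not (isinstance(item, dict) and {"value", "link"} <= item.keys()):
            raise ValueError('External Links items need "value" and "link"')
    return links


def _users_groups(raw):
    """Users/Groups List: {"users": [ids], "groups": [ids]}."""
    if not isinstance(raw, dict) or not set(raw) <= {"users", "groups"}:
        raise ValueError('Users/Groups List needs "users" and/or "groups"')
    return {key: [int(i) for i in _as_list(ids)] for key, ids in raw.items()}


def _cross_reference(raw):
    """Cross-Reference: a list of numeric content IDs."""
    return [int(i) for i in _as_list(raw)]


# FieldType -> shaping function. Only "Values List" appears in this page's
# sample output; the other three type strings are assumptions.
SHAPERS = {
    "Values List": _as_list,
    "External Links": _external_links,
    "Users/Groups List": _users_groups,
    "Cross-Reference": _cross_reference,
}


def build_fields_to_values(app_fields, values):
    """Return the fieldsToValues JSON string for create/update.

    app_fields: Archer.ApplicationField list from archer-get-application-fields.
    values:     {field name: raw value} collected by the playbook.
    """
    types = {f["FieldName"]: f["FieldType"] for f in app_fields}
    shaped = {}
    for name, raw in values.items():
        if name not in types:
            # Field names are case sensitive: reject, but point at a near miss.
            near = [n for n in types if n.lower() == name.lower()]
            hint = f"; did you mean {near[0]!r}?" if near else ""
            raise ValueError(f"unknown field {name!r}{hint}")
        shaper = SHAPERS.get(types[name])
        shaped[name] = shaper(raw) if shaper else raw  # other types go as-is
    return json.dumps(shaped)


# Constructed sample in the shape of the archer-get-application-fields output.
SAMPLE_FIELDS = [
    {"FieldName": "Incident Summary", "FieldType": "Text"},
    {"FieldName": "Priority", "FieldType": "Values List"},
    {"FieldName": "Patch URL", "FieldType": "External Links"},
    {"FieldName": "Policy Owner", "FieldType": "Users/Groups List"},
    {"FieldName": "Area Reference(s)", "FieldType": "Cross-Reference"},
]

if __name__ == "__main__":
    print(build_fields_to_values(
        SAMPLE_FIELDS,
        {"Incident Summary": "This is the incident summary", "Priority": "High"},
    ))
```
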

Base Command#

archer-create-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application ID. | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field names are case sensitive. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | The unique ID of the content record. |

Command Example#

!archer-create-record applicationId=75 fieldsToValues={"Incident Summary":"This is the incident summary","Priority":["High"]}

Context Example#

{
  "Archer": {
    "Record": {
      "Id": 239643
    }
  }
}

Human Readable Output#

Record created successfully, record id: 239643

archer-delete-record#


Deletes an existing content record in the given application.

Base Command#

archer-delete-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The ID of the content record to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-delete-record contentId=239642

Context Example#

{}

Human Readable Output#

Record 239642 deleted successfully

archer-update-record#


Updates an existing content record in the given application. Note: When updating a record, make sure the values are sent through the fieldsToValues argument properly. For more details see the archer-create-record description.

Base Command#

archer-update-record

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application ID. | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field names are case sensitive. | Required |
| contentId | The ID of the content record. | Required |
| levelId | The Level ID to use to update the record. If empty, the command by default takes the first level ID. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!archer-update-record applicationId=75 contentId=239326 fieldsToValues={"Priority":["High"]}

Context Example#

{}

Human Readable Output#

Record 239326 updated successfully

archer-execute-statistic-search-by-report#


Performs statistic search by report GUID.

Base Command#

archer-execute-statistic-search-by-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID. | Required |
| maxResults | Maximum number of pages for the reports. | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-execute-statistic-search-by-report maxResults=100 reportGuid=e4b18575-52c0-4f70-b41b-3ff8b6f13b1c

Context Example#

{}

Human Readable Output#

{ "Groups": { "@count": "3", "Metadata": { "FieldDefinitions": { "FieldDefinition": [ { "@alias": "Classification", "@guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "@id": "76", "@name": "Classification" }, { "@alias": "Standard_Name", "@guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "@id": "1566", "@name": "Standard Name" } ] } }, "Total": { "Aggregate": { "@Count": "1497", "@FieldId": "1566" } } } }

archer-get-reports#


Gets all reports from Archer.

Base Command#

archer-get-reports

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-get-reports

Context Example#

{
  "Archer": {
    "Report": [
      {
        "ApplicationGUID": "982fc3be-7c43-4d79-89a1-858ed262b930",
        "ApplicationName": "Policies",
        "ApplicationDescription": "This report displays a listing of all security Policies.",
        "ReportGUID": "22961b81-4866-40ea-a298-99afb348598d",
        "ReportName": "Policies - Summary view"
      }
    ]
  }
}

Human Readable Output#

archer-get-search-options-by-guid#


Returns search criteria by report GUID.

Base Command#

archer-get-search-options-by-guid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-get-search-options-by-guid reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example#

{}

Human Readable Output#

{ "SearchReport": { "Criteria": { "ModuleCriteria": { "BuildoutRelationship": "Union", "IsKeywordModule": "True", "Module": "421", "SortFields": { "SortField": [ { "Field": "15711", "SortType": "Ascending" }, { "Field": "15683", "SortType": "Ascending" } ] } } }, "DisplayFields": { "DisplayField": [ "15683", "15686", "15687", "15690", "15706", "15711", "15710", "15712", "15713", "15714", "15715", "15716", "15725", "15717", "15718" ] }, "PageSize": "50" } }

archer-reset-cache#


Resets Archer's integration cache. Run this command if you change the fields of your Archer application.

Base Command#

archer-reset-cache

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-reset-cache

Context Example#

{}

Human Readable Output#

archer-get-valuelist#


Returns a list of values for a specified field, for example, fieldID=16114. This command only works for value list fields (type 4).

Base Command#

archer-get-valuelist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | The field ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.ValuesList.Id | Number | The field value ID. |
| Archer.ApplicationField.ValuesList.IsSelectable | Boolean | Specifies whether you can select the field value. |
| Archer.ApplicationField.ValuesList.Name | String | The field value name. |

Command Example#

!archer-get-valuelist fieldID=302

Context Example#

{
  "Archer": {
    "ApplicationField": {
      "FieldId": "302",
      "ValuesList": [
        {
          "Id": 466,
          "IsSelectable": true,
          "Name": "New"
        },
        {
          "Id": 467,
          "IsSelectable": true,
          "Name": "Assigned"
        },
        {
          "Id": 468,
          "IsSelectable": true,
          "Name": "In Progress"
        },
        {
          "Id": 469,
          "IsSelectable": true,
          "Name": "On Hold"
        },
        {
          "Id": 470,
          "IsSelectable": true,
          "Name": "Closed"
        }
      ]
    }
  }
}

Human Readable Output#

Value list for field 302#

| Id | IsSelectable | Name |
| --- | --- | --- |
| 466 | true | New |
| 467 | true | Assigned |
| 468 | true | In Progress |
| 469 | true | On Hold |
| 470 | true | Closed |

archer-upload-file#


Uploads a file to Archer. You can associate the file with a record by providing all of the following arguments:

  • applicationId
  • contentId
  • associatedField

Base Command#

archer-upload-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entryId | The entry ID of the file in Cortex XSOAR context. | Required |
| contentId | The content record ID to update. | Optional |
| applicationId | The ID of the application to upload the file to. | Optional |
| associatedField | Archer field name to associate the file with. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!archer-upload-file entryId=16695@b32fdf18-1c65-43af-8918-7f85a1fab951

Context Example#

{}

Human Readable Output#

File uploaded successfully, attachment ID: 126

archer-get-file#


Downloads a file from Archer to the Cortex XSOAR War Room context.

Base Command#

archer-get-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fileId | The file ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!archer-get-file fileId=125

Context Example#

{
  "File": {
    "EntryID": "16680@b32fdf18-1c65-43af-8918-7f85a1fab951",
    "Extension": "jpg",
    "Info": "image/jpeg",
    "MD5": "fb80f3fc41f2524",
    "Name": "11.jpg",
    "SHA1": "6898512eaa3",
    "SHA256": "f4bed94abd752",
    "SHA512": "ecce92345fb8b6aa",
    "SSDeep": "768:XYDWR",
    "Size": 52409,
    "Type": "JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 750x561, frames 3"
  }
}

Human Readable Output#

archer-list-users#


Gets details for a user or a list of all users.

Base Command#

archer-list-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | The ID of the user to get details for. Leave empty to get a list of all users. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.User.AccountStatus | String | The account status of the user. |
| Archer.User.DisplayName | String | The display name of the user. |
| Archer.User.FirstName | String | The first name of the user. |
| Archer.User.Id | Number | The unique ID of the user. |
| Archer.User.LastLoginDate | Date | The last login date of the user. |
| Archer.User.LastName | String | The last name of the user. |
| Archer.User.MiddleName | String | The middle name of the user. |
| Archer.User.UserName | String | The username associated with the account. |

Command Example#

!archer-list-users

Context Example#

{
  "Archer": {
    "User": {
      "AccountStatus": "Locked",
      "DisplayName": "cash, johnny",
      "FirstName": "johnny",
      "Id": 202,
      "LastLoginDate": "2018-09-03T07:56:51.027",
      "LastName": "cash",
      "MiddleName": null,
      "UserName": "johnnyCash"
    }
  }
}

Human Readable Output#

Users list#

| AccountStatus | DisplayName | FirstName | Id | LastLoginDate | LastName | MiddleName | UserName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Locked | cash, johnny | johnny | 202 | 2018-09-03T07:56:51.027 | cash | | johnnyCash |

archer-search-records#


Searches for records inside the given application.

Base Command#

archer-search-records

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The ID of the application in which to search for records. | Required |
| fieldToSearchOn | The name of the field on which to search. Leave empty to search on all fields. | Optional |
| fieldToSearchById | The name of the primary Id field on which to search. Used instead of the fieldToSearchOn argument for searching by the application primary field. | Optional |
| searchValue | Search value. Leave empty to search for all. | Optional |
| maxResults | Maximum number of results to return from the search (default is 10). | Optional |
| fieldsToDisplay | Fields to present in the search results in array format. For example, "Title,Incident Summary". | Optional |
| numericOperator | Numeric search operator. Can be "Equals", "NotEqual", "GreaterThan", or "LessThan". | Optional |
| dateOperator | Date search operator. Can be "Equals", "DoesNotEqual", "GreaterThan", or "LessThan". | Optional |
| fieldsToGet | Fields to fetch from the application. | Optional |
| fullData | Whether to get extended responses with all of the data regarding this search. For example, "fullData=true". | Required |
| isDescending | Whether to order by descending order. Possible values are: "true", "false". | Optional |
| levelId | The Level ID to use for searching. This argument is relevant when fullData is True. If empty, the command by default takes the first level ID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record | Unknown | The content object. |
| Archer.Record.Id | Number | The content record ID. |

Command Example#

!archer-search-records applicationId=75 fullData=False fieldsToDisplay=`Date/Time Occurred,Days Open` fieldsToGet=`Date/Time Occurred,Days Open` fieldToSearchOn=`Date/Time Occurred` dateOperator=GreaterThan searchValue=2018-06-23T07:00:00Z maxResults=100

Context Example#

{
  "Archer": {
    "Record": {
      "Date/Time Occurred": "2018-07-10T08:00:00Z",
      "Days Open": "30",
      "Id": "227664"
    }
  }
}

Human Readable Output#

Search records results#

| Date/Time Occurred | Days Open |
| --- | --- |
| 2018-07-10T08:00:00Z | 30 |

archer-search-records-by-report#


Searches records by report GUID.

Base Command#

archer-search-records-by-report

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Archer.SearchByReport.ReportGUID | String | The report GUID. |
| Archer.SearchByReport.RecordsAmount | Number | The number of records found by the search. |
| Archer.SearchByReport.Record | Unknown | The records found by the search. |

Command Example#

!archer-search-records-by-report reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example#

{
  "Archer": {
    "SearchByReport": {
      "Record": [
        {
          "Description": "<p>\u00a0test_procedure_0</p>",
          "Id": "227528",
          "Procedure Name": "test_procedure_0",
          "Threat Category": "Malware",
          "Tracking ID": "227528"
        },
        {
          "Description": "<p>\u00a0test_procedure_1</p>",
          "Id": "227529",
          "Procedure Name": "test_procedure_1",
          "Threat Category": "Malware",
          "Tracking ID": "227529"
        },
        {
          "Description": "<p>test_procedure_2\u00a0</p>",
          "Id": "227531",
          "Procedure Name": "test_procedure_2",
          "Threat Category": "Malware",
          "Tracking ID": "227531"
        },
        {
          "Description": "<p>test_procedure_3</p>",
          "Id": "227532",
          "Procedure Name": "test_procedure_3",
          "Threat Category": "Malware",
          "Tracking ID": "227532"
        }
      ],
      "RecordsAmount": 4,
      "ReportGUID": "bce4222c-ecfe-4cef-a556-fe746e959f12"
    }
  }
}

Human Readable Output#

Search records by report results#

| Description | Id | Procedure Name | Threat Category | Tracking ID |
| --- | --- | --- | --- | --- |
| test_procedure_0 | 227528 | test_procedure_0 | Malware | 227528 |
| test_procedure_1 | 227529 | test_procedure_1 | Malware | 227529 |
| test_procedure_2 | 227531 | test_procedure_2 | Malware | 227531 |
| test_procedure_3 | 227532 | test_procedure_3 | Malware | 227532 |

archer-print-cache#


Prints the Archer integration cache.

Base Command#

archer-print-cache

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!archer-print-cache

Context Example#

{}

Human Readable Output#

{ "75": [ { "level": 67, "mapping": { "10052": { "FieldId": "10052", "IsRequired": false, "Name": "Related Incidents (2)", "RelatedValuesListId": null, "Type": 23 }, "10172": { "FieldId": "10172", "IsRequired": false, "Name": "Source", "RelatedValuesListId": 1176, "Type": 4 }, "10183": { "FieldId": "10183", "IsRequired": false, "Name": "Is BSA (Bank Secrecy Act) reporting required in the US?", "RelatedValuesListId": 152, "Type": 4 }, "10188": { "FieldId": "10188", "IsRequired": false, "Name": "Batch File Format", "RelatedValuesListId": 1183, "Type": 4 } } } ], "fieldValueList": { "7782": { "FieldId": "7782", "ValuesList": [ { "Id": 6412, "IsSelectable": true, "Name": "New" }, { "Id": 6413, "IsSelectable": true, "Name": "Assigned" }, { "Id": 6414, "IsSelectable": true, "Name": "In Progress" }, { "Id": 6415, "IsSelectable": true, "Name": "On Hold" }, { "Id": 6416, "IsSelectable": true, "Name": "Closed" } ] } } }