Skip to main content

TIM - ArcSight Add Bad Hash Indicators

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

This playbook does not use any sub-playbooks.

Integrations#

  • ArcSight ESM v2

Scripts#

This playbook does not use any scripts.

Commands#

  • as-add-entries
  • appendIndicatorField

Playbook Inputs#


NameDescriptionDefault ValueRequired
ArcSightMd5ActiveListIDID of the Md5 hash ActiveList resource as it appears in ArcSight.Optional
ArcsightMd5ValueFieldNameThe name of the Active List field to insert the Md5 hash value to.Optional
ArcSightSha1ActiveListIDID of the Sha1 hash ActiveList resource as it appears in ArcSight.Optional
ArcsightSha1ValueFieldNameThe name of the Active List field to insert the Sha1 hash value to.Optional
ArcSightSha256ActiveListIDID of the Sha256 hash Active List resource as appears in ArcSight.Optional
Indicator QueryIndicators matching the indicator query will be used as playbook inputOptional
ArcsightSha256ValueFieldNameThe name of the Active List field to insert the Sha256 hash value to.Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Playbook Image