ArcSight Logger

Integration version: 4.0

Use Cases

ArcSight Logger is useful for analysts because it collects log data from all available sources in one place. With its search feature, analysts can query information related to incidents, which helps during the triage process.

Configure ArcSight Logger integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name | Type | Default value | Is mandatory | Description
--- | --- | --- | --- | ---
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for.
Description | String | N/A | No | Description of the instance.
Server Address | String | https://<host>:<port> | Yes | The server address of the ArcSight Logger instance.
Username | String | N/A | Yes | Username of the ArcSight Logger account.
Password | Password | N/A | Yes | Password of the ArcSight Logger account.
Verify SSL | Checkbox | Unchecked | No | If enabled, verify that the SSL certificate for the connection to the ArcSight Logger server is valid.
Run Remotely | Checkbox | Unchecked | No | Check the field to run the configured integration remotely. Once checked, an option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to ArcSight Logger with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't run on entities.

Action results

Script result
Script result name | Value options | Example
--- | --- | ---
is_success | True/False | is_success:False
Case Wall
Result type | Description | Type
Output message*

The action should not fail or stop a playbook execution:

If no errors and returned data: "Successfully connected to the ArcSight Logger with the provided connection parameters!"

The action should fail and stop a playbook execution:

If an error is reported: "Error executing action "Ping". Reason: {0}".format(error.Stacktrace)

General

Send Query

Description

Send a query to get information about related events from ArcSight Logger event log manager.

Parameters

Parameter name | Type | Default value | Is mandatory | Description
--- | --- | --- | --- | ---
Query | String | "" | Yes | Specify the query to send to the ArcSight Logger event search.
Max Events to Return | Integer | 100 | No | Specify the number of events to return. The limit is 10000; this is an ArcSight Logger limitation.
Time Frame | String | 1h | No | Specify the time frame used to fetch events. Possible values: 1m (1 minute ago), 1h (1 hour ago), 1d (1 day ago). Note: You can't combine different values, like 1d2h30m.
Fields to Fetch | Comma Separated Values | None | No | Specify which fields to fetch from ArcSight Logger. If nothing is specified, all of the available fields are returned.
Include Raw Event Data | Checkbox | Checked | No | If enabled, raw event data is included in the response.
Local Search Only | Checkbox | Unchecked | No | Indicates that the ArcSight Logger event search is local only and does not include ArcSight Logger peers. Set to false if you want to include peers in the event search.
Discover fields | Checkbox | Checked | No | Indicates that the ArcSight Logger search should try to discover fields in the events found.
Sort | String | ascending | No | Specify the sorting method. Possible values: ascending, descending.
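The Time Frame and Max Events to Return parameters carry constraints (a single value such as 1m, 1h or 1d, no combinations, and a 10000-event ceiling) that are cheap to enforce before a query is sent. The following is an added example, not code from this page or from the integration itself; the dict keys it returns are this example's own names and not ArcSight Logger REST API parameters, and `now` must be a timezone-aware datetime.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_EVENTS_LIMIT = 10000  # the ArcSight Logger limit stated for Max Events to Return
TIME_FRAME_RE = re.compile(r"^(\d+)([mhd])$")  # one amount and one unit, e.g. 1m, 1h, 1d
UNIT_NAMES = {"m": "minutes", "h": "hours", "d": "days"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_ms(dt):
    """Exact integer milliseconds since the epoch (no float timestamp rounding)."""
    return (dt - EPOCH) // timedelta(milliseconds=1)


def time_frame_to_window(time_frame, now=None):
    """Convert a Time Frame such as '1h' into (start_ms, end_ms) epoch milliseconds,
    the representation Logger uses for Event Time / rt in its results.
    Combined values such as '1d2h30m' are rejected, as the parameter table requires."""
    m = TIME_FRAME_RE.match(time_frame.strip())
    if not m:
        raise ValueError("invalid time frame %r: use one value such as 1m, 1h or 1d" % time_frame)
    amount, unit = int(m.group(1)), m.group(2)
    if amount == 0:
        raise ValueError("time frame must be positive")
    end = now or datetime.now(timezone.utc)  # assumed tz-aware when supplied
    start = end - timedelta(**{UNIT_NAMES[unit]: amount})
    return to_epoch_ms(start), to_epoch_ms(end)


def clamp_max_events(value):
    """Apply the 10000-event ceiling instead of letting Logger reject the request."""
    n = int(value)
    if n < 1:
        raise ValueError("Max Events to Return must be at least 1")
    return min(n, MAX_EVENTS_LIMIT)


def build_search_params(query, max_events=100, time_frame="1h", fields_to_fetch=None, now=None):
    """Validate the Send Query parameters and return them in normalised form (hypothetical keys)."""
    if not query or not query.strip():
        raise ValueError("Query is mandatory")
    start_ms, end_ms = time_frame_to_window(time_frame, now)
    fields = [f.strip() for f in (fields_to_fetch or "").split(",") if f.strip()]
    return {
        "query": query.strip(),
        "max_events": clamp_max_events(max_events),
        "start_ms": start_ms,
        "end_ms": end_ms,
        "fields": fields or None,  # None means "return all available fields"
    }
```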

Run on

This action doesn't run on entities.

Action results

Script result
Script result name | Value options | Example
--- | --- | ---
is_success | True/False | is_success:False
JSON Result
{
  "fields": [
      {
          "name": "_rowId",
          "type": "string",
          "alias": "_rowId"
      },
      {
          "name": "_raw",
          "type": "string",
          "alias": "_raw"
      },
      {
          "name": "Event Time",
          "type": "date",
          "alias": "Event Time"
      },
      {
          "name": "Logger",
          "type": "string",
          "alias": "Logger"
      },
      {
          "name": "Device",
          "type": "string",
          "alias": "Device"
      },
      {
          "name": "Receipt Time",
          "type": "date",
          "alias": "Receipt Time"
      },
      {
          "name": "deviceReceiptTime",
          "type": "date",
          "alias": "deviceReceiptTime"
      },
      {
          "name": "deviceCustomString2",
          "type": "string",
          "alias": "deviceCustomString2"
      },
      {
          "name": "destinationAddress",
          "type": "string",
          "alias": "destinationAddress"
      },
      {
          "name": "deviceCustomNumber3Label",
          "type": "string",
          "alias": "deviceCustomNumber3Label"
      },
      {
          "name": "globalEventId",
          "type": "number",
          "alias": "globalEventId"
      },
      {
          "name": "deviceVersion",
          "type": "string",
          "alias": "deviceVersion"
      },
      {
          "name": "name",
          "type": "string",
          "alias": "name"
      },
      {
          "name": "deviceAddress",
          "type": "string",
          "alias": "deviceAddress"
      },
      {
          "name": "deviceVendor",
          "type": "string",
          "alias": "deviceVendor"
      },
      {
          "name": "Version",
          "type": "string",
          "alias": "Version"
      },
      {
          "name": "deviceCustomNumber1Label",
          "type": "string",
          "alias": "deviceCustomNumber1Label"
      },
      {
          "name": "deviceEventCategory",
          "type": "string",
          "alias": "deviceEventCategory"
      },
      {
          "name": "endTime",
          "type": "date",
          "alias": "endTime"
      },
      {
          "name": "fileName",
          "type": "string",
          "alias": "fileName"
      },
      {
          "name": "deviceCustomNumber2",
          "type": "number",
          "alias": "deviceCustomNumber2"
      },
      {
          "name": "deviceCustomNumber1",
          "type": "number",
          "alias": "deviceCustomNumber1"
      },
      {
          "name": "baseEventCount",
          "type": "number",
          "alias": "baseEventCount"
      },
      {
          "name": "startTime",
          "type": "date",
          "alias": "startTime"
      },
      {
          "name": "deviceCustomNumber3",
          "type": "number",
          "alias": "deviceCustomNumber3"
      },
      {
          "name": "agentSeverity",
          "type": "string",
          "alias": "agentSeverity"
      },
      {
          "name": "fsize",
          "type": "string",
          "alias": "fsize"
      },
      {
          "name": "deviceProduct",
          "type": "string",
          "alias": "deviceProduct"
      },
      {
          "name": "deviceEventClassId",
          "type": "string",
          "alias": "deviceEventClassId"
      },
      {
          "name": "deviceCustomNumber2Label",
          "type": "string",
          "alias": "deviceCustomNumber2Label"
      },
      {
          "name": "deviceCustomString2Label",
          "type": "string",
          "alias": "deviceCustomString2Label"
      },
      {
          "name": "fileType",
          "type": "string",
          "alias": "fileType"
      }
  ],
  "results": [
      [
          "4BFEFD-86@Local",
          "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| cat=/Monitor/StorageGroup/Space/Used cn1=15 cn1Label=Percent Used cn2=180 cn2Label=retention period (days) cn3=2048 cn3Label=used (MB) cs2=CurrentValue cs2Label=timeframe dst=10.0.2.185 dvc=10.0.2.185 end=1585661238546 fileType=storageGroup fname=Default Storage Group fsize=13 geid=0 rt=1585661238546",
          1585661238546,
          "Local",
          "Logger",
          1585661364960,
          1585661238546,
          "CurrentValue",
          "10.0.2.185",
          "used (MB)",
          0,
          "7.0.0.8280.0",
          "Storage Group Space Used",
          "10.0.2.185",
          "ArcSight",
          "0",
          "Percent Used",
          "/Monitor/StorageGroup/Space/Used",
          1585661238546,
          "Default Storage Group",
          180,
          15,
          1,
          1585661238546,
          2048,
          "1",
          "13",
          "Logger",
          "storagegroup:100",
          "retention period (days)",
          "timeframe",
          "storageGroup"
      ],
      [
          "4BFEFD-87@Local",
          "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| cat=/Monitor/StorageGroup/Space/Used cn1=33 cn1Label=Percent Used cn2=365 cn2Label=retention period (days) cn3=1024 cn3Label=used (MB) cs2=CurrentValue cs2Label=timeframe dst=10.0.2.185 dvc=10.0.2.185 end=1585661238546 fileType=storageGroup fname=Internal Event Storage Group fsize=3 geid=0 rt=1585661238546",
          1585661238546,
          "Local",
          "Logger",
          1585661364960,
          1585661238546,
          "CurrentValue",
          "10.0.2.185",
          "used (MB)",
          0,
          "7.0.0.8280.0",
          "Storage Group Space Used",
          "10.0.2.185",
          "ArcSight",
          "0",
          "Percent Used",
          "/Monitor/StorageGroup/Space/Used",
          1585661238546,
          "Internal Event Storage Group",
          365,
          33,
          1,
          1585661238546,
          1024,
          "1",
          "3",
          "Logger",
          "storagegroup:100",
          "retention period (days)",
          "timeframe",
          "storageGroup"
      ]
  ]
}
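The JSON Result pairs a fields list with positional results rows, and the _raw column holds the original CEF record. The following is an added example, not code from this page or the integration: it zips each row with the field aliases, decodes the CEF header and key=value extensions (values may contain spaces), and checks the structured columns against the raw record. The sample data is constructed from the rows above, and the cn1 and fname mappings follow the standard CEF names for deviceCustomNumber1 and fileName.

```python
import re

# Constructed sample in the shape of the Send Query JSON Result shown above.
SAMPLE_RESULT = {
    "fields": [
        {"name": "_rowId", "type": "string", "alias": "_rowId"},
        {"name": "_raw", "type": "string", "alias": "_raw"},
        {"name": "Event Time", "type": "date", "alias": "Event Time"},
        {"name": "deviceCustomNumber1", "type": "number", "alias": "deviceCustomNumber1"},
        {"name": "fileName", "type": "string", "alias": "fileName"},
    ],
    "results": [[
        "4BFEFD-86@Local",
        "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| "
        "cat=/Monitor/StorageGroup/Space/Used cn1=15 cn1Label=Percent Used cn2=180 "
        "cn2Label=retention period (days) fname=Default Storage Group rt=1585661238546",
        1585661238546, 15, "Default Storage Group",
    ]],
}

CEF_HEADER = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion", "signatureId", "name", "severity")
CEF_TO_COLUMN = {"cn1": "deviceCustomNumber1", "fname": "fileName"}  # CEF key -> Logger column


def rows_as_dicts(result):
    """Zip every positional result row with the field aliases."""
    names = [f["alias"] for f in result["fields"]]
    for row in result["results"]:
        if len(row) != len(names):
            raise ValueError("row has %d values for %d fields" % (len(row), len(names)))
    return [dict(zip(names, row)) for row in result["results"]]


def parse_cef(raw):
    """Split a CEF record into its seven header fields plus key=value extensions;
    a value may contain spaces, so it runs up to the next 'key=' token."""
    parts = raw.split("|", 7)  # escaped pipes (\|) inside the header are not handled
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(CEF_HEADER, [parts[0][4:]] + parts[1:7]))
    ext = parts[7].strip()
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    return event


def raw_mismatches(row):
    """Report structured columns that disagree with the values parsed from _raw."""
    cef = parse_cef(row["_raw"])
    return [(col, row[col], cef[key]) for key, col in CEF_TO_COLUMN.items()
            if key in cef and col in row and str(row[col]) != cef[key]]
```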
Case Wall
Result type | Description | Type
Output message*

The action should not fail or stop a playbook execution:

If the status is set to "completed" and hit is greater than zero: "Successfully returned events for query "{0}" from the ArcSight Logger".format(query)

If the status is set to "completed" and hit is set to 0 (is_success == false): "Events were not found for query "{0}" in ArcSight Logger".format(query).

If the status is set to error: "Unable to execute query "{0}" in ArcSight Logger".format(query).

If the status code is 409 in the first request: "Unable to execute query "{0}" in ArcSight Logger. Reason: {1}".format(query, errors/message from first response)

Async output message: "Starting processing query {0} in ArcSight Logger".format(query)

The action should fail and stop a playbook execution:

If a fatal error (wrong credentials, connection error, action crashes) is reported: "Error executing action "Send Query". Reason: {0}".format(error.Stacktrace)

General
Table

Table name: {Query}

Columns: all of the available columns from the response. Look into the Action behavior section for more details.

General