RSA Archer
Integration version: 9.0
Configure RSA Archer integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory |
|---|---|---|---|
| API Root | String | http://x.x.x.x/rsaarcher | Yes |
| Instance Name | String | N/A | Yes |
| Username | String | N/A | Yes |
| Password | Password | N/A | Yes |
| Verify SSL | Checkbox | Checked | Yes |
Actions
Create Incident
Description
Create a new incident. In the Create an Incident dialog, analysts can create an incident from selected events in the events view. The incident is then available to incident responders working in respond.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Application Name | String | Incidents | No | Specify an application name for the incident. Default: Incidents. |
| Custom Mapping File | String | N/A | No | Specify an absolute path to the file that contains all of the required mapping. If "Remote File" is enabled, then provide a URL that contains the mapping file. Please refer to action documentation for the additional information. |
| Custom Fields | String | N/A | No | Specify a JSON object of fields that need to be used, when creating an incident . Example: {"Category": "Malware"} |
| Remote File | Checkbox | N/A | If enabled, action will treat value provided in "Custom Mapping File" as a URL and try to fetch a file from it. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| content_id | N/A | N/A |
Structure of the Mapping File
In order to work with a mapping file you need to use the proper format. Currently, mapping allows you to define cross-reference field entries.
The structure of the file is the following:
{
"type_9": {
"{Cross-reference field name}": {
"{Cross-reference field value}": "{content id of the cross-reference field value}",
"{Cross-reference field value 2}": "{content id of the cross-reference field value 2}"
}
}
}
Example. You have an incident application that you want to link to a certain facility application. In that case the mapping file will look like this:
{
"type_9": {
"Facility": {
"Business Department": "20202021",
"Developers": "20011101"
}
}
}
```
You need to use a mapping file, when actions are not able to automatically
retrieve content id. In all of the other cases, this step is not needed.
##### JSON Result
```json
{
"@odata.context": "http://172.30.202.238/RSAarcher/contentapi/Incidents(249459)/$metadata#Incidents/$entity",
"Incidents_Id": 249459,
"Additional_Access": [],
"Additional_Notification_Recipients": [],
"Address": "<p>Fifth street </p>",
"Affected_Business_Unit": [],
"Batch_File_Format": [],
"Business_Continuity_Plans": [],
"Business_Impact_Analysis_Archive": [],
"Category": [
"Harassment"
],
"Cause": null,
"City": "Vienna",
"Corrective_Actions": null,
"Country": [],
"Current_Status": [],
"Customer_Data": [],
"Customer_Data_Details": null,
"Data_Encrypted": [],
"Date_Created": "2020-05-08T12:17:37.187+02:00",
"DateTime_Closed": null,
"DateTime_Occurred": "2020-05-06T05:00:00+02:00",
"DateTime_Reported": "2020-05-08T12:15:00+02:00",
"Days_Open": 6,
"Default_Record_Permissions": [
"IM: Admin",
"IM: Read Only",
"BCM: Admin"
],
"Desktop_Policy_Enabled": [],
"Discovery_Policy_Enabled": [],
"DLP_Policy": [],
"DLP_Source_Product": [],
"Emergency_Notifications": [],
"Encryption_Details": null,
"Escalated_Incident_Status": [],
"Estimated_Hours": 0,
"Facility": [],
"Filing_Name": null,
"From_Date__Time": null,
"Google_Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om=1<p>Fifth street </p>, Vienna, , 5000'>Google Map",
"Impacted_Information_Assess": [],
"Incident_Analysis_Q1": [],
"Incident_Analysis_Q2": [],
"Incident_Analysis_Q3": [],
"Incident_Analysis_Q4": [],
"Incident_Analysis_Q5": [],
"Incident_Analysis_Q6": [],
"Incident_Analysis_Q7": [],
"Incident_Analysis_Q8": [],
"Incident_Analysis_Score": 0,
"Incident_Analysis_Severity": [
"Low"
],
"Incident_Details": "Closed!",
"Incident_ID": 2,
"Incident_Manager": [],
"Incident_Owner": [],
"Incident_Resolution_Detail": null,
"Incident_Result": [
"To Be Determined"
],
"Incident_Status": [
"Closed"
],
"Incident_Summary": "TEST!!!!",
"Incident_Trend": [],
"Individuals_Involved": [],
"Inherited_From_Third_Party_Profile": [],
"Inherited_Permissions_Engagement_Stakeho": [],
"Inherited_Permissions_Supplier_Request_F": [],
"Inherited_RP": [],
"Investigations": [],
"Involved_Third_Parties": [],
"Is_BSA_Bank_Secrecy_Act_reporting_requir": [
"No"
],
"Last_Updated": "2020-05-15T12:40:18.987+02:00",
"Law_Enforcement_Agency": null,
"Law_Enforcement_Agent": null,
"Law_Enforcement_Case_No": null,
"Legal_Involvement": [],
"Legal_Involvement_Details": null,
"Loss": 0,
"Loss_Description": null,
"Loss_Events": [],
"Network_Policy_Enabled": [],
"Notification_Execution": [],
"Notify_Crisis_Team": [
" No, do not send an email notification"
],
"Notify_Incident_Owner": [
"No, do not send an email notification to the incident owner"
],
"Open_TasksActivities": [],
"Organization_Affected_By_Incident": [],
"Override_Rejected_Submission": [
"No"
],
"Policy_Enabled": [],
"Priority": [
"High"
],
"Range_Type": [],
"Recovery_": 0,
"Recovery_Description": null,
"Region": [],
"Related_Incidents": [],
"Related_Incidents1": [],
"Reported_to_Police": [],
"Responder_Hours_Entry": [],
"Risks": [],
"Source": [],
"State": [],
"Status_Change": [
"No"
],
"Status_Prior_Value": [],
"Top_Offending_Users": [],
"Total_Hours": 0,
"Workflow_Assignees": [],
"Workflow_Stage": [],
"Zip_Code": "5000"
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | Error Messages: If invalid key - "Action wasn't able to create a new incident. Reason: {0} field was not found."format(invalid key)
|
General |
Ping
Description
Test Connectivity.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| success | True/False | success:False |
Update Incident
Description
Update an incident.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Application Name | String | Incidents | No | Specify an application name for the incident. Default: Incidents. |
| Custom Mapping File | String | N/A | No | Specify an absolute path to the file that contains all of the required mapping. If "Remote File" is enabled, then provide a URL that contains the mapping file. Please refer to action documentation for the additional information. |
| Content ID | String | N/A | Content ID of the incident to update. | |
| Incident Summary | String | N/A | The new summary of the incident. | |
| Incident Details | String | N/A | The new details (description) of the incident. | |
| Incident Owner | String | N/A | The new owner of the incident. | |
| Incident Status | String | N/A | The new status of the incident. | |
| Priority | String | N/A | The new priority of the incident. | |
| Category | String | N/A | The new category of the incident. | |
| Custom Fields | String | N/A | No | Specify a JSON object of fields that need to be updated. Example: {"Category": "Malware"}. |
| Remote File | Checkbox | N/A | If enabled, action will treat value provided in "Custom Mapping File" as a URL and try to fetch a file from it. |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| content_id | N/A | N/A |
Structure of the Mapping File
In order to work with a mapping file you need to use the proper format. Currently, mapping allows you to define cross-reference field entries.
The structure of the file is the following:
{
"type_9": {
"{Cross-reference field name}": {
"{Cross-reference field value}": "{content id of the cross-reference field value}",
"{Cross-reference field value 2}": "{content id of the cross-reference field value 2}"
}
}
}
Example. You have an incident application that you want to link to a certain facility application. In that case the mapping file will look like this:
{
"type_9": {
"Facility": {
"Business Department": "20202021",
"Developers": "20011101"
}
}
}
You need to use a mapping file, when actions are not able to automatically retrieve content id. In all of the other cases, this step is not needed.
JSON Result
{
"@odata.context": "http://172.30.202.238/RSAarcher/contentapi/Incidents(249459)/$metadata#Incidents/$entity",
"Incidents_Id": 249459,
"Additional_Access": [],
"Additional_Notification_Recipients": [],
"Address": "<p>Fifth street </p>",
"Affected_Business_Unit": [],
"Batch_File_Format": [],
"Business_Continuity_Plans": [],
"Business_Impact_Analysis_Archive": [],
"Category": [
"Harassment"
],
"Cause": null,
"City": "Vienna",
"Corrective_Actions": null,
"Country": [],
"Current_Status": [],
"Customer_Data": [],
"Customer_Data_Details": null,
"Data_Encrypted": [],
"Date_Created": "2020-05-08T12:17:37.187+02:00",
"DateTime_Closed": null,
"DateTime_Occurred": "2020-05-06T05:00:00+02:00",
"DateTime_Reported": "2020-05-08T12:15:00+02:00",
"Days_Open": 6,
"Default_Record_Permissions": [
"IM: Admin",
"IM: Read Only",
"BCM: Admin"
],
"Desktop_Policy_Enabled": [],
"Discovery_Policy_Enabled": [],
"DLP_Policy": [],
"DLP_Source_Product": [],
"Emergency_Notifications": [],
"Encryption_Details": null,
"Escalated_Incident_Status": [],
"Estimated_Hours": 0,
"Facility": [],
"Filing_Name": null,
"From_Date__Time": null,
"Google_Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om=1<p>Fifth street </p>, Vienna, , 5000'>Google Map",
"Impacted_Information_Assess": [],
"Incident_Analysis_Q1": [],
"Incident_Analysis_Q2": [],
"Incident_Analysis_Q3": [],
"Incident_Analysis_Q4": [],
"Incident_Analysis_Q5": [],
"Incident_Analysis_Q6": [],
"Incident_Analysis_Q7": [],
"Incident_Analysis_Q8": [],
"Incident_Analysis_Score": 0,
"Incident_Analysis_Severity": [
"Low"
],
"Incident_Details": "Closed!",
"Incident_ID": 2,
"Incident_Manager": [],
"Incident_Owner": [],
"Incident_Resolution_Detail": null,
"Incident_Result": [
"To Be Determined"
],
"Incident_Status": [
"Closed"
],
"Incident_Summary": "TEST!!!!",
"Incident_Trend": [],
"Individuals_Involved": [],
"Inherited_From_Third_Party_Profile": [],
"Inherited_Permissions_Engagement_Stakeho": [],
"Inherited_Permissions_Supplier_Request_F": [],
"Inherited_RP": [],
"Investigations": [],
"Involved_Third_Parties": [],
"Is_BSA_Bank_Secrecy_Act_reporting_requir": [
"No"
],
"Last_Updated": "2020-05-15T12:40:18.987+02:00",
"Law_Enforcement_Agency": null,
"Law_Enforcement_Agent": null,
"Law_Enforcement_Case_No": null,
"Legal_Involvement": [],
"Legal_Involvement_Details": null,
"Loss": 0,
"Loss_Description": null,
"Loss_Events": [],
"Network_Policy_Enabled": [],
"Notification_Execution": [],
"Notify_Crisis_Team": [
" No, do not send an email notification"
],
"Notify_Incident_Owner": [
"No, do not send an email notification to the incident owner"
],
"Open_TasksActivities": [],
"Organization_Affected_By_Incident": [],
"Override_Rejected_Submission": [
"No"
],
"Policy_Enabled": [],
"Priority": [
"High"
],
"Range_Type": [],
"Recovery_": 0,
"Recovery_Description": null,
"Region": [],
"Related_Incidents": [],
"Related_Incidents1": [],
"Reported_to_Police": [],
"Responder_Hours_Entry": [],
"Risks": [],
"Source": [],
"State": [],
"Status_Change": [
"No"
],
"Status_Prior_Value": [],
"Top_Offending_Users": [],
"Total_Hours": 0,
"Workflow_Assignees": [],
"Workflow_Stage": [],
"Zip_Code": "5000"
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | Error Messages: If invalid key - "Action wasn't able to update the incident. Reason: {0} field was not found."format(invalid key)
|
General |
Get Incident Details
Description
Retrieve information about the incident from RSA Archer.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Application Name | String | Incidents | No | Specify an application name for the incident. Default: Incidents. |
| Content ID | Integer | N/A | Yes | Specify ID of the content for which you want to retrieve details. |
Use cases
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
{
"@odata.context": "http://172.30.202.238/RSAarcher/contentapi/Incidents(249459)/$metadata#Incidents/$entity",
"Incidents_Id": 249459,
"Additional_Access": [],
"Additional_Notification_Recipients": [],
"Address": "<p>Fifth street </p>",
"Affected_Business_Unit": [],
"Batch_File_Format": [],
"Business_Continuity_Plans": [],
"Business_Impact_Analysis_Archive": [],
"Category": [
"Harassment"
],
"Cause": null,
"City": "Vienna",
"Corrective_Actions": null,
"Country": [],
"Current_Status": [],
"Customer_Data": [],
"Customer_Data_Details": null,
"Data_Encrypted": [],
"Date_Created": "2020-05-08T12:17:37.187+02:00",
"DateTime_Closed": null,
"DateTime_Occurred": "2020-05-06T05:00:00+02:00",
"DateTime_Reported": "2020-05-08T12:15:00+02:00",
"Days_Open": 6,
"Default_Record_Permissions": [
"IM: Admin",
"IM: Read Only",
"BCM: Admin"
],
"Desktop_Policy_Enabled": [],
"Discovery_Policy_Enabled": [],
"DLP_Policy": [],
"DLP_Source_Product": [],
"Emergency_Notifications": [],
"Encryption_Details": null,
"Escalated_Incident_Status": [],
"Estimated_Hours": 0,
"Facility": [],
"Filing_Name": null,
"From_Date__Time": null,
"Google_Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om<p>Fifth street </p>, Vienna, , 5000'>Google Map",
"Impacted_Information_Assess": [],
"Incident_Analysis_Q1": [],
"Incident_Analysis_Q2": [],
"Incident_Analysis_Q3": [],
"Incident_Analysis_Q4": [],
"Incident_Analysis_Q5": [],
"Incident_Analysis_Q6": [],
"Incident_Analysis_Q7": [],
"Incident_Analysis_Q8": [],
"Incident_Analysis_Score": 0,
"Incident_Analysis_Severity": [
"Low"
],
"Incident_Details": "Closed!",
"Incident_ID": 2,
"Incident_Manager": [],
"Incident_Owner": [],
"Incident_Resolution_Detail": null,
"Incident_Result": [
"To Be Determined"
],
"Incident_Status": [
"Closed"
],
"Incident_Summary": "TEST!!!!",
"Incident_Trend": [],
"Individuals_Involved": [],
"Inherited_From_Third_Party_Profile": [],
"Inherited_Permissions_Engagement_Stakeho": [],
"Inherited_Permissions_Supplier_Request_F": [],
"Inherited_RP": [],
"Investigations": [],
"Involved_Third_Parties": [],
"Is_BSA_Bank_Secrecy_Act_reporting_requir": [
"No"
],
"Last_Updated": "2020-05-15T12:40:18.987+02:00",
"Law_Enforcement_Agency": null,
"Law_Enforcement_Agent": null,
"Law_Enforcement_Case_No": null,
"Legal_Involvement": [],
"Legal_Involvement_Details": null,
"Loss": 0,
"Loss_Description": null,
"Loss_Events": [],
"Network_Policy_Enabled": [],
"Notification_Execution": [],
"Notify_Crisis_Team": [
" No, do not send an email notification"
],
"Notify_Incident_Owner": [
"No, do not send an email notification to the incident owner"
],
"Open_TasksActivities": [],
"Organization_Affected_By_Incident": [],
"Override_Rejected_Submission": [
"No"
],
"Policy_Enabled": [],
"Priority": [
"High"
],
"Range_Type": [],
"Recovery_": 0,
"Recovery_Description": null,
"Region": [],
"Related_Incidents": [],
"Related_Incidents1": [],
"Reported_to_Police": [],
"Responder_Hours_Entry": [],
"Risks": [],
"Source": [],
"State": [],
"Status_Change": [
"No"
],
"Status_Prior_Value": [],
"Top_Offending_Users": [],
"Total_Hours": 0,
"Workflow_Assignees": [],
"Workflow_Stage": [],
"Zip_Code": "5000"
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully returned information about the incident with ID {0} in RSA Archer.".format(content ID) if status code 404 (is_success = false): print "Action wasn't able to return information about the incident with ID {0} in RSA Archer. Reason: Incident with ID {0} was not found.".format(content id)
if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Get Incident Details". Reason: {0}''.format(error.Stacktrace) |
General |
Add Incident Journal Entry
Description
Add a journal entry to the Security Incident in RSA Archer.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Destination Content ID | String | N/A | True | Specify a content id of the security incident to which you want to add journal entry. |
| Text | String | N/A | True | Specify the text for the journal entry. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
JSON Result
{
"Links": [],
"RequestedObject": {
"Id": 267754
},
"IsSuccessful": true,
"ValidationMessages": []
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if Successful == false(is_success = false): "Action wasn't able to add new journal entry to the Security Incident {0} in RSA Archer..format(content_id) The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add Incident Journal Entry". Reason: {0}''.format(error.Stacktrace) If incident doesn't exist (404 status code): "Error executing action "Add Incident Journal Entry". Reason: Security Incident {0} was not found''.format(content_id). |
General |
Connector
RSA Archer - Security Incidents Connector
Description
Pull Security Incidents from RSA Archer.
Configure RSA Archer - Security Incidents Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | event_type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | http://x.x.x.x/RSAarcher | Yes | API Root of the RSA Archer instance. |
| Instance Name | String | N/A | Yes | Name of the RSA Archer instance. |
| Username | String | N/A | Yes | Username of the RSA Archer account. |
| Password | Password | N/A | Yes | Password of the RSA Archer account. |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch security incidents. |
| Max Security Incidents To Fetch | Integer | 50 | No | How many security incidents to process per one connector iteration. |
| Process Security Alerts | Checkbox | Checked | No | If enabled, action will process Security Alerts related to the Security Incident. |
| Process Incident Journal | Checkbox | Checked | No | If enabled, action will process Incident Journal related to the Security Incident. |
| Time Format | String | %Y-%m-%d %H:%M:%S | Yes | Specify, what should be the time format for the searching of Security Incidents. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify the SSL certificate for the connection to the RSA Archer server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.
Job
Sync Security Incidents
Description
This job will synchronize security incidents in RSA Archer and Google Security Operations SOAR.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | http://x.x.x.x/RSAarcher | Yes | API Root of the RSA Archer instance. |
| Instance Name | String | N/A | Yes | Name of the RSA Archer instance. |
| Username | String | N/A | Yes | Username of the RSA Archer account. |
| Password | Password | N/A | Yes | Password of the RSA Archer account. |
| Sync Fields | CSV | N/A | Yes | Specify a comma-separated list of fields that need to be synced |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the RSA Archer server is valid. |