ArcSight ESM v2
ArcSight ESM
ArcSight ESM is a security information and event management (SIEM) product. It collects security log data from an enterprise’s security technologies, operating systems, applications and other log sources, and analyzes that data for signs of compromise, attacks or other malicious activity. The product generates cases to security administrators and analysts.
NOTE:
ArcSight XML is no longer supported. Use the ArcSight ESM integration instead.
Use Cases
- Fetching events and cases based on a query viewer.
- Getting additional information by event or case ID.
- Searching for events.
- Updating a case or deleting it.
- Getting all entries from an active list, updating an entry and clearing the list.
Set up ArcSight ESM to work with Demisto
The setup for using ArcSight ESM with Demisto depends on whether you will be using the integration to fetch events or cases.
For fetching Events/Cases:
1. Create an Event/Case query.
2. Add a row limit (1000).
3. Add a start time limit (e.g. $Now-10m).
4. Go to the following fields and add conditions if needed:
- Select the Event ID and Start Time fields for Events (mandatory).
- Select the ID and Create Time fields for Cases (mandatory).
- Select additional fields of your choice.
- Add conditions if needed (malicious/suspicious behavior such as malware found, failed login, access to a known malicious site and/or conditions like severity, criticality, assets etc).
Note:
Demisto is designed for automatic response, so make sure to define conditions for actionable/severe/critical events only.
5. Create a query viewer based on the query.
6. Save the Query Viewer resource ID in the integration configuration in Demisto.
Configure ArcSight ESM on Demisto
- Navigate to Settings>Integrations>Servers & Services.
- Search for ArcSight ESM.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1:8443): The hostname or IP address of the appliance being used, for example, https://your_arcsight_esm:port.
- Credentials and Password: Use the username and password used to access the ArcSight ESM account. By default, a user with the admin role will have all the necessary permissions to run all integration commands. For more granular authorization, refer to the ESM documentation on how to create custom roles.
- Fetch Events as incidents via Query Viewer ID: Must have Start Time and Event ID fields.
- Fetch Cases as incidents via Query Viewer ID: Must have Create Time and ID fields.
- The maximum number of unique IDs expected to be fetched: If the number of unique IDs exceeds the maximum, duplicates will be fetched.
- Do not validate server certificate (unsecured): Select to skip server certificate validation. You may want to do this in case Demisto cannot validate the integration server certificate (due to a missing CA certificate).
- Use system proxy settings: Select whether to communicate via the system proxy server or not.
- Fetch incidents: Mark the Fetch incidents checkbox to automatically create Demisto incidents from this integration instance.
- Incident type: Select the incident type to trigger.
- Use REST Endpoints: Mark this checkbox to use REST endpoints for the commands related to 'entries' instead of the default legacy SOAP endpoints.
- Click Test to validate the URLs, token, and connection. If you are experiencing issues with the service configuration, please contact Demisto support at support@paloaltonetworks.com.
- After completing the test successfully, press the ‘Done’ button.
Use-Cases
- Fetch events - New events that match the predefined condition will be fetched to Demisto as an incident and will trigger playbooks for automation and response. Such events could be any kind of security events.
- Fetch cases - New cases that match the predefined condition will be fetched to Demisto as an incident and will trigger playbooks for automation and response. Such cases could include any kind of security events. The final step of the playbook could be updating, closing or deleting the case.
- Search events - Query specific events based on an existing query viewer.
- Getting active list entries - Returning active list entries (such as “Blacklist IPS”, “Malicious MD5s”, etc) by using as-get-entries and providing the resource ID of the active list. The entries can be added as a list in Demisto for cross-platform usage, additional automation, and data enrichment.
Fetched Incidents Data
The integration can fetch events and cases.
- When first turned on, the integration fetches all events/cases from the query viewer.
- The fetched incidents are later filtered by timestamp (start time/create time).
- In case of slowness, timeouts or crashes try reducing the max fetch parameter.
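The fetch behaviour listed above, as an added example that is not the integration's own code: a Python model of a fetch that takes query viewer rows, drops rows older than the last run, de-duplicates by ID, and remembers only the configured maximum number of unique IDs, so that the duplicate-fetch trade-off of that parameter is visible. The sample rows, the last_run shape and the helper names are assumptions.

```python
# Added example (not the integration's own code): a model of the fetch logic.
# Query viewer rows must carry the fields required at setup (Event ID and
# Start Time for events; ID and Create Time for cases); times are epoch ms.

# Constructed sample rows shaped like query viewer results (two share a timestamp).
SAMPLE_ROWS = [
    {"Event ID": 12352349, "Start Time": 1589028174502, "Name": "Login succeeded for user name 'admin'"},
    {"Event ID": 87654321, "Start Time": 1589028234536, "Name": "Login succeeded for user name 'admin'"},
    {"Event ID": 14725836, "Start Time": 1589028294471, "Name": "Login succeeded for user name 'admin'"},
    {"Event ID": 31415926, "Start Time": 1589028294471, "Name": "ArcSight User Login"},
]


def fetch_incidents(rows, last_run, max_unique_ids,
                    id_field="Event ID", time_field="Start Time"):
    """Return (incidents, new_last_run).

    last_run is None on the very first run, so every row in the viewer is
    fetched. Afterwards rows older than the last fetched timestamp are dropped,
    and rows at or after it are de-duplicated against the remembered IDs.
    Only the newest max_unique_ids IDs are remembered: when more rows than that
    sit at the boundary timestamp, forgotten ones are fetched again as
    duplicates, which is the trade-off the 'maximum number of unique IDs'
    parameter sets (raise it, or narrow the query, to avoid that).
    """
    last_ts = last_run["timestamp"] if last_run else 0
    remembered = list(last_run["ids"]) if last_run else []
    seen = set(remembered)
    incidents = []
    # sorted() is stable, so rows with equal timestamps keep their viewer order
    for row in sorted(rows, key=lambda r: r[time_field]):
        if row[time_field] < last_ts or row[id_field] in seen:
            continue  # excluded by the time filter or already fetched
        seen.add(row[id_field])
        remembered.append(row[id_field])
        incidents.append({
            "name": "%s (%s)" % (row.get("Name", "event"), row[id_field]),
            "occurred_ms": row[time_field],
            "rawJSON": row,
        })
    if incidents:
        last_ts = max(i["occurred_ms"] for i in incidents)
    new_last_run = {"timestamp": last_ts, "ids": remembered[-max(1, max_unique_ids):]}
    return incidents, new_last_run


def fetched_ids(incidents):
    """Event IDs of the incidents one fetch produced, in fetch order."""
    return [i["rawJSON"]["Event ID"] for i in incidents]
```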
Commands
You can execute these commands from the Demisto CLI, as part of automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- (Deprecated) Get all case resource IDs: as-get-all-cases
- Get information for a single case: as-get-case
- Get query viewer results: as-get-matrix-data
- Add entries to the Active List: as-add-entries
- Delete all entries from the Active List: as-clear-entries
- Get all entries on the Active List: as-get-entries
- Get details for security event: as-get-security-events
- Get all case event IDs: as-get-case-event-ids
- Update a single case: as-update-case
- Get all query viewer IDs: as-get-all-query-viewers
- Delete a single case: as-case-delete
- Get all query viewer results: as-get-query-viewer-results
- Fetches incidents: as-fetch-incidents
- Delete entries from the Active List: as-delete-entries
as-get-all-cases
(Deprecated) Retrieves all case resource IDs.
Base Command
as-get-all-cases
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.AllCaseIDs | Unknown | All case resource IDs |
Command Example
!as-get-all-cases
Context Example
Human Readable Output
All cases
caseID |
---|
1234DfGkBABCenF0601F2Ww== |
456mUEWcBABD6cSFwTn5Fog== |
789pEo2gBABCBcJbK9kU04Q== |
as-get-case
Gets information about a single case.
Base Command
as-get-case
Input
Argument Name | Description | Required |
---|---|---|
resourceId | Resource ID of the case to get information for | Required |
withBaseEvents | If "true", then will return case and base events of that case | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.Cases.resourceid | string | Case ID |
ArcSightESM.Cases.name | string | Case name |
ArcSightESM.Cases.eventIDs | Unknown | Related base event IDs |
ArcSightESM.Cases.createdTimestamp | number | Time the case was created (in milliseconds) |
ArcSightESM.Cases.createdTime | string | Created time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
ArcSightESM.Cases.modifiedTimestamp | number | Modified timestamp (in milliseconds) |
ArcSightESM.Cases.modifiedTime | date | Modified time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
ArcSightESM.Cases.action | string | Action (e.g., BLOCK_OR_SHUTDOWN) |
ArcSightESM.Cases.associatedImpact | string | Associated impact (e.g., AVAILABILITY) |
ArcSightESM.Cases.attackAgent | string | Attack agent (e.g., INSIDER) |
ArcSightESM.Cases.attackMechanism | string | Attack mechanism (e.g., PHYSICAL) |
ArcSightESM.Cases.consequenceSeverity | string | Consequence severity (e.g., NONE) |
ArcSightESM.Cases.detectionTime | date | Detection time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
ArcSightESM.Cases.displayID | number | Display ID |
ArcSightESM.Cases.estimatedStartTime | date | Estimated start time (dd-mm-yyyyTHH:MM:SS.SSS timezone) |
ArcSightESM.Cases.frequency | string | Frequency (e.g., NEVER_OR_ONCE) |
ArcSightESM.Cases.history | Unknown | History (e.g., KNOWN_OCCURENCE) |
ArcSightESM.Cases.numberOfOccurences | number | Number Of Occurences |
ArcSightESM.Cases.resistance | string | Resistance (e.g., HIGH) |
ArcSightESM.Cases.securityClassification | string | Security Classification (e.g., UNCLASSIFIED) |
ArcSightESM.Cases.sensitivity | string | Sensitivity (e.g., UNCLASSIFIED) |
ArcSightESM.Cases.stage | string | Stage (e.g., QUEUED,INITIAL,FOLLOW_UP,FINAL,CLOSED) |
ArcSightESM.Cases.ticketType | string | Ticket type (e.g., INTERNAL,CLIENT,INCIDENT) |
ArcSightESM.Cases.vulnerability | string | Vulnerability (e.g., DESIGN) |
Command Example
!as-get-case resourceId="12ax-uGgBABCWb2puJdY8ZA=="
Context Example
Human Readable Output
Case 12ax-uGgBABCWb2puJdY8ZA==
Action | CaseID | CreatedTime | EventIDs | Name | Severity | Stage |
---|---|---|---|---|---|---|
BLOCK_OR_SHUTDOWN | 12ax-uGgBABCWb2puJdY8ZA== | 2019-02-04 12:33:21 | 12395741, 45696713, 7896719 | test | INSIGNIFICANT | QUEUED |
as-get-matrix-data
Retrieves query viewer results (query viewer must be configured to be refreshed every minute, see documentation)
Base Command
as-get-matrix-data
Input
Argument Name | Description | Required |
---|---|---|
id | Resource ID of a query viewer | Required |
onlyColumns | If "true", will return only the columns of the query. If "false", will return the column headers and all query results. | Optional |
Context Output
There is no context output for this command.
Command Example
!as-get-matrix-data id=aBBnu5XEBABCJHuGRQA-nwg==
Context Example
Human Readable Output
Column Headers |
---|
Name |
ID |
Create Time |
Event-Name |
Originator |
Alias |
Display ID |
Query Viewer Results: aBBnu5XEBABCJHuGRQA-nwg==
Create Time | Display ID | Event-Name | ID | Name |
---|---|---|---|---|
1582763229550 | 30001 | 123nu5XEBABCJHuGRQA-nwg== | test1 | |
1589103446811 | 30003 | 123gfy-XEBABCAD7Y9AVwrTA== | test2 | |
1588004035004 | 30002 | Login succeeded for user name 'admin' | 123lqvHEBABDmMHb-MM+jnA== | test3 |
1588004035004 | 30002 | ArcSight User Login | 123lqvHEBABDmMHb-MM+jnA== | test4 |
as-add-entries
Adds new entries to the Active List.
Base Command
as-add-entries
Input
Argument Name | Description | Required |
---|---|---|
resourceId | Resource ID of the Active List | Required |
entries | Entries are in JSON format. JSON must be an array of entries. Each entry must contain the same columns as they appear in the Active List, e.g., [{ "UserName": "john", "IP":"19.12.13.11"},{ "UserName": "bob", "IP":"22.22.22.22"}] | Required |
Context Output
There is no context output for this command.
Command Example
!as-add-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ==" entries="[{\"name\": \"t3\", \"EventID\": \"9\"},{\"name\": \"t4\", \"EventID\": \"9\"}]"
Context Example
Human Readable Output
Success
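An added example, not the integration's code, serving as-add-entries, as-delete-entries and as-get-entries together: it validates the entries JSON against the Active List columns (the page requires each entry to carry exactly those columns) and computes which entries to add and which to delete to bring a list to a desired state. The column names and the helper names are assumptions.

```python
import json

# Constructed columns of a hypothetical Active List (the page's example uses these).
ACTIVE_LIST_COLUMNS = ("UserName", "IP")


def validate_entries(entries_json, columns=ACTIVE_LIST_COLUMNS):
    """Parse the 'entries' argument and check it against the Active List columns.

    Returns the entries with values coerced to strings (Active List fields are
    strings), or raises ValueError describing the first problem found.
    """
    try:
        entries = json.loads(entries_json)
    except json.JSONDecodeError as e:
        raise ValueError("entries is not valid JSON: %s" % e)
    if not isinstance(entries, list) or not entries:
        raise ValueError("entries must be a non-empty JSON array")
    expected = set(columns)
    cleaned = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError("entry %d is not a JSON object" % i)
        keys = set(entry)
        missing, extra = sorted(expected - keys), sorted(keys - expected)
        if missing or extra:
            raise ValueError("entry %d: missing %s, unexpected %s" % (i, missing, extra))
        cleaned.append({c: str(entry[c]) for c in columns})
    return cleaned


def first_problem(entries_json, columns=ACTIVE_LIST_COLUMNS):
    """The validation error message for entries_json, or None when it is valid."""
    try:
        validate_entries(entries_json, columns)
    except ValueError as e:
        return str(e)
    return None


def reconcile(current, desired, columns=ACTIVE_LIST_COLUMNS):
    """Split a desired Active List state into (to_add, to_delete).

    current is what as-get-entries returned; the two results are the JSON
    arrays to pass to as-add-entries and as-delete-entries respectively.
    Entries are compared on the full column tuple, so a changed IP for the
    same user shows up as one delete plus one add.
    """
    key = lambda e: tuple(str(e[c]) for c in columns)
    cur, want = {key(e): e for e in current}, {key(e): e for e in desired}
    to_add = [want[k] for k in want if k not in cur]
    to_delete = [cur[k] for k in cur if k not in want]
    return to_add, to_delete
```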
as-clear-entries
Deletes all entries in the Active List.
Base Command
as-clear-entries
Input
Argument Name | Description | Required |
---|---|---|
resourceId | Resource ID of a specific Active List | Required |
Context Output
There is no context output for this command.
Command Example
!as-clear-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ=="
Context Example
Human Readable Output
Success
as-get-entries
Returns all entries in the Active List
Limitations
Returns up to 2000 entries.
Base Command
as-get-entries
Input
Argument Name | Description | Required |
---|---|---|
resourceId | Resource ID of a specific Active List | Required |
entryFilter | Filters the entries, e.g., entryFilter="moo:moo1" | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.ActiveList | Unknown | Active List is a map of active list resource id => active list entries |
ArcSightESM.ActiveList.ListID | list | The ActiveList ID |
ArcSightESM.ActiveList.Entry | Unknown | Active List is a map of active list resource id => active list |
Command Example
!as-get-entries resourceId=A1LvlmWgBABCA5+HbRyHZoQ==
Context Example
Human Readable Output
Columns |
---|
eventId |
name |
startTime |
Active List has no entries
as-get-security-events
Returns the security event details
Base Command
as-get-security-events
Input
Argument Name | Description | Required |
---|---|---|
ids | One or more security event IDs, separated by commas. An Event ID in ArcSight is always a number. Example: 13906590 | Required |
lastDateRange | Query last events. Format follows 'number date_range_unit', e.g., 2 hours, 4 minutes, 6 month, 1 day | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.SecurityEvents | Unknown | List of security events |
ArcSightESM.SecurityEvents.name | string | Event name |
ArcSightESM.SecurityEvents.eventId | number | Event ID |
ArcSightESM.SecurityEvents.type | string | Event type (e.g., CORRELATION) |
ArcSightESM.SecurityEvents.baseEventIds | Unknown | Base event IDs |
ArcSightESM.SecurityEvents.source.address | Unknown | Event source address |
ArcSightESM.SecurityEvents.destination.address | Unknown | Event destination address |
ArcSightESM.SecurityEvents.startTime | date | Start time in milliseconds |
Command Example
!as-get-security-events ids=12352349,45652798
Context Example
Human Readable Output
Destination Address | Event ID | Name | Source Address | Time |
---|---|---|---|---|
1.1.1.1 | 12352349 | Monitor Event | | 2020-05-07, 14:43:00 |
1.1.1.1 | 45652798 | Login succeeded for user name 'admin' | 2.2.2.2 | 2020-05-07, 14:48:54 |
as-get-case-event-ids
Returns all case event IDs.
Base Command
as-get-case-event-ids
Input
Argument Name | Description | Required |
---|---|---|
caseId | Case ID, e.g., 7e6LEbF8BABCfA-dlp1rl1A== | Required |
withCorrelatedEvents | If "true", then will return case and correlated events | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.CaseEvents | Unknown | Map of caseId => related event ids |
ArcSightESM.CaseEvents.LatestResult | Unknown | Event IDs of the last execution of this command |
Command Example
!as-get-case-event-ids caseId="12ax-uGgBABCWb2puJdY8ZA==" withCorrelatedEvents="true"
Context Example
Human Readable Output
Case 12ax-uGgBABCWb2puJdY8ZA==
Event IDs |
---|
12396713 |
45695741 |
78996719 |
as-update-case
Updates a specific case.
Base Command
as-update-case
Input
Argument Name | Description | Required |
---|---|---|
caseId | Case resource ID to update. The case must be unlocked, and the user should have edit permissions. | Required |
stage | Stage the case is in | Optional |
severity | Ticket consequence Severity | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.Cases | unknown | List of cases |
ArcSightESM.Cases.resourceid | string | Case resource ID |
ArcSightESM.Cases.stage | string | Case stage |
ArcSightESM.Cases.consequenceSeverity | string | Case severity |
Command Example
!as-update-case caseId="12ax-uGgBABCWb2puJdY8ZA==" stage="QUEUED" severity="INSIGNIFICANT"
Context Example
Human Readable Output
Case 12ax-uGgBABCWb2puJdY8ZA==
Action | CaseID | CreatedTime | EventIDs | Name | Severity | Stage |
---|---|---|---|---|---|---|
BLOCK_OR_SHUTDOWN | 12ax-uGgBABCWb2puJdY8ZA== | 2019-02-04 12:33:21 | 12395741, 45696713, 78996719 | test | INSIGNIFICANT | QUEUED |
as-get-all-query-viewers
Returns all the query viewer IDs.
Base Command
as-get-all-query-viewers
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.AllQueryViewers | Unknown | List of all query viewer IDs |
Command Example
!as-get-all-query-viewers
Context Example
Human Readable Output
Query Viewers |
---|
123457WYBABCw9lZRkCjVIQ== |
54321rlkBABCJREkQ7PrIRg== |
56789py4BABCN9NYml6MSoA== |
as-case-delete
Deletes a case
Base Command
as-case-delete
Input
Argument Name | Description | Required |
---|---|---|
caseId | Resource ID of the case | Required |
Context Output
Path | Type | Description |
---|---|---|
ArcSightESM.Cases.resourceid | string | Resource ID of case |
ArcSightESM.Cases.Deleted | boolean | Boolean flag. "True" if deleted. |
Command Example
!as-case-delete caseId=123WHEWcBABD6VdKLNcKE2Q==
Context Example
Human Readable Output
Case 123WHEWcBABD6VdKLNcKE2Q== successfully deleted
as-get-query-viewer-results
Retrieves query viewer results (query viewer must be configured to be refreshed every minute, see documentation)
Base Command
as-get-query-viewer-results
Input
Argument Name | Description | Required |
---|---|---|
id | Resource ID of the query viewer | Required |
onlyColumns | If "true", will return only the columns of the query. If "false", will return the column headers and all query results. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ArcSight.QueryViewerResults | Unknown | Query viewer results |
Command Example
!as-get-query-viewer-results id="123457WYBABCw9lZRkCjVIQ=="
Context Example
Human Readable Output
Column Headers |
---|
Name |
End Time |
Attacker Zone URI |
Attacker Address |
Event ID |
Start Time |
Query Viewer Results: 123457WYBABCw9lZRkCjVIQ==
Attacker Address | Attacker Zone URI | End Time | Event ID | Name | Start Time |
---|---|---|---|---|---|
1.1.1.1 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028174502 | 12345678 | Login succeeded for user name 'admin' | 1589028174502 |
2.2.2.2 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028234536 | 87654321 | Login succeeded for user name 'admin' | 1589028234536 |
3.3.3.3 | /All Zones/ArcSight System/Public Address Space Zones/E.I. duPont de Nemours and Co. Inc. | 1589028294471 | 14725836 | Login succeeded for user name 'admin' | 1589028294471 |
as-fetch-incidents
Fetches incidents
Base Command
as-fetch-incidents
Input
Argument Name | Description | Required |
---|---|---|
last_run | Last run to start fetching incidents from | Optional |
Context Output
There is no context output for this command.
Command Example
!as-fetch-incidents
Context Example
as-delete-entries
Delete entries from the Active List.
Base Command
as-delete-entries
Input
Argument Name | Description | Required |
---|---|---|
resourceId | Resource ID of the Active List | Required |
entries | Entries are in JSON format. JSON must be an array of entries. Each entry must contain the same columns as they appear in the Active List, e.g., [{ "UserName": "john", "IP":"19.12.13.11"},{ "UserName": "bob", "IP":"22.22.22.22"}] | Required |
Context Output
There is no context output for this command.
Command Example
!as-delete-entries resourceId="A1LvlmWgBABCA5+HbRyHZoQ==" entries="[{\"name\": \"t3\", \"EventID\": \"9\"},{\"name\": \"t4\", \"EventID\": \"9\"}]"
Context Example
Human Readable Output
Success