ArcSight Logger

ArcSight Logger delivers a universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.

The Demisto-ArcSight Logger integration allows you to run a search session, refine or limit the search and retrieve a list of events detected in the search.

To set up ArcSight Logger to work with Demisto:

  • Make sure you have the ArcSight Logger server URL.
  • Make sure you have credentials for ArcSight Logger.

To set up the integration on Demisto:

  1. Go to ‘Settings > Integrations > Servers & Services’
  2. Locate ‘ArcSight Logger’ by searching for it using the search box on the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. You should configure the following settings:
    Name : A textual name for the integration instance.
    Server URL and Port : The API server URL and port number.
    Credentials and Password : User and password used to access ArcSight Logger.
    Use system proxy settings : Select whether to communicate via the system proxy server or not.
    Demisto engine : If relevant, select the engine that acts as a proxy to the server.
    Engines are used when you need to reach remote network segments where network devices such as proxies or firewalls prevent the Demisto server from accessing those networks directly.
    For more information on Demisto engines see:
    https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines
    Require users to enter additional password: Select whether you’d like an additional step where users are required to authenticate themselves with a password.
  4. Press the ‘Test’ button to validate the connection.
    If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com
  5. After completing the test successfully, press the ‘Done’ button.

Fetched incidents data:

The integration imports events as incidents. On first run it fetches all events from 24 hours before the instance was configured up to the current time.

Top Use-case:

The ArcSight Logger integration can be used to run a search session, refine or limit the search, and retrieve a list of events detected in the search.

This can be achieved in two possible ways:

  • Use ‘as-search-events’ to execute the complete flow of the use case in a single command.
    ‘as-search-events’ starts a new search session, waits until the search status is complete or the required number of hits has been reached, and then returns the list of detected events.
  • Alternatively, use the explicit commands to break the search-events process down into its steps. A possible flow of commands is:
    • Use ‘as-search’ to start a new search session and receive the session ID and search session ID to be used in the following commands.
    • Use ‘as-drilldown’ to narrow the search results down to a specified time range.
    • Use ‘as-status’ to check whether the search session is complete or still running, and to view the number of scanned events and hits.
    • Use ‘as-events’ to get a list of the events detected in the search.
    • Use ‘as-stop’ to stop a running search while keeping the session and the results collected so far.
    • Use ‘as-close’ to stop the execution of the search and clear the session data from the server. Always close sessions you no longer need, since ArcSight Logger limits the number of simultaneous sessions (see ‘Known Limitations’ below).
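The flow above, as an added example that is not part of the integration's own code: a minimal Python client that runs one search session end to end against ArcSight Logger's REST search API (start, poll status until the search is complete or has enough hits, page the events with offset/length, and close the session in a finally block so it never leaks and counts against the simultaneous-session limit). The endpoint paths (/server/search, /server/search/status, /server/search/events, /server/search/close) and the request/response field names (search_session_id, user_session_id, fields/results) are assumptions modelled on the Logger search API and should be checked against your Logger version; FakeLogger is a constructed offline stand-in for the server, and SAMPLE_EVENTS are constructed sample data.

```python
import time

# Constructed sample events, shaped like the as-events context output on this page.
SAMPLE_EVENTS = [{"name": "CPU Usage", "deviceVendor": "ArcSight", "deviceEventClassId": "cpu:100",
                  "rowId": "347259-%d@Local" % i} for i in range(25)]


class FakeLogger:
    """Offline stand-in for POST /server/search/*; the response shapes are assumptions."""

    def __init__(self, events):
        self.events, self.polls, self.open_sessions = events, 0, set()

    def post(self, path, body):
        if path == "/server/search":
            self.open_sessions.add(body["search_session_id"])
            return {"sessionId": body["user_session_id"], "searchSessionId": body["search_session_id"]}
        if body["search_session_id"] not in self.open_sessions:
            raise RuntimeError("User session id is not valid")        # closed or expired session
        if path == "/server/search/status":
            self.polls += 1
            done = self.polls >= 2                                      # first poll is still running
            return {"status": "complete" if done else "running", "scanned": len(self.events),
                    "hit": len(self.events) if done else len(self.events) // 2,
                    "result_type": "histogram", "elapsed": "00:00:00.290", "message": []}
        if path == "/server/search/events":
            fields = body.get("fields") or sorted(self.events[0])
            page = self.events[body["offset"]:body["offset"] + body["length"]]
            return {"fields": [{"name": f} for f in fields],
                    "results": [[e.get(f) for f in fields] for e in page]}
        if path == "/server/search/close":
            self.open_sessions.discard(body["search_session_id"])
            return {}
        raise ValueError("unknown path " + path)


class LoggerSearch:
    """One search session: start -> wait -> events -> close."""

    def __init__(self, post, user_session_id, poll_interval=0.0):
        self.post, self.user_session_id = post, user_session_id   # post(path, json) -> dict
        self.poll_interval, self.search_session_id = poll_interval, None

    def _ids(self):
        return {"search_session_id": self.search_session_id, "user_session_id": self.user_session_id}

    def start(self, query, start_time=None, end_time=None, local_search=True, timeout=120000):
        # The client picks search_session_id (a millisecond timestamp, like the SearchSessionId
        # values on this page). Omitting start/end leaves Logger's default 2-hour window in force.
        body = dict(self._ids(), search_session_id=int(time.time() * 1000), query=query,
                    local_search=local_search, timeout=timeout)
        if start_time and end_time:
            body["start_time"], body["end_time"] = start_time, end_time
        self.search_session_id = self.post("/server/search", body)["searchSessionId"]
        return self.search_session_id

    def wait(self, wanted_hits, deadline_s=60):
        """Poll status until the search is complete or has enough hits; fail instead of spinning."""
        end = time.monotonic() + deadline_s
        while True:
            st = self.post("/server/search/status", self._ids())
            if st["status"] == "complete" or st["hit"] >= wanted_hits:
                return st
            if time.monotonic() > end:
                raise TimeoutError("still %s after %ss; narrow the time range or lower length"
                                   % (st["status"], deadline_s))
            time.sleep(self.poll_interval)

    def events(self, wanted, page=100, fields=None):
        """Page through results with offset/length (Logger's default length is 100)."""
        rows, offset = [], 0
        while len(rows) < wanted:
            body = dict(self._ids(), offset=offset, length=min(page, wanted - len(rows)))
            if fields:
                body["fields"] = fields
            resp = self.post("/server/search/events", body)
            names = [f["name"] for f in resp["fields"]]
            got = [dict(zip(names, r)) for r in resp["results"]]
            rows.extend(got)
            if len(got) < body["length"]:                         # server has no more events
                break
            offset += len(got)
        return rows

    def close(self):
        if self.search_session_id is not None:
            self.post("/server/search/close", self._ids())
            self.search_session_id = None


def search_events(post, user_session_id, query, wanted=10, fields=None, **window):
    """Single-call equivalent of as-search-events; closes the session even on error."""
    s = LoggerSearch(post, user_session_id)
    try:
        s.start(query, **window)
        s.wait(wanted)
        return s.events(wanted, page=10, fields=fields)
    finally:
        s.close()
```

Against a real Logger, `post` would be a function that sends the JSON body to `https://<logger>:9000<path>` with the login token as `user_session_id`; everything else stays the same. The `wait` deadline is what turns a search that never completes into the ‘timeout’ error described under Troubleshooting, and the `finally: close()` is what keeps a failed search from leaving a session open until Logger's inactivity limit reaps it.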

Commands:

  • as-search-events

Input:

query, discover_fields, endTime, startTime, summary_fields, field_summary, local_search, timeout, lastDays, offset, length, dir, fields

for example:

  • !as-search-events
    query="deviceVendor=ArcSight AND name CONTAINS \"CPU\""
    length=10
  • !as-search-events
    offset=15
    length=10
    fields=name,deviceVendor

Find more query examples at wikis/ArcsightLogger.

Context output (example):

{
  "ArcSightLogger": {
    "Events": [
      {
        "destinationAddress": "##.##.##.##",
        "agentSeverity": "1",
        "Version": "0",
        "Logger": "Local",
        "ReceiptTime": 1513249919185,
        "deviceCustomNumber1Label": "Percent Usage",
        "deviceCustomNumber1": 2,
        "deviceAddress": "##.##.##.##",
        "deviceCustomString2Label": "timeframe",
        "deviceVendor": "ArcSight",
        "Device": "Logger",
        "deviceProduct": "Logger",
        "EventTime": 1513249440017,
        "baseEventCount": 1,
        "deviceReceiptTime": 1513249440017,
        "startTime": 1513249440017,
        "deviceEventClassId": "cpu:100",
        "deviceCustomString2": "CurrentValue",
        "name": "CPU Usage",
        "deviceEventCategory": "/Monitor/CPU/Usage",
        "rowId": "347259-26@Local",
        "endTime": 1513249440017,
        "deviceVersion": "6.2.0.7633.0"
      }
    ]
  }
}

Raw output (example):

[
  {
    Device: Logger
    EventTime: 1513249693332
    Logger: Local
    ReceiptTime: 1513249693838
    Version: 0
    agentSeverity: 3
    baseEventCount: 1
    cn1label: Session
    destinationAddress: ##.##.##.##
    destinationUserId: 1
    destinationUserName: admin
    deviceCustomNumber1: 741618068
    deviceEventCategory: /Platform/Authentication/Login
    deviceEventClassId: platform:230
    deviceProduct: Logger
    deviceVendor: ArcSight
    deviceVersion: L7633
    name: Successful login
    rowId: 347186-0@Local
    sourceAddress: ##.##.##.##
  }
]

  • as-search

Input:

query, discover_fields, endTime, startTime, summary_fields, field_summary, local_search, timeout, lastDays

for example:

  • !as-search
    startTime=2017-12-21T06:30:00.000Z
    endTime=2017-12-21T07:30:00.000Z
    local_search=false
  • !as-search
    lastDays=1

Find more query examples at wikis/ArcsightLogger.

Context output (example):

{
  "ArcSightLogger": {
    "Search": {
      "SearchSessionId": 1513260595933,
      "SessionId": "3dxITLyDE9FyRiflQD7UFG_hSsUPq4uCTM4B6Y5D3p4."
    }
  }
}

Raw output (example):

{
  searchSessionId: 1513260595933
  sessionId: 3dxITLyDE9FyRiflQD7UFG_hSsUPq4uCTM4B6Y5D3p4.
}

  • as-drilldown

Input:

searchSessionId, sessionId, startTime, endTime, lastDays

for example:

  • !as-drilldown
    lastDays=1
    searchSessionId="1513875662638"
    sessionId="18t25sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."
  • !as-drilldown
    startTime=2017-12-21T06:30:00.000Z
    endTime=2017-12-21T07:30:00.000Z
    searchSessionId="1513875662638"
    sessionId="18t25sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."

Context output:

The command has no context.

Raw output:

The command has no raw output.

  • as-status

Input:

searchSessionId, sessionId

Context output (example):

{
  "ArcSightLogger": {
    "Status": {
      "Status": "complete",
      "Hit": 2462,
      "Elapsed": "00:00:00.290",
      "ResultType": "histogram",
      "Scanned": 2520,
      "SearchSessionId": "1513272858387",
      "Message": []
    }
  }
}

Raw output (example):

{
  elapsed: 00:00:00.290
  hit: 2462
  message: []
  result_type: histogram
  scanned: 2520
  status: complete
}

  • as-events

Input:

searchSessionId, sessionId, length, dir, offset, fields

for example:

  • !as-events
    searchSessionId="1513875662638"
    sessionId="18t25sQ4h1LcTqFwEUJj0XIatasCpM8l0T8NZlhxEg."
    length=10
    fields=name,deviceAddress,deviceVendor,EventTime

Context output (example):

{
  "ArcSightLogger": {
    "Events": [
      {
        "destinationAddress": "##.##.##.##",
        "agentSeverity": "1",
        "Version": "0",
        "Logger": "Local",
        "ReceiptTime": 1513249919185,
        "deviceCustomNumber1Label": "Percent Usage",
        "deviceCustomNumber1": 2,
        "deviceAddress": "##.##.##.##",
        "deviceCustomString2Label": "timeframe",
        "deviceVendor": "ArcSight",
        "Device": "Logger",
        "deviceProduct": "Logger",
        "EventTime": 1513249440017,
        "baseEventCount": 1,
        "deviceReceiptTime": 1513249440017,
        "startTime": 1513249440017,
        "deviceEventClassId": "cpu:100",
        "deviceCustomString2": "CurrentValue",
        "name": "CPU Usage",
        "deviceEventCategory": "/Monitor/CPU/Usage",
        "rowId": "347259-26@Local",
        "endTime": 1513249440017,
        "deviceVersion": "6.2.0.7633.0"
      }
    ]
  }
}

Raw output (example):

[
  {
    Device: Logger
    EventTime: 1513249693332
    Logger: Local
    ReceiptTime: 1513249693838
    Version: 0
    agentSeverity: 3
    baseEventCount: 1
    cn1label: Session
    destinationAddress: ##.##.##.##
    destinationUserId: 1
    destinationUserName: admin
    deviceCustomNumber1: 741618068
    deviceEventCategory: /Platform/Authentication/Login
    deviceEventClassId: platform:230
    deviceProduct: Logger
    deviceVendor: ArcSight
    deviceVersion: L7633
    name: Successful login
    rowId: 347186-0@Local
    sourceAddress: ##.##.##.##
  }
]

  • as-stop

Input:

searchSessionId, sessionId

Context output (example):

The command has no context.

Raw output (example):

The command has no raw output.

  • as-close

Input:

searchSessionId, sessionId

Context output (example):

The command has no context.

Raw output (example):

The command has no raw output.

Additional info:

  • Search time range: When no time limitation is applied to a search session, ArcSight Logger applies its own default and searches only the last 2 hours.
    To set the search time range:
    • When starting a new search session with ‘as-search’: pass both the startTime and endTime parameters. Alternatively, use the lastDays parameter.
    • In an active search session: use ‘as-drilldown’ to narrow the search results down to a specified time range.
    • When starting a new search with ‘as-search-events’: pass both the startTime and endTime parameters. Alternatively, use the lastDays parameter.
  • Date/time format: Use the compliant date/time format when passing the startTime and endTime parameters.
  • Expected date/time format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX, i.e. millisecond precision followed by Z for UTC or a +HH:MM/-HH:MM offset.
    For example, 21:49:46 on May 26 2014 is written as follows, depending on the time zone:
    • Format in PDT: 2014-05-26T21:49:46.000-07:00
    • Format in UTC: 2014-05-26T21:49:46.000Z
  • Events list default limitation: The default events list length is 100. To change it, pass the length parameter to the relevant commands.
  • Local/global search: In ‘as-search’ and ‘as-search-events’ you can optionally pass the ‘local_search’ parameter to indicate whether the search is local only and does not include peers. Note that local search is the default for a search session.
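The time-range and date/time rules above, as an added example that is not part of the integration: a small Python helper that renders datetimes in the yyyy-MM-dd'T'HH:mm:ss.SSSXXX form, validates startTime/endTime strings before they are sent, and resolves the three ways of bounding a search (startTime plus endTime, lastDays, or nothing, which leaves Logger's default 2-hour window in force). The function and parameter names here are the author's own, not the integration's.

```python
import re
from datetime import datetime, timedelta, timezone

# yyyy-MM-dd'T'HH:mm:ss.SSSXXX: exactly three fractional digits, then Z or a +HH:MM/-HH:MM offset.
LOGGER_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(Z|[+-]\d{2}:\d{2})$")


def to_logger_time(dt):
    """Render a timezone-aware datetime in the format Logger expects.

    datetime.isoformat() is not good enough here: it emits microseconds and
    '+00:00' where the format calls for a millisecond field and 'Z'.
    """
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("naive datetime: attach a timezone so the offset is explicit")
    base = dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03d" % (dt.microsecond // 1000)
    offset = dt.utcoffset()
    if offset == timedelta(0):
        return base + "Z"
    minutes = int(abs(offset).total_seconds()) // 60
    return base + "%s%02d:%02d" % ("+" if offset > timedelta(0) else "-", minutes // 60, minutes % 60)


def is_logger_time(value):
    """True if a user-supplied startTime/endTime string matches the expected format."""
    return bool(LOGGER_TIME_RE.match(value))


def search_window(start_time=None, end_time=None, last_days=None, now=None):
    """Resolve the three ways of bounding a search into a (start, end) pair of strings.

    Returns (None, None) when no bound is given, which leaves Logger's default
    window (the last 2 hours) in force. Explicit bounds take precedence over last_days.
    """
    if (start_time is None) != (end_time is None):
        raise ValueError("startTime and endTime must be passed together")
    if start_time is not None:
        for value in (start_time, end_time):
            if not is_logger_time(value):
                raise ValueError("date/time %r is not in yyyy-MM-dd'T'HH:mm:ss.SSSXXX form" % value)
        return start_time, end_time
    if last_days is not None:
        now = now or datetime.now(timezone.utc)
        return to_logger_time(now - timedelta(days=last_days)), to_logger_time(now)
    return None, None
```

Validating the strings locally matters because a malformed startTime or endTime is otherwise rejected by Logger only after the session has been created, leaving a session open for nothing.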

Known Limitations

  • Session limitations: ArcSight Logger has default limits on the maximum number of simultaneous sessions and on how long inactive sessions are kept.
    To change either default, log in to the ArcSight Logger UI with administrator credentials, navigate to ‘System Admin’ -> ‘Users/Groups’ -> ‘Authentication’ and set new values for ‘Max Simultaneous Logins/User’ and ‘Logout Inactive Session After’.

Troubleshooting

  • Recurring ‘timeout’ error when using ‘as-search-events’ or ‘as-events’:

This may indicate that a large amount of data is being returned from ArcSight Logger. To resolve the error, limit the search time range or the events list length (the length parameter). See ‘Additional info’ above for the ways to set the search time range.

(Screenshot: DBot error snapshot)

  • Recurring ‘Login failed’ error when using ‘as-search’ or ‘as-search-events’:

First rule out incorrect credentials in the ArcSight Logger instance configuration.

If the error still occurs, it may indicate that ArcSight Logger is failing to create a new search session. ArcSight Logger cannot create new sessions once the maximum allowed number of simultaneous sessions has been reached.

To resolve this, log in to the ArcSight Logger UI with administrator credentials and raise the limit on simultaneous sessions. See ‘Known Limitations’ above for more information.

If administrator credentials are not available to you, use ‘as-close’ to close the sessions that are still running.

(Screenshot: DBot error snapshot)

  • Recurring ‘User session id is not valid’ error:

The search session has timed out.

A search session timeout can be caused by either of the following:
- A low ‘timeout’ value passed to ‘as-search’. Resolve this by passing a higher ‘timeout’ value to ‘as-search’.
- The ArcSight Logger limit on inactive sessions: inactive sessions are automatically terminated after a period defined by ArcSight Logger, regardless of the ‘timeout’ argument passed to ‘as-search’.

To resolve the latter, log in to the ArcSight Logger UI with administrator credentials and raise the limit on inactive sessions. See ‘Known Limitations’ above for more information.

(Screenshot: DBot error snapshot)