RSA Archer

Overview

Use the RSA Archer integration to manage policies, controls, risk, assessments, and deficiencies across lines of business.


Configure the RSA Archer integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for RSA Archer.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL
    • Instance name
    • Username
    • Password
    • Trust any certificate (not secure): skips TLS certificate validation for the Archer server. Leave it unselected unless you are troubleshooting a broken trust chain; with it selected, anyone on the network path can impersonate the server and capture the credentials above.
    • Use system proxy settings
    • Fetch incidents
    • Incident type
    • Timezone offset of the RSA Archer server machine, in minutes (for example +60 or -60)
    • Application ID for fetch
    • The application's base ID field, for example "Incident ID"
    • fetchFilter: specific filters for fetching, as an XML string
    • Use Archer's REST API instead of its SOAP API
    • Use European time format (dd/mm/yyyy) instead of the American one (mm/dd/yyyy)
  4. Click Test to validate the URLs and connection.

Fetched Incidents Data

Fetches incident data from RSA Archer by using the archer-fetch-incidents command. On the first fetch, incidents created from the previous day up to the time the command runs are fetched.
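The fetch window, the timezone offset and the date-format setting interact, and the page does not spell out how. The following is an added example (not the integration's own code) of the bookkeeping a fetch has to do: a first run over the previous day, later runs from a saved last-run timestamp with the IDs seen at that timestamp so nothing is delivered twice, and Archer's naive "M/D/YYYY h:mm AM" timestamps shifted by the configured server offset before comparison. The records are constructed in the shape of the archer-search-records output on this page; the sign convention (+60 means the server clock is UTC+1) and the incident dictionary layout are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the archer-search-records output shown on
# this page. The first carries an ISO timestamp with an explicit UTC offset; the others use
# the naive "M/D/YYYY h:mm AM" style of the create-record example, which is where the
# instance's "Timezone offset in minutes" setting comes into play.
SAMPLE_RECORDS = [
    {"Id": "225828", "ModuleId": "433", "Fields": {"Incident ID": "225828", "Record": {
        "Date Created": "2017-10-14T09:55:25+03:00", "Incident Status": "New"}}},
    {"Id": "227538", "ModuleId": "433", "Fields": {"Incident ID": "227538", "Record": {
        "Date Created": "2/18/2018 10:45 AM", "Incident Status": "New"}}},
    {"Id": "227645", "ModuleId": "433", "Fields": {"Incident ID": "227645", "Record": {
        "Date Created": "3/23/2018 7:00 AM", "Incident Status": "New"}}},
]


def parse_archer_time(value, tz_offset_minutes=0, european=False):
    """Return an aware UTC datetime. ISO strings keep their own offset; naive Archer-style
    strings are read as local time on the Archer server, whose UTC offset is the configured
    tz_offset_minutes (assumed sign convention: +60 means the server clock is UTC+1)."""
    try:
        dt = datetime.fromisoformat(value)
    except ValueError:
        fmt = "%d/%m/%Y %I:%M %p" if european else "%m/%d/%Y %I:%M %p"
        dt = datetime.strptime(value, fmt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone(timedelta(minutes=tz_offset_minutes)))
    return dt.astimezone(timezone.utc)


def fetch_incidents(records, last_run, now, tz_offset_minutes=0, european=False,
                    created_field="Date Created", id_field="Incident ID"):
    """Incremental fetch over already-retrieved records.

    First run (last_run is None): everything created in the previous day, as the page
    describes. Later runs: everything created at or after last_run["time"], minus the IDs
    recorded at that exact timestamp, so a record is never delivered twice even when several
    share the same minute-resolution creation time. Returns (new_last_run, incidents).
    """
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    if last_run is None:
        start, seen = now - timedelta(days=1), set()
    else:
        start, seen = datetime.fromisoformat(last_run["time"]), set(last_run["ids"])
    latest, latest_ids, incidents = start, set(seen), []
    for rec in records:
        rid = rec["Fields"][id_field]
        created = parse_archer_time(rec["Fields"]["Record"][created_field],
                                    tz_offset_minutes, european)
        if created < start or rid in seen:
            continue
        incidents.append({"id": rid, "name": f"Archer incident {rid}",
                          "occurred": created.isoformat(), "rawJSON": json.dumps(rec)})
        if created > latest:
            latest, latest_ids = created, {rid}
        elif created == latest:
            latest_ids.add(rid)
    return {"time": latest.isoformat(), "ids": sorted(latest_ids)}, incidents


if __name__ == "__main__":
    run1, got = fetch_incidents(SAMPLE_RECORDS, None, "2018-03-24T06:30:00+00:00",
                                tz_offset_minutes=-60)
    print(run1, [i["id"] for i in got])
```

Run with tz_offset_minutes=-60 the third record (created 7:00 AM server time) lands at 08:00 UTC and is fetched; with +60 it lands at 06:00 UTC, before the one-day window, and is silently skipped. A misconfigured offset therefore does not error, it just loses incidents at the window edge, which is why the value is worth checking against a record whose creation time you know.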


Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Create a record: archer-create-record
  2. Update a record: archer-update-record
  3. Get record information: archer-get-record
  4. Get application details or list of all applications: archer-search-applications
  5. Search for records: archer-search-records
  6. Get all application fields: archer-get-application-fields
  7. Delete a record: archer-delete-record
  8. Map list value name to list value ID: archer-get-field
  9. Get all reports: archer-get-reports
  10. Perform statistic search: archer-execute-statistic-search-by-report
  11. Get search criteria: archer-get-search-options-by-guid
  12. Search records by report: archer-search-records-by-report
  13. Get field mapping by level ID: archer-get-mapping-by-level
  14. Fetch Archer incidents: archer-manually-fetch-incident
  15. Download Archer file to the War Room: archer-get-file
  16. Upload a file from Demisto to Archer: archer-upload-file
  17. Add data to the detailed analysis field: archer-add-to-detailed-analysis
  18. Get an Archer user's user ID: archer-get-user-id
  19. Get a list of values for a field: archer-get-valuelist

Create a record

Creates a new content record in a specified application.

Base Command

archer-create-record

Input
Parameter Description
applicationId ID of the application to create a record in
fieldsToValues Record fields in JSON format. Field names are case sensitive. Example: {"Name1": "Value1", "Name2": "Value2"}

Context Data
Path Description
Archer.Record.Id Record Content ID
Archer.Record.Fields Record property fields

Command Example

!archer-create-record applicationId="75" fieldsToValues="{\"Description\":\"Demisto Fraud Referrer \",\"Date/Time Occurred\":\"3/23/2018 7:00 AM\",\"Date/Time Identified\":\"3/23/2018 7:00 AM\",\"Date/Time Reported\":\"3/23/2018 7:00 AM\",\"Executive Summary\":\"test\", \"Incident Report\": \"test incident report from Demisto\"}"

Raw Output
{  
   "Record":{  
      "Fields":{  
         "Date/Time Identified":"3/23/2018 7:00 AM",
         "Date/Time Occurred":"3/23/2018 7:00 AM",
         "Date/Time Reported":"3/23/2018 7:00 AM",
         "Description":"Demisto Fraud Referrer ",
         "Executive Summary":"test",
         "Incident Report":"test incident report from Demisto"
      },
      "Id":"227645"
   }
}

Update a record

Updates an existing content record in a specified application.

Base Command

archer-update-record

Input
Parameter Description
contentId Content (record) ID to update
applicationId ID of the application to update a record in
fieldsToValues Record fields in JSON format. Field names are case sensitive. Example: {"Name1": "Value1", "Name2": "Value2"}
incidentId Incident ID of the record. Example: id=12345 for INC-12345

Context Data

There is no context data for this command.

Command Example

!archer-update-record applicationId=433 contentId=227538 fieldsToValues={\"Title\":\"test\"}

Raw Output
content id = 227538 was updated successfully.
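Both archer-create-record and archer-update-record take the same fieldsToValues argument, and the two things that go wrong in practice are a field name that differs from the application's in case (Archer rejects or ignores it) and the quoting of the JSON on the War Room command line. The following added example (not the integration's code) checks a payload against an archer-get-application-fields listing before building the command line in the escaped form shown in the examples above, and formats dates the way the create example does. The application field list is constructed from the page's output for application 433 plus a hypothetical "Title" entry; the unpadded day/month style for the European format is an assumption carried over from the US example.

```python
import json
from datetime import datetime

# Constructed sample: entries in the shape of the archer-get-application-fields output
# on this page. The "Title" entry and its FieldId are hypothetical.
APPLICATION_FIELDS = [
    {"FieldId": "15698", "FieldName": "Incident Response Procedures", "FieldType": 9, "LevelId": 232},
    {"FieldId": "15700", "FieldName": "Not Applicable Incident Response Procedures", "FieldType": 9, "LevelId": 232},
    {"FieldId": "16107", "FieldName": "Last Updated", "FieldType": 22, "LevelId": 232},
    {"FieldId": "99999", "FieldName": "Title", "FieldType": 1, "LevelId": 232},
]


def check_field_names(fields_to_values, application_fields):
    """Return {bad_key: suggested_name_or_None} for keys that are not exact application
    field names. Archer matches names case sensitively, so a case-only mismatch is
    reported together with the correctly cased candidate."""
    known = {f["FieldName"] for f in application_fields}
    by_lower = {name.lower(): name for name in known}
    return {k: by_lower.get(k.lower()) for k in fields_to_values if k not in known}


def format_archer_datetime(value, european=False):
    """Render a datetime (or ISO string) the way the create example shows it
    ("3/23/2018 7:00 AM"). With european=True the day comes first, matching the
    dd/mm/yyyy instance setting; unpadded day and month are assumed from the US example."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    hour12 = dt.hour % 12 or 12
    ampm = "AM" if dt.hour < 12 else "PM"
    date_part = (f"{dt.day}/{dt.month}/{dt.year}" if european
                 else f"{dt.month}/{dt.day}/{dt.year}")
    return f"{date_part} {hour12}:{dt.minute:02d} {ampm}"


def to_cli_json(obj):
    """Compact JSON with the inner double quotes backslash-escaped, which is how the
    fieldsToValues argument appears in the War Room command examples on this page."""
    return json.dumps(obj, separators=(",", ":")).replace('"', '\\"')


def build_record_command(command, args, fields_to_values, application_fields):
    """Assemble a !archer-create-record / !archer-update-record line, refusing to emit
    a payload whose field names would not match the application."""
    problems = check_field_names(fields_to_values, application_fields)
    if problems:
        hints = ", ".join(f"{k!r}" + (f" (did you mean {v!r}?)" if v else "")
                          for k, v in problems.items())
        raise ValueError(f"unknown field name(s): {hints}")
    arg_text = " ".join(f"{k}={v}" for k, v in args.items())
    return f"!{command} {arg_text} fieldsToValues={to_cli_json(fields_to_values)}"


if __name__ == "__main__":
    print(build_record_command("archer-update-record",
                               {"applicationId": 433, "contentId": 227538},
                               {"Title": "test"}, APPLICATION_FIELDS))
    print(format_archer_datetime("2018-03-23T07:00:00"))
```

The output of the first print is exactly the update command shown above. Run the name check whenever the payload is built from user or playbook input: a key such as "title" produces the hint "did you mean 'Title'?" instead of a record silently missing that field.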

Get record information

Returns information for a content record in a specified application.

Base Command

archer-get-record

Input
Parameter Description
contentId Content (record) ID to get details for
applicationId ID of the application to get the record from
incidentId Incident ID of the record. Example: id=12345 for INC-12345

Context Data
Path Description
Archer.Record.Id Content ID of the record
Archer.Record.Fields Content property fields
Archer.Record.Fields.Incident Status Incident status
Archer.Record.Fields.Record Status Record status
Archer.Record.Fields.Last Updated Last updated
Archer.Record.Fields.Days Open Days open
Archer.Record.Fields.Date Created Date created
Archer.Record.Fields.Title Title
Archer.Record.Fields.Incident Summary Incident summary
Archer.Record.Fields.Threat Category Threat category
Archer.Record.Fields.Threat Valid Threat valid

Command Example

!archer-get-record applicationId=433 contentId=227538

Raw Output
"Record": {
    "Fields": {
      "Actor, Tactics \u0026 Techniques": null,
      "Affected Facility": null,
      "Archive": null,
      "Attach to InfoSec Briefing": null,
      "Attack Category": null,
      "Automatic Incident Handler Access": "SOC: L2 Incident Handler,SOC: L1 Incident Handler",
      "Count of Risks": "0",
      "Count of Risks Increased": "No",
      "Date Created": "2018-02-18T10:45:47+02:00",
      "Date/Time Assigned": null,
      "Date/Time Closed": null,
      "Date/Time Modified": "2018-02-22T14:32:46+02:00",
      "Date/Time Returned": null,
      "Days Open": "0",
      "Generate Incident Response Tasks": "No",
      "Incident Details": null,
      "Incident ID": "227538",
      "Incident ID (DFM)": "227538",
      "Incident ID (KPI)": "227538",
      "Incident Journal": null,
      "Incident Owner": null,
      "Incident Queue": "L1 Incident Handlers",
      "Incident Response Procedures": null,
      "Incident Status": "New",
      "Incident Summary": "inside_record_test_1_summary"...

Get application details or list of all applications

Returns details for an application or a list of all applications.

Base Command

archer-search-applications

Input
Parameter Description
findByName Get application by the application name. To return all applications, leave this parameter empty.
findById Get application by the application ID. To return all applications, leave this parameter empty.

Context Data

The command returns application metadata (Guid, Id, LanguageId, Name, Status and Type), as shown in the raw output below.

Command Example

!archer-search-applications findById=433

Raw Output
[  
   {  
      "Guid":"fa254559-4922-4aea-8d53-66b4e3442585",
      "Id":433,
      "LanguageId":1,
      "Name":"Security Incidents",
      "Status":1,
      "Type":2
   },
   {  
      "Guid":"6fda8f2c-d74d-4bf1-aada-def95cba4aaf",
      "Id":17,
      "LanguageId":1,
      "Name":"Vulnerabilities",
      "Status":1,
      "Type":2
   }   ...
]

Search for records

Search for records within a specified application.

Base Command

archer-search-records

Input
Parameter Description
applicationId ID of the application to search records in
fieldsToDisplay Comma-separated list of field names to display in the search results. Example: "Title,Incident Summary"
maxResults Maximum number of search results to return. Default is 100.
searchValue Value to search for. To return all records, leave this parameter empty.
fieldToSearchOn Name of the field to search on. To return all records, leave this parameter empty.
numericOperator Numeric search operator, used when the field searched on is numeric
dateOperator Date search operator, used when the field searched on is a date

Context Data
Path Description
Archer.Record.Id Content ID of the record
Archer.Record.ApplicationId Application ID of the record
Archer.Record.Fields Property fields of the record

Command Example

!archer-search-records applicationId=433 maxResults=1

Raw Output
{
  "Fields": 
  {
    "Incident ID": "225828",
    "Record": 
    {
      "Actor, Tactics \u0026 Techniques": null,
      "Affected Facility": null,
      "Archive": null,
      "Attach to InfoSec Briefing": null,
      "Attack Category": null,
      "Automatic Incident Handler Access": "SOC: L2 Incident Handler,SOC: L1 Incident Handler",...
      "Date Created": "2017-10-14T09:55:25+03:00",
      "Date/Time Assigned": null,
      "Date/Time Closed": null,
      "Date/Time Escalated": null,
      "Date/Time Modified": "2017-10-14T09:55:25+03:00",
      "Date/Time Returned": null,
      "Days Open": "0",
      "Incident ID": "225828",...
      "Record Status": "New",...
    }
  },
  "Id": "225828",
  "ModuleId": "433"
}

Get all application fields

Returns all application fields by application ID.

Base Command

archer-get-application-fields

Input
Parameter Description
applicationId ID of the application to search fields in

Context Data
Path Description
Archer.ApplicationFields Application property fields

Command Example

!archer-get-application-fields applicationId=433

Raw Output
{
  "ApplicationFields": [
    {
      "FieldId": "15698",
      "FieldName": "Incident Response Procedures",
      "FieldType": 9,
      "LevelId": 232
    },
    {
      "FieldId": "15700",
      "FieldName": "Not Applicable Incident Response Procedures",
      "FieldType": 9,
      "LevelId": 232
    },
    {
      "FieldId": "15742",
      "FieldName": "CAST - SOC Incident Procs - DO NOT DELETE",
      "FieldType": 1001,
      "LevelId": 232
    }...
}

Delete a record

Deletes an existing record from a specified application.

Base Command

archer-delete-record

Input
Parameter Description
applicationId ID of the application to delete a record from
contentId Content (record) ID to delete
incidentId Incident ID of the record. Example: id=12345 for INC-12345

Context Data

There is no context data for this command.

Command Example

!archer-delete-record applicationId=423 contentId=227542

Raw Output
content id = 227542 was deleted successfully

Map list value name to list value ID

Returns mapping from list value name to list value ID.

Base Command

archer-get-field

Input
Parameter Description
fieldId ID of the field
applicationId ID of the application to get the field value from

Context Data

There is no context data for this command.

Command Example

!archer-get-field applicationId=433 fieldID=16107

Raw Output
{
    "FieldId": "16107",
    "Name": "Last Updated",
    "Type": 22,
    "levelId": 232
}

Get all reports

Returns all reports from Archer.

Base Command

archer-get-reports

Input

There is no input for this command.

Context Data

There is no context data for this command.

Command Example

!archer-get-reports

Raw Output
{
    "ReportValues":
    {
        "ReportValue":[
            {
                "ApplicationGUID":"4cf0d0c6-4b51-404c-91c2-40ade972e95b",
                "ApplicationName":"Policies",
                "ReportDescription":"This report displays a listing of all security Policies.",
                "ReportGUID":"22961b81-4866-40ea-a298-99afb348598d",
                "ReportName":"Policies - Summary view"
            },
            {
                "ApplicationGUID":"138d3151-c1f5-4e7d-b6c9-4399e1d922ae",...

Perform statistic search

Performs a statistic search by report GUID.

Base Command

archer-execute-statistic-search-by-report

Input
Parameter Description
reportGuid GUID of the report
maxResults Maximum number of pages of the reports

Context Data
Path Description
Archer.StatisticSearch Search results

Command Example

!archer-execute-statistic-search-by-report reportGuid=<report GUID>

Raw Output
{
    "Groups": {
        "-count": "3",
        "Metadata": {
            "FieldDefinitions": {
                "FieldDefinition": [
                    {
                        "-alias": "Classification",
                        "-guid": "769b2548-6a98-49b6-95c5-03e391f0a40e",
                        "-id": "76",
                        "-name": "Classification"
                    },
                    {
                        "-alias": "Standard_Name",
                        "-guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a",
                        "-id": "1566",
                        "-name": "Standard Name"
                    }
                ]
            }
        },
        "Total": {
            "Aggregate": {
                "-Count": "1497",
                "-FieldId": "1566"
            }
        }
    }
}

Get search criteria

Returns search criteria by report GUID.

Base Command

archer-get-search-options-by-guid

Input
Parameter Description
reportGuid GUID of the report

Context Data

There is no context data for this command.

Command Example

!archer-get-search-options-by-guid reportGuid=246b1d4b294e46c4a4713853456234f7

Raw Output
{
    "SearchReport": {
        "Criteria": {
            "Filter": {
                "Conditions": {
                    "ValueListFilterCondition": [
                        {
                            "Field": "302",
                            "IncludeChildren": "False",
                            "IsNoSelectionIncluded": "False",
                            "Operator": "DoesNotContain",
                            "Values": {
                                "Value": "470"
                            }
                        },
                        {
                            "Field": "304",
                            "IncludeChildren": "False",
                            "IsNoSelectionIncluded": "False",
                            "Operator": "Contains",
                            "Values": {
                                "Value": "473"
                            }
                        }
                    ]
                },
                "OperatorLogic": ""
            },
            "ModuleCriteria": {
                "BuildoutRelationship": "Union",
                "IsKeywordModule": "False",
                "Module": "75",
                "SortFields": {
                    "SortField": {
                        "Field": "296",
                        "SortType": "Descending"
                    }
                }
            }
        },
        "DisplayFields": {
            "DisplayField": [
                "296",
                "302",
                "304",
                "7850",
                "342"
            ]
        },
        "PageSize": "20"
    }
}

Search records by report

Searches records by report GUID.

Base Command

archer-search-records-by-report

Input
Parameter Description
reportGuid GUID of the report
maxResults Maximum number of pages of the reports

Context Data
Path Description
Archer.StatisticSearch.Records.Record Search results (records)

Command Example

!archer-search-records-by-report reportGuid=365121a3-6145-48ea-8a01-5d000c5c65cf

Raw Output
{
    "Records": {
        "-count": "20",
        "LevelCounts": {
            "LevelCount": {
                "-count": "20",
                "-guid": "4d664bbf-4f15-4f5c-a81f-888f5901ba26",
                "-id": "3"
            }
        },
        "Metadata": {
            "FieldDefinitions": {
                "FieldDefinition": [
                    {
                        "-alias": "Policy_ID",
                        "-guid": "4b765f84-d381-4543-9d7c-1f9e716d4c4d",
                        "-id": "1578",
                        "-name": "Policy ID"
                    }...

Get field mapping by level ID

Returns mapping of fields by level ID.

Base Command

archer-get-mapping-by-level

Input
Parameter Description
level Level ID

Context Data

There is no context data for this command.

Command Example

!archer-get-mapping-by-level level=232

Raw Output
{
    "15698": {
        "Name": "Incident Response Procedures",
        "Type": 9,
        "levelId": "232"
    },
    "15700": {
        "Name": "Not Applicable Incident Response Procedures",
        "Type": 9,
        "levelId": "232"
    }...
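The SearchReport returned by archer-get-search-options-by-guid refers to fields and values by numeric ID only, and the level mapping from archer-get-mapping-by-level is what turns those IDs back into names. The following added example (not the integration's code) resolves a report's filter conditions, sort and display fields through such a mapping and reports which IDs the mapping does not cover. It also handles a quirk visible in the page's own output: Archer's XML-derived JSON collapses a one-element collection into a bare object ("SortField" is an object while "DisplayField" is a list). The SearchReport is constructed from the one shown above; the mapping for module 75's level, including its field names, types and level ID, is hypothetical, since the page only shows the mapping for level 232.

```python
# Constructed sample: the SearchReport from the archer-get-search-options-by-guid output
# on this page, reduced to the parts the function reads.
SEARCH_REPORT = {
    "Criteria": {
        "Filter": {
            "Conditions": {"ValueListFilterCondition": [
                {"Field": "302", "IncludeChildren": "False", "IsNoSelectionIncluded": "False",
                 "Operator": "DoesNotContain", "Values": {"Value": "470"}},
                {"Field": "304", "IncludeChildren": "False", "IsNoSelectionIncluded": "False",
                 "Operator": "Contains", "Values": {"Value": "473"}},
            ]},
            "OperatorLogic": "",
        },
        "ModuleCriteria": {"BuildoutRelationship": "Union", "IsKeywordModule": "False",
                           "Module": "75",
                           "SortFields": {"SortField": {"Field": "296", "SortType": "Descending"}}},
    },
    "DisplayFields": {"DisplayField": ["296", "302", "304", "7850", "342"]},
    "PageSize": "20",
}

# Hypothetical archer-get-mapping-by-level output for the level behind module 75, in the
# shape the page shows for level 232. Names, types and the level ID are invented for the
# example; 7850 and 342 are deliberately left unmapped. Type 4 is a value-list field.
FIELD_MAP = {
    "296": {"Name": "Date Reported", "Type": 21, "levelId": "65"},
    "302": {"Name": "Status", "Type": 4, "levelId": "65"},
    "304": {"Name": "Priority", "Type": 4, "levelId": "65"},
}


def as_list(node):
    """Archer's XML-derived JSON collapses a one-element collection into a bare object
    (compare "SortField" with "DisplayField" in the page's output); normalise to a list."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def field_name(field_map, field_id):
    """Resolve a field ID through the level mapping, falling back to a visible marker."""
    entry = field_map.get(str(field_id))
    return entry["Name"] if entry else f"field {field_id}"


def describe_report(search_report, field_map):
    """Turn a report's search criteria into readable pieces. Value IDs stay numeric:
    resolving them needs the archer-get-valuelist output of each value-list field."""
    crit = search_report["Criteria"]
    flt = crit["Filter"]
    conds = as_list(flt.get("Conditions", {}).get("ValueListFilterCondition"))
    sorts = as_list(crit["ModuleCriteria"].get("SortFields", {}).get("SortField"))
    display_ids = as_list(search_report.get("DisplayFields", {}).get("DisplayField"))
    referenced = [c["Field"] for c in conds] + [s["Field"] for s in sorts] + list(display_ids)
    return {
        "module": crit["ModuleCriteria"]["Module"],
        "operator_logic": flt.get("OperatorLogic", ""),  # passed through; empty on the page
        "conditions": [f"{field_name(field_map, c['Field'])} {c['Operator']} "
                       f"{as_list(c.get('Values', {}).get('Value'))}" for c in conds],
        "sort": [f"{field_name(field_map, s['Field'])} {s['SortType']}" for s in sorts],
        "display": [field_name(field_map, f) for f in display_ids],
        "unmapped": sorted({str(f) for f in referenced if str(f) not in field_map}),
        "page_size": int(search_report.get("PageSize", 0)),
    }


if __name__ == "__main__":
    for key, val in describe_report(SEARCH_REPORT, FIELD_MAP).items():
        print(f"{key}: {val}")
```

A non-empty "unmapped" list usually means the report spans more than one level (or a cross-reference into another application), so a single archer-get-mapping-by-level call is not enough to name every field it displays.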

Fetch Archer incidents

Fetches specific incidents from Archer into the Demisto War Room. Use it to fetch incidents on demand, for example from an automation, independently of the scheduled fetch.

Base Command

archer-manually-fetch-incident

Input
Parameter Description
applicationId ID of the application to get the incident from
incidentIds IDs of incidents to get details for, comma separated

Context Data

There is no context data for this command.

Command Example

!archer-manually-fetch-incident applicationId=433 incidentIds=227536

Raw Output
{
    "details": "Incident Summary: inside_record_test_0_summary",
    "labels": [
        {
            "Related Security Incidents (Direct Link)-Incident Summary": "inside_record_test_1_summary"
        }...

Download Archer file to the War Room

Downloads a file from Archer to the Demisto War Room context.

Base Command

archer-get-file

Input
Parameter Description
fileId Archer file ID

Context Data

There is no context data for this command.

Command Example

!archer-get-file fileId=3

Raw Output
Uploaded file: Screen Shot 2018-02-22 at 11.09.33.png

Upload a file from Demisto to Archer

Uploads a file from Demisto to Archer.

Base Command

archer-upload-file

Input
Parameter Description
contentId Content (record) ID to add the file to
applicationId ID of the application to upload the file to
incidentId Incident ID to add the file to
entryId Entry ID of the file in the Demisto context

Context Data

There is no context data for this command.

Command Example

!archer-upload-file applicationId=433 contentId=227610 entryId=61@95

Raw Output
File uploaded successfully.

Add data to the detailed analysis field

Adds data to the detailed analysis field.

Base Command

archer-add-to-detailed-analysis

Input
Parameter Description
contentId Content (record) ID whose field to set
applicationId ID of the application the record belongs to
incidentId Incident ID of the record to update
value Value to add to the Detailed Analysis field

Context Data

There is no context data for this command.

Command Example

!archer-add-to-detailed-analysis applicationId=433 contentId=227610 value="test string"

Raw Output
Detailed Analysis updated successfully.

Get an Archer user's user ID

Returns the user ID of an Archer user.

Base Command

archer-get-user-id

Input
Argument Name Description Required
userInfo Username in the form of "Domain\username". For example, userInfo="mydomain\myusername" Required

Context Output
Path Description
Archer.User.UserId User ID of the Archer user

Get a list of values for a field

Returns list of values for a specified field, e.g., fieldID=16114. This command only works for value list fields (type 4).

Base Command

archer-get-valuelist

Input
Argument Name Description Required
fieldID Field ID Required

Context Output

There is no context output for this command.