RSA Archer v2

The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business. This integration was integrated and tested with version xx of RSA Archer v2.

Configure RSA Archer v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for RSA Archer v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| credentials | Username | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| instanceName | Instance name | True |
| userDomain | User domain | False |
| applicationId | Application ID for fetch | True |
| applicationDateField | Application date field for fetch | True |
| fetch_limit | How many incidents to fetch each time | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| fields_to_fetch | List of fields from the application to get into the incident | False |
| time_zone | Timezone offset in minutes of the RSA Archer server machine (+60, -60, in minutes) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

archer-search-applications


Gets application details or list of all applications.

Base Command

archer-search-applications

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | Get application by ID (leave empty to get all applications) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.Application.Guid | String | The application Guid |
| Archer.Application.Id | Number | Unique Id of application |
| Archer.Application.Status | Number | The application Status |
| Archer.Application.Type | Number | The application Type |
| Archer.Application.Name | String | The application name |

Command Example

!archer-search-applications applicationId=75

Context Example

{
"Archer": {
"Application": {
"Guid": "982fc3be-7c43-4d79-89a1-858ed262b930",
"Id": 75,
"LanguageId": 1,
"Name": "Incidents",
"Status": 1,
"Type": 2
}
}
}

Human Readable Output

Search applications results

| Guid | Id | LanguageId | Name | Status | Type |
| --- | --- | --- | --- | --- | --- |
| 982fc3be-7c43-4d79-89a1-858ed262b930 | 75 | 1 | Incidents | 1 | 2 |

archer-get-application-fields


Gets all application fields by application ID

Base Command

archer-get-application-fields

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | ID of the application to search fields in | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | Unique Id of field |
| Archer.ApplicationField.FieldName | String | The field name |
| Archer.ApplicationField.FieldType | String | The field type |
| Archer.ApplicationField.LevelID | Number | The field level Id |

Command Example

!archer-get-application-fields applicationId=75

Context Example

{
"Archer": {
"ApplicationField": [
{
"FieldId": 296,
"FieldName": "Incident ID",
"FieldType": "TrackingID",
"LevelID": 67
},
{
"FieldId": 297,
"FieldName": "Date Created",
"FieldType": "First Published",
"LevelID": 67
},
{
"FieldId": 298,
"FieldName": "Last Updated",
"FieldType": "Last Updated Field",
"LevelID": 67
},
{
"FieldId": 302,
"FieldName": "Status",
"FieldType": "Values List",
"LevelID": 67
},
{
"FieldId": 303,
"FieldName": "Date/Time Occurred",
"FieldType": "Date",
"LevelID": 67
},
{
"FieldId": 304,
"FieldName": "Priority",
"FieldType": "Values List",
"LevelID": 67
}
]
}
}

Human Readable Output

Application fields

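| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 296 | Incident ID | TrackingID | 67 |
| 297 | Date Created | First Published | 67 |
| 298 | Last Updated | Last Updated Field | 67 |
| 302 | Status | Values List | 67 |
| 303 | Date/Time Occurred | Date | 67 |
| 304 | Priority | Values List | 67 |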

archer-get-field


Returns mapping from list value name to list value id

Base Command

archer-get-field

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | Id of the field | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.FieldId | Number | Unique Id of field |
| Archer.ApplicationField.FieldName | String | The field name |
| Archer.ApplicationField.FieldType | String | The field type |
| Archer.ApplicationField.LevelID | Number | The field level Id |

Command Example

!archer-get-field fieldID=350

Context Example

{
"Archer": {
"ApplicationField": {
"FieldId": 350,
"FieldName": "Reported to Police",
"FieldType": "Values List",
"LevelID": 67
}
}
}

Human Readable Output

Application field

| FieldId | FieldName | FieldType | LevelID |
| --- | --- | --- | --- |
| 350 | Reported to Police | Values List | 67 |

archer-get-mapping-by-level


Return mapping of fields by level id

Base Command

archer-get-mapping-by-level

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| level | Id of the level | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.LevelMapping.Id | Number | Unique Id of field |
| Archer.LevelMapping.Name | String | The field name |
| Archer.LevelMapping.Type | String | The field type |
| Archer.LevelMapping.LevelId | Number | The field level Id |

Command Example

!archer-get-mapping-by-level level=67

Context Example

{
"Archer": {
"LevelMapping": [
{
"Id": 296,
"LevelId": 67,
"Name": "Incident ID",
"Type": "TrackingID"
},
{
"Id": 297,
"LevelId": 67,
"Name": "Date Created",
"Type": "First Published"
},
{
"Id": 298,
"LevelId": 67,
"Name": "Last Updated",
"Type": "Last Updated Field"
},
{
"Id": 302,
"LevelId": 67,
"Name": "Status",
"Type": "Values List"
}
]
}
}

Human Readable Output

Level mapping for level 67

| Id | LevelId | Name | Type |
| --- | --- | --- | --- |
| 296 | 67 | Incident ID | TrackingID |
| 297 | 67 | Date Created | First Published |
| 298 | 67 | Last Updated | Last Updated Field |
| 302 | 67 | Status | Values List |

archer-get-record


Gets information about a content record in the given application

Base Command

archer-get-record

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The record id | Required |
| applicationId | The application Id | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | Unique Id of record |

Command Example

!archer-get-record applicationId=75 contentId=227602

Context Example

{
"Archer": {
"Record": {
"Current Status": {
"OtherText": null,
"ValuesListIds": [
6412
]
},
"Date/Time Occurred": "2018-03-23T07:00:00",
"Date/Time Reported": "2018-03-26T10:03:32.243",
"Days Open": 805,
"Default Record Permissions": {
"GroupList": [
{
"HasDelete": true,
"HasRead": true,
"HasUpdate": true,
"Id": 50
},
{
"HasDelete": false,
"HasRead": true,
"HasUpdate": false,
"Id": 51
}
],
"UserList": []
},
"Google Map": "<a target='_new' href='http://maps.google.com/maps?f=q&ie=UTF8&om=1&hl=en&q=, , , '>Google Map</a>",
"Id": 227602,
"Incident Details": "Incident Details",
"Incident Result": {
"OtherText": null,
"ValuesListIds": [
531
]
},
"Incident Summary": "Summary...",
"Is BSA (Bank Secrecy Act) reporting required in the US?": {
"OtherText": null,
"ValuesListIds": [
835
]
},
"Notify Incident Owner": {
"OtherText": null,
"ValuesListIds": [
6422
]
},
"Override Rejected Submission": {
"OtherText": null,
"ValuesListIds": [
9565
]
},
"Status": {
"OtherText": null,
"ValuesListIds": [
466
]
},
"Status Change": {
"OtherText": null,
"ValuesListIds": [
156
]
},
"Supporting Documentation": [
125
]
}
}
}

Human Readable Output

Record details

| Current Status | Date/Time Occurred | Date/Time Reported | Days Open | Default Record Permissions | Google Map | Id | Incident Details | Incident Result | Incident Summary | Is BSA (Bank Secrecy Act) reporting required in the US? | Notify Incident Owner | Override Rejected Submission | Status | Status Change | Supporting Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ValuesListIds: 6412; OtherText: null | 2018-03-23T07:00:00 | 2018-03-26T10:03:32.243 | 805.0 | UserList: ; GroupList: {'Id': 50, 'HasRead': True, 'HasUpdate': True, 'HasDelete': True}, {'Id': 51, 'HasRead': True, 'HasUpdate': False, 'HasDelete': False} | Google Map | 227602 | Incident Details | ValuesListIds: 531; OtherText: null | Summary... | ValuesListIds: 835; OtherText: null | ValuesListIds: 6422; OtherText: null | ValuesListIds: 9565; OtherText: null | ValuesListIds: 466; OtherText: null | ValuesListIds: 156; OtherText: null | 125 |

archer-create-record


Creates a new content record in the given application.

Base Command

archer-create-record

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application Id | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record.Id | Number | Unique Id of record |

Command Example

!archer-create-record applicationId=75 fieldsToValues={"Incident Summary":"This is the incident summary","Priority":["High"]}

Context Example

{
"Archer": {
"Record": {
"Id": 239643
}
}
}

Human Readable Output

Record created successfully, record id: 239643
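
Because field names in fieldsToValues are case sensitive, a pre-flight check can catch a mistyped name or a non-selectable list value before a record is written. This is an added example, not the integration's own code: the function name, the sample field and value lists (shaped like the archer-get-application-fields and archer-get-valuelist context output), and the requirement that values-list fields take an array of names (as in the command example above) are assumptions.

```python
import json

# Constructed sample shaped like the archer-get-application-fields context output.
# "Incident Summary" and its FieldId/FieldType are assumptions for illustration.
FIELDS = [
    {"FieldId": 302, "FieldName": "Status", "FieldType": "Values List", "LevelID": 67},
    {"FieldId": 304, "FieldName": "Priority", "FieldType": "Values List", "LevelID": 67},
    {"FieldId": 9001, "FieldName": "Incident Summary", "FieldType": "Text", "LevelID": 67},
]

# Constructed sample keyed by FieldId, shaped like the archer-get-valuelist ValuesList.
VALUE_LISTS = {
    304: [
        {"Id": 9101, "IsSelectable": True, "Name": "High"},
        {"Id": 9102, "IsSelectable": False, "Name": "Legacy"},
    ],
}


def validate_fields_to_values(raw, fields=FIELDS, value_lists=VALUE_LISTS):
    """Return a list of problems; an empty list means the payload passed every check."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object of field name to value"]

    by_name = {f["FieldName"]: f for f in fields}
    by_lower = {f["FieldName"].lower(): f["FieldName"] for f in fields}
    problems = []
    for name, value in payload.items():
        field = by_name.get(name)
        if field is None:
            # Field names are case sensitive, so point out a near miss explicitly.
            hint = by_lower.get(name.lower())
            suffix = f"; did you mean {hint!r}?" if hint else ""
            problems.append(f"unknown field {name!r}{suffix}")
            continue
        if field["FieldType"] != "Values List":
            continue
        if not isinstance(value, list):
            problems.append(f"{name!r} is a values list; pass an array of value names")
            continue
        selectable = {v["Name"] for v in value_lists.get(field["FieldId"], [])
                      if v["IsSelectable"]}
        for item in value:
            if not isinstance(item, str) or item not in selectable:
                problems.append(f"{name!r}: {item!r} is not a selectable value")
    return problems


if __name__ == "__main__":
    print(validate_fields_to_values('{"priority": ["High"], "Priority": ["Legacy"]}'))
```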

archer-delete-record


Delete existing content record in the given application

Base Command

archer-delete-record

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| contentId | The record Id to delete | Required |

Context Output

There is no context output for this command.

Command Example

!archer-delete-record contentId=239642

Context Example

{}

Human Readable Output

Record 239642 deleted successfully

archer-update-record


Updates existing content record in the given application

Base Command

archer-update-record

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | The application Id | Required |
| fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
| contentId | The record Id to update | Required |

Context Output

There is no context output for this command.

Command Example

!archer-update-record applicationId=75 contentId=239326 fieldsToValues={"Priority":["High"]}

Context Example

{}

Human Readable Output

Record 239326 updated successfully

archer-execute-statistic-search-by-report


Performs statistic search by report Guid

Base Command

archer-execute-statistic-search-by-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |
| maxResults | Maximum pages of the reports | Required |

Context Output

There is no context output for this command.

Command Example

!archer-execute-statistic-search-by-report maxResults=100 reportGuid=e4b18575-52c0-4f70-b41b-3ff8b6f13b1c

Context Example

{}

Human Readable Output

{ "Groups": { "@count": "3", "Metadata": { "FieldDefinitions": { "FieldDefinition": [ { "@alias": "Classification", "@guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "@id": "76", "@name": "Classification" }, { "@alias": "Standard_Name", "@guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "@id": "1566", "@name": "Standard Name" } ] } }, "Total": { "Aggregate": { "@Count": "1497", "@FieldId": "1566" } } } }

archer-get-reports


Gets all the reports from Archer

Base Command

archer-get-reports

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!archer-get-reports

Context Example

{
"Archer": {
"Report": [
{
"ApplicationGUID": "982fc3be-7c43-4d79-89a1-858ed262b930",
"ApplicationName": "Policies",
"ApplicationDescription": "This report displays a listing of all security Policies.",
"ReportGUID": "22961b81-4866-40ea-a298-99afb348598d",
"ReportName": "Policies - Summary view"
}
]
}
}

Human Readable Output

archer-get-search-options-by-guid


Returns search criteria by report GUID

Base Command

archer-get-search-options-by-guid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |

Context Output

There is no context output for this command.

Command Example

!archer-get-search-options-by-guid reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example

{}

Human Readable Output

{ "SearchReport": { "Criteria": { "ModuleCriteria": { "BuildoutRelationship": "Union", "IsKeywordModule": "True", "Module": "421", "SortFields": { "SortField": [ { "Field": "15711", "SortType": "Ascending" }, { "Field": "15683", "SortType": "Ascending" } ] } } }, "DisplayFields": { "DisplayField": [ "15683", "15686", "15687", "15690", "15706", "15711", "15710", "15712", "15713", "15714", "15715", "15716", "15725", "15717", "15718" ] }, "PageSize": "50" } }

archer-reset-cache


Reset Archer's integration cache. Run this command if you change the fields of your Archer application

Base Command

archer-reset-cache

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!archer-reset-cache

Context Example

{}

Human Readable Output

archer-get-valuelist


Returns a list of values for a specified field, e.g., fieldID=16114. This command only works for value list fields (type 4).

Base Command

archer-get-valuelist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fieldID | The field Id | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.ApplicationField.ValuesList.Id | Number | The field value Id |
| Archer.ApplicationField.ValuesList.IsSelectable | Boolean | Specifies whether the field value is selectable |
| Archer.ApplicationField.ValuesList.Name | String | The field value name |

Command Example

!archer-get-valuelist fieldID=302

Context Example

{
"Archer": {
"ApplicationField": {
"FieldId": "302",
"ValuesList": [
{
"Id": 466,
"IsSelectable": true,
"Name": "New"
},
{
"Id": 467,
"IsSelectable": true,
"Name": "Assigned"
},
{
"Id": 468,
"IsSelectable": true,
"Name": "In Progress"
},
{
"Id": 469,
"IsSelectable": true,
"Name": "On Hold"
},
{
"Id": 470,
"IsSelectable": true,
"Name": "Closed"
}
]
}
}
}

Human Readable Output

Value list for field 302

| Id | IsSelectable | Name |
| --- | --- | --- |
| 466 | true | New |
| 467 | true | Assigned |
| 468 | true | In Progress |
| 469 | true | On Hold |
| 470 | true | Closed |
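
Records returned by archer-get-record carry values-list fields as numeric ValuesListIds, so the value list above is what turns "Status": 466 into "New". The following added example (not the integration's own code) joins the three context shapes shown on this page; the function name and the trimmed sample data are constructed, and ids with no matching entry are reported rather than dropped, which is the symptom to look for before running archer-reset-cache.

```python
# Constructed samples shaped like this page's context examples.
FIELDS = [  # archer-get-application-fields
    {"FieldId": 302, "FieldName": "Status", "FieldType": "Values List", "LevelID": 67},
]
VALUE_LISTS = {  # archer-get-valuelist output, keyed by FieldId
    302: [
        {"Id": 466, "IsSelectable": True, "Name": "New"},
        {"Id": 467, "IsSelectable": True, "Name": "Assigned"},
        {"Id": 470, "IsSelectable": True, "Name": "Closed"},
    ],
}
RECORD = {  # subset of the archer-get-record context example
    "Id": 227602,
    "Incident Summary": "Summary...",
    "Status": {"OtherText": None, "ValuesListIds": [466]},
    "Incident Result": {"OtherText": None, "ValuesListIds": [531]},
}


def resolve_record(record, fields=FIELDS, value_lists=VALUE_LISTS):
    """Replace ValuesListIds with value names.

    Returns (resolved_record, unresolved) where unresolved lists every
    (field name, value id) pair that no loaded value list could explain.
    """
    name_to_field_id = {
        f["FieldName"]: f["FieldId"] for f in fields if f["FieldType"] == "Values List"
    }
    resolved, unresolved = {}, []
    for name, value in record.items():
        # Only dicts carrying ValuesListIds are values-list fields; copy the rest.
        if not (isinstance(value, dict) and "ValuesListIds" in value):
            resolved[name] = value
            continue
        field_id = name_to_field_id.get(name)
        id_to_name = {v["Id"]: v["Name"] for v in value_lists.get(field_id, [])}
        names = []
        for value_id in value["ValuesListIds"] or []:
            if value_id in id_to_name:
                names.append(id_to_name[value_id])
            else:
                names.append(f"<unresolved id {value_id}>")
                unresolved.append((name, value_id))
        if value.get("OtherText"):
            names.append(value["OtherText"])
        resolved[name] = names
    return resolved, unresolved


if __name__ == "__main__":
    print(resolve_record(RECORD))
```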

archer-upload-file


Uploads a file to Archer

Base Command

archer-upload-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entryId | The entry id of the file in Demisto's context | Required |

Context Output

There is no context output for this command.

Command Example

!archer-upload-file entryId=16695@b32fdf18-1c65-43af-8918-7f85a1fab951

Context Example

{}

Human Readable Output

File uploaded succsessfully, attachment ID: 126

archer-get-file


Downloads file from Archer to Demisto's war room context

Base Command

archer-get-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fileId | The attachment Id | Required |

Context Output

There is no context output for this command.

Command Example

!archer-get-file fileId=125

Context Example

{
"File": {
"EntryID": "16680@b32fdf18-1c65-43af-8918-7f85a1fab951",
"Extension": "jpg",
"Info": "image/jpeg",
"MD5": "fb80f3fc41f2524",
"Name": "11.jpg",
"SHA1": "6898512eaa3",
"SHA256": "f4bed94abd752",
"SHA512": "ecce92345fb8b6aa",
"SSDeep": "768:XYDWR",
"Size": 52409,
"Type": "JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 750x561, frames 3"
}
}

Human Readable Output

archer-list-users


Gets user details or list of all users.

Base Command

archer-list-users

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| userId | Get user by ID (leave empty to get all users) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.User.AccountStatus | String | The status of the user |
| Archer.User.DisplayName | String | Display name of the user |
| Archer.User.FirstName | String | The first name of the user |
| Archer.User.Id | Number | Unique Id of user |
| Archer.User.LastLoginDate | Date | Last login date of user |
| Archer.User.LastName | String | The last name of the user |
| Archer.User.MiddleName | String | The middle name of the user |
| Archer.User.UserName | String | The username of the account |

Command Example

!archer-list-users

Context Example

{
"Archer": {
"User": {
"AccountStatus": "Locked",
"DisplayName": "cash, johnny",
"FirstName": "johnny",
"Id": 202,
"LastLoginDate": "2018-09-03T07:56:51.027",
"LastName": "cash",
"MiddleName": null,
"UserName": "johnnyCash"
}
}
}

Human Readable Output

Users list

| AccountStatus | DisplayName | FirstName | Id | LastLoginDate | LastName | MiddleName | UserName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Locked | cash, johnny | johnny | 202 | 2018-09-03T07:56:51.027 | cash | | johnnyCash |

archer-search-records


Search for records inside the given application

Base Command

archer-search-records

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| applicationId | Id of the application to search records in | Required |
| fieldToSearchOn | Name of field to search on (leave empty to search for all) | Optional |
| searchValue | Search value (leave empty to search for all) | Optional |
| maxResults | Maximum results to return from the search (default is 10) | Optional |
| fieldsToDisplay | Fields to present in the search results in array format (for example: "Title,Incident Summary") | Optional |
| numericOperator | Numeric search operator | Optional |
| dateOperator | Date search operator | Optional |
| fieldsToGet | Fields to fetch from the application | Optional |
| fullData | Get an extended response with all of the data regarding this search. For example, "fullData=true" | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.Record | Unknown | The content object |
| Archer.Record.Id | Number | The content Id |

Command Example

!archer-search-records applicationId=75 fullData=False fieldsToDisplay=`Date/Time Occurred,Days Open` fieldsToGet=`Date/Time Occurred,Days Open` fieldToSearchOn=`Date/Time Occurred` dateOperator=GreaterThan searchValue=2018-06-23T07:00:00Z maxResults=100

Context Example

{
"Archer": {
"Record": {
"Date/Time Occurred": "2018-07-10T08:00:00Z",
"Days Open": "30",
"Id": "227664"
}
}
}

Human Readable Output

Search records results

| Date/Time Occurred | Days Open |
| --- | --- |
| 2018-07-10T08:00:00Z | 30 |

archer-search-records-by-report


Search records by report Guid

Base Command

archer-search-records-by-report

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| reportGuid | The report GUID | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Archer.SearchByReport.ReportGUID | String | The report GUID |
| Archer.SearchByReport.RecordsAmount | Number | Amount of records found by the search |
| Archer.SearchByReport.Record | Unknown | The records found by the search |

Command Example

!archer-search-records-by-report reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12

Context Example

{
"Archer": {
"SearchByReport": {
"Record": [
{
"Description": "<p>\u00a0test_procedure_0</p>",
"Id": "227528",
"Procedure Name": "test_procedure_0",
"Threat Category": "Malware",
"Tracking ID": "227528"
},
{
"Description": "<p>\u00a0test_procedure_1</p>",
"Id": "227529",
"Procedure Name": "test_procedure_1",
"Threat Category": "Malware",
"Tracking ID": "227529"
},
{
"Description": "<p>test_procedure_2\u00a0</p>",
"Id": "227531",
"Procedure Name": "test_procedure_2",
"Threat Category": "Malware",
"Tracking ID": "227531"
},
{
"Description": "<p>test_procedure_3</p>",
"Id": "227532",
"Procedure Name": "test_procedure_3",
"Threat Category": "Malware",
"Tracking ID": "227532"
}
],
"RecordsAmount": 4,
"ReportGUID": "bce4222c-ecfe-4cef-a556-fe746e959f12"
}
}
}

Human Readable Output

Search records by report results

| Description | Id | Procedure Name | Threat Category | Tracking ID |
| --- | --- | --- | --- | --- |
| test_procedure_0 | 227528 | test_procedure_0 | Malware | 227528 |
| test_procedure_1 | 227529 | test_procedure_1 | Malware | 227529 |
| test_procedure_2 | 227531 | test_procedure_2 | Malware | 227531 |
| test_procedure_3 | 227532 | test_procedure_3 | Malware | 227532 |

archer-print-cache


Prints Archer's integration cache.

Base Command

archer-print-cache

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!archer-print-cache

Context Example

{}

Human Readable Output

{ "75": [ { "level": 67, "mapping": { "10052": { "FieldId": "10052", "IsRequired": false, "Name": "Related Incidents (2)", "RelatedValuesListId": null, "Type": 23 }, "10172": { "FieldId": "10172", "IsRequired": false, "Name": "Source", "RelatedValuesListId": 1176, "Type": 4 }, "10183": { "FieldId": "10183", "IsRequired": false, "Name": "Is BSA (Bank Secrecy Act) reporting required in the US?", "RelatedValuesListId": 152, "Type": 4 }, "10188": { "FieldId": "10188", "IsRequired": false, "Name": "Batch File Format", "RelatedValuesListId": 1183, "Type": 4 } } } ], "fieldValueList": { "7782": { "FieldId": "7782", "ValuesList": [ { "Id": 6412, "IsSelectable": true, "Name": "New" }, { "Id": 6413, "IsSelectable": true, "Name": "Assigned" }, { "Id": 6414, "IsSelectable": true, "Name": "In Progress" }, { "Id": 6415, "IsSelectable": true, "Name": "On Hold" }, { "Id": 6416, "IsSelectable": true, "Name": "Closed" } ] } } }