RSA Archer v2
The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.
Configure RSA Archer v2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for RSA Archer v2.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://example.net\) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
instanceName | Instance name | True |
userDomain | User domain | False |
applicationId | Application ID for fetch | True |
applicationDateField | Application date field for fetch | True |
fetch_limit | How many incidents to fetch each time | False |
fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
fields_to_fetch | List of fields from the application to gets into the incident | False |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
archer-search-applications
Gets application details or list of all applications.
Base Command
archer-search-applications
Input
Argument Name | Description | Required |
---|---|---|
applicationId | Get application by ID (leave empty to get all applications) | Optional |
Context Output
Path | Type | Description |
---|---|---|
Archer.Application.Guid | String | The application Guid |
Archer.Application.Id | Number | Unique Id of application |
Archer.Application.Status | Number | The application Status |
Archer.Application.Type | Number | The application Type |
Archer.Application.Name | String | The application name |
Command Example
!archer-search-applications applicationId=75
Context Example
Human Readable Output
Search applications results
Guid Id LanguageId Name Status Type 982fc3be-7c43-4d79-89a1-858ed262b930 75 1 Incidents 1 2
archer-get-application-fields
Gets all application fields by application ID
Base Command
archer-get-application-fields
Input
Argument Name | Description | Required |
---|---|---|
applicationId | ID of the application to search fields in | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.FieldId | Number | Unique Id of field |
Archer.ApplicationField.FieldName | String | The field name |
Archer.ApplicationField.FieldType | String | The field type |
Archer.ApplicationField.LevelID | Number | The field level Id |
Command Example
!archer-get-application-fields applicationId=75
Context Example
Human Readable Output
Application fields
FieldId FieldName FieldType LevelID 296 Incident ID TrackingID 67 297 Date Created First Published 67 298 Last Updated Last Updated Field 67 302 Status Values List 67 303 Date/Time Occurred Date 67 304 Priority Values List 67
archer-get-field
Returns mapping from list value name to list value id
Base Command
archer-get-field
Input
Argument Name | Description | Required |
---|---|---|
fieldID | Id of the field | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.FieldId | Number | Unique Id of field |
Archer.ApplicationField.FieldName | String | The field name |
Archer.ApplicationField.FieldType | String | The field type |
Archer.ApplicationField.LevelID | Number | The field level Id |
Command Example
!archer-get-field fieldID=350
Context Example
Human Readable Output
Application field
FieldId FieldName FieldType LevelID 350 Reported to Police Values List 67
archer-get-mapping-by-level
Return mapping of fields by level id
Base Command
archer-get-mapping-by-level
Input
Argument Name | Description | Required |
---|---|---|
level | Id of the level | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.LevelMapping.Id | Number | Unique Id of field |
Archer.LevelMapping.Name | String | The field name |
Archer.LevelMapping.Type | String | The field type |
Archer.LevelMapping.LevelId | Number | The field level Id |
Command Example
!archer-get-mapping-by-level level=67
Context Example
Human Readable Output
Level mapping for level 67
Id LevelId Name Type 296 67 Incident ID TrackingID 297 67 Date Created First Published 298 67 Last Updated Last Updated Field 302 67 Status Values List
archer-get-record
Gets information about a content record in the given application
Base Command
archer-get-record
Input
Argument Name | Description | Required |
---|---|---|
contentId | The record id | Required |
applicationId | The application Id | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.Record.Id | Number | Unique Id of record |
Command Example
!archer-get-record applicationId=75 contentId=227602
Context Example
Human Readable Output
Record details
Current Status Date/Time Occurred Date/Time Reported Days Open Default Record Permissions Google Map Id Incident Details Incident Result Incident Summary Is BSA (Bank Secrecy Act) reporting required in the US? Notify Incident Owner Override Rejected Submission Status Status Change Supporting Documentation ValuesListIds: 6412
OtherText: null2018-03-23T07:00:00 2018-03-26T10:03:32.243 805.0 UserList:
GroupList: {'Id': 50, 'HasRead': True, 'HasUpdate': True, 'HasDelete': True},
{'Id': 51, 'HasRead': True, 'HasUpdate': False, 'HasDelete': False}Google Map 227602 Incident Details ValuesListIds: 531
OtherText: nullSummary... ValuesListIds: 835
OtherText: nullValuesListIds: 6422
OtherText: nullValuesListIds: 9565
OtherText: nullValuesListIds: 466
OtherText: nullValuesListIds: 156
OtherText: null125
archer-create-record
Creates a new content record in the given application.
In this command when creating a new record, it is important to pay attention to the way the values are sent through the argument - fieldsToValues.
when field type is Values List - example: {"Type": ["Switch"], fieldname: [value1, value2]}
when field type is External Links - example: {"Patch URL": [{"value":"github", "link": "https://github.com"}]}
when field type is Users/Groups List - example: {"Policy Owner":{"users":ֿ [20],"groups": [30]}}
when field type is Cross- Reference - for example: {"Area Reference(s)": [20]}
In other cases the value can be sent as is.
To know what the type of the value you are using, you can use archer-get-application-fields
command with the applicationId
to get the list of all FieldType by FieldName.
Base Command
archer-create-record
Input
Argument Name | Description | Required |
---|---|---|
applicationId | The application Id | Required |
fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.Record.Id | Number | Unique Id of record |
Command Example
!archer-create-record applicationId=75 fieldsToValues={"Incident Summary":"This is the incident summary","Priority":["High"]}
Context Example
Human Readable Output
Record created successfully, record id: 239643
archer-delete-record
Delete existing content record in the given application
Base Command
archer-delete-record
Input
Argument Name | Description | Required |
---|---|---|
contentId | The record Id to delete | Required |
Context Output
There is no context output for this command.
Command Example
!archer-delete-record contentId=239642
Context Example
Human Readable Output
Record 239642 deleted successfully
archer-update-record
Updates existing content record in the given application
Base Command
archer-update-record
Input
Argument Name | Description | Required |
---|---|---|
applicationId | The application Id | Required |
fieldsToValues | Record fields in JSON format: { "Name1": Value1, "Name2": Value2 }. Field name is case sensitive | Required |
contentId | The record Id to update | Required |
Context Output
There is no context output for this command.
Command Example
!archer-update-record applicationId=75 contentId=239326 fieldsToValues={"Priority":["High"]}
Context Example
Human Readable Output
Record 239326 updated successfully
archer-execute-statistic-search-by-report
Performs statistic search by report Guid
Base Command
archer-execute-statistic-search-by-report
Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
maxResults | Maximum pages of the reports | Required |
Context Output
There is no context output for this command.
Command Example
!archer-execute-statistic-search-by-report maxResults=100 reportGuid=e4b18575-52c0-4f70-b41b-3ff8b6f13b1c
Context Example
Human Readable Output
{ "Groups": { "@count": "3", "Metadata": { "FieldDefinitions": { "FieldDefinition": [ { "@alias": "Classification", "@guid": "769b2548-6a98-49b6-95c5-03e391f0a40e", "@id": "76", "@name": "Classification" }, { "@alias": "Standard_Name", "@guid": "a569fd34-16f9-4965-93b0-889fcb91ba7a", "@id": "1566", "@name": "Standard Name" } ] } }, "Total": { "Aggregate": { "@Count": "1497", "@FieldId": "1566" } } } }
archer-get-reports
Gets all the reports from Archer
Base Command
archer-get-reports
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
archer-get-reports
Context Example
Human Readable Output
archer-get-search-options-by-guid
Returns search criteria by report GUID
Base Command
archer-get-search-options-by-guid
Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
Context Output
There is no context output for this command.
Command Example
!archer-get-search-options-by-guid reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12
Context Example
Human Readable Output
{ "SearchReport": { "Criteria": { "ModuleCriteria": { "BuildoutRelationship": "Union", "IsKeywordModule": "True", "Module": "421", "SortFields": { "SortField": [ { "Field": "15711", "SortType": "Ascending" }, { "Field": "15683", "SortType": "Ascending" } ] } } }, "DisplayFields": { "DisplayField": [ "15683", "15686", "15687", "15690", "15706", "15711", "15710", "15712", "15713", "15714", "15715", "15716", "15725", "15717", "15718" ] }, "PageSize": "50" } }
archer-reset-cache
Reset Archer's integration cache. Run this command if you change the fields of your Archer application
Base Command
archer-reset-cache
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!archer-reset-cache
Context Example
Human Readable Output
archer-get-valuelist
Returns a list of values for a specified field, e.g., fieldID=16114. This command only works for value list fields (type 4).
Base Command
archer-get-valuelist
Input
Argument Name | Description | Required |
---|---|---|
fieldID | The field Id | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.ApplicationField.ValuesList.Id | Number | The field value Id |
Archer.ApplicationField.ValuesList.IsSelectable | Boolean | Specifies whether the field value is selectable |
Archer.ApplicationField.ValuesList.Name | String | The field value name |
Command Example
!archer-get-valuelist fieldID=302
Context Example
Human Readable Output
Value list for field 302
Id IsSelectable Name 466 true New 467 true Assigned 468 true In Progress 469 true On Hold 470 true Closed
archer-upload-file
Uploads a file to Archer. Can associate the file to a record. To associate to a record, must provide all of the following arguments: applicationId, contentId, associatedField.
Base Command
archer-upload-file
Input
Argument Name | Description | Required |
---|---|---|
entryId | The entry id of the file in Demisto's context | Required |
contentId | The Content (record) ID to update. | Optional |
applicationId | ID of the application which we want to upload the file to. | Optional |
associatedField | Archer field name to associate the file with. | Optional |
Context Output
There is no context output for this command.
Command Example
!archer-upload-file entryId=16695@b32fdf18-1c65-43af-8918-7f85a1fab951
Context Example
Human Readable Output
File uploaded succsessfully, attachment ID: 126
archer-get-file
Downloads file from Archer to Demisto's war room context
Base Command
archer-get-file
Input
Argument Name | Description | Required |
---|---|---|
fileId | The attachment Id | Required |
Context Output
There is no context output for this command.
Command Example
!archer-get-file fileId=125
Context Example
Human Readable Output
archer-list-users
Gets user details or list of all users.
Base Command
archer-list-users
Input
Argument Name | Description | Required |
---|---|---|
userId | Get user by ID (leave empty to get all users) | Optional |
Context Output
Path | Type | Description |
---|---|---|
Archer.User.AccountStatus | String | The status of the user |
Archer.User.DisplayName | String | Display name of the user |
Archer.User.FirstName | String | The first name of the user |
Archer.User.Id | Number | Unique Id of user |
Archer.User.LastLoginDate | Date | Last login date of user |
Archer.User.LastName | String | The last name of the user |
Archer.User.MiddleName | String | The middle name of the user |
Archer.User.UserName | String | The username of the account |
Command Example
!archer-list-users
Context Example
Human Readable Output
Users list
AccountStatus DisplayName FirstName Id LastLoginDate LastName MiddleName UserName Locked cash, johnny johnny 202 2018-09-03T07:56:51.027 cash johnnyCash
archer-search-records
Search for records inside the given application
Base Command
archer-search-records
Input
Argument Name | Description | Required |
---|---|---|
applicationId | Id of the application to search records in | Required |
fieldToSearchOn | Name of field to search on (leave empty to search for all) | Optional |
searchValue | Search value (leave empty to search for all) | Optional |
maxResults | Maximum results to return from the search (default is 10) | Optional |
fieldsToDisplay | Fields to present in the search results in array format (for example: "Title,Incident Summary") | Optional |
numericOperator | Numeric search operator | Optional |
dateOperator | Date search operator | Optional |
fieldsToGet | Fields to fetch from the the application | Optional |
fullData | Get an extended responses with all of the data regarding this search. For example, "fullData=true" | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.Record | Unknown | The content object |
Archer.Record.Id | Number | The content Id |
Command Example
!archer-search-records applicationId=75 fullData=False fieldsToDisplay=`Date/Time Occurred,Days Open` fieldsToGet=`Date/Time Occurred,Days Open` fieldToSearchOn=`Date/Time Occurred` dateOperator=GreaterThan searchValue=2018-06-23T07:00:00Z maxResults=100
Context Example
Human Readable Output
Search records results
Date/Time Occurred Days Open 2018-07-10T08:00:00Z 30
archer-search-records-by-report
Search records by report Guid
Base Command
archer-search-records-by-report
Input
Argument Name | Description | Required |
---|---|---|
reportGuid | The report GUID | Required |
Context Output
Path | Type | Description |
---|---|---|
Archer.SearchByReport.ReportGUID | String | The report GUID |
Archer.SearchByReport.RecordsAmount | Number | Amount of records found by the search |
Archer.SearchByReport.Record | Unknown | The records found by the search |
Command Example
!archer-search-records-by-report reportGuid=bce4222c-ecfe-4cef-a556-fe746e959f12
Context Example
Human Readable Output
Search records by report results
Description Id Procedure Name Threat Category Tracking ID test_procedure_0
227528 test_procedure_0 Malware 227528 test_procedure_1
227529 test_procedure_1 Malware 227529 test_procedure_2
227531 test_procedure_2 Malware 227531 test_procedure_3
227532 test_procedure_3 Malware 227532
archer-print-cache
prints Archer's integration cache.
Base Command
archer-print-cache
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!archer-print-cache
Context Example
Human Readable Output
{ "75": [ { "level": 67, "mapping": { "10052": { "FieldId": "10052", "IsRequired": false, "Name": "Related Incidents (2)", "RelatedValuesListId": null, "Type": 23 }, "10172": { "FieldId": "10172", "IsRequired": false, "Name": "Source", "RelatedValuesListId": 1176, "Type": 4 }, "10183": { "FieldId": "10183", "IsRequired": false, "Name": "Is BSA (Bank Secrecy Act) reporting required in the US?", "RelatedValuesListId": 152, "Type": 4 }, "10188": { "FieldId": "10188", "IsRequired": false, "Name": "Batch File Format", "RelatedValuesListId": 1183, "Type": 4 } } } ], "fieldValueList": { "7782": { "FieldId": "7782", "ValuesList": [ { "Id": 6412, "IsSelectable": true, "Name": "New" }, { "Id": 6413, "IsSelectable": true, "Name": "Assigned" }, { "Id": 6414, "IsSelectable": true, "Name": "In Progress" }, { "Id": 6415, "IsSelectable": true, "Name": "On Hold" }, { "Id": 6416, "IsSelectable": true, "Name": "Closed" } ] } } }