TIM - ArcSight Add IP Indicators

This playbook receives indicators from its parent playbook and provides them as inputs to the sub-playbooks that push the indicators to the SIEM.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • ArcSight ESM v2

Scripts

This playbook does not use any scripts.

Commands

  • appendIndicatorField
  • as-add-entries

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| ArcSightBlackListIPActiveListID | ID of the black list IP Active List resource as it appears in ArcSight. | | Optional |
| ArcsightBlackListIPValueFieldName | The name of the black list Active List field to insert the IP value into. | | Optional |
| ArcSightWhiteListIPActiveListID | ID of the white list IP Active List resource as it appears in ArcSight. | | Optional |
| ArcsightWhiteListIPValueFieldName | The name of the white list Active List field to insert the IP value into. | | Optional |
| ArcSightWatchListIPActiveListID | ID of the watch list IP Active List resource as it appears in ArcSight. | | Optional |
| ArcsightWatchListIPValueFieldName | The name of the watch list Active List field to insert the IP value into. | | Optional |
| Indicator Query | Indicators matching the indicator query will be used as playbook input. | | Optional |

Playbook Outputs


There are no outputs for this playbook.
