Integrate ArcSight Logger with Google SecOps
This document explains how to integrate ArcSight Logger with Google Security Operations (Google SecOps).
Integration version: 9.0
Integration parameters
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
Server Address | String | https://<host>:<port> | Yes | The server address of the ArcSight Logger instance. |
Username | String | N/A | Yes | Username of the ArcSight Logger account. |
Password | Password | N/A | Yes | The password of the ArcSight Logger account. |
Verify SSL | Checkbox | Unchecked | No | If enabled, the integration verifies that the SSL certificate presented by the ArcSight Logger server is valid before connecting. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Test connectivity to ArcSight Logger with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
The action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail or stop a playbook execution: If no errors and returned data: "Successfully connected to the ArcSight Logger with the provided connection parameters!" The action should fail and stop a playbook execution: If an error is reported: "Error executing action "Ping". Reason: {0}".format(error.Stacktrace) | General |
Send Query
Send a query to get information about related events from ArcSight Logger event log manager.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Query | String | "" | Yes | Specify the query to send to ArcSight Logger event search. |
Max Events to Return | Integer | 100 | No | Specify the number of events to return. The limit is 10000; this is an ArcSight Logger limitation. |
Time Frame | String | 1h | No | Specify the timeframe used to fetch events. Possible values: 1h (1 hour ago), 1d (1 day ago). Note: You can't combine different values, like 1d2h30m. |
Fields to Fetch | Comma Separated Values | None | No | Specify what fields to fetch from ArcSight Logger. If nothing is specified, then all of the available fields will be returned. |
Include Raw Event Data | Checkbox | Checked | No | If enabled, raw event data is included in the response. |
Local Search Only | Checkbox | Unchecked | No | If enabled, the ArcSight Logger event search is local only and does not include ArcSight Logger peers. Leave unchecked to include peers in the event search. |
Discover fields | Checkbox | Checked | No | Indicates that the ArcSight Logger search should try to discover fields in the events found. |
Sort | String | ascending | No | Specify the sorting method to use. Possible values: ascending, descending. |
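The parameter table above leaves the validation rules implicit: the event cap of 10000, the single-unit Time Frame (1h or 1d, never a combination like 1d2h30m), the comma-separated field list, and the two sort values. The following added example, which is not part of this document or of the integration's own code, validates those inputs before a query is built. The returned dictionary keys are this example's own names, not the parameter names of the ArcSight Logger search API, and accepting a minutes unit ("m") alongside "h" and "d" is an assumption drawn from the 1d2h30m note.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed example: validates the "Send Query" action parameters described
# in the table above. Dictionary keys returned by build_search_request are this
# example's own names, not the field names of the ArcSight Logger search API.

MAX_EVENTS_LIMIT = 10000                         # ArcSight Logger limitation
TIME_FRAME_RE = re.compile(r"^(\d+)([mhd])$")    # exactly one number + one unit
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}  # "m" support is an assumption
SORT_VALUES = ("ascending", "descending")


def parse_time_frame(time_frame):
    """Return a timedelta for a single-unit value such as "1h" or "1d".

    Combined values ("1d2h30m") are rejected, because the action does not
    accept them.
    """
    match = TIME_FRAME_RE.match(time_frame.strip())
    if not match:
        raise ValueError(
            f"unsupported Time Frame {time_frame!r}; use a single value such as 1h or 1d"
        )
    amount, unit = int(match.group(1)), match.group(2)
    if amount <= 0:
        raise ValueError("Time Frame must be positive")
    return timedelta(seconds=amount * UNIT_SECONDS[unit])


def split_fields(fields_to_fetch):
    """Turn the comma-separated "Fields to Fetch" value into a clean list.

    An empty value means "all available fields" and yields an empty list.
    """
    if not fields_to_fetch:
        return []
    return [f.strip() for f in fields_to_fetch.split(",") if f.strip()]


def build_search_request(query, max_events=100, time_frame="1h", fields_to_fetch=None,
                         include_raw=True, local_search_only=False,
                         discover_fields=True, sort="ascending", now=None):
    """Validate the action parameters and return a request description."""
    if not query or not query.strip():
        raise ValueError("Query is mandatory")
    max_events = int(max_events)
    if not 1 <= max_events <= MAX_EVENTS_LIMIT:
        raise ValueError(f"Max Events to Return must be between 1 and {MAX_EVENTS_LIMIT}")
    if sort not in SORT_VALUES:
        raise ValueError(f"Sort must be one of {SORT_VALUES}")
    now = now or datetime.now(timezone.utc)
    start = now - parse_time_frame(time_frame)   # "1h" means one hour ago
    return {
        "query": query.strip(),
        "max_events": max_events,
        "start_time": start.isoformat(timespec="milliseconds"),
        "end_time": now.isoformat(timespec="milliseconds"),
        "fields": split_fields(fields_to_fetch),
        "include_raw": bool(include_raw),
        "local_only": bool(local_search_only),
        "discover_fields": bool(discover_fields),
        "sort": sort,
    }


if __name__ == "__main__":
    print(build_search_request("deviceVendor = ArcSight", max_events=500,
                               time_frame="1d", fields_to_fetch="name, deviceAddress"))
```

Rejecting, rather than silently clamping, an out-of-range Max Events value or a combined Time Frame keeps the playbook author aware of what was actually searched; a silently narrowed window is easy to mistake for "no matching events".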
Run on
This action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
```json
{
  "fields": [
    {"name": "_rowId", "type": "string", "alias": "_rowId"},
    {"name": "_raw", "type": "string", "alias": "_raw"},
    {"name": "Event Time", "type": "date", "alias": "Event Time"},
    {"name": "Logger", "type": "string", "alias": "Logger"},
    {"name": "Device", "type": "string", "alias": "Device"},
    {"name": "Receipt Time", "type": "date", "alias": "Receipt Time"},
    {"name": "deviceReceiptTime", "type": "date", "alias": "deviceReceiptTime"},
    {"name": "deviceCustomString2", "type": "string", "alias": "deviceCustomString2"},
    {"name": "destinationAddress", "type": "string", "alias": "destinationAddress"},
    {"name": "deviceCustomNumber3Label", "type": "string", "alias": "deviceCustomNumber3Label"},
    {"name": "globalEventId", "type": "number", "alias": "globalEventId"},
    {"name": "deviceVersion", "type": "string", "alias": "deviceVersion"},
    {"name": "name", "type": "string", "alias": "name"},
    {"name": "deviceAddress", "type": "string", "alias": "deviceAddress"},
    {"name": "deviceVendor", "type": "string", "alias": "deviceVendor"},
    {"name": "Version", "type": "string", "alias": "Version"},
    {"name": "deviceCustomNumber1Label", "type": "string", "alias": "deviceCustomNumber1Label"},
    {"name": "deviceEventCategory", "type": "string", "alias": "deviceEventCategory"},
    {"name": "endTime", "type": "date", "alias": "endTime"},
    {"name": "fileName", "type": "string", "alias": "fileName"},
    {"name": "deviceCustomNumber2", "type": "number", "alias": "deviceCustomNumber2"},
    {"name": "deviceCustomNumber1", "type": "number", "alias": "deviceCustomNumber1"},
    {"name": "baseEventCount", "type": "number", "alias": "baseEventCount"},
    {"name": "startTime", "type": "date", "alias": "startTime"},
    {"name": "deviceCustomNumber3", "type": "number", "alias": "deviceCustomNumber3"},
    {"name": "agentSeverity", "type": "string", "alias": "agentSeverity"},
    {"name": "fsize", "type": "string", "alias": "fsize"},
    {"name": "deviceProduct", "type": "string", "alias": "deviceProduct"},
    {"name": "deviceEventClassId", "type": "string", "alias": "deviceEventClassId"},
    {"name": "deviceCustomNumber2Label", "type": "string", "alias": "deviceCustomNumber2Label"},
    {"name": "deviceCustomString2Label", "type": "string", "alias": "deviceCustomString2Label"},
    {"name": "fileType", "type": "string", "alias": "fileType"}
  ],
  "results": [
    [
      "4BFEFD-86@Local",
      "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| cat=/Monitor/StorageGroup/Space/Used cn1=15 cn1Label=Percent Used cn2=180 cn2Label=retention period (days) cn3=2048 cn3Label=used (MB) cs2=CurrentValue cs2Label=timeframe dst=10.0.2.185 dvc=10.0.2.185 end=1585661238546 fileType=storageGroup fname=Default Storage Group fsize=13 geid=0 rt=1585661238546",
      1585661238546,
      "Local",
      "Logger",
      1585661364960,
      1585661238546,
      "CurrentValue",
      "10.0.2.185",
      "used (MB)",
      0,
      "7.0.0.8280.0",
      "Storage Group Space Used",
      "10.0.2.185",
      "ArcSight",
      "0",
      "Percent Used",
      "/Monitor/StorageGroup/Space/Used",
      1585661238546,
      "Default Storage Group",
      180,
      15,
      1,
      1585661238546,
      2048,
      "1",
      "13",
      "Logger",
      "storagegroup:100",
      "retention period (days)",
      "timeframe",
      "storageGroup"
    ],
    [
      "4BFEFD-87@Local",
      "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| cat=/Monitor/StorageGroup/Space/Used cn1=33 cn1Label=Percent Used cn2=365 cn2Label=retention period (days) cn3=1024 cn3Label=used (MB) cs2=CurrentValue cs2Label=timeframe dst=10.0.2.185 dvc=10.0.2.185 end=1585661238546 fileType=storageGroup fname=Internal Event Storage Group fsize=3 geid=0 rt=1585661238546",
      1585661238546,
      "Local",
      "Logger",
      1585661364960,
      1585661238546,
      "CurrentValue",
      "10.0.2.185",
      "used (MB)",
      0,
      "7.0.0.8280.0",
      "Storage Group Space Used",
      "10.0.2.185",
      "ArcSight",
      "0",
      "Percent Used",
      "/Monitor/StorageGroup/Space/Used",
      1585661238546,
      "Internal Event Storage Group",
      365,
      33,
      1,
      1585661238546,
      1024,
      "1",
      "3",
      "Logger",
      "storagegroup:100",
      "retention period (days)",
      "timeframe",
      "storageGroup"
    ]
  ]
}
```
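The JSON Result above is positional: "fields" declares the columns and every entry of "results" is a bare array whose n-th value belongs to the n-th field, with "date" values given as epoch milliseconds and the whole original event kept as a CEF string in "_raw". The following added example, which is not part of this document or of the integration's own code, turns such a response into named records and splits the CEF line into its header and extension pairs. It runs on a constructed, trimmed copy of the sample response; the header key names (device_vendor, signature_id and so on) are this example's own choice.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the JSON Result shown above, with the
# same shape ("fields" describes the columns, each entry of "results" is a
# positional row whose n-th value belongs to the n-th field).
SAMPLE_RESPONSE = json.loads("""
{
  "fields": [
    {"name": "_rowId", "type": "string", "alias": "_rowId"},
    {"name": "_raw", "type": "string", "alias": "_raw"},
    {"name": "Event Time", "type": "date", "alias": "Event Time"},
    {"name": "deviceVendor", "type": "string", "alias": "deviceVendor"},
    {"name": "deviceCustomNumber1", "type": "number", "alias": "deviceCustomNumber1"}
  ],
  "results": [
    ["4BFEFD-86@Local",
     "CEF:0|ArcSight|Logger|7.0.0.8280.0|storagegroup:100|Storage Group Space Used|1| cat=/Monitor/StorageGroup/Space/Used cn1=15 cn1Label=Percent Used cn3=2048 cn3Label=used (MB) dst=10.0.2.185 fname=Default Storage Group fsize=13",
     1585661238546, "ArcSight", 15]
  ]
}
""")

# The seven CEF header fields, in order; these key names are this example's own.
CEF_HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
                   "signature_id", "name", "severity")


def rows_as_dicts(response):
    """Turn the positional "results" rows into dicts keyed by field alias.

    Columns are read from "fields" instead of being hard-coded, because the
    column set changes with "Fields to Fetch" and "Discover fields". Values of
    type "date" (epoch milliseconds) become timezone-aware datetimes.
    """
    fields = response["fields"]
    rows = []
    for row in response["results"]:
        if len(row) != len(fields):
            raise ValueError(f"row has {len(row)} values but {len(fields)} fields were declared")
        record = {}
        for field, value in zip(fields, row):
            if field["type"] == "date" and isinstance(value, int):
                value = (datetime.fromtimestamp(value // 1000, tz=timezone.utc)
                         + timedelta(milliseconds=value % 1000))
            record[field["alias"]] = value
        rows.append(record)
    return rows


def parse_cef(raw):
    """Split a CEF line into its header fields and extension key/value pairs.

    The header is seven pipe-separated fields (a pipe escaped as backslash-pipe
    is not a separator); the extension is space-separated "key=value" pairs
    whose values may themselves contain spaces ("cn1Label=Percent Used"), so
    the split only happens in front of the next "key=" token.
    """
    if not raw.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", raw, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    header = dict(zip(CEF_HEADER_KEYS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = {}
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        if token:
            key, _, value = token.partition("=")
            extension[key] = value
    return {"header": header, "extension": extension}


def events_with_cef(response):
    """Each row as a dict, plus the parsed CEF of its _raw column under "cef"."""
    events = []
    for record in rows_as_dicts(response):
        record["cef"] = parse_cef(record["_raw"]) if "_raw" in record else None
        events.append(record)
    return events


if __name__ == "__main__":
    for event in events_with_cef(SAMPLE_RESPONSE):
        print(event["_rowId"], event["Event Time"].isoformat(),
              event["cef"]["extension"]["fname"])
```

Reading column positions from "fields" rather than assuming the order shown in the sample matters in practice: the order and the set of columns depend on which fields were requested and on whether field discovery was enabled, so a parser that hard-codes index 2 as the event time will silently mislabel data when the query changes.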
Case Wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail or stop a playbook execution: If status is set to "completed" and hit is greater than zero: "Successfully returned events for query "{0}" from the ArcSight Logger".format(query). If status is set to "completed" and hit is set to 0 (is_success == false): "Events were not found for query "{0}" in ArcSight Logger".format(query). If the status is set to error: "Unable to execute query "{0}" in ArcSight Logger".format(query). If status code is 409 in the first request: "Unable to execute query "{0}" in ArcSight Logger. Reason: {1}".format(query, errors/message from first response). Async output message: "Starting processing query {0} in ArcSight Logger".format(query). The action should fail and stop a playbook execution: If a fatal error (wrong credentials, connection error, action crashes) is reported: "Error executing action "Send Query". Reason: {0}".format(error.Stacktrace) | General |
Table | Table name: {Query} Columns: all of the available columns from the response. Look into the Action behavior section for more details. | General |