Micro Focus ArcSight Enterprise Security Manager (ESM)
App Vendor: Micro Focus ArcSight Enterprise Security Manager (ESM)
App Category: Analytics & SIEM
Connector Version: 1.1.2
API Version: 1.0.0
About App
This app integrates with ArcSight, a suite of security information and event management (SIEM) tools. Micro Focus ArcSight Enterprise Security Manager (ESM) is described as the "brain" of the SIEM platform: a log analyzer and correlation engine designed to sift out the network events that matter.
The Micro Focus ArcSight Enterprise Security Manager (ESM) application is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Active List Service Entries | This action adds entries to the active list service. |
Get Active List IDs | This action retrieves a list of all active list IDs. |
Fetch Active List Service Details by ID | This action retrieves the details of an active list service by ID. |
Fetch Active List Service Entries | This action retrieves all the entries of an active list service. |
Fetch All Case IDs | This action retrieves details of all case IDs. |
Fetch Major Security Events Version | This action retrieves major version details of security events. |
Fetch Minor Security Events Version | This action retrieves minor version details of security events. |
Fetch Query Viewer ID | This action retrieves a list of query viewer IDs. |
Fetch Query Viewer Result | This action retrieves the result of a query by ID. |
Fetch Version Details | This action retrieves the ArcSight system version details. |
Get Case Details by Ticket ID | This action retrieves the details of a case by the ticket ID. |
Get Security Event Details | This action retrieves the details of a security event. |
Get Security Events as an Attachment | This action retrieves the security events as an attachment. |
Delete All Events Associated with a Case | This action deletes all events associated with a case. |
Get Case Details by Case ID | This action retrieves details of a case by the case ID. |
Update a Case | This action updates a case. |
Delete Entries | This action deletes entries in an active list. |
HTTP Configuration Parameters
The following configuration parameters are required to communicate with the Micro Focus ArcSight Enterprise Security Manager (ESM) enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ArcSight IP Address | Enter the ArcSight IP address. | Text | Required | |
Port | Enter the port value. | Text | Required | |
Username | Enter the username. | Text | Required | |
Password | Enter the password. | Password | Required | |
SSL Verify | Choose whether to verify the server's SSL certificate while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established with an endpoint whose identity has not been verified. | Boolean | Optional | Allowed values: True, False. Default value: False |
Protocol | Enter the internet protocol. Example: HTTP | Text | Required | Allowed values: HTTP, HTTPS |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Micro Focus ArcSight Enterprise Security Manager. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
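The configuration table above states the constraints an instance must satisfy (timeout range 15-120 with default 15, SSL Verify default False) and warns about disabling SSL verification. The following is an added example, not code from the connector or from Orchestrate; it checks an instance configuration against those documented constraints and flags the two settings that weaken transport security. The `EsmConfig` class, the HTTP/HTTPS allowed values and the port range are assumptions made for the example.

```python
"""Validate an ArcSight ESM connector instance configuration (added example)."""
from dataclasses import dataclass
from typing import List

# Documented constraints for the Timeout parameter.
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


@dataclass
class EsmConfig:
    """Mirrors the HTTP configuration parameters; this class is an assumption."""
    ip_address: str
    port: int
    username: str
    password: str
    protocol: str = "HTTPS"   # constructed default for this example
    ssl_verify: bool = False  # documented default value
    timeout: int = TIMEOUT_DEFAULT

    @property
    def base_url(self) -> str:
        return f"{self.protocol.lower()}://{self.ip_address}:{self.port}"


def validate(cfg: EsmConfig) -> List[str]:
    """Return a list of findings; an empty list means the configuration is acceptable."""
    findings = []
    required = (("ArcSight IP Address", cfg.ip_address),
                ("Username", cfg.username), ("Password", cfg.password))
    for name, value in required:
        if not value:
            findings.append(f"{name} is required")
    if not 1 <= cfg.port <= 65535:
        findings.append("Port must be between 1 and 65535")
    if cfg.protocol.upper() not in ("HTTP", "HTTPS"):  # assumed allowed values
        findings.append("Protocol must be HTTP or HTTPS")
    if not TIMEOUT_MIN <= cfg.timeout <= TIMEOUT_MAX:
        findings.append(f"Timeout must be in range {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    # Transport-security checks: the username and password travel over this connection.
    if cfg.protocol.upper() == "HTTP":
        findings.append("Protocol HTTP sends the username and password in clear text; use HTTPS")
    elif not cfg.ssl_verify:
        findings.append("SSL Verify is off: the server certificate is not checked, "
                        "so the endpoint identity is unverified")
    return findings
```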
Action: Add Active List Service Entries
This action adds entries to the active list service.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Active List ID | Enter the active list ID. Example: 5MMZP8+8AABCASu1RhdKCOQ== | Text | Required | You can retrieve this using the action Get Active List IDs. |
Field Names of Active List | Enter the field names for the active list in a list. Example: IP | Any | Required | |
Entries | Enter the entries in a list. Example: 10.9.0.0 | Any | Required | |
Action: Delete Entries
This action deletes entries in an active list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource ID | Enter the resource ID. | Text | Required | |
Column Names | Enter the column names. | Any | Required | |
Entries | Enter the entries as a list. Each entry must contain the same columns as the active list. | List | Required | |
Action: Get Active List IDs
This action retrieves a list of all active list IDs.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Active List Service Details by ID
This action retrieves the details of an active list service by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Active List Service ID | Enter the active list service ID. | Text | Required | |
Action: Fetch Active List Service Entries
This action retrieves all entries of an active list service.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Active List ID | Enter the active list ID. Example: 5MMZP8+8AABCASu1RhdKCOQ== | Text | Required | You can retrieve this using the action Get Active List IDs. |
Action: Fetch All Case IDs
This action retrieves details of all case IDs.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Major Security Events Version
This action retrieves major version details of security events.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Minor Security Events Version
This action retrieves minor version details of security events.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Query Viewer ID
This action retrieves a list of query viewer IDs.
Action Input Parameters
This action does not require any input parameter.
Action: Fetch Query Viewer Result
This action retrieves the result of a query by ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Viewer ID | Enter the query viewer ID. Example: 5MMZP8+8AABCASu1RhdKCOQ== | Text | Required | You can retrieve this using the action Fetch Query Viewer ID. |
Keys | Enter the keys to retrieve values from the results in a list. Example: ['name', 'id'] | Any | Required | |
Action: Fetch Version Details
This action retrieves the ArcSight system version details.
Action Input Parameters
This action does not require any input parameter.
Action: Get Case Details by Ticket ID
This action retrieves details of a case by the ticket ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Ticket ID | Enter the ticket ID. Example: 5MMZP8+8AABCASu1RhdKCOQ== | Text | Required | |
Action: Get Security Event Details
This action retrieves the details of a security event.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event ID. Example: 5MMZP8+8AABCASu1RhdKCOQ== | Any | Required | |
Start Time | Enter the start time in epoch format. Example: 1567002694847 | Text | Optional | |
End Time | Enter the end time in epoch format. Example: 1567002694847 | Text | Optional | Default value: -1 |
Action: Get Security Events as an Attachment
This action retrieves security events as an attachment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Security Event IDs | Enter the list of security event IDs. | Any | Required | |
Start Time | Enter the start time in epoch format. Example: 1567002694847 | Text | Optional | Default value: -1 |
End Time | Enter the end time in epoch format. Example: 1567002694847 | Text | Optional | Default value: -1 |
Action: Delete All Events Associated with a Case
This action deletes all events associated with a case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Ticket ID | Enter the ticket ID. | Text | Required | |
Action: Get Case Details by Case ID
This action retrieves details of a case by the case ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID. | Text | Required | You can retrieve this using the action Fetch All Case IDs. |
Action: Update a Case
This action updates a case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case Name | Enter the case name to be updated. This parameter accepts the exact dictionary of the case. | Any | Required | |