ArcSight Enterprise Security Manager
LAST UPDATED: SEPTEMBER 18, 2025
Overview
ArcSight Enterprise Security Manager (ESM) provides a big data analytics approach to enterprise security by transforming big data into actionable intelligence.
D3's integration with ArcSight ESM provides the ability to ingest security events based on a query viewer and manage active lists and entries.
D3 SOAR is providing REST operations to function with ArcSight Enterprise Security Manager.
ArcSight Enterprise Security Manager is available for use in:
Connection
To connect to ArcSight Enterprise Security Manager from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the ArcSight ESM instance. | https://***.***.***.***:1234 |
User Name | The Arcsight ESM account username for authentication. | admin |
Password | The Arcsight ESM account password for authentication. | ***** |
Permission Requirements
All endpoints in the ArcSight Enterprise Security Manager API require the Normal User permission scope.
READER NOTE
ArcSight Enterprise Security Manager’s default user profiles with description are as follows:
Normal User: Has full privileges to use the Command Center and ArcSight Console, and all tools. Only apply this user type to accounts that actually need access to the ArcSight Manager.
Management Tool: Has only the privileges needed to run certain management tools used in conjunction with network management products.
Forwarding Connector: Has only the privileges needed by the Forwarding Connector.
Archive Utility: Has only the privileges needed to run the archive utility. Access to specific resources is controlled through ACLs.
Connector Installer: A specialized identity used only to add SmartConnectors to the system.
Web User: Has privileges to use the Command Center only, not the ArcSight Console.
Please note that only the Normal User User Type can be used in order to use D3 connection and commands.
Configuring ArcSight Enterprise Security Manager to Work with D3 SOAR
ArcSight Command Center VS ArcSight Management Console
ArcSight is using both a client service (ArcSight Command Center) and a browser server (ArcSight Management Console).
ArcSight Command Center is a web interface for ArcSight ESM. The ESM server can be accessed via the ArcSight Console or a web browser (ArcSight Command Center). There are features users can view and perform in the Console but not in the Command Center, and vice versa.
ArcMC (ArcSight Management Console) is a single management interface for administering and monitoring.
If sufficient licensing is available on the ArcSight Management Console, it is recommended to use the ArcSight Management Console. To create additional users, create an analyst profile from the ArcSight Command Center. For more about the differences between ArcSight Command Center and ArcSight Management Console, see the linked user manuals above. D3 SOAR will require the ArcSight Management Console for configuration. Configured users can access the ArcSight Command Center.
Adding a New User with Permissions from the ArcSight Management Console
Connect to the ArcSight Management Console.
On the left sidebar, select the Resources tab. Select Users from the dropdown list. Alternatively, use the shortcut (Ctrl+Alt+U). Under Shortcuts, find the default admin at Users > Shared > Administrator. Optionally, use the default admin user or create a new user for the integration connection. To add a new user, right click the Administrator folder and select New User.
(Optional) Complete the configuration of the new user. Fill in the required fields (i.e., User ID, Password and Confirm) for the user. Select Normal User for User Type. It is highly recommended to input an E-mail for password recovery purposes. Click OK to confirm the configurations and create the user.
READER NOTE
The created user account can be used to access the ArcSight Command Center.
Configuring D3 SOAR to Work with ArcSight Enterprise Security Manager
Log in to D3 SOAR.
Find the ArcSight Enterprise Security Manager integration.
.png?inst-v=18d3a7e1-e76a-4a76-8c99-1863ec3d3efa)
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type ArcSight Enterprise Security Manager in the search box to find the integration, then click it to select it.
Click New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to ArcSight Enterprise Security Manager.
.png?inst-v=18d3a7e1-e76a-4a76-8c99-1863ec3d3efa)
Connection Name: The desired name for the connection.
Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): The description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: The checkbox that enables the connection to be used when selected.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the domain level Server URL.
2. Input the User Name.
3. Input the Password.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
.png?inst-v=18d3a7e1-e76a-4a76-8c99-1863ec3d3efa)
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click Add to create and add the configured connection.
Commands
ArcSight Enterprise Security Manager includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the ArcSight Enterprise Security Manager API, refer to the ArcSight Enterprise Security Manager API reference at https://<server address>/detect-api/#/.
READER NOTE
Certain permissions are required for each command. Refer to the Permission Requirements and Configuring ArcSight Enterprise Security Manager to Work with D3 SOAR for details.
Note for Time-related parameters
The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
-20241017-192013.png?inst-v=18d3a7e1-e76a-4a76-8c99-1863ec3d3efa)
Choose the desired date and time format, then click on the Save button.
-20241017-192025.png?inst-v=18d3a7e1-e76a-4a76-8c99-1863ec3d3efa)
The selected time format will now be visible when configuring Date/Time command input parameters.
Add Active List Entries
Adds new entries to the specified active list.
READER NOTE
Active List ID and Entries are required parameters to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Run the List Active List Entries command to view a list of all available entry fields. Entries can be found in the returned raw data at the path $.fields.
If the input entry fields and their order are different from the active list’s existing columns, the error message “Entries have different columns” will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Active List ID | Required | The ID of the active list to add the new entries. Active List IDs can be obtained using the List Active Lists command. | ***** |
Entries | Required | The entry object(s) to add to the specified active list. You may run the List Active List Entries command to view a list of all available fields in an active list. Note: The input entry fields and their order must match the existing columns and their order in the specified active list. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Active List Entries failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Add Active List Entries failed. Status Code: 404. Message: Resource Not Found. |
Clear Active List Entries
Clears all entries from the specified active list.
READER NOTE
Active List ID is a required parameter to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter | Required/Optional | Description | Example |
Active List ID | Required | The ID of the active list to clear all entries. Active List IDs can be obtained using the List Active Lists command. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Clear Active List Entries failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Clear Active List Entries failed. Status Code: 404. Message: Resource Not Found. |
Create Active List
Creates an active list.
READER NOTE
Parent Group ID is an optional parameter to run this command.
Run the Get Active List Path command to obtain Parent Group IDs. Parent Group IDs can be found in the path $.[*]pathToRoot.
Multiple active lists can be created with the same name.
Input
Input Parameter | Required/Optional | Description | Example |
Active List Name | Required | The name of the active list. | testAL |
Active List Display Name | Optional | The display name of the active list. If this parameter is not defined, the active list name will be the display name. | TESTAL |
Description | Optional | The description for the active list. | desc |
Multi-mapped | Optional | The option to enable the active list to have multiple instances of field pairings mapped to multiple values. If this parameter is not defined, the default value is False. | True |
Cache Model | Optional | The cache model used for the active list. The available options are Read Optimized, Write Synchronized and Unchanged. If this parameter is not defined, the default value is Read Optimized. | Read Optimized |
Active List Type | Required | The active list type (Event Based or Field Based). Event Based active lists are “fixed” while Field Based active lists are more flexible. Note: The Fields parameter is only available if Field Based is selected. The Active List Type cannot be modified after the active list has been created. Ensure you have selected the correct active list type. | Field Based |
Case Sensitive Type | Required | The case-sensitive setting to apply to the active list. The available case-sensitive types are Case Sensitive, Key Case Insensitive and Key and Value Insensitive. | Case Sensitive |
Parent Group ID | Optional | The ID of the group to assign the active list to. If this parameter is not defined, the active list will be created as Unassigned. Group IDs can be obtained using the Get Active List Path command. Note: The assigned group cannot be modified after the active list has been created. | ***** |
Fields | Optional | The JSON-formatted list of fields of the active list. Note: This parameter is only available when the selected Active List Type is Field Based. Fields cannot be modified after the active list has been created. Ensure you have input the correct fields. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Active List failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Create Active List failed. Status Code: 404. Message: Resource Not Found. |
Delete Active List Entries
Deletes select entries from the specified active list.
READER NOTE
Active List ID and Entries are required parameters to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Run the List Active List Entries command to view a list of all available entry fields. Entries can be found in the returned raw data at the path $.fields.
If the input entry fields and their order are different from the active list’s existing columns, the error message “Entries have different columns” will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Active List ID | Required | The ID of the active list to delete entries. Active List IDs can be obtained using the List Active Lists command. | ***** |
Entries | Required | The entry object(s) to delete from the specified active list. You may run the List Active List Entries command to view a list of all available fields in an active list. Note: The input entry fields and their order must match the existing columns and their order in the specified active list. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Active List Entries failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Delete Active List Entries failed. Status Code: 404. Message: Resource Not Found. |
Delete Active Lists
Deletes the specified active list(s).
READER NOTE
The parameter Active List IDs is required to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter | Required/Optional | Description | Example |
Active List IDs | Required | The ID(s) of the active list(s) to delete. Active List IDs can be obtained using the List Active Lists command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Active Lists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Delete Active Lists failed. Status Code: 404. Message: Resource Not Found. |
Fetch Event
Returns event(s) from the ArcSight ESM platform based on specified query view. Query views must be created from the ArcSight console first, after which the corresponding query viewer ID can be obtained using the Get Query Viewer command. "Event ID" and at least one other time field must be included in the data fields. Run the Get Query Viewer command and check the values under the “columnHeaders” key.
READER NOTE
Before inputting a Query Viewer ID for the Fetch Event command, use the Get Query Viewer command to check if it has an “Event ID” and at least one of the associated time-related fields. The fields will be returned under the “columnHeaders” key. See the list below for the time-related fields.
Query Time Type is an optional parameter to run this command. Some possible query time types (only the query time types listed in the returned result of running the Get Query Viewer command are applicable) are as follows:
Start Time
End Time
Agent Receipt Time
Manager Receipt Time
Device Time
Event Time
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Required | The start time of the time range to fetch events in UTC time. | 2022-11-01 00:00 |
End Time | Required | The end time of the time range to fetch events in UTC time. | 2022-11-02 00:00 |
Query Time Type | Optional | The time field to fetch events by. Run the Get Query Viewer command and refer to the returned raw data at the path $.data.columnHeaders for a list of available time fields (e.g. Manager Receipt Time). In most cases, Manager Receipt Time is treated as Event Time. Note: If this parameter is not defined, the default query time field is Manager Receipt Time. | Manager Receipt Time |
Number of Event(s) Fetched | Optional | The maximum number of the most recent results from the specified query viewer to return. If this parameter is not defined, 50 is the default value. | 10 |
Query Viewer IDs | Required | The IDs of the created query views to filter results. Query views must first be created on the ArcSight ESM user interface. Existing Query Viewer IDs can be obtained using the Get Query Viewer command. Note: It is recommended to limit the query time range (e.g. less than 30 days) when creating a query viewer from the ArcSight ESM user interface to reduce impact on performance. | ***** |
Tolerance Scope | Optional | The tolerance scope in minutes of the query to fetch events between start and end time to avoid the loss of events. Events will be fetched between {Start Time - Tolerance Scope, End Time}. | 10 |
Output
To view the sample output data for all commands, refer to this article.
Fetch Event Field Mapping
See Field Mappings.
The ArcSight Enterprise Security Manager system integration includes pre-configured field mappings for the default event source.
The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.
The Main Event JSON Path can be viewed by clicking on the Edit Main JSON Path button.
Main Event JSON Path: $
The root array contains the event objects. Within each object, the key eventId denotes the Unique Event Key field. As such, the full JSONPath expression to extract the Unique Event Key is $.eventId.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Model Confidence | .modelConfidence |
Relevance | .relevance |
Destination Device | .destination.hostname |
Destination IP address | .destination.address |
Destination port | .destination.port |
Destination MAC | .destination.macAddress |
Destination zone | .destination.zone.uri |
End Time | .endTime |
Unique Event Key | .eventId |
Event Type | .type |
Start Time | .startTime |
Description | .sessionId |
Receipt time | .managerReceiptTime |
Severity | .severity |
Source Device | .source.hostname |
Source IP address | .source.address |
Source port | .source.port |
Source MAC address | .source.macAddress |
Source Priority | .priority |
Source zone | .source.zone.uri |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Fetch Event failed. Status Code: 404. Message: Resource Not Found. |
Get Active List Path
Retrieves the full path of the specified active list(s). This command can be used to obtain the Group ID required for creating an active list. After running the command, refer to the returned key fields and compare the two path values of the ActiveListPaths and ActiveListURI key fields. These two path values correspond with each other.
For example,
“ActiveListURIs”: “/All Active Lists/ArcSight Administration/Devices/TESTAL1101g” “ActiveListPaths”: “01000124/0AhIKR==/0JDItt==/HxMdFN==” |
The group ID is displayed under “ActiveListPaths”. “01000124” is the group ID for “All Active Lists”, “0AhIKR==” is the group ID for “ArcSight Administration”, “0JDItt==” is the group ID for “Devices”. Please note the last path “TESTAL1101g” is the active list name and “HxMdFN==” is the corresponding active list ID.
READER NOTE
Active List IDs is a required parameter to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter | Required/Optional | Description | Example |
Active List IDs | Required | The ID(s) of the active list(s) to retrieve the full path to root. Active List IDs can be obtained using the List Active Lists command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Active List Path failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Get Active List Path failed. Status Code: 404. Message: Resource Not Found. |
Get Active Lists
Retrieves information of the specified active list(s) by Active List name or ID.
READER NOTE
The input parameter Active List Names Or IDs is required to run this command.
Run the List Active Lists command to obtain Active List Names Or IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId. Active List Names can be found in the returned raw data at the path $[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Active List Names Or IDs | Required | The name(s) or ID(s) of the active list to retrieve. Active List Names and IDs can be obtained using the List Active Lists command. If there are duplicate names or IDs, only the first active list with the same name or ID will be listed in the returned results. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Active Lists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Get Active Lists failed. Status Code: 404. Message: Resource Not Found. |
Get Events By IDs
Retrieves information of the specified event(s) by event ID.
READER NOTE
The parameter Event IDs is required to run this command.
You should already have the Event IDs before running the command. If you need to know the Event IDs for specific events, run the Fetch Event command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $[*].eventId. Only events from the past 36 months are retrievable.
Input
Input Parameter | Required /Optional | Description | Example |
Event IDs | Required | The ID(s) of the event(s) to retrieve. Event IDs can be obtained using the Fetch Event command. Note: Only events from the past 36 months are retrievable. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Events By IDs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Get Events By IDs failed. Status Code: 404. Message: Resource Not Found. |
Get Query Viewer
Retrieves information of the specified query viewer(s).
READER NOTE
Query Viewer Name Or ID is a required parameter to run this command.
Run the List Query Viewer IDs command to obtain Query Viewer Names/IDs. Query Viewer Names can be found in the returned raw data at the path $[*].name. Query Viewer IDs can be found in the returned raw data at the path $[*].resourceId. Alternatively, you can obtain the values from the ArcSight ESM user interface.
Input
Input Parameter | Required/Optional | Description | Example |
Query Viewer Name Or ID | Required | The name or ID of the query viewer to retrieve. Query Viewer Names and IDs can be obtained using the List Query Viewer command. If there are duplicate names or IDs, only the first query viewer with the same name or ID will be listed in the returned results. Note: Input query viewer names are case-sensitive. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Query Viewer failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Get Query Viewer failed. Status Code: 404. Message: Resource Not Found. |
List Active List Entries
Retrieves entries from the specified active list.
READER NOTE
Active List ID is a required parameter to run this command.
Run the List Active Lists command to obtain Active List ID. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter | Required /Optional | Description | Example |
Active List ID | Required | The ID of the active list to retrieve entries. Active List ID can be obtained using the List Active Lists command. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Active List Entries failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data List Active List Entries failed. Status Code: 404. Message: Resource Not Found. |
List Active Lists
Retrieves information on active lists. If Active List Name is not entered, all active lists will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Active List Name | Optional | The name of the active list to retrieve. This parameter can be used to search for all existing active lists with the same name. Note: This parameter is case-sensitive. | ipwatchlist |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Active Lists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data List Active Lists failed. Status Code: 404. Message: Resource Not Found. |
List Customers
Retrieves information of all customers.
Input
N/A
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Customers failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 500. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Get token failed. |
Error Sample Data List Customers failed. Status Code: 500. Message: Get token failed. |
List Query Viewers
Retrieves information on query viewers. If the Query Viewer Name parameter is not defined, all query viewers will be returned.
READER NOTE
Query Viewer Name is an optional parameter to run this command.
You should already have the query viewer name before running the command. If you need to know the query viewer name of a specific query viewer, run this command without any parameters defined to return a list of all query viewers. In the returned raw data, refer to the “displayName” key to view the corresponding query viewer names.
Input
Input Parameter | Required/Optional | Description | Example |
Query Viewer Name | Optional | The name of the query viewer to retrieve. This parameter can be used to search for all existing query viewers with the same name. Note: This parameter is case-sensitive. | Top Confidence in Suspicious Address |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Query Viewers failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data List Query Viewers failed. Status Code: 404. Message: Resource Not Found. |
Update Active List
Updates the specified active list. Note: You cannot modify the schema (i.e., fields and types) of a created list. A new active list must be created to do so.
READER NOTE
Active List ID is a required parameter to run this command.
Run the List Active Lists command to obtain List Active ID. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter | Required/Optional | Description | Example |
Active List ID | Required | The ID of the active list to update. Active List IDs can be obtained using the List Active Lists command. | ***** |
Active List Name | Optional | The updated name of the active list. | 1101h NEW NAME |
Active List Display Name | Optional | The updated display name of the active list. | 1101H_New |
Description | Optional | The updated description for the active list. | Update active list 1101h |
Capacity | Optional | The updated maximum capacity of the number of entries in the active list. The default value is 1,000,000. Note: The number of entries in an active list will affect memory usage. Ensure you have allocated sufficient memory to the JVM. | 1000 |
Entry Time To Live | Optional | The updated time to live (in seconds) of the active list’s entries. | 36000 |
Count Limit | Optional | The updated count limit for the active list. | 5000 |
Cache Model | Optional | The updated cache model used for the active list. The available options are Read Optimized, Write Synchronized and Unchanged. | Write Synchronized |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Active List failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Resource Not Found. |
Error Sample Data Update Active List failed. Status Code: 404. Message: Resource Not Found. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details. | Status Code: 500. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Get token failed. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 500. Message: Get token failed. |
Use Case
Create Active Lists, Add and Delete Active List Entries
Use the Create Active List command to create an active list with defined fields. The Add Active List Entries command can then be used to to assign values to those fields. The values can be removed using the Delete Active List Entries command.
Note:
Fields cannot be modified after an active list has been created.
When updating the field values with the Add Active List Entries command, the input entry fields and their order must match the existing fields and order on the specified active list.