ArcSight Enterprise Security Manager (ESM) provides a big data analytics approach to enterprise security by transforming big data into actionable intelligence.
D3's integration with ArcSight ESM provides the ability to ingest security events based on a query viewer and manage active lists and entries.
D3 SOAR is providing REST operations to function with ArcSight Enterprise Security Manager.
ArcSight Enterprise Security Manager is available for use in:
To connect to ArcSight Enterprise Security Manager from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
The server URL of the ArcSight ESM instance.
https://***.***.***.***:1234
User Name
The Arcsight ESM account username for authentication.
admin
Password
The Arcsight ESM account password for authentication.
*****
Permission Requirements
All endpoints in the ArcSight Enterprise Security Manager API require the Normal User permission scope.
READER NOTE
ArcSight Enterprise Security Manager’s default user profiles with description are as follows:
Normal User: Has full privileges to use the Command Center and ArcSight Console, and all tools. Only apply this user type to accounts that actually need access to the ArcSight Manager.
Management Tool: Has only the privileges needed to run certain management tools used in conjunction with network management products.
Forwarding Connector: Has only the privileges needed by the Forwarding Connector.
Archive Utility: Has only the privileges needed to run the archive utility. Access to specific resources is controlled through ACLs.
Connector Installer: A specialized identity used only to add SmartConnectors to the system.
Web User: Has privileges to use the Command Center only, not the ArcSight Console.
Please note that only the Normal User User Type can be used in order to use D3 connection and commands.
Configuring ArcSight Enterprise Security Manager to Work with D3 SOAR
ArcSight Command Center VS ArcSight Management Console
ArcSight is using both a client service (ArcSight Command Center) and a browser server (ArcSight Management Console).
ArcSight Command Center is a web interface for ArcSight ESM. You can access the ESM server via the ArcSight Console or a web browser (ArcSight Command Center). There are features you can view and perform in the Console but not in the Command Center, and vice versa.
ArcMC (ArcSight Management Console) is a single management interface for administering and monitoring.
If you have sufficient licensing on the ArcSight Management Console, it is recommended to use the ArcSight Management Console. If you need to create more users on the console, create an analyst profile from the ArcSight Command Center. For more about the differences between ArcSight Command Center and ArcSight Management Console, see the linked user manuals above. D3 SOAR will require the ArcSight Management Console for configuration. Configured users can access the ArcSight Command Center.
Adding a New User with Permissions from the ArcSight Management Console
Connect to the ArcSight Management Console.
On the left sidebar, select the Resources tab. Select Users from the dropdown list. Alternatively, you can use the shortcut (Ctrl+Alt+U). Under Shortcuts, find the default admin at Users > Shared > Administrator. You may use the default admin user or create a new user for the integration connection. To add a new user, right click the Administrator folder and select New User.
(Optional) Complete the configuration of the new user. Fill in the required fields (i.e., User ID, Password and Confirm) for the user. Select Normal User for User Type. It is highly recommended to input an E-mail for password recovery purposes. Click OK to confirm your configurations and create the user.
READER NOTE
The created user account can be used to access the ArcSight Command Center.
Configuring D3 SOAR to Work with ArcSight Enterprise Security Manager
Log in to D3 SOAR.
Find the ArcSight Enterprise Security Manager integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type ArcSight Enterprise Security Manager in the search box to find the integration, then click it to select it.
Click New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to ArcSight Enterprise Security Manager.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. 1. Input your domain level Server URL. 2. Input your User Name. 3. Input your Password.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click Add to create and add the configured connection.
Commands
ArcSight Enterprise Security Manager includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the ArcSight Enterprise Security Manager API, please refer to the ArcSight Enterprise Security Manager API reference at https://<server address>/detect-api/#/.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Add Active List Entries
Adds new entries to the specified active list.
READER NOTE
Active List ID and Entries are required parametersto run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Run the List Active List Entries command to view a list of all available entry fields. Entries can be found in the returned raw data at the path $.fields.
If the input entry fields and their order are different from the active list’s existing columns, the error message “Entries have different columns” will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Active List ID
Required
The ID of the active list to add the new entries. Active List IDs can be obtained using the List Active Lists command.
*****
Entries
Required
The entry object(s) to add to the specified active list. You may run the List Active List Entries command to view a list of all available fields in an active list. Note: The input entry fields and their order must match the existing columns and their order in the specified active list.
JSON
[ { "hostName": "*****", "EventID": "*****" } ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
fields
hostName
StartTime
LastEventReceived
EventID
entries
{'fields': ['*****', '', '', '*****']}
Error Handling
If the Return Data or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Active List Entries failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Add Active List Entries failed.
Status Code: 404.
Message: Resource Not Found.
Clear Active List Entries
Clears all entries from the specified active list.
READER NOTE
Active List ID is a required parameterto run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter
Required/Optional
Description
Example
Active List ID
Required
The ID of the active list to clear all entries. Active List IDs can be obtained using the List Active Lists command.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
fields
hostName
StartTime
LastEventReceived
EventID
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Clear Active List Entries failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Clear Active List Entries failed.
Status Code: 404.
Message: Resource Not Found.
Create Active List
Creates an active list.
READER NOTE
Parent Group ID is an optional parameter to run this command.
Run the Get Active List Path command to obtain Parent Group IDs. Parent Group IDs can be found in the path $.[*]pathToRoot.
You can create multiple active lists with the same name.
Input
Input Parameter
Required/Optional
Description
Example
Active List Name
Required
The name of the active list.
testAL
Active List Display Name
Optional
The display name of the active list. If this parameter is not defined, the active list name will be the display name.
TESTAL
Description
Optional
The description for the active list.
desc
Multi-mapped
Optional
The option to enable the active list to have multiple instances of field pairings mapped to multiple values. If this parameter is not defined, the default value is False.
True
Cache Model
Optional
The cache model used for the active list. The available options are Read Optimized, Write Synchronized and Unchanged. If this parameter is not defined, the default value is Read Optimized.
Read Optimized
Active List Type
Required
The active list type (Event Based or Field Based). Event Based active lists are “fixed” while Field Based active lists are more flexible.
Note:
The Fields parameter is only available if Field Based is selected.
The Active List Type cannot be modified after the active list has been created. Ensure you have selected the correct active list type.
Field Based
Case Sensitive Type
Required
The case-sensitive setting to apply to the active list. The available case-sensitive types are Case Sensitive, Key Case Insensitive and Key and Value Insensitive.
Case Sensitive
Parent Group ID
Optional
The ID of the group to assign the active list to. If this parameter is not defined, the active list will be created as Unassigned. Group IDs can be obtained using the Get Active List Path command.
Note: The assigned group cannot be modified after the active list has been created.
*****
Fields
Optional
The JSON-formatted list of fields of the active list.
Note:
This parameter is only available when the selected Active List Type is Field Based.
Fields cannot be modified after the active list has been created. Ensure you have input the correct fields.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Create Active List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Create Active List failed.
Status Code: 404.
Message: Resource Not Found.
Delete Active List Entries
Deletes select entries from the specified active list.
READER NOTE
Active List ID and Entries are required parametersto run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Run the List Active List Entries command to view a list of all available entry fields. Entries can be found in the returned raw data at the path $.fields.
If the input entry fields and their order are different from the active list’s existing columns, the error message “Entries have different columns” will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Active List ID
Required
The ID of the active list to delete entries. Active List IDs can be obtained using the List Active Lists command.
*****
Entries
Required
The entry object(s) to delete from the specified active list. You may run the List Active List Entries command to view a list of all available fields in an active list. Note: The input entry fields and their order must match the existing columns and their order in the specified active list.
JSON
[ { "hostName": "*****", "EventID": "*****" } ]
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
fields
hostName
StartTime
LastEventReceived
EventID
entries
{'fields': [*****', '', '', '*****']}
{'fields': ['*****', '', '', '*****']}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Active List Entries failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Delete Active List Entries failed.
Status Code: 404.
Message: Resource Not Found.
Delete Active Lists
Deletes the specified active list(s).
READER NOTE
The parameter Active List IDs is required to run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter
Required/Optional
Description
Example
Active List IDs
Required
The ID(s) of the active list(s) to delete. Active List IDs can be obtained using the List Active Lists command.
JSON
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"resourceId": "*****",
"Status": "204 No Content",
"Message": "Resource Is deleted successfully."
}
]
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
RESOURCEID
STATUS
MESSAGE
*****
204 No Content
Resource Is deleted successfully.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Active Lists failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Delete Active Lists failed.
Status Code: 404.
Message: Resource Not Found.
Fetch Event
Returns event(s) from the ArcSight ESM platform based on specified query view. Query views must be created from the ArcSight console first, after which the corresponding query viewer ID can be obtained using the Get Query Viewer command. "Event ID" and at least one other time field must be included in the data fields. Run the Get Query Viewer command and check the values under the “columnHeaders” key.
READER NOTE
Before inputting a Query Viewer ID for the Fetch Event command, use the Get Query Viewer command to check if it has an “Event ID” and at least one of the associated time-related fields. The fields will be returned under the “columnHeaders” key. See the list below for the time-related fields.
Query Time Type is an optional parameter to run this command. Some possible query time types (only the query time types listed in the returned result of running the Get Query Viewer command are applicable) are as follows:
Start Time
End Time
Agent Receipt Time
Manager Receipt Time
Device Time
Event Time
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to fetch events in UTC time.
2022-11-01 00:00
End Time
Required
The end time of the time range to fetch events in UTC time.
2022-11-02 00:00
Query Time Type
Optional
The time field to fetch events by. Run the Get Query Viewer command and refer to the returned raw data at the path $.data.columnHeadersfor a list of available time fields (e.g. Manager Receipt Time). In most cases, Manager Receipt Time is treated as Event Time.
Note: If this parameter is not defined, the default query time field is Manager Receipt Time.
Manager Receipt Time
Number of Event(s) Fetched
Optional
The maximum number of the most recent results from the specified query viewer to return. If this parameter is not defined, 50 is the default value.
10
Query Viewer IDs
Required
The IDs of the created query views to filter results. Query views must first be created on the ArcSight ESM user interface. Existing Query Viewer IDs can be obtained using the Get Query Viewer command.
Note: It is recommended to limit the query time range (e.g. less than 30 days) when creating a query viewer from the ArcSight ESM user interface to reduce impact on performance.
*****
Tolerance Scope
Optional
The tolerance scope in minutes of the query to fetch events between start and end time to avoid the loss of events. Events will be fetched between {Start Time - Tolerance Scope, End Time}.
10
Output
Return Data
Indicates one of the possible command execution states: Successful, Successful with No Event Data, or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the ArcSight Enterprise Security Manager integration has some pre-configured field mappings for default field mapping.
Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events . The default event source has a “Main Event JSON Path” (i.e., $) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the “Main Event JSON Path”.
Main Event JSON Path: $
The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
For example, the root node of a JSON Path is $. The child node denoting the Unique Event Key field would be eventId. Putting it together, the JSON Path expression to extract the Unique Event Key is $.eventId.
The pre-configured field mappings are detailed below:
Field Name
Source Field
Model Confidence
.modelConfidence
Relevance
.relevance
Destination Device
.destination.hostname
Destination IP address
.destination.address
Destination port
.destination.port
Destination MAC
.destination.macAddress
Destination zone
.destination.zone.uri
End Time
.endTime
Unique Event Key
.eventId
Event Type
.type
Start Time
.startTime
Description
.sessionId
Receipt time
.managerReceiptTime
Severity
.severity
Source Device
.source.hostname
Source IP address
.source.address
Source port
.source.port
Source MAC address
.source.macAddress
Source Priority
.priority
Source zone
.source.zone.uri
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Fetch Event failed.
Status Code: 404.
Message: Resource Not Found.
Get Active List Path
Retrieves the full path of the specified active list(s). This command can be used to obtain the Group ID required for creating an active list. After running the command, refer to the returned key fields and compare the two path values of the ActiveListPaths and ActiveListURI key fields. These two path values correspond with each other.
For example,
“ActiveListURIs”: “/All Active Lists/ArcSight Administration/Devices/TESTAL1101g”
The group ID is displayed under “ActiveListPaths”. “01000124” is the group ID for “All Active Lists”, “0AhIKR==” is the group ID for “ArcSight Administration”, “0JDItt==”is the group ID for“Devices”. Please note the last path “TESTAL1101g” is the active list name and “HxMdFN==” is the corresponding active list ID.
READER NOTE
Active List IDs is a required parameterto run this command.
Run the List Active Lists command to obtain Active List IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter
Required/Optional
Description
Example
Active List IDs
Required
The ID(s) of the active list(s) to retrieve the full path to root. Active List IDs can be obtained using the List Active Lists command.
JSON
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Active List Path failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Get Active List Path failed.
Status Code: 404.
Message: Resource Not Found.
Get Active Lists
Retrieves information of the specified active list(s) by Active List name or ID.
READER NOTE
The input parameter Active List Names Or IDs is required to run this command.
Run the List Active Lists command to obtain Active List Names Or IDs. Active List IDs can be found in the returned raw data at the path $[*].resourceId. Active List Names can be found in the returned raw data at the path $[*].name.
Input
Input Parameter
Required/Optional
Description
Example
Active List Names Or IDs
Required
The name(s) or ID(s) of the active list to retrieve. Active List Names and IDs can be obtained using the List Active Lists command. If there are duplicate names or IDs, only the first active list with the same name or ID will be listed in the returned results.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"ActiveListNames": [
"All Monitored Devices"
],
"ActiveListIDs": [
"*****"
],
"ActiveListURIs": [
"/*****"
],
"Descriptions": [
"This active list is populated by the All Monitored Devices rule. The active list stores entries for 365 days and is used by queries to retrieve device activity information by dashboards and reports."
]
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed. The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
RESOURCEID
*****
NAME
All Monitored Devices
DESCRIPTION
This active list is populated by the All Monitored Devices rule. The active list stores entries for 365 days and is used by queries to retrieve device activity information by dashboards and reports.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Active Lists failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Get Active Lists failed.
Status Code: 404.
Message: Resource Not Found.
Get Events By IDs
Retrieves information of the specified event(s) by event ID.
READER NOTE
The parameter Event IDs is required to run this command.
You should already have the Event IDs before running the command. If you need to know the Event IDs for specific events, run the Fetch Event command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $[*].eventId. Only events from the past 36 months are retrievable.
Input
Input Parameter
Required /Optional
Description
Example
Event IDs
Required
The ID(s) of the event(s) to retrieve. Event IDs can be obtained using the Fetch Event command. Note: Only events from the past 36 months are retrievable.
JSON
[ "*****" ]
Output
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Events By IDs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Get Events By IDs failed.
Status Code: 404.
Message: Resource Not Found.
Get Query Viewer
Retrieves information of the specified query viewer(s).
READER NOTE
Query Viewer Name Or ID is a required parameterto run this command.
Run the List Query Viewer IDs command to obtain Query Viewer Names/IDs. Query Viewer Names can be found in the returned raw data at the path $[*].name. Query Viewer IDs can be found in the returned raw data at the path $[*].resourceId. Alternatively, you can obtain the values from the ArcSight ESM user interface.
Input
Input Parameter
Required/Optional
Description
Example
Query Viewer Name Or ID
Required
The name or ID of the query viewer to retrieve. Query Viewer Names and IDs can be obtained using the List Query Viewer command. If there are duplicate names or IDs, only the first query viewer with the same name or ID will be listed in the returned results.
Note: Input query viewer names are case-sensitive.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Query Viewer failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Get Query Viewer failed.
Status Code: 404.
Message: Resource Not Found.
List Active List Entries
Retrieves entries from the specified active list.
READER NOTE
Active List ID is a required parameterto run this command.
Run the List Active Lists command to obtain Active List ID. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter
Required /Optional
Description
Example
Active List ID
Required
The ID of the active list to retrieve entries. Active List ID can be obtained using the List Active Lists command.
*****
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
fields
hostName
StartTime
LastEventReceived
EventID
entries
{'fields': ['*****', '', '', '*****']}
{'fields': ['*****', '', '', '*****']}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Active List Entries failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
List Active List Entries failed.
Status Code: 404.
Message: Resource Not Found.
List Active Lists
Retrieves information on active lists. If Active List Name is not entered, all active lists will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Active List Name
Optional
The name of the active list to retrieve. This parameter can be used to search for all existing active lists with the same name. Note: This parameter is case-sensitive.
ipwatchlist
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"ActiveListNames": [
"All Monitored Devices"
],
"ActiveListIDs": [
"*****"
],
"ActiveListURIs": [
"/*****"
],
"Descriptions": [
"This active list is populated by the All Monitored Devices rule. The active list stores entries for 365 days and is used by queries to retrieve device activity information by dashboards and reports."
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
RESOURCEID
*****
NAME
All Monitored Devices
DESCRIPTION
This active list is populated by the All Monitored Devices rule. The active list stores entries for 365 days and is used by queries to retrieve device activity information by dashboards and reports.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Active Lists failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
List Active Lists failed.
Status Code: 404.
Message: Resource Not Found.
List Customers
Retrieves information of all customers.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks. can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Customers failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 500.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Get token failed.
Error Sample Data
List Customers failed.
Status Code: 500.
Message: Get token failed.
List Query Viewers
Retrieves information on query viewers. If the Query Viewer Name parameter is not defined, all query viewers will be returned.
READER NOTE
Query Viewer Name is an optional parameter to run this command.
You should already have the query viewer name before running the command. If you need to know the query viewer name of a specific query viewer, run this command without any parameters defined to return a list of all query viewers. In the returned raw data, refer to the “displayName” key to view the corresponding query viewer names.
Input
Input Parameter
Required/Optional
Description
Example
Query Viewer Name
Optional
The name of the query viewer to retrieve. This parameter can be used to search for all existing query viewers with the same name. Note: This parameter is case-sensitive.
Top Confidence in Suspicious Address
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
"*****",
"*****",
"*****",
"*****",
"*****"
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"QueryViewerIDs": [
"*****"
]
}
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
resourceId
*****
name
Top Confidence in Suspicious Address
description
This query viewer displays top confidence entries in the suspicious address list.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Query Viewers failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
List Query Viewers failed.
Status Code: 404.
Message: Resource Not Found.
Update Active List
Updates the specified active list. Note: You cannot modify the schema (i.e., fields and types) of a created list. A new active list must be created to do so.
READER NOTE
Active List ID is a required parameter to run this command.
Run the List Active Lists command to obtain List Active ID. Active List IDs can be found in the returned raw data at the path $[*].resourceId.
Input
Input Parameter
Required/Optional
Description
Example
Active List ID
Required
The ID of the active list to update. Active List IDs can be obtained using the List Active Lists command.
*****
Active List Name
Optional
The updated name of the active list.
1101h NEW NAME
Active List Display Name
Optional
The updated display name of the active list.
1101H_New
Description
Optional
The updated description for the active list.
Update active list 1101h
Capacity
Optional
The updated maximum capacity of the number of entries in the active list. The default value is 1,000,000. Note: The number of entries in an active list will affect memory usage. Ensure you have allocated sufficient memory to the JVM.
1000
Entry Time To Live
Optional
The updated time to live (in seconds) of the active list’s entries.
36000
Count Limit
Optional
The updated count limit for the active list.
5000
Cache Model
Optional
The updated cache model used for the active list. The available options are Read Optimized, Write Synchronized and Unchanged.
Write Synchronized
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"ActiveListName": "1101h NEW NAME",
"ActiveListID": "*****",
"ActiveListURI": "/*****",
"Description": "Update active list 1101h"
}
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Update Active List failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Resource Not Found.
Error Sample Data
Update Active List failed.
Status Code: 404.
Message: Resource Not Found.
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
SAMPLE DATA
CODE
Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Test Connection failed. Failed to check the connector.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ArcSight Enterprise Security Manager portal. Refer to the HTTP Status Code Registry for details.
Status Code: 500.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Get token failed.
Error Sample Data
Test Connection failed. Failed to check the connector.
Status Code: 500.
Message: Get token failed.
Use Case
Create Active Lists, Add and Delete Active List Entries
You can use the Create Active List command to create an active list with defined fields. The Add Active List Entries command can then be used to to assign values to those fields. The values can be removed using the Delete Active List Entries command.
Note:
Fields cannot be modified after an active list has been created.
When updating the field values with the Add Active List Entries command, the input entry fields and their order must match the existing fields and order on the specified active list.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
.png?inst-v=14315ac1-e236-4137-b3db-d5c917e51e5f)
.png?inst-v=14315ac1-e236-4137-b3db-d5c917e51e5f)
.png?inst-v=14315ac1-e236-4137-b3db-d5c917e51e5f)
-20241017-192013.png?inst-v=14315ac1-e236-4137-b3db-d5c917e51e5f)
-20241017-192025.png?inst-v=14315ac1-e236-4137-b3db-d5c917e51e5f)
