Skip to content

bpluta-splunk/archer

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

174 Commits
.github/workflows
.github/workflows
 
 
release_notes
release_notes
 
 
wheels
wheels
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
README.md
README.md
 
 
__init__.py
__init__.py
 
 
archer.json
archer.json
 
 
archer_connector.py
archer_connector.py
 
 
archer_consts.py
archer_consts.py
 
 
archer_soap.py
archer_soap.py
 
 
archer_utils.py
archer_utils.py
 
 
archer_views.py
archer_views.py
 
 
get_ticket.html
get_ticket.html
 
 
list_tickets.html
list_tickets.html
 
 
logo_rsa.svg
logo_rsa.svg
 
 
logo_rsa_dark.svg
logo_rsa_dark.svg
 
 
manual_readme_content.md
manual_readme_content.md
 
 
phantom_utils.py
phantom_utils.py
 
 
requirements.txt
requirements.txt
 
 
tox.ini
tox.ini
 
 

Repository files navigation

RSA Archer

Publisher: Splunk
Connector Version: 2.2.0
Product Vendor: RSA
Product Name: Archer GRC
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.3

This app implements ticket management actions on RSA Archer GRC

When configuring the CEF to Archer mapping (cef_mapping), include the following...

  • The name of the application (e.g. Incidents)
  • The name of the tracking ID field (e.g. Incident ID)
  • Separate entries for each field that should go into the CEF of an artifact

When done, your mapping will take the names of Archer fields and map them into the CEF of an artifact. It should look something like the following...

{
    "application": "Incidents",
    "tracking": "Incident ID",
    "Status": "status",
    "Category": "category",
    "Details": "details",
    "Archer field name": "CEF name"
    ...
}

Where Status, Category, Details, etc. are fields that exist in your Archer Application that you would like to import.
Certain field types and attachments from Archer are not currently supported. If a field is specified both in the cef_mapping and in the excluded fields list, the field will be excluded and not ingested.

Scheduled | Interval polling

  • During scheduled | interval polling, for the first run, the app will start from the first record and will ingest a maximum of 100 records per poll. Then it remembers the last page and content id and stores it in the state file against the key 'last_page' & 'max_content_id'. For the following scheduled ingestions, it will consider the last_page stored in the state file and will ingest the next 100 records based on the provided Application.

Manual polling

  • During manual polling, the app will start from the recently created record and will ingest up to the number of records specified in the 'Maximum containers' parameter.

Explanation of the [User's Domain] asset configuration parameter

  • This asset configuration parameter affects [test connectivity] and all the other actions of the application.
  • When the value of this asset parameter is specified, the application will consider the user specified in the asset parameter [username] as the domain user of a given domain, and all the actions will be executed with the domain user session token created while running the action.
  • The user will be considered as a local user when the value of this parameter is not present. And if the local user attempts to change/add any of the field value(fields that expect the username value) with the domain user, then the action will fail because it requires a domain user session token to look up the domain user. And this token is generated only if the test connectivity is successfully run by the domain user.

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Archer GRC asset in SOAR.

VARIABLE REQUIRED TYPE DESCRIPTION
endpoint_url required string API endpoint (e.g., http://host/RSAarcher)
instance_name required string Instance name (e.g., Default)
username required string Username
password required password Password
verify_ssl optional boolean Verify server certificate
cef_mapping optional string CEF to Archer mapping
exclude_fields optional string Fields to exclude (comma separated)
domain optional string User's Domain

Supported Actions

test connectivity - Validate the asset configuration for connectivity and field mapping
create ticket - Create a new ticket
update ticket - Update the value of a field of a record
get ticket - Get ticket information
list tickets - Get a list of tickets in an application
on poll - Callback action for the on_poll ingest functionality

action: 'test connectivity'

Validate the asset configuration for connectivity and field mapping

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'create ticket'

Create a new ticket

Type: generic
Read only: False

JSON specifying the field names and values for a new Archer record \(key/value pairs\)\. For Cross\-Reference fields, the value must be the content id of the referenced content\.

Create record sample JSON\: 

\{ "Incident Summary"\: "test incident summary data", "Incident Owner"\: "susan" \}

Parameter application is case\-sensitive\.

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
application required Application/Module name (e.g. Incidents) string archer application
json_string required JSON data string string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.application string archer application
action_result.parameter.json_string string
action_result.data.*.content_id numeric archer content id
action_result.summary.content_id numeric archer content id
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'update ticket'

Update the value of a field of a record

Type: generic
Read only: False

There are multiple ways of locating a ticket to update. You must either give the content ID for the record, which can be obtained from Archer, or by specifying both the name of the Tracking ID field (name_field) and the Tracking ID (name_value). If all three parameters are provided, the content ID will be used as an overriding parameter to fetch the ticket. Parameters application, name_field, name_value, field_id, and value are case-sensitive.

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
application required Application/Module name (e.g. Incidents) string archer application
content_id optional Content ID (Identifies the specific record) numeric archer content id
name_field optional Name of Tracking ID field (e.g. "Incident ID") string
name_value optional Name of record (e.g. "INC-1234") string archer user friendly id
field_id required ID or name of the field to update in the record string
value required New value of the record's field string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.application string archer application
action_result.parameter.content_id numeric archer content id
action_result.parameter.field_id string
action_result.parameter.name_field string
action_result.parameter.name_value string archer user friendly id
action_result.parameter.value string
action_result.data string
action_result.summary.content_id numeric archer content id
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get ticket'

Get ticket information

Type: investigate
Read only: True

There are multiple ways of locating a ticket to update. You must either give the content ID for the record, which can be obtained from Archer, or by specifying both the name of the Tracking ID field (name_field) and the Tracking ID (name_value). If all three parameters are provided, the content ID will be used as an overriding parameter to fetch the ticket. Parameters application, name_field, and name_value are case-sensitive.

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
application required Application/Module name (e.g. Incidents) string archer application
content_id optional Content ID (Identifies the specific record) numeric archer content id
name_field optional Name of Tracking ID field (e.g. "Incident ID") string
name_value optional Name of record (e.g. "INC-1234") string archer user friendly id

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.application string archer application
action_result.parameter.content_id numeric archer content id
action_result.parameter.name_field string
action_result.parameter.name_value string archer user friendly id
action_result.data.*.@contentId numeric archer content id
action_result.data.*.@moduleId numeric
action_result.data.*.Record.@id string
action_result.data.*.Record.@sequentialId string
action_result.data.*.Record.@updateDate string
action_result.data.*.Record.@updateLogin string
action_result.data.*.Record.Field.*.@height string
action_result.data.*.Record.Field.*.@id string
action_result.data.*.Record.Field.*.@name string
action_result.data.*.Record.Field.*.@parentId string
action_result.data.*.Record.Field.*.@type string
action_result.data.*.Record.Field.*.@updateDate string
action_result.data.*.Record.Field.*.@updateLogin string
action_result.data.*.Record.Field.*.@value string ip
action_result.data.*.Record.Field.*.@valueID string
action_result.data.*.Record.Field.*.@width string
action_result.data.*.Record.Field.*.Groups.Group.*.@desc string
action_result.data.*.Record.Field.*.Groups.Group.*.@id string
action_result.data.*.Record.Field.*.Groups.Group.*.@name string
action_result.data.*.Record.Field.*.Groups.Group.*.@updateDate string
action_result.data.*.Record.Field.*.Groups.Group.*.@updateLogin string
action_result.data.*.Record.Field.*.Groups.Group.@desc string
action_result.data.*.Record.Field.*.Groups.Group.@id string
action_result.data.*.Record.Field.*.Groups.Group.@name string
action_result.data.*.Record.Field.*.Groups.Group.@updateDate string
action_result.data.*.Record.Field.*.Groups.Group.@updateLogin string
action_result.data.*.Record.Field.*.Record.*.@id string
action_result.data.*.Record.Field.*.Record.*.@levelId string
action_result.data.*.Record.Field.*.Record.*.Field.*.@id string
action_result.data.*.Record.Field.*.Record.*.Field.*.@parentId string
action_result.data.*.Record.Field.*.Record.*.Field.*.@type string
action_result.data.*.Record.Field.*.Record.*.Field.*.@value string
action_result.data.*.Record.Field.*.Record.*.Field.*.@valueID string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@firstName string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@id string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@lastName string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@middleName string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@updateDate string
action_result.data.*.Record.Field.*.Record.*.Field.*.Users.User.@updateLogin string
action_result.data.*.Record.Field.*.Record.@id string
action_result.data.*.Record.Field.*.Record.@levelId string
action_result.data.*.Record.Field.*.Record.Field.*.@id string
action_result.data.*.Record.Field.*.Record.Field.*.@type string
action_result.data.*.Record.Field.*.Record.Field.*.@value string
action_result.data.*.Record.Field.*.Record.Field.@id string
action_result.data.*.Record.Field.*.Record.Field.@type string
action_result.data.*.Record.Field.*.Record.Field.@value string
action_result.data.*.Record.Field.*.Users.User.*.@firstName string
action_result.data.*.Record.Field.*.Users.User.*.@id string
action_result.data.*.Record.Field.*.Users.User.*.@lastName string
action_result.data.*.Record.Field.*.Users.User.*.@middleName string
action_result.data.*.Record.Field.*.Users.User.*.@updateDate string
action_result.data.*.Record.Field.*.Users.User.*.@updateLogin string
action_result.data.*.Record.Field.*.Users.User.@firstName string
action_result.data.*.Record.Field.*.Users.User.@id string
action_result.data.*.Record.Field.*.Users.User.@lastName string
action_result.data.*.Record.Field.*.Users.User.@middleName string
action_result.data.*.Record.Field.*.Users.User.@updateDate string
action_result.data.*.Record.Field.*.Users.User.@updateLogin string
action_result.data.*.Record.Field.*.multi_value string
action_result.summary.content_id numeric
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'list tickets'

Get a list of tickets in an application

Type: investigate
Read only: True

You must provide both the field name/ID (name_field) and the value to search for (search_value) to search in records. If the combination of field name and search value is incorrect or the user provides neither of them, you may get an unfiltered list. Parameters application, name_field, and search_value are case-sensitive.

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
application required Application/Module name (e.g. Incidents) string archer application
max_results required Max number of records to return numeric
name_field optional Name of field to search in (e.g. "Incident ID") string
search_value optional Value to search for in this application string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.application string archer application
action_result.parameter.max_results numeric
action_result.parameter.name_field string
action_result.parameter.search_value string
action_result.data.*.@contentId numeric archer content id
action_result.data.*.@levelGuid string
action_result.data.*.@levelId string
action_result.data.*.@moduleId string
action_result.data.*.@parentId string
action_result.data.*.Field.*.#text string ip
action_result.data.*.Field.*.@guid string
action_result.data.*.Field.*.@id string
action_result.data.*.Field.*.@name string
action_result.data.*.Field.*.@type string
action_result.data.*.Field.*.@xmlConvertedValue string
action_result.data.*.Field.*.ListValues.ListValue.#text string
action_result.data.*.Field.*.ListValues.ListValue.@displayName string
action_result.data.*.Field.*.ListValues.ListValue.@id string
action_result.data.*.Field.*.multi_value string
action_result.summary.records_found numeric
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

This action has a persistent copy of the most recent 'Date Created' value it's seen on any successfully processed record. It uses this to pull all records created since then and creates a Phantom container for each. Records are pulled by referencing that 'poll_report' key of each cef_mapping entry. If any such entry does not have a 'poll_report' key, it is skipped; otherwise, the Archer report named by that key's value will be used as a list of records to pull and process according to that mapping.

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
start_time optional Parameter ignored for this app numeric
end_time optional Parameter ignored for this app numeric
container_count optional Maximum number of container records to query for numeric
artifact_count optional Maximum number of artifact records to query for numeric

Action Output

No Output

About

adding 2 actions

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 90.0%
  • HTML 10.0%