IBM Security QRadar SOAR


ArcSight - Resilient Template

  • 1.  ArcSight - Resilient Template

    Posted Mon January 11, 2021 07:48 AM
    Hi Everyone,

    We integrated ArcSight and Resilient with resilient_arcsight_alert.py, and we tested that the script is still working fine.
    I have 2 questions about the integration. Both are about the Jinja template:

    1) There was a timestamp issue. For example, we mapped the ArcSight device receipt time to the Resilient discovered date; the ArcSight device receipt time is "7 Jan 2021 19:36:27 EET", but the Resilient discovered date is "12/08/1971 03:28". This is due to the timestamp format. How can we change the timestamp format and solve this issue?

    2) After the ArcSight - Resilient integration, we can only add one artifact to Resilient with the template below, and when we change that template to add a second or third artifact to Resilient it didn't work. How can we add multiple artifacts with the template below? For example, we tried to add e.device.hostName (an ArcSight field) as a second artifact to Resilient, but that hostname field could not be added to Resilient.

    If you can share samples, it would be great :)

    I have shared a sample template below for issue 2.
    (Devices: Resilient version 38.2.37 and ArcSight ESM version 7.3)

    sample_temp.jinja
    -------------------------------------------------------
    {
    {# This is a JINJA2 template for ArcSight event mapping to Resilient incident #}
    "inc_training": true,
    "confirmed": false,
    "description" : {
    "format": "html",
    "content": "<div>{% if e.generator %}<p>ArcSight Rule Name: {{e.name|html}}</p>{% endif %}<p>Correlated Event ID: '{{e.eventId}}'</p><p>Base Event ID: '{{e.baseEventIds}}'</p></div>"
    },
    "name": "Arcsight Event ID {{e.eventId}} - {{e.name}}",
    "reporter": "ArcSight",
    "discovered_date": {{e.deviceReceiptTime|js}},
    "start_date": {{e.startTime|js}},
    "incident_type_ids": ["Test_Incidents"],

    "properties": {
    {# eventId is the field used everywhere else in this template #}
    "arcsight_id": "{{e.eventId}}"
    },

    {# maybe map these to "High", "Moderate", "Critical" etc:
    "severity_code" : "Medium"
    #}

    "pii": {
    "data_compromised": false

    },


    {# Add fields to indicate the source, owner, etc #}

    "artifacts": [ {% for base_event in events %}
    {
    "type": "User Account",
    "value": "{{e.destination.userName}}",
    "description": "Destination User Name - Base Event ID: {{e.baseEventIds|js}}"

    }{% if not loop.last %},{% endif %}
    {% endfor %}]

    }
    -------------------------------------------------------------

    I am looking forward to your help and opinions.

    BR,
    Sayit K.


    ------------------------------
    Sayit KARAKIS
    ------------------------------
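
As an added example (not from the post above, from IBM, or from resilient_arcsight_alert.py), the Python script below addresses both questions in one place: a `ts_ms` filter that turns the ArcSight string "7 Jan 2021 19:36:27 EET" into the epoch milliseconds that Resilient date fields such as discovered_date expect, and a template that emits one artifact per mapped field of the single event `e` instead of looping over `events` while reading `e` on every pass. The constructed sample event, the zone-abbreviation offset table, the artifact type names, and defining `js` as `json.dumps` (which is the role that filter plays in resilient-lib) are assumptions made for this example; the context variables and filters the real integration passes to the template may differ.

```python
import json
from datetime import datetime, timedelta, timezone

try:
    from jinja2 import Environment
    JINJA2_AVAILABLE = True
except ImportError:  # render_incident() needs jinja2; the timestamp filter does not
    JINJA2_AVAILABLE = False

# Assumed zone-abbreviation offsets. ArcSight prints a bare abbreviation such as
# "EET", which strptime's %Z cannot resolve portably, so the mapping is explicit.
# Extend it for the zones your ESM emits; unknown zones raise instead of guessing.
ZONE_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EET": 2, "EEST": 3}


def arcsight_time_to_epoch_ms(value):
    """Convert an ArcSight time value to epoch milliseconds (Resilient date fields).

    Accepts "7 Jan 2021 19:36:27 EET" style strings, and also a numeric epoch in
    seconds or milliseconds. The seconds/milliseconds split at 1e11 is an
    assumption for this example: a seconds value fed in as milliseconds is what
    produces a 1970s date in the incident.
    """
    if isinstance(value, (int, float)) or (isinstance(value, str) and value.strip().isdigit()):
        n = int(value)
        return n * 1000 if n < 10**11 else n
    text, zone = value.strip().rsplit(" ", 1)
    if zone not in ZONE_OFFSET_HOURS:
        raise ValueError("unknown time zone abbreviation: %r" % zone)
    naive = datetime.strptime(text, "%d %b %Y %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSET_HOURS[zone])))
    return int(aware.timestamp() * 1000)


# One artifact per mapped field of the single event `e`. Every value passes
# through js (json.dumps) so the output stays valid JSON whatever the field
# contains, and the loop filter `if value` drops empty fields instead of
# creating artifacts with an empty value. Nested objects (destination, device,
# source) must exist in the event, or be guarded, or rendering fails.
INCIDENT_TEMPLATE = """\
{
  "name": {{ ("ArcSight Event ID " ~ e.eventId ~ " - " ~ e.name)|js }},
  "reporter": "ArcSight",
  "discovered_date": {{ e.deviceReceiptTime|ts_ms }},
  "start_date": {{ e.startTime|ts_ms }},
  "properties": { "arcsight_id": {{ e.eventId|string|js }} },
  "artifacts": [
  {%- set candidates = [
      ("User Account", e.destination.userName, "Destination User Name"),
      ("System Name",  e.device.hostName,      "Device Host Name"),
      ("IP Address",   e.source.address,       "Source Address")
  ] %}
  {%- for atype, value, label in candidates if value %}
    {
      "type": {{ atype|js }},
      "value": {{ value|js }},
      "description": {{ (label ~ " - Base Event ID: " ~ e.baseEventIds)|js }}
    }{% if not loop.last %},{% endif %}
  {%- endfor %}
  ]
}
"""

# Constructed sample event, not a real ArcSight export.
SAMPLE_EVENT = {
    "eventId": 1234567,
    "name": "Brute force login detected",
    "baseEventIds": "1234560,1234561",
    "deviceReceiptTime": "7 Jan 2021 19:36:27 EET",
    "startTime": "7 Jan 2021 19:35:02 EET",
    "destination": {"userName": "alice"},
    "device": {"hostName": "dc01.example.internal"},
    "source": {"address": ""},  # empty on purpose: the template must skip it
}


def render_incident(event):
    """Render the template for one event and parse the result as JSON."""
    if not JINJA2_AVAILABLE:
        raise RuntimeError("jinja2 is required to render the template")
    env = Environment(trim_blocks=True, lstrip_blocks=True)
    env.filters["js"] = json.dumps            # assumed to match the integration's js filter
    env.filters["ts_ms"] = arcsight_time_to_epoch_ms
    rendered = env.from_string(INCIDENT_TEMPLATE).render(e=event)
    return json.loads(rendered)               # fails loudly on invalid JSON


if __name__ == "__main__":
    print(json.dumps(render_incident(SAMPLE_EVENT), indent=2))
```

Two checks worth keeping from this example when adapting it to the real template: always run the rendered text through json.loads before posting it, because a `|js` result wrapped in an extra pair of quotes is the quickest way to silently lose artifacts, and reject unknown zone abbreviations rather than defaulting to UTC, since a two-hour shift on discovered_date is much harder to notice than a 1971 date.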