RSA Archer Integration¶
Connects Chronicle SOAR to RSA Archer for managing GRC (Governance, Risk, and Compliance) processes, particularly incident management.
Configuration¶
(Details on setting up the RSA Archer integration, including authentication methods, API endpoints, and necessary permissions, would go here.)
Key Actions (Tools)¶
The following actions are available through the RSA Archer integration:
rsa_archer_add_incident_journal_entry¶
Description: Add a journal entry to the Security Incident in RSA Archer.
Parameters:
case_id(str, required): The ID of the case.alert_group_identifiers(List[str], required): Identifiers for the alert groups.destination_content_id(str, required): Specify a content id of the security incident to which you want to add journal entry.text(str, required): Specify the text for the journal entry.target_entities(List[TargetEntity], optional, default: []): Optional list of specific target entities (Identifier, EntityType) to run the action on.scope(str, optional, default: “All entities”): Defines the scope for the action.
rsa_archer_update_incident¶
Description: Update an incident
Parameters:
case_id(str, required): The ID of the case.alert_group_identifiers(List[str], required): Identifiers for the alert groups.content_id(str, required): Content Id of the incident to update.application_name(Optional[str], optional, default: None): Specify an application name for the incident. Default: Incidents.incident_summary(Optional[str], optional, default: None): The new summary of the incident.incident_details(Optional[str], optional, default: None): The new details (decsription) of the incident.incident_owner(Optional[str], optional, default: None): The new owner of the incident.incident_status(Optional[str], optional, default: None): The new status of the incident.priority(Optional[str], optional, default: None): The new priority of the incident.category(Optional[str], optional, default: None): The new category of the incident.custom_fields(Optional[str], optional, default: None): Specify a JSON object of fields that need to be updated. Example: {“Category”:“Malware”}.custom_mapping_file(Optional[str], optional, default: None): Specify an absolute path to the file that contains all of the required mapping. If “Remote File“ is enabled, then provide a URL that contains the mapping file. Please refer to action documentation for the additional information.remote_file(Optional[bool], optional, default: None): If enabled, action will treat value provided in “Custom Mapping File“ as a URL and try to fetch a file from it.target_entities(List[TargetEntity], optional, default: []): Optional list of specific target entities (Identifier, EntityType) to run the action on.scope(str, optional, default: “All entities”): Defines the scope for the action.
rsa_archer_ping¶
Description: Test Connectivity
Parameters:
case_id(str, required): The ID of the case.alert_group_identifiers(List[str], required): Identifiers for the alert groups.target_entities(List[TargetEntity], optional, default: []): Optional list of specific target entities (Identifier, EntityType) to run the action on.scope(str, optional, default: “All entities”): Defines the scope for the action.
rsa_archer_get_incident_details¶
Description: Retrieve information about the incident from RSA Archer.
Parameters:
case_id(str, required): The ID of the case.alert_group_identifiers(List[str], required): Identifiers for the alert groups.content_id(str, required): Specify ID of the content for which you want to retrieve details.application_name(Optional[str], optional, default: None): Specify an application name for the incident. Default: Incidents.target_entities(List[TargetEntity], optional, default: []): Optional list of specific target entities (Identifier, EntityType) to run the action on.scope(str, optional, default: “All entities”): Defines the scope for the action.
rsa_archer_create_incident¶
Description: Create a new incident
Parameters:
case_id(str, required): The ID of the case.alert_group_identifiers(List[str], required): Identifiers for the alert groups.incident_summary(Optional[str], optional, default: None): The summary of the new incident.application_name(Optional[str], optional, default: None): Specify an application name for the incident. Default: Incidents.incident_details(Optional[str], optional, default: None): The details (description) of the new incident.incident_owner(Optional[str], optional, default: None): The owner of the new incident.incident_status(Optional[str], optional, default: None): The status of the new incident.priority(Optional[str], optional, default: None): The priority of the new incident.category(Optional[str], optional, default: None): The category of the new incident.custom_fields(Optional[str], optional, default: None): Specify a JSON object of fields that need to be used, when creating an incident . Example: {“Category”:“Malware”}.custom_mapping_file(Optional[str], optional, default: None): Specify an absolute path to the file that contains all of the required mapping. If “Remote File“ is enabled, then provide a URL that contains the mapping file. Please refer to action documentation for the additional information.remote_file(Optional[bool], optional, default: None): If enabled, action will treat value provided in “Custom Mapping File“ as a URL and try to fetch a file from it.target_entities(List[TargetEntity], optional, default: []): Optional list of specific target entities (Identifier, EntityType) to run the action on.scope(str, optional, default: “All entities”): Defines the scope for the action.
Use Cases¶
Creating or updating incidents in Archer based on SOAR case data.
Adding investigation notes from SOAR to Archer incidents.
Retrieving incident details from Archer for enrichment within SOAR.