RTIR and ArcSight Integration

I have looked high and low through the current RTIR documentation to no avail for information on the built-in ArcSight integrations noted on the RTIR Features page. What I would like to do is use the ArcSight case export to create RTIR tickets for Incident Response activities. Is there a better method than using an XML parser to parse the ArcSight case export XML file in order to generate a ticket via the RTIR REST API?
Scot Fackler
Technical Advisor
FedEx Information Security

The ArcSight integration is not built in (if there’s documentation
implying that it’s built-in, please provide a URL so it can be
corrected).

An ArcSight integration was worked up for a customer running 3.8+RTIR,
would probably still work on current RTIR, but was definitely tied to
their process. The mapping from ArcSight fields to RT fields was not
well generalized and as such I do not believe that the code is public.

The extension did not use the REST API, it used RT’s built-in API and
consumed the case export XMLs, creating Incident Reports and an
Incident based on the data contained in the file.

Also - reposting your question to rt-users within 24 hours of posting
here doesn’t get it answered sooner.

-kevin
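One way to realize the flow Kevin describes (consume the case export XML, then raise an Incident Report), written here as an added example rather than Best Practical's integration code: it parses a constructed export whose tag names are assumed, and builds the key: value body that RT's REST 1.0 ticket/new endpoint expects, without sending it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample in the shape this example ASSUMES for an ArcSight case
# export; real exports differ, so adjust the tag names to your own file.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<archive>
  <Case name="Suspicious outbound traffic" id="case-0001">
    <description>Host 10.0.0.5 contacted a flagged domain</description>
    <severity>High</severity>
    <owner>soc-analyst</owner>
  </Case>
</archive>"""

# Severity to RT priority mapping. The integration Kevin describes used a
# site-specific mapping; this table is an assumption for the example.
PRIORITY = {"Low": 10, "Medium": 50, "High": 90}

def parse_cases(xml_text):
    """Return a list of dicts, one per <Case> element in the export."""
    # Only feed this exports from your own ArcSight host; for untrusted XML,
    # defusedxml guards against entity-expansion tricks that stdlib does not.
    root = ET.fromstring(xml_text)
    cases = []
    for case in root.iter("Case"):
        cases.append({
            "id": case.get("id", ""),
            "name": case.get("name", ""),
            "description": case.findtext("description", "").strip(),
            "severity": case.findtext("severity", "Medium").strip(),
            "owner": case.findtext("owner", "").strip(),
        })
    return cases

def rt_rest_content(case, queue="Incident Reports"):
    """Build the key: value body for RT's REST 1.0 ticket/new."""
    # REST 1.0 continues a multi-line value on lines indented by one space.
    text = "\n ".join(["ArcSight case %s" % case["id"]]
                      + case["description"].splitlines())
    fields = [("id", "ticket/new"), ("Queue", queue),
              ("Subject", case["name"]),
              ("Priority", str(PRIORITY.get(case["severity"], 50))),
              ("Text", text)]
    return "\n".join("%s: %s" % kv for kv in fields) + "\n"

def rt_rest_request(case, base_url, user, password):
    """Return (url, form body) for a POST to the REST 1.0 ticket/new endpoint."""
    body = urlencode({"user": user, "pass": password,
                      "content": rt_rest_content(case)})
    return base_url.rstrip("/") + "/REST/1.0/ticket/new", body
```

Send the returned body as a POST over HTTPS; a second call with Queue set to "Incidents" and the report's ticket number in the Text would produce the parent Incident the extension also created.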

Thank you for your reply.

Let me apologize for the perceived repost. After posting to this list specific to RTIR I thought that others may have had success importing an XML parse to RT not using RTIR, so I reformatted the question to the rt-users list. Duplicate queries were not my intent.

The URL in reference is https://www.bestpractical.com/rtir/features.html where I read "We've already built integrations with ArcSight, Nagios, and other software..." as though there was an existing script that might be available for reference. I see now that this was a custom integration.

I appreciate your time.

Scot

-----Original Message-----
From: rtir [mailto:rtir-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Friday, September 05, 2014 9:22 AM
To: rtir@lists.bestpractical.com
Subject: Re: [Rtir] RTIR and ArcSight Integration

On Wed, Sep 03, 2014 at 06:39:31PM -0400, Scot Fackler via rtir wrote:

OK, so how would you use the ArcSight case export to create an RTIR ticket? I think it is a good idea to start with.
Thank you. How can I go about it?