ArcSight ESM | Marketplace

Details
Content
Dependencies
Version History

ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).

Integrations

Name	Description
ArcSight ESM v2	ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).

Playbooks

Name	Description
TIM - ArcSight Add IP Indicators	This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
TIM - ArcSight Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
TIM - ArcSight Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs as well as the field name in the Active list to add to.
Arcsight - Get events related to the Case	Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID. Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them.
TIM - ArcSight Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.

Integrations

Name	Description
ArcSight ESM v2	ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).

Playbooks

Name	Description
TIM - ArcSight Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
TIM - ArcSight Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs as well as the field name in the Active list to add to.
TIM - ArcSight Add IP Indicators	This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
TIM - ArcSight Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
Arcsight - Get events related to the Case	Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID. Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (4)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.2.9 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

1.2.8 - R7448282 (March 5, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.2.7 - 4096037 (July 8, 2025)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

1.2.6 - R3980324 (June 26, 2025)

Integrations

ArcSight ESM v2

Metadata and documentation improvements.

Related pull requests:
- 39011

Download

1.2.5 - 2659951 (March 5, 2025)

Integrations

ArcSight ESM v2

Fixed an issue where JSON HTTP responses could not be parsed when string values contained quotes.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38742

Download

1.2.4 - R2040490 (January 22, 2025)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.2.3 - 1155254 (July 7, 2024)

Integrations

ArcSight ESM v2

Fixed an issue where as-delete-entries failure message was incorrect.
Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35210

Download

1.2.2 - 991362 (May 3, 2024)

Integrations

ArcSight ESM v2

Fixed an issue in which a JSON HTTP response with more than three backslashes could not be parsed.

Related pull requests:
- 34044

Download

1.2.1 - 889167 (March 13, 2024)

Integrations

ArcSight ESM v2

Improved API response handling, adding support for responses with known invalid JSON formats.

Related pull requests:
- 33032

Download

1.2.0 - R6834680 (November 8, 2023)

Integrations

ArcSight ESM v2

Added support for as-add-entries command to use the new Detect REST API of ArcSight. It stopped working after upgrading ArcSight to 7.6.4.
Updated the Docker image to: demisto/python3:3.10.13.78960.

Related pull requests:
- 30365

Download

1.1.11 - R6592021 (October 13, 2023)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27936

Download

1.2.9 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

1.2.8 - R7448282 (March 5, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.2.7 - 4096037 (July 8, 2025)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

1.2.6 - R3980324 (June 26, 2025)

Integrations

ArcSight ESM v2

Metadata and documentation improvements.

Related pull requests:
- 39011

Download

1.2.5 - 2659951 (March 5, 2025)

Integrations

ArcSight ESM v2

Fixed an issue where JSON HTTP responses could not be parsed when string values contained quotes.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38742

Download

1.2.4 - R2040490 (January 22, 2025)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.2.3 - 1155254 (July 7, 2024)

Integrations

ArcSight ESM v2

Fixed an issue where as-delete-entries failure message was incorrect.
Updated the Docker image to: demisto/python3:3.10.14.99865.

Related pull requests:
- 35210

Download

1.2.2 - 991362 (May 3, 2024)

Integrations

ArcSight ESM v2

Fixed an issue in which a JSON HTTP response with more than three backslashes could not be parsed.

Related pull requests:
- 34044

Download

1.2.1 - 887575 (March 13, 2024)

Integrations

ArcSight ESM v2

Improved API response handling, adding support for responses with known invalid JSON formats.

Related pull requests:
- 33032

Download

1.2.0 - R6834680 (November 8, 2023)

Integrations

ArcSight ESM v2

Added support for as-add-entries command to use the new Detect REST API of ArcSight. It stopped working after upgrading ArcSight to 7.6.4.
Updated the Docker image to: demisto/python3:3.10.13.78960.

Related pull requests:
- 30365

Download

1.1.11 - R6592021 (October 13, 2023)

Integrations

ArcSight ESM v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27936

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 28, 2020
Last Release	March 23, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.