[Rtir] RTIR and ArcSight Integration

Kevin Falcone falcone at bestpractical.com
Fri Sep 5 10:22:22 EDT 2014


On Wed, Sep 03, 2014 at 06:39:31PM -0400, Scot Fackler via rtir wrote:
> 
> I have looked high and low through the current RTIR documentation to no avail
> for information on the built-in ArcSight integrations noted on the RTIR
> Features page. What I would like to do is use the ArcSight case export to
> create RTIR tickets for Incident Response activities. Is there a better method
> than using an xml parser to parse the ArcSight case export xml file in order to
> generate a ticket via the RTIR REST API?
> 

The ArcSight integration is not built in (if there's documentation
implying that it's built-in, please provide a URL so it can be
corrected).

An ArcSight integration was worked up for a customer running 3.8+RTIR,
would probably still work on current RTIR, but was definitely tied to
their process. The mapping from ArcSight fields to RT fields was not
well generalized and as such I do not believe that the code is public.

The extension did not use the REST API, it used RT's built-in API and
consumed the case export XMLs, creating Incident Reports and an
Incident based on the data contained in the file.

Also - reposting your question to rt-users within 24 hours of posting
here doesn't get it answered sooner.

-kevin