Additional options: Automate correlated event updates and closure based on SIR incident status

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 3 minutes de lecture

    • The ArcSight ESM integration has a bi-directional interface that allows for both correlation events to create security incidents, as well as an ability to update the correlation events once the security incident is created and/or closed with relevant incident details such as security incident number, assignment group, SIR incident URL, and so on.

    Avant de commencer

    Role required: sn_si.admin

    Procédure

    1. If the Additional Options page on the progress bar is not displayed, select Additional Options.
    2. Follow the instructions below to complete the configuration for updating correlated events when the security incident is created.
      Option or FieldDescription
      Update Correlated Events upon SIR Incident Creation Select this option if you want to update the correlation event stage in ArcSight ESM and update the event with additional comments when a security incident is created from the correlation event. This can occur for correlation events that could either create a new security incident, as well as aggregate existing security incidents.
      Remarque :
      If this option is not selected, the event stage will not be updated when the security incident is created.
      Correlated Event Stage Update Select a stage option from the Correlated Event Stage Update choice list that displays all available stages retrieved from the ArcSight ESM server.
      Correlated event stage not configured: If you have not configured any correlated event stages in your ServiceNow AI Platform instance, you will only see the Assign Stage - Initial Setup in the Correlated Event Stage Update choice list. To configure the stage, follow these steps:
      • Enter a resource ID in the Enter Stage Resource ID field and click Submit. The resource ID is validated in the ArcSight ESM console and the following screen is displayed.
        ArcSight ESM: Stage Resource ID
      • Click Save to save the new stage (Monitoring).
      • Click the Select Correlated Event Stage drop down list.
        ArcSight ESM: Event Stage List
      • You can select the newly created stage from the list.
      Correlated event stage already configured: If you have already configured the correlated event stage, follow these steps:
      • Select Use Previously Assigned Stage in the Correlated Event Stage Update choice list.
      • Select an existing stage from the Select Correlated Event Stage choice list as shown below.
        ArcSight ESM: Previously Assigned Stage
      • Initial Comments posted back to Correlated Event: In addition to updating the correlation event stage value, you can also post comments to the correlation stage annotations. As indicated in the instructions, you may edit the default text displayed in the comments section including adding or modifying the substitution variables using format $⁠{field name}$ for any field on the Security Incident Response incident form.
      Remarque :
      You can either use the default stages defined in the ArcSight ESM console or create your own custom stages. To create a new stage, follow these steps:
      • In the ArcSight ESM console, select File > New > Stage. The Inspect/Edit tab is displayed.
      • Define the new stage and do not select the User Required check box. Ensure that the stage is defined correctly and is in the correct position in the event life cycle.
    3. In the Automating Correlated Event Closure section, you can define how to update the security incident when it is closed.
    4. On the form, fill in the fields.
      Option or FieldDescription
      Update Correlated Events upon SIR Incident Closure Select this option if you want to update the correlation event status and add additional comments when a security incident is closed from the correlated event. This will occur for both the initial triggering notable events that create the security incident, as well as aggregated events.
      Remarque :
      If this option is not selected, the event stage will not be updated when the security incident is closed.
      Correlated Event Stage Update Select a stage option from the menu that displays all available stages retrieved from the ArcSight ESM server. Select the stage value to be set for all correlation events when a security incident is to be closed.
      Remarque :
      The stages displayed here are based on the stages configured in the Correlation Event Initial Updates section.
      Select Correlated Event Stage Select an appropriate status here.
      Closure Comments Posted back to Correlated Event In addition to updating the correlation event status value, you can also post closure comments to the correlation event annotations. As indicated in the instructions, you may edit the default text displayed in the comments section including adding or modifying the substitution variables using format $⁠{field name}$ for any field on the Security Incident Response incident form.

      ArcSight ESM: Closure Event Stage
    5. Click Finish to complete the configuration.
      A confirmation dialog is displayed. You have successfully completed the setup and configuration for the integration. Activate this profile to pull correlation events from the ArcSight ESM console based on your scheduling.